Sicebisa ukuba siye ezantsi kwinqanaba eliphantsi kwakhona kwaye sithethe malunga nokhuseleko lwe-firmware ye-x86-ehambelanayo namaqonga ekhompyuter. Ngeli xesha, isithako esiphambili sophononongo yi-Intel Boot Guard (ukuba ingabhidaniswa ne-Intel BIOS Guard!) - i-hardware-inkxaso ye-BIOS ye-boot technology ethembekileyo ukuba umthengisi wenkqubo yekhompyutha unokuvumela ngokusisigxina okanye ukukhubaza kwinqanaba lemveliso. Ewe, iresiphi yophando sele iqhelekile kuthi: ceke kancinci ukuphunyezwa kobu buchwepheshe usebenzisa ubunjineli obubuyela umva, chaza ulwakhiwo lwayo, ugcwalise ngeenkcukacha ezingabhalwanga, ixesha lonyaka kunye nee-vectors zokuhlaselwa ukungcamla kunye nokuxuba. Masifake amafutha kwibali lendlela i-bug eye yaqulunqwa ngayo iminyaka kwimveliso yabathengisi abaninzi ivumela umhlaseli onokuthi asebenzise le teknoloji ukwenza i-rootkit efihliweyo kwinkqubo engenakususwa (nokuba ngumdwelisi weprogram).
Ngendlela, eli nqaku lisekelwe kwiingxelo "Kugada iRootkits: Intel BootGuard" evela kwinkomfa. kunye nentlanganiso yama-29 (zombini iintetho ).
I-Firmware yeqonga lekhompyutheni kunye ne-Intel 64 ye-architecture
Okokuqala, makhe siphendule umbuzo: yintoni i-firmware yeqonga lekhompyuter yanamhlanje kunye ne-Intel 64 yezakhiwo? Kakade ke, UEFI BIOS. Kodwa impendulo enjalo ayiyi kuba ichanekile. Makhe sijonge kumfanekiso, obonisa i-desktop (laptop) inguqulelo yale zakhiwo.
Isiseko likhonkco:
- Iprosesa (i-CPU, i-Central Processing Unit), leyo, ukongeza kwiinqununu eziphambili, ine-core graphics eyakhelwe ngaphakathi (kungekhona kuzo zonke iimodeli) kunye nomlawuli wememori (IMC, i-Memory Controller edibeneyo);
- I-Chipset (i-PCH, i-Platform Controller Hub), equlethe abalawuli abahlukeneyo bokusebenzisana nezixhobo ze-peripheral kunye nokulawula i-subsystems. Phakathi kwazo kukho i-Intel Management Engine (ME) eyaziwayo, ene-firmware (i-Intel ME firmware).
Iilaptops, ngaphezu koku ngasentla, zifuna isilawuli esakhelwe ngaphakathi (i-ACPI EC, i-Advanced Control kunye ne-Power Interface Embedded Controller), ejongene nokusebenza kwenkqubo engaphantsi kwamandla, i-touchpad, ikhibhodi, izitshixo ze-Fn (ukukhanya kwesikrini, umthamo wesandi. , ikhibhodi backlight, njl. ) kunye nezinye izinto. Kwaye nayo ine-firmware yayo.
Ngoko ke, ukuphelela kwe-firmware engentla yi-firmware yeqonga lekhompyutheni (i-firmware ye-system), egcinwe kwimemori ye-flash ye-SPI eqhelekileyo. Ukuze abasebenzisi bale nkumbulo bangabhideki malunga nokuba iphi na, imixholo yale nkumbulo yahlulahlulwe yangale mimandla ilandelayo (njengoko kubonisiwe kumfanekiso):
- UEFI BIOS;
- I-firmware ye-ACPI EC (indawo eyahlukileyo ibonakala kunye ne-Skylake processor microarchitecture (2015), kodwa-endle asikayiboni imizekelo yokusetyenziswa kwayo, ngoko ke i-firmware yomlawuli owakhelwe ngaphakathi isabandakanywa kwi-UEFI BIOS) ;
- Intel ME firmware;
- uqwalaselo (idilesi ye-MAC, njl.) ye-adaptha yenethiwekhi eyakhelwe-ngaphakathi ye-GbE (Gigabit Ethernet);
- Izichazi zeFlash ngowona mmandla uphambili wememori edanyazayo equlathe izikhombisi eziya kweminye imimandla, kunye neemvume zokufikelela kuzo.
Inkosi yebhasi ye-SPI, umlawuli we-SPI owakhiwe kwi-chipset, apho le memori ifikeleleke khona, inoxanduva lokunciphisa ukufikelela kwimimandla (ngokuhambelana neemvume ezichaziweyo). Ukuba iimvume zimiselwe kwi-Intel ecetyisiweyo (ngenxa yezizathu zokhuseleko) amaxabiso, ngoko umsebenzisi ngamnye we-SPI unofikelelo olupheleleyo (ukufunda/ukubhala) kummandla wabo kuphela. Kwaye ezinye zifundeka kuphela okanye azifikeleleki. Inyaniso eyaziwayo: kwiinkqubo ezininzi, i-CPU inokufikelela ngokupheleleyo kwi-UEFI BIOS kunye ne-GbE, ukufunda ukufikelela kuphela kwiinkcazo ze-flash, kwaye akukho ukufikelela kwingingqi ye-Intel ME kwaphela. Kutheni kwabaninzi, kungekhona kubo bonke? Oko kucetyiswayo akufuneki. Siza kukuxelela ngakumbi ngokweenkcukacha kamva kwinqaku.
Iindlela zokukhusela i-firmware yeqonga lekhompyuter ukusuka kuhlengahlengiso
Ngokucacileyo, i-firmware yeqonga lekhompyuter kufuneka ikhuselwe kwingozi enokwenzeka, eya kuvumela umhlaseli onokuthi afumane indawo yokuhlala kuyo (ukusinda ngohlaziyo lwe-OS / ukufakwa kwakhona), yenze ikhowudi yabo kwiindlela ezinelungelo, njl. Kwaye ukuthintela ukufikelela kwimimandla yememori ye-flash ye-SPI, ngokuqinisekileyo, akwanelanga. Ke ngoko, ukukhusela i-firmware kuhlengahlengiso, iindlela ezahlukeneyo ezikhethekileyo kwindawo nganye yokusebenza zisetyenziswa.
Ngaloo ndlela, i-firmware ye-Intel ME isayinwe ukulawula ingqibelelo kunye nokunyaniseka, kwaye ihlolwe ngumlawuli we-ME rhoqo xa ilayishwe kwimemori ye-ME UMA. Le nkqubo yokuqinisekisa sele ixoxwe sithi kwenye ye , enikezelwe kwi-Intel ME ephantsi kwendlela.
Kwaye i-firmware ye-ACPI EC, njengomthetho, ihlolwe kuphela ukunyaniseka. Nangona kunjalo, ngenxa yokuba le bhinari ifakwe kwi-UEFI BIOS, isoloko ixhomekeke kwiindlela ezifanayo zokukhusela ezisetyenziswa yi-UEFI BIOS. Makhe sithethe ngazo.
Ezi ndlela zinokwahlulwa zibe ziindidi ezimbini.
Bhala ukhuseleko kwindawo ye-UEFI BIOS
- Ukukhuselwa ngokomzimba kwimixholo yememori ye-SPI ye-flash kunye ne-jumper ekhuselayo yokubhala;
- Ukukhusela uqikelelo lwengingqi ye-UEFI BIOS kwindawo yedilesi ye-CPU usebenzisa iirejista ze-chipset ze-PRx;
- Ukuthintela iinzame zokubhalela ummandla we-UEFI BIOS ngokuvelisa kunye nokucubungula i-SMI ehambelanayo yokuphazamisa ngokucwangcisa i-BIOS_WE / BLE kunye ne-SMM_BWP bits kwiirejista ze-chipset;
- Uguqulelo oluphambili ngakumbi lolu khuselo yi-Intel BIOS Guard (PFAT).
Ukongeza kwezi ndlela, abathengisi banokuphuhlisa kwaye basebenzise amanyathelo abo okhuseleko (umzekelo, ukusayina ii-capsules kunye nohlaziyo lwe-UEFI BIOS).
Kubalulekile ukuba uqaphele ukuba kwinkqubo ethile (kuxhomekeke kumthengisi), azikho zonke iindlela zokukhusela ezingentla apha ezinokuthi zisetyenziswe, azinakusetyenziswa kuzo zonke, okanye ziphunyezwe ngendlela enobungozi. Unokufunda ngakumbi malunga nezi ndlela kunye nemeko ngokuphunyezwa kwazo . Kwabo banomdla, sicebisa ukuba ufunde lonke uthotho lwamanqaku kukhuseleko lwe-UEFI BIOS ukusuka .
UEFI BIOS uqinisekiso
Xa sithetha ngetekhnoloji ye-boot ethembekileyo, into yokuqala ethi qatha engqondweni kuKhuseleko lwe-Boot. Nangona kunjalo, ngokwezakhiwo zenzelwe ukuqinisekisa ubunyani bamacandelo angaphandle kwi-UEFI BIOS (abaqhubi, ii-bootloaders, njl.), kwaye hayi i-firmware ngokwayo.
Ngoko ke, i-Intel, kwi-SoCs kunye ne-Bay Trail microarchitecture (2012), iphumeze i-hardware engakhubazekanga i-Secure Boot (i-Boot eQinisekisiweyo), engenanto ehambelanayo ne-teknoloji ye-Secure Boot ekhankanywe ngasentla. Kamva (2013), lo matshini waphuculwa kwaye wakhululwa phantsi kwegama le-Intel Boot Guard yeedeskithophu ezine-Haswell microarchitecture.
Phambi kokuchaza i-Intel Boot Guard, makhe sijonge iimeko zokuqhutywa kuyilo lwe-Intel 64, ethi, ngokudibeneyo, ziingcambu zokuthembela kobu buchwephesha bokuqalisa obuthembekileyo.
intel-cpu
I-Cap icebisa ukuba iprosesa yeyona ndawo iphambili yokuqhutywa kwi-Intel 64. Kutheni ingcambu yokuthembela? Kuyavela ukuba into emenza abe njalo kukuba nezinto ezilandelayo:
- I-Microcode ROM yinkumbulo engaguqukiyo, engabhalwanga kwakhona yokugcina i-microcode. Kukholelwa ukuba i-microcode kukuphunyezwa kwenkqubo yomyalelo weprosesa usebenzisa eyona miyalelo ilula. Yenzeka kwi-microcode nayo . Ngoko kwi-BIOS unokufumana iibhinari kunye nohlaziyo lwe-microcode (egqunywe ngexesha lokuqalisa, ekubeni i-ROM ayikwazi ukubhalwa ngaphezulu). Imixholo yala mabhinari i-encrypted, enzima kakhulu uhlalutyo (ngoko ke, umxholo othile we-microcode uyaziwa kuphela kwabo bawuphuhlisayo), kwaye usayinwe ukulawula ingqibelelo kunye nokunyaniseka;
- Isitshixo se-AES sokucima imixholo yohlaziyo lwe-microcode;
- I-hash yesitshixo sikawonke-wonke sase-RSA esisetyenziselwa ukungqinisisa utyikityo lohlaziyo lwe-microcode;
- I-RSA ye-hash yesitshixo sikawonkewonke, eqinisekisa ukusayinwa kwe-Intel-developed ACM (i-Authenticated Code Module) iimodyuli zekhowudi, apho i-CPU inokuqalisa ngaphambi kokubulawa kwe-BIOS (hello microcode) okanye ngexesha lokusebenza kwayo, xa iziganeko ezithile zenzeka.
Intel ME
Ibhlog yethu yanikezelwa kule subsystem . Masikhumbule ukuba le ndawo isebenzayo isekwe kwi-microcontroller eyakhelwe kwi-chipset kwaye yeyona nto ifihliweyo kwaye inelungelo kwinkqubo.
Ngaphandle kwemfihlo yayo, i-Intel ME iyingcambu yokuthembela kuba ine:
- I-ME ROM - imemori engaguqukiyo, engabhalwanga kwakhona (akukho ndlela yokuhlaziya inikezelwayo) equlethe ikhowudi yokuqala, kunye ne-SHA256 ye-hash yesitshixo sikawonkewonke se-RSA, esiqinisekisa ukusayinwa kwe-Intel ME firmware;
- Isitshixo se-AES sokugcina ulwazi oluyimfihlo;
- ukufikelela kwiseti yeefuse (FPFs, Field Programmable Fuses) edityaniswe kwi-chipset yokugcina isigxina solunye ulwazi, kubandakanywa naloo nto ichazwe ngumthengisi wenkqubo yekhompyutha.
Intel Boot Guard 1.x
Inkcazo encinci. Iinombolo zenguqulo ye-Intel Boot Guard yetekhnoloji esiyisebenzisayo kweli nqaku ayinasizathu kwaye ayinanto yakwenza nokubalwa kweenombolo ezisetyenziswe kumaxwebhu angaphakathi e-Intel. Ukongezelela, ulwazi olunikwe apha malunga nokuphunyezwa kobu buchwepheshe lufunyenwe ngexesha lobunjineli obungasemva, kwaye lunokuthi luqulathe ukungachaneki xa kuthelekiswa nenkcazo ye-Intel Boot Guard, engenakwenzeka ukuba ipapashwe.
Ke, i-Intel Boot Guard (BG) yitekhnoloji yokuqinisekisa i-UEFI BIOS exhaswa yihardware. Ukujonga ngenkcazo emfutshane kwincwadi ethi [I-Platform Embedded Security Technology Ityhilwe, isahluko Ukuqalisa ngeMfezeko, okanye i- Not Boot], isebenza njengekhonkco lokuqalisa elithembekileyo. Kwaye ikhonkco yokuqala kuyo yikhowudi yokuqalisa (i-microcode) ngaphakathi kwe-CPU, ebangelwa yi-RESET isiganeko (ungadideki kunye ne-RESET vector kwi-BIOS!). I-CPU ifumana imodyuli yekhowudi ephuhliswe kwaye isayinwe yi-Intel (Intel BG yokuqalisa i-ACM) kwimemori ye-flash ye-SPI, ilayishe kwi-cache yayo, iqinisekisa (yayisele iphawulwe ngasentla ukuba i-CPU ine-hash yesitshixo sikawonke-wonke esiqinisekisa i-ACM. utyikityo) kwaye iqala.
Le modyuli yekhowudi inoxanduva lokuqinisekisa inxalenye encinci yokuqala ye-UEFI BIOS - Ibhloko yokuQala yokuQala (IBB), leyo, iqulethe umsebenzi wokuqinisekisa inxalenye ephambili ye-UEFI BIOS. Ngaloo ndlela, i-Intel BG ikuvumela ukuba uqinisekise ubunyani be-BIOS ngaphambi kokulayisha i-OS (enokuthi yenziwe phantsi kweliso loBuchwephesha obuKhuselekileyo).
Itekhnoloji ye-Intel BG ibonelela ngeendlela ezimbini zokusebenza (kwaye enye ayiphazamisi enye, oko kukuthi zombini iindlela zinokuvulwa kwinkqubo, okanye zombini zinokukhubazwa).
I-Measured Boot
Kwimowudi yokuQalisa uMlinganiso (MB), icandelo ngalinye lokuqalisa (ukuqala nge-CPU yokuqalisa i-ROM) “ilinganisa” elandelayo isebenzisa ubunakho be-TPM (i-Trusted Platform Module). Kwabo bangenalwazi makhe ndicacise.
I-TPM ine-PCRs (iiRejista zokuLungiswa kwePlatform), apho isiphumo sokusebenza kwe-hashing sibhalwa ngokwefomula:
Ezo. ixabiso langoku lePCR lixhomekeke kuleyo yangaphambili, kwaye ezi rejista zisetwa kwakhona kuphela xa inkqubo ISETHIWA FUTHI.
Ke, kwimowudi ye-MB, ngaxa lithile, ii-PCR zibonisa into eyodwa (ngaphakathi kobuchule bokusebenza kwe-hashing) isazisi sekhowudi okanye idatha “eyalinganiswayo.” Amaxabiso ePCR anokusetyenziswa kufihlo lwedatha (TPM_Seal) ukusebenza. Emva koku, ukukhutshwa kwabo kwi-decryption (TPM_Unseal) kuya kwenzeka kuphela ukuba ixabiso le-PCR alizange litshintshe ngenxa yokulayishwa (oko kukuthi, akukho nxalenye enye "elinganiselweyo" eyalungiswayo).
I-Boot eqinisekisiweyo
Eyona nto imbi kwabo bathanda ukulungisa i-UEFI BIOS yimowudi eQinisekisiweyo yeBoot (VB), apho icandelo ngalinye lesiqalo liqinisekisa ngokufihlakeleyo ingqibelelo kunye nokunyaniseka kwelandelayo. Kwaye kwimeko yempazamo yokuqinisekisa, (enye) iyenzeka:
- ukuvala ngexesha lokuphuma kwemizuzu eyi-1 ukuya kwimizuzu engama-30 (ukuze umsebenzisi abe nexesha lokuqonda ukuba kutheni ikhompyuter yakhe ingaqalisi, kwaye, ukuba kunokwenzeka, izama ukubuyisela i-BIOS);
- ukuvala ngokukhawuleza (ukuze umsebenzisi angabi naxesha lokuqonda, kuncinci ukwenza, nantoni na);
- ukuqhubeka nokusebenza ngokubonakalisa ukuzola (loo meko xa kungekho xesha lokhuseleko, kuba kukho izinto ezibaluleke ngakumbi zokwenza).
Ukhetho lwesenzo luxhomekeke kuqwalaselo oluchaziweyo lwe-Intel BG (olukuthi, kumgaqo-nkqubo wokunyanzeliswa okubizwa ngokusisigxina), ebhalwe ngokusisigxina ngumthengisi weqonga lekhompyuter kwindawo yokugcina eyilelwe ngokukodwa - i-chipset fuses (FPFs). Siza kuhlala kule ngongoma ngokweenkcukacha ngakumbi kamva.
Ukongeza kuqwalaselo, umthengisi uvelisa izitshixo ezimbini ze-RSA 2048 kwaye enze izakhiwo zedatha ezibini (eziboniswe kumzobo):
- I-manifest yengcambu yomthengisi (KEYM, OEM Root Key Manifest), equlathe i-SVN (iNombolo yoKhuseleko lweNguqulelo) yalo myalelo, i-SHA256 hash yesitshixo sikawonke-wonke se-manifesto elandelayo, isitshixo sikawonke-wonke seRSA (okt. ingcambu yesitshixo somthengisi) ukuqinisekisa utyikityo lwalo myalelo kunye notyikityo ngokwalo;
- I-IBB Manifest (IBBM, i-Initial Boot Block Manifest), equlethe i-SVN yalo myalelo we-manifesto, i-SHA256 hash ye-IBB, isitshixo sikawonke-wonke sokuqinisekisa utyikityo lwalo myalelo kunye notyikityo ngokwalo.
I-SHA256 hash ye-OEM Root Key isitshixo sikawonke-wonke sirekhodwa ngokusisigxina kwi-chipset fuses (FPFs), kanye njenge-Intel BG yoqwalaselo. Ukuba uqwalaselo lwe-Intel BG lubonelela ngokubandakanywa kobu buchwepheshe, ngoko ukususela ngoku kuphela umninimzi wangasese we-OEM Root Key unokuhlaziya i-BIOS kule nkqubo (oko kukuthi, ukwazi ukubala kwakhona ezi zibonakaliso), oko kukuthi. umthengisi.
Xa ujonga umfanekiso, amathandabuzo avela ngokukhawuleza malunga nesidingo sekhonkco elide lokuqinisekisa - bebenokusebenzisa i-manifest enye. Kutheni izinto zinzima?
Ngapha koko, i-Intel ngaloo ndlela ibonelela umthengisi ithuba lokusebenzisa izitshixo ze-IBB ezahlukeneyo kwimigca eyahlukeneyo yeemveliso zayo kwaye enye njengengcambu. Ukuba inxalenye yangasese yesitshixo se-IBB (apho i-manifest yesibini isayinwe) iyavuza, isiganeko siya kuchaphazela umgca wemveliso omnye kuphela kwaye kude kube yilapho umthengisi evelisa isibini esitsha kwaye uquka ukubonakaliswa kwakhona kokuhlaziywa kwe-BIOS elandelayo.
Kodwa ukuba iqhosha lengcambu (eline-manifest yokuqala lisayinwe ngalo) lisengozini, ayizukwenzeka ukulibuyisela endaweni yalo; akukho nkqubo yokurhoxiswa ibonelelweyo. I-hash yendawo yoluntu yesi sitshixo ifakwe kwi-FPF kube kanye.
Uqwalaselo lwe-Intel Boot Guard
Ngoku makhe sijonge ngakumbi kuqwalaselo lwe-Intel BG kunye nenkqubo yokuyidala. Ukuba ujonga ithebhu ehambelanayo kwi-GUI yeSixhobo soMfanekiso weFlash usetyenziso oluvela kwi-Intel System Tool Kit (STK), uya kuqaphela ukuba uqwalaselo lwe-Intel BG lubandakanya ihashi yendawo yoluntu yesitshixo sengcambu yomthengisi, isibini se amaxabiso angacacanga, njl. Iprofayile ye-Intel BG.
Ubume bale profayile:
typedef struct BG_PROFILE
{
unsigned long Force_Boot_Guard_ACM : 1;
unsigned long Verified_Boot : 1;
unsigned long Measured_Boot : 1;
unsigned long Protect_BIOS_Environment : 1;
unsigned long Enforcement_Policy : 2; // 00b – do nothing
// 01b – shutdown with timeout
// 11b – immediate shutdown
unsigned long : 26;
};Ngokubanzi, uqwalaselo lwe-Intel BG liqumrhu elibhetyebhetye kakhulu. Cinga, umzekelo, iflegi ye-Force_Boot_Guard_ACM. Xa isusiwe, ukuba imodyuli ye-BG yokuqalisa i-ACM kwi-flash ye-SPI ayifunyenwanga, akukho siqalo sithenjwa siya kwenzeka. Akayi kuthenjwa.
Sele sibhale ngasentla ukuba umgaqo-nkqubo wokunyanzeliswa kwemodi ye-VB unokuqwalaselwa ukuze ukuba kukho impazamo yokuqinisekisa, ukukhuphela okungathenjwa kuya kwenzeka.
Ziyeke izinto ezinjalo ngokubona kwabathengisi...
Usetyenziso lwe-GUI lubonelela ngolu hlobo lulandelayo "esele zenziwe" iinkangeleko:
Inani
Indlela
inkcazelo
0
Hayi_FVME
Itekhnoloji ye-Intel BG ivaliwe
1
VE
Imowudi yeVB yenziwe, icinyiwe ngexesha lokuphuma
2
VME
zombini iindlela zenziwe (i-VB kunye ne-MB), ukuvalwa kwexesha
3
VM
zombini iindlela zenziwe, ngaphandle kokucima inkqubo
4
FVE
Imowudi ye-VB yenziwe, icinyiwe kwangoko
5
FVME
zombini iindlela zenziwe, ukuvalwa kwangoko
Njengoko sele kukhankanyiwe, uqwalaselo lwe-Intel BG kufuneka lubhalwe kube kanye ngumthengisi wenkqubo kwi-chipset fuses (FPFs) - encinci (ngokolwazi olungaqinisekiswanga, kuphela i-256 bytes) yokugcina i-hardware yolwazi ngaphakathi kwe-chipset, enokucwangciswa. ngaphandle kwezixhobo ze-Intel zokuvelisa (yiyo loo nto kanye I-Findle Programmable iiFuse).
Ilungile ekugcineni ulungelelwaniso kuba:
- inommandla wexesha elinye-olucwangcisiweyo lokugcina idatha (kanye apho uqwalaselo lwe-Intel BG lubhalwe khona);
- Kuphela i-Intel ME enokufunda kwaye iyiprogram.
Ke, ukuze usete uqwalaselo lwetekhnoloji ye-Intel BG kwinkqubo ethile, umthengisi wenza oku kulandelayo ngexesha lemveliso:
- Ukusebenzisa i-Flash Image Tool utility (ukusuka kwi-Intel STK), yenza umfanekiso we-firmware kunye noqwalaselo lwe-Intel BG olunikeziweyo ngendlela yezinto eziguquguqukayo ngaphakathi kwingingqi ye-Intel ME (ebizwa ngokuba sisibuko sexeshana se-FPFs);
- Ukusebenzisa i-Flash Programming Tool utility (ukusuka kwi-Intel STK), ibhala lo mfanekiso kwimemori ye-SPI ye-flash yenkqubo kwaye ivale into ebizwa. imo yokuvelisa (kule meko, umyalelo ohambelanayo uthunyelwa kwi-Intel ME).
Ngenxa yale misebenzi, i-Intel ME iya kwenza amaxabiso achaziweyo ukusuka kwisibuko se-FPFs kummandla we-ME ukuya kwi-FPFs, ibeke izisombululo kwiinkcazo ze-SPI flash kumaxabiso acetyiswa yi-Intel (echazwe ekuqaleni article) kwaye wenze inkqubo SETHA FUTHI.
Uhlalutyo lwe-Intel Boot Guard ukuphunyezwa
Ukuze sihlalutye ukuphunyezwa kobu buchwepheshe sisebenzisa umzekelo othile, sijonge ezi nkqubo zilandelayo zokulandelela iteknoloji ye-Intel BG:
Inkqubo
Qaphela:
Gigabyte GA-H170-D3H
Skylake, kukho inkxaso
Gigabyte GA-Q170-D3H
Skylake, kukho inkxaso
Gigabyte GA-B150-HD3
Skylake, kukho inkxaso
I-MSI H170A yeMidlalo yePro
Skylake, akukho nkxaso
Lenovo ThinkPad 460
I-Skylake, ixhaswa, iteknoloji inikwe amandla
I-Lenovo Yoga 2 Pro
Haswell, akukho nkxaso
Lenovo U330p
Haswell, akukho nkxaso
Ngokuthi "inkxaso" sithetha ubukho be-Intel BG yokuqalisa imodyuli ye-ACM, ukubonakaliswa okukhankanywe ngasentla kunye nekhowudi ehambelanayo kwi-BIOS, okt. ukuphunyezwa kohlalutyo.
Njengomzekelo, makhe sithathe leyo ikhutshelweyo eofisini. umfanekiso wewebhusayithi yomthengisi wememori ye-SPI ye-flash ye-Gigabyte GA-H170-D3H (uhlobo lwe-F4).
Intel CPU boot ROM
Okokuqala, makhe sithethe ngezenzo zeprosesa ukuba iteknoloji ye-Intel BG ivuliwe.
Kwakungenakwenzeka ukufumana iisampulu ze-microcode efihliweyo, ngoko ke ukuba izenzo ezichazwe ngezantsi ziphunyezwa njani (kwi-microcode okanye kwi-hardware) ngumbuzo ovulekileyo. Nangona kunjalo, yinyani ukuba iiprosesa ze-Intel zanamhlanje "zinokwenza" ezi zenzo.
Emva kokuphuma kwimeko ye-RESET, iprosesa (imixholo yememori ye-flash sele ifakwe kwimephu kwindawo yedilesi) ifumana itafile ye-FIT (Firmware Interface Table). Kulula ukuyifumana; isalathiso kuyo sibhalwe kwidilesi FFFF FFC0h.
Kumzekelo oqwalaselwayo, ixabiso FFD6 9500h lifumaneka kule dilesi. Ngokufikelela kule dilesi, iprosesa ibona itafile ye-FIT, imixholo eyahlulahlulwe kwiirekhodi. Ungeno lokuqala yintloko yesi sakhiwo silandelayo:
typedef struct FIT_HEADER
{
char Tag[8]; // ‘_FIT_ ’
unsigned long NumEntries; // including FIT header entry
unsigned short Version; // 1.0
unsigned char EntryType; // 0
unsigned char Checksum;
};
Ngesizathu esingaziwayo, i-checksum ayisoloko ibalwa kwezi thebhile (umhlaba ushiywe ngu-zero).
Amangeno aseleyo akhomba kwiibhinari ezahlukeneyo ezifuna ukucalulwa/ukwenziwa phambi kokuba i-BIOS iphunyezwe, okt. phambi kokuba utshintshele kwi-RESET vector yelifa (FFFF FFF0h). Ulwakhiwo lwengeniso nganye lulolu hlobo lulandelayo:
typedef struct FIT_ENTRY
{
unsigned long BaseAddress;
unsigned long : 32;
unsigned long Size;
unsigned short Version; // 1.0
unsigned char EntryType;
unsigned char Checksum;
};
Indawo yoHlobo lokuNgena ikuxelela uhlobo lwebhloko olukhombayo longeno. Siyazi iintlobo ezininzi:
enum FIT_ENTRY_TYPES
{
FIT_HEADER = 0,
MICROCODE_UPDATE,
BG_ACM,
BIOS_INIT = 7,
TPM_POLICY,
BIOS_POLICY,
TXT_POLICY,
BG_KEYM,
BG_IBBM
};Ngoku kucacile ukuba elinye lamangeno likhomba indawo ye-Intel BG yokuqalisa i-ACM yokubini. Ulwakhiwo lweheader yale yokubini iqhelekile kwiimodyuli zekhowudi eziphuhliswe yi-Intel (ACMs, uhlaziyo lwe-microcode, amacandelo ekhowudi ye-Intel ME, ...).
typedef struct BG_ACM_HEADER
{
unsigned short ModuleType; // 2
unsigned short ModuleSubType; // 3
unsigned long HeaderLength; // in dwords
unsigned long : 32;
unsigned long : 32;
unsigned long ModuleVendor; // 8086h
unsigned long Date; // in BCD format
unsigned long TotalSize; // in dwords
unsigned long unknown1[6];
unsigned long EntryPoint;
unsigned long unknown2[16];
unsigned long RsaKeySize; // in dwords
unsigned long ScratchSize; // in dwords
unsigned char RsaPubMod[256];
unsigned long RsaPubExp;
unsigned char RsaSig[256];
};
Iprosesa ilayisha oku kubini kwi-cache yayo, iyayiqinisekisa kwaye iyiqhube.
Intel BG yokuqalisa i-ACM
Ngenxa yokuhlalutya umsebenzi wale ACM, kuye kwacaca ukuba yenza oku kulandelayo:
- ifumana uqwalaselo lwe-Intel BG kwi-Intel ME, ebhalwe kwii-chipset fuses (FPFs);
- ifumana i-KEYM kunye ne-IBBM ibonakalisa kwaye iziqinisekise.
Ukufumana oku kubonakaliswa, i-ACM isebenzisa itafile ye-FIT, eneentlobo ezimbini zokungena ukubonisa idatha yesakhiwo (bona i-FIT_ENTRY_TYPES ngasentla).
Makhe sijonge ngakumbi kwiimanifesto. Kulwakhiwo lwe-manifest yokuqala, sibona izinto ezininzi ezingacacanga, ihashi yesitshixo sikawonke-wonke esivela kumboniso wesibini, kunye neSitshixo seNqaku seOEM sikawonke-wonke esisayinwe njengesakhiwo esinendlwane:
typedef struct KEY_MANIFEST
{
char Tag[8]; // ‘__KEYM__’
unsigned char : 8; // 10h
unsigned char : 8; // 10h
unsigned char : 8; // 0
unsigned char : 8; // 1
unsigned short : 16; // 0Bh
unsigned short : 16; // 20h == hash size?
unsigned char IbbmKeyHash[32]; // SHA256 of an IBBM public key
BG_RSA_ENTRY OemRootKey;
};
typedef struct BG_RSA_ENTRY
{
unsigned char : 8; // 10h
unsigned short : 16; // 1
unsigned char : 8; // 10h
unsigned short RsaPubKeySize; // 800h
unsigned long RsaPubExp;
unsigned char RsaPubKey[256];
unsigned short : 16; // 14
unsigned char : 8; // 10h
unsigned short RsaSigSize; // 800h
unsigned short : 16; // 0Bh
unsigned char RsaSig[256];
};
Ukuqinisekisa isitshixo sikawonke-wonke se-OEM Root, siyakhumbula ukuba sisebenzisa i-SHA256 hash ye-fuses, esele ifunyenwe kwi-Intel ME.
Masiqhubele phambili kwi-manifesto yesibini. Inezakhiwo ezithathu:
typedef struct IBB_MANIFEST
{
ACBP Acbp; // Boot policies
IBBS Ibbs; // IBB description
IBB_DESCRIPTORS[];
PMSG Pmsg; // IBBM signature
};Eyokuqala iqulethe izinto ezingaguqukiyo:
typedef struct ACBP
{
char Tag[8]; // ‘__ACBP__’
unsigned char : 8; // 10h
unsigned char : 8; // 1
unsigned char : 8; // 10h
unsigned char : 8; // 0
unsigned short : 16; // x & F0h = 0
unsigned short : 16; // 0 < x <= 400h
};Eyesibini iqulethe i-SHA256 hash ye-IBB kunye nenani leenkcazo ezichaza imixholo ye-IBB (oko kukuthi, i-hash ibalwa phi):
typedef struct IBBS
{
char Tag[8]; // ‘__IBBS__’
unsigned char : 8; // 10h
unsigned char : 8; // 0
unsigned char : 8; // 0
unsigned char : 8; // x <= 0Fh
unsigned long : 32; // x & FFFFFFF8h = 0
unsigned long Unknown[20];
unsigned short : 16; // 0Bh
unsigned short : 16; // 20h == hash size ?
unsigned char IbbHash[32]; // SHA256 of an IBB
unsigned char NumIbbDescriptors;
};Abachazi be-IBB balandela esi sakhiwo, enye emva kwenye. Imixholo yazo inefomathi ilandelayo:
typedef struct IBB_DESCRIPTOR
{
unsigned long : 32;
unsigned long BaseAddress;
unsigned long Size;
};Ilula: isichazi ngasinye sinedilesi/ubungakanani be-IBB chunk. Ngaloo ndlela, i-concatenation yeebhloko ezibhekiselele kwezi zichazi (ngolandelelwano lwezichazi ngokwabo) yi-IBB. Kwaye, njengomthetho, i-IBB yingqokelela yazo zonke iimodyuli ze-SEC kunye nezigaba ze-PEI.
Umboniso wesibini ugqityezelwa lulwakhiwo oluqulathe isitshixo sikawonke-wonke se-IBB (ingqinwe yi-SHA256 hash ukusuka kumboniso wokuqala) kunye notyikityo lwalo mboniso:
typedef struct PMSG
{
char Tag[8]; // ‘__PMSG__’
unsigned char : 8; // 10h
BG_RSA_ENTRY IbbKey;
};
Ngoko, nangaphambi kokuba i-UEFI BIOS iqalise ukusebenza, iprosesa iya kuqalisa i-ACM, eya kuqinisekisa ubunyani bemixholo yamacandelo kunye ne-SEC kunye nekhowudi yesigaba se-PEI. Okulandelayo, iprosesa iphuma kwi-ACM, ilandela i-RESET vector kwaye iqala ukwenza i-BIOS.
Ulwahlulo oluqinisekisiweyo lwe-PEI kufuneka luqulathe imodyuli eya kukhangela yonke i-BIOS (ikhowudi yeDXE). Le modyuli sele iphuhliswa ngu-IBV (umthengisi weBIOS oZimeleyo) okanye umthengisi wenkqubo ngokwakhe. Ngokuba Kuphela ziinkqubo zeLenovo kunye neGigabyte ezazikhona kwaye zinenkxaso ye-Intel BG; makhe sijonge ikhowudi ekhutshwe kwezi nkqubo.
Imodyuli ye-UEFI BIOS LenovoVerifiedBootPei
Kwimeko yeLenovo, kwavela ukuba yimodyuli yeLenovoVerifiedBootPei {B9F2AC77-54C7-4075-B42E-C36325A9468D}, ephuhliswe nguLenovo.
Umsebenzi wayo kukukhangela phezulu (nge-GUID) itafile ye-hash ye-DXE kwaye uqinisekise i-DXE.
if (EFI_PEI_SERVICES->GetBootMode() != BOOT_ON_S3_RESUME)
{
if (!FindHashTable())
return EFI_NOT_FOUND;
if (!VerifyDxe())
return EFI_SECURITY_VIOLATION;
}Хеш таблица {389CC6F2-1EA8-467B-AB8A-78E769AE2A15} имеет следующий формат:
typedef struct HASH_TABLE
{
char Tag[8]; // ‘$HASHTBL’
unsigned long NumDxeDescriptors;
DXE_DESCRIPTORS[];
};typedef struct DXE_DESCRIPTOR
{
unsigned char BlockHash[32]; // SHA256
unsigned long Offset;
unsigned long Size;
};Imodyuli ye-UEFI BIOS BootGuardPei
Kwimeko yeGigabyte, kwavela ukuba yimodyuli yeBootGuardPei {B41956E1-7CA2-42DB-9562-168389F0F066}, ephuhliswe yi-AMI, ngoko ke, ikhona kuyo nayiphi na i-AMI BIOS ngenkxaso ye-Intel BG.
I-algorithm yokusebenza kwayo yahlukile, nangona kunjalo, iphelela kwinto enye:
int bootMode = EFI_PEI_SERVICES->GetBootMode();
if (bootMode != BOOT_ON_S3_RESUME &&
bootMode != BOOT_ON_FLASH_UPDATE &&
bootMode != BOOT_IN_RECOVERY_MODE)
{
HOB* h = CreateHob();
if (!FindHashTable())
return EFI_NOT_FOUND;
WriteHob(&h, VerifyDxe());
return h;
}Itheyibhile yehashi {389CC6F2-1EA8-467B-AB8A-78E769AE2A15} ikhangelayo inale fomati ilandelayo:
typedef HASH_TABLE DXE_DESCRIPTORS[];
typedef struct DXE_DESCRIPTOR
{
unsigned char BlockHash[32]; // SHA256
unsigned long BaseAddress;
unsigned long Size;
};Intel Boot Guard 2.x
Makhe sithethe ngokufutshane malunga nolunye ukuphunyezwa kwe-Intel Boot Guard, eyafunyanwa kwinkqubo entsha esekwe kwi-Intel SoC ene-Apollo Lake microarchitecture-ASRock J4205-IT.
Nangona olu guqulelo luya kusetyenziswa kuphela kwii-SoCs (iinkqubo ezintsha ezineprosesa ye-Kaby Lake microarchitecture iqhubeka nokusebenzisa i-Intel Boot Guard 1.x), inomdla omkhulu wokufunda ukhetho olutsha lwezakhiwo ze-Intel SoC, ezibone utshintsho olubalulekileyo, umzekelo :
- imimandla ye-BIOS kunye ne-Intel ME (okanye kunokuba i-Intel TXE, ngokwesigama se-Intel SoC) ngoku iyindawo enye ye-IFWI;
- nangona i-Intel BG yenziwe eqongeni, izakhiwo ezifana ne-FIT, KEYM, IBBM azifumanekanga kwimemori yeflash;
- Ukongeza kwi-TXE kunye ne-ISH cores (x86), ingundoqo yesithathu yongezwa kwi-chipset (i-ARC kwakhona, ngendlela) - i-PMC (uMlawuli woLawulo lwaMandla), ehambelana nokuqinisekisa ukusebenza kwenkqubo engaphantsi kwamandla kunye nokubeka iliso ekusebenzeni.
Umxholo wommandla omtsha we-IFWI yiseti yezi modyuli zilandelayo:
Ukugxothwa
Igama
inkcazelo
0000h
SMIP
uqwalaselo lweqonga elithile, elisayinwe ngumthengisi
0000h
RBEP
Icandelo lekhowudi ye-Intel TXE, i-x86, isayinwe i-Intel
0001h
PMCP
Icandelo lekhowudi ye-Intel PMC, i-ARC, isayinwe i-Intel
0002h
I-FTPR
Icandelo lekhowudi ye-Intel TXE, i-x86, isayinwe i-Intel
0007 B000h
UCOD
uhlaziyo lwe-microcode ye-CPU, esayinwe yi-Intel
0008h
IBBP
UEFI BIOS, SEC/PEI izigaba, x86, isayinwe ngumthengisi
0021h
ISHC
Icandelo lekhowudi ye-Intel ISH ye-firmware, x86, esayinwe ngumthengisi
0025h
I-NFTP
Icandelo lekhowudi ye-Intel TXE, i-x86, isayinwe i-Intel
0036h
IUNP
ayaziwa
0038h
I-OBBP
UEFI BIOS, DXE isigaba, x86, engasayinwanga
Ngethuba lokuhlalutya kwe-firmware ye-TXE, kwacaca ukuba emva kwe-RESET, i-TXE igcina iprosesa kule meko ide ilungiselele imixholo esisiseko yendawo yedilesi ye-CPU (FIT, ACM, RESET vector ...). Ngaphezu koko, i-TXE ibeka le datha kwi-SRAM yayo, emva koko inika iprosesa ukufikelela apho kwaye "iyikhupha" kwi-RESET.
Qaphela kwii-rootkits
Kulungile, ngoku makhe siqhubele phambili kwizinto “ezishushu”. Sakhe safumanisa ukuba kwiinkqubo ezininzi, SPI flash izichazi ziqulathe iimvume ukufikelela kwimimandla SPI flash memory ukuze bonke abasebenzisi le nkumbulo bakwazi ukubhala kwaye ukufunda nawuphi na ummandla. Ezo. akho ndlela yimbi.
Emva kokutshekisha nge-MEinfo utility (ukusuka kwi-Intel STK), sabona ukuba imodi yokuvelisa kwezi nkqubo ayivaliwe, ngoko ke, i-chipset fuses (FPFs) ishiywe kwimeko engachazwanga. Ewe, i-Intel BG ayivulwanga okanye ayicinywanga kwiimeko ezinjalo.
Sithetha ngezi nkqubo zilandelayo (ngokumalunga ne-Intel BG kwaye yintoni eza kuchazwa kamva kwinqaku, siza kuthetha ngeenkqubo ezine-Haswell processor microarchitecture nangaphezulu):
- zonke iimveliso zeGigabyte;
- zonke iimveliso zeMSI;
- Iimodeli ezingama-21 zeelaptops zeLenovo kunye neemodeli ezi-4 zeeseva zeLenovo.
Ewe kunjalo, sixele ukufunyanwa kwaba bathengisi, kunye nakwi-Intel.
Ukusabela okwaneleyo kwavela kuphela lenovongubani owaqaphela ingxaki kwaye .
Gigabyte Babonakala belwamkela ulwazi malunga nokuba sesichengeni, kodwa abazange baphawule nangayiphi na indlela.
Unxibelelwano kunye MSI zimiswe ngokupheleleyo kwisicelo sethu sokuthumela isitshixo sakho sikawonke-wonke sePGP (ukubathumelela ingcebiso yokhuseleko kwifomu efihliweyo). Bachaza ukuba "bangabavelisi be-hardware kwaye abavelisi izitshixo ze-PGP."
Kodwa makhe sifikelele kwinqanaba. Kuba iifusi zishiywe kwimeko engachazwanga, umsebenzisi (okanye umhlaseli) angazicwangcisa ngokuzimeleyo (eyona nto inzima ). Ukwenza oku, kufuneka ugcwalise la manyathelo alandelayo.
1. Qalisa kwi-Windows OS (ngokubanzi, izenzo ezichazwe ngezantsi zinokwenziwa phantsi kweLinux, ukuba uphuhlisa i-analogue ye-Intel STK ye-OS efunwayo). Usebenzisa into eluncedo ye-MEinfo, qiniseka ukuba iifusi azicwangciswanga kule nkqubo.
2. Funda imixholo yememori edanyazayo usebenzisa iSixhobo sokuCwangcisa seFlash.
3. Vula umfanekiso ofundwayo usebenzisa nasiphi na isixhobo sokuhlela se-UEFI BIOS, yenza utshintsho oluyimfuneko (ukwazisa i-rootkit, umzekelo), yenza / uhlele izakhiwo ezikhoyo ze-KEYM kunye ne-IBBM kummandla we-ME.
Umfanekiso ubonisa indawo yoluntu yesitshixo se-RSA, i-hash eya kucwangciswa kwi-chipset fuses kunye nayo yonke i-Intel BG yoqwalaselo.
4. Ukusebenzisa i-Flash Image Tool, yakha umfanekiso omtsha we-firmware (ngokusetha i-Intel BG uqwalaselo).
5. Bhala umfanekiso omtsha kwimemori edanyazayo usebenzisa iFlash Programming Tool, kwaye uqinisekise usebenzisa i-MEinfo ukuba ummandla we-ME ngoku uqulethe uqwalaselo lwe-Intel BG.
6. Sebenzisa iFlash Programming Tool ukuvala imo yokuvelisa.
7. Inkqubo iya kuqalisa kwakhona, emva koko ungasebenzisa i-MEinfo ukuqinisekisa ukuba ii-FPFs zicwangcisiwe ngoku.
Ezi zenzo ngonaphakade yenza i-Intel BG isebenze kule nkqubo. Isenzo asinakuphinda singenziwa, okuthetha ukuthi:
- Kuphela umnini wecandelo labucala leqhosha lengcambu (oko kukuthi, lowo wenze i-Intel BG) uya kukwazi ukuhlaziya i-UEFI BIOS kule nkqubo;
- ukuba ubuyisela i-firmware yokuqala kule nkqubo, umzekelo, usebenzisa umdwelisi, ayiyi kuvulwa (isiphumo somgaqo-nkqubo wokunyanzeliswa kwimeko yempazamo yokuqinisekisa);
- ukulahla i-UEFI BIOS enjalo, kufuneka utshintshe i-chipset nge-FPF ecwangcisiweyo kunye "ecocekileyo" (oko kukuthi, ukubuyisela kwakhona i-chipset ukuba unokufikelela kwisikhululo sokuthengiswa kwe-infrared ixabiso lemoto, okanye utshintshe i-motherboard ).
Ukuze uqonde ukuba yintoni i-rootkit enokuyenza, kufuneka uvavanye ukuba yintoni eyenza kube lula ukwenza ikhowudi yakho kwindawo ye-UEFI BIOS. Masithi, kwimowudi yeprosesa enelungelo kakhulu-SMM. I-rootkit enjalo ingaba neempawu ezilandelayo:
- isetyenziswe ngokuhambelana ne-OS (ungaqwalasela inkqubo ukuvelisa uphazamiseko lwe-SMI, oluya kuqhutywa sisibali-xesha);
- ube nazo zonke iingenelo zokuba kwimodi ye-SMM (ukufikelela ngokupheleleyo kwimixholo ye-RAM kunye nezixhobo ze-hardware, imfihlo evela kwi-OS);
- Ikhowudi yenkqubo yerootkit inokuguqulelwa ngokuntsonkothileyo kwaye ikhutshelwe xa iqaliswa ngendlela yeSMM. Nayiphi na idatha ekhoyo kuphela kwimo ye-SMM ingasetyenziswa njengeqhosha loguqulelo oluntsonkothileyo. Umzekelo, i-hash evela kwiseti yeedilesi kwi-SMRAM. Ukuze ufumane esi sitshixo, kuya kufuneka ungene kwi-SMM. Kwaye oku kunokwenziwa ngeendlela ezimbini. Fumana i-RCE kwikhowudi ye-SMM kwaye uyisebenzise, okanye ungeze eyakho imodyuli yeSMM kwi-BIOS, engenakwenzeka ukususela oko senze iBoot Guard.
Ke, obu buthathaka buvumela umhlaseli ukuba:
- yenza i-rootkit efihliweyo, engacimekiyo yenjongo engaziwayo kwinkqubo;
- yenza ikhowudi yakho kwenye ye-chipset cores ngaphakathi kwe-Intel SoC, eyile, kwi-Intel ISH (jonga ngononophelo umfanekiso).
Nangona amandla e-Intel ISH engaphantsi kwenkqubo ayikaphononongwa, kubonakala ngathi yinto enomdla yokuhlaselwa kwe-Intel ME.
ezifunyanisiweyo
- Uphononongo lwenza ukuba kube lula ukufumana inkcazo yobugcisa bokusebenza kweteknoloji ye-Intel Boot Guard. Ukususa iimfihlo ezimbalwa kukhuseleko lwe-Intel ngokusebenzisa imodeli yokungacaci.
- Imeko yohlaselo ibonisiwe ekuvumela ukuba wenze i-rootkit engafakwanga kwisixokelelwano.
- Sibonile ukuba iiprosesa ze-Intel zanamhlanje ziyakwazi ukwenza uninzi lwekhowudi yobunini nangaphambi kokuba i-BIOS iqale ukusebenza.
- Iiplatifomu ezine-Intel 64 zezakhiwo ziba ngaphantsi kwaye zingaphantsi kokufaneleka ekusebenziseni isofthiwe yamahhala: ukuqinisekiswa kwe-hardware, inani elikhulayo lobuchwepheshe obunini kunye ne-subsystems (ii-cores ezintathu kwi-chipset ye-SoC: x86 ME, x86 ISH kunye ne-ARC PMC).
Ungenelelo
Abathengisi abashiya ngabom indlela yokuvelisa ivuliwe kufuneka baqiniseke ukuba bayayivala. Ukuza kuthi ga ngoku, amehlo abo kuphela avaliwe, kwaye iinkqubo ezintsha zeLake Lake zibonisa oku.
Abasebenzisi banokukhubaza i-Intel BG kwiinkqubo zabo (ezinokuthi zichaphazeleke kubuthathaka obuchaziweyo) ngokuqhuba iSixhobo sokuCwangcisa seFlash kunye neparamitha -closemnf. Okokuqala, kufuneka uqiniseke (usebenzisa i-MEinfo) ukuba uqwalaselo lwe-Intel BG kummandla we-ME lubonelela ngokucinywa kobu buchwepheshe emva kwenkqubo kwi-FPFs.
umthombo: www.habr.com