Vulnerability in AMD SEV that allows the encryption keys to be recovered

Developers from the Google Cloud team have identified a vulnerability (CVE-2019-9836) in the implementation of the AMD SEV (Secure Encrypted Virtualization) technology that allows data protected by this technology to be compromised. AMD SEV provides transparent encryption of virtual machine memory at the hardware level: only the current guest system can access the decrypted data, while other virtual machines and the hypervisor see only ciphertext when they attempt to access this memory.

The identified problem makes it possible to fully recover the contents of the private PDH key, which is handled inside the protected PSP processor (AMD Security Processor) and is inaccessible to the host OS.
Holding the PDH key, an attacker can recover the session key and the secret sequence specified when the virtual machine was created, and thereby gain access to the encrypted data.

The vulnerability is caused by flaws in the implementation of elliptic curve cryptography (ECC) that make an attack on the curve parameters possible. While executing the command to launch a protected virtual machine, an attacker can submit curve parameters that do not match the NIST-recommended parameters, which results in low-order point values being used in the multiplication operations performed with the private key data.

The security of the ECDH protocol depends directly on the order of the curve's generated base point, for which the discrete logarithm is a very hard problem. During one of the initialization steps of the AMD SEV environment, the private key computations use parameters received from the user. In essence, the operation is a multiplication involving two points, one of which corresponds to the private key. If the second point belongs to a subgroup of small prime order, then the attacker can determine the parameters of the first point (the bits of the modulus used in the modulo operation) by trying every possible value. To determine the private key, the fragments recovered for the chosen small primes can be combined using the Chinese Remainder Theorem.
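As an added illustration (not AMD's firmware code and not from the original article), the following Python uses a constructed toy curve to show why a peer-supplied point must be validated before the scalar multiplication: the addition and doubling formulas never use the curve constant b, so an off-curve point is silently processed on a different curve that may have small-order points, while the hardened version rejects it.

```python
# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (not a NIST curve).
P_MOD, A, B = 97, 2, 3
INF = None  # point at infinity


def on_curve(pt):
    """Check that pt satisfies the intended curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p, q):
    """Affine group law; note that B is never used here."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = INF
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def point_order(pt, limit=1000):
    """Smallest n with n*pt = INF (brute force, toy sizes only)."""
    q = pt
    for n in range(1, limit + 1):
        if q is INF:
            return n
        q = add(q, pt)
    raise ValueError("order above limit")


def unchecked_shared_secret(priv, peer):
    """Vulnerable pattern: trusts the peer point and multiplies directly."""
    return mul(priv, peer)


def checked_shared_secret(priv, peer, n):
    """Hardened pattern: on-curve check plus subgroup check n*peer = INF."""
    if peer is INF or not on_curve(peer):
        raise ValueError("peer point is not on the agreed curve")
    if mul(n, peer) is not INF:
        raise ValueError("peer point is not in the agreed subgroup of order n")
    return mul(priv, peer)
```

With the constructed point (3, 7), which is off the curve, the unchecked function still returns a result, but that result lies on the substitute curve y^2 = x^3 + 2x + 16, not on the intended one.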

The problem affects AMD EPYC server platforms using SEV firmware up to version 0.17 build 11. AMD has already published a firmware update that adds rejection of points that do not lie on the NIST curve. At the same time, previously generated certificates for PDH keys remain valid, which allows an attacker to carry out an attack by migrating virtual machines from environments protected against the vulnerability to environments still affected by the problem. The possibility of an attack that rolls back the firmware to an old vulnerable release has also been mentioned, but this possibility has not yet been confirmed.

Source: opennet.ru
