Vulnerability in AMD CPUs that allows bypassing the SEV (Secure Encrypted Virtualization) protection mechanism

Researchers at the Helmholtz Center for Information Security (CISPA) have published a new attack method, CacheWarp, for compromising the AMD SEV (Secure Encrypted Virtualization) security mechanism used in virtualization systems to protect virtual machines from interference by the hypervisor or the host system administrator. The proposed method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges inside a virtual machine protected with AMD SEV.

The attack relies on exploiting a vulnerability (CVE-2023-20592) caused by incorrect cache handling during execution of the processor's INVD instruction. With its help it is possible to create a mismatch between the data in memory and the data in the cache, and to bypass the mechanisms that maintain the integrity of virtual machine memory implemented on top of the SEV-ES and SEV-SNP extensions. The vulnerability affects AMD EPYC processors from the first to the third generation.

For third-generation AMD EPYC processors (Zen 3), the issue is resolved in the November microcode update released yesterday by AMD (the fix does not cause any performance degradation). For the first and second generations of AMD EPYC (Zen 1 and Zen 2), no protection is provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. Fourth-generation AMD EPYC "Genoa" processors based on the "Zen 4" microarchitecture are not vulnerable.

AMD SEV technology is used for virtual machine isolation by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. In addition, the SEV-ES (Encrypted State) extension protects CPU registers. Only the current guest system has access to the decrypted data; when other virtual machines or the hypervisor try to access this memory, they receive an encrypted set of data.

Third-generation AMD EPYC processors introduced an additional extension, SEV-SNP (Secure Nested Paging), which ensures secure operation of nested memory page tables. In addition to general memory encryption and register isolation, SEV-SNP implements further measures to protect memory integrity by preventing modification of the VM by the hypervisor. Encryption keys are managed on the side of a separate PSP (Platform Security Processor) built into the chip and implemented on the basis of the ARM architecture.

The essence of the proposed attack method is to use the INVD instruction to invalidate blocks (lines) of dirty pages in the cache without flushing the data accumulated in the cache to memory (write-back). The method thus allows modified data to be evicted from the cache without changing the state of memory. To carry out the attack, software exceptions (fault injection) are used to interrupt the operation of the virtual machine at two points: at the first point, the attacker invokes the "wbnoinvd" instruction to flush all memory write operations accumulated in the cache, and at the second point invokes the "invd" instruction to roll back the write operations not yet reflected in memory to the old state.

To check your systems for the vulnerability, a prototype exploit has been published that allows exceptions to be injected into a virtual machine protected by AMD SEV and changes in the VM that have not yet been flushed to memory to be rolled back. Rolling back changes can be used to alter the program flow by restoring an old return address on the stack, or to reuse the login parameters of an old, previously authenticated session by restoring the value of the authentication attribute.

As an example, the researchers showed that the CacheWarp method can be used to carry out a Bellcore attack on the RSA-CRT implementation in the ipp-crypto library, which makes it possible to recover the private key by substituting a faulty value during digital signature computation. They also showed how the session authentication parameters in OpenSSH can be changed when connecting remotely to a guest system, and how the verification state can then be changed when using the sudo utility to obtain root privileges on Ubuntu 20.04. The exploit has been tested on systems with AMD EPYC 7252, 7313P and 7443 processors.
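The Bellcore attack on RSA-CRT mentioned above, and the standard verify-before-release countermeasure that stops a single faulted signature from leaking the key, as an added example that is not the researchers' code or part of ipp-crypto; the tiny key, the message and the simulated fault are constructed for illustration only:

```python
from math import gcd

# Constructed toy RSA key (tiny primes chosen for readability, not for use).
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents
QINV = pow(Q, -1, P)                    # q^-1 mod p for Garner recombination


def rsa_crt_sign(m, fault_in_q=False):
    """RSA-CRT signature; fault_in_q simulates one corrupted half-exponentiation,
    the kind of single stale value a rolled-back cache line can produce."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q:
        sq = (sq + 1) % Q              # simulated fault: only the mod-q residue is wrong
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def recover_factor(m, faulty_sig):
    """Bellcore observation: a signature that is correct mod p but wrong mod q
    satisfies s^e == m only modulo p, so gcd(s^e - m, N) exposes p."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def rsa_crt_sign_checked(m, fault_in_q=False):
    """Countermeasure: verify with the public key before releasing the signature,
    so a faulted result is never handed to the caller."""
    s = rsa_crt_sign(m, fault_in_q)
    if pow(s, E, N) != m % N:
        raise RuntimeError("RSA-CRT self-check failed; signature withheld")
    return s


def checked_sign_rejects_fault(m):
    """True if the checked signer refuses to emit a faulted signature."""
    try:
        rsa_crt_sign_checked(m, fault_in_q=True)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    msg = 123456789                     # constructed sample message
    bad = rsa_crt_sign(msg, fault_in_q=True)
    print("factor leaked by one faulty signature:", recover_factor(msg, bad) == P)
    print("checked signer withholds faulty output:", checked_sign_rejects_fault(msg))
```

The check costs one public-key exponentiation per signature, which is why fault-hardened RSA-CRT implementations accept it.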

Source: opennet.ru