IBM, Google, Microsoft and Intel form an alliance to develop open data protection technologies

The Linux Foundation has announced the founding of the Confidential Computing Consortium, which aims to develop open technologies and standards for secure in-memory data processing and confidential computing. Companies such as Alibaba, Arm, Baidu, Google, IBM, Intel, Tencent and Microsoft have already joined the project and intend to work together on a neutral platform to develop technologies for isolating data in memory during computation.

The main goal is to provide the means to support a full data processing cycle in encrypted form, without the information appearing in the clear at individual stages. The consortium's area of interest primarily covers technologies related to using encrypted data during computation, namely the use of isolated enclaves, protocols for multi-party computation, manipulation of encrypted data in memory, and complete isolation of data in memory (for example, to prevent the host system administrator from accessing data in the memory of guest systems).

The following projects have been transferred for independent development as part of the Confidential Computing Consortium:

  • Intel has handed over, for continued joint development, its previously opened
    components for using SGX (Software Guard Extensions) technology on Linux, including an SDK with a set of tools and libraries. SGX proposes using a set of special processor instructions to allocate private memory regions to user-level applications; the contents of these regions are encrypted and cannot be read or modified even by the kernel or by code running in ring0, SMM and VMM modes;

  • Microsoft has contributed the Open Enclave framework, which lets you create applications for various TEE (Trusted Execution Environment) architectures using a single API and an abstract representation of the enclave. An application prepared with Open Enclave can run on systems with different enclave implementations. Of the TEEs, only Intel SGX is currently supported. Code to support ARM TrustZone is under development. Support for Keystone, AMD PSP (Platform Security Processor) and AMD SEV (Secure Encrypted Virtualization) has not been reported.

  • Red Hat has contributed the Enarx project, which provides an abstraction layer for creating universal applications that run in enclaves, support various TEE environments, are independent of hardware architectures, and allow the use of various programming languages (a WebAssembly-based runtime is used). The project currently supports AMD SEV and Intel SGX technologies.

Among similar projects that were overlooked, we can note the Asylo framework, which is developed mainly by Google engineers but is not an officially supported Google product. The framework makes it easy to adapt applications so that the part of their functionality that requires additional protection is moved to the side of a protected enclave. Of the hardware isolation mechanisms, Asylo supports only Intel SGX, but a software mechanism for building enclaves based on virtualization is also available.

Recall that an enclave (TEE, Trusted Execution Environment) involves the processor providing a special isolated area that allows part of the functionality of applications and the operating system to be moved into a separate environment whose memory contents and executable code are inaccessible from the main system, regardless of the level of privileges available. Implementations of various encryption algorithms, functions for processing private keys and passwords, authentication procedures, and code for working with confidential data can be moved into the enclave for execution.

If the main system is compromised, the attacker will not be able to determine the information stored in the enclave and will be limited to the external software interface only. The use of hardware enclaves can be seen as an alternative to protecting computations with methods based on homomorphic encryption or confidential computing protocols, but unlike these technologies, an enclave does not affect the performance of computations on confidential data and makes development easier.

Source: opennet.ru
