LVI is a new class of attacks on the speculative execution mechanism in CPUs

Information has been published about a new class of attacks, LVI (Load Value Injection, CVE-2020-0551), on the speculative execution mechanism in Intel CPUs. The attacks can be used to leak keys and secret data from Intel SGX enclaves and other processes.

The new class of attacks is based on manipulating the same microarchitectural structures that are used in the MDS (Microarchitectural Data Sampling), Spectre and Meltdown attacks. At the same time, the new attacks are not blocked by the existing protections against Meltdown, Spectre, MDS and other similar attacks. Effective protection against LVI requires hardware changes to the CPU. When the protection is implemented in software, by having the compiler add an LFENCE instruction after every load from memory and replace the RET instruction with POP, LFENCE and JMP, the overhead is too high: according to the researchers, full software protection would reduce performance by a factor of 2 to 19.
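The compiler-level mitigation described above can be checked mechanically. The following is an added example, not code from the researchers or Intel: a heuristic Python audit of an AT&T-syntax assembly listing that flags loads not followed by LFENCE and any remaining RET. The sample listing, the names `is_load` and `audit`, and the use of `%rcx` as the scratch register are assumptions; memory operands written without parentheses and implicit string loads are not detected.

```python
import re

MEM = re.compile(r"\(.*\)")                # AT&T memory operand, e.g. 8(%rdi,%rcx,4)
TOP_COMMA = re.compile(r",(?![^()]*\))")   # operand separators (commas outside parentheses)

# Constructed sample listing: one unprotected function, one with the sequences described above.
SAMPLE = """\
unhardened:
    movq (%rdi), %rax
    addq 8(%rdi), %rax
    movq %rax, 16(%rdi)
    ret
hardened:
    movq (%rdi), %rax
    lfence
    popq %rcx
    lfence
    jmpq *%rcx
"""

def is_load(mnemonic, operands):
    """Heuristic: True if the instruction reads a value from memory."""
    if mnemonic.startswith("pop"):
        return True                        # pop reads the stack
    if mnemonic.startswith(("lea", "nop", "prefetch")):
        return False                       # no architectural data load
    mem = [i for i, op in enumerate(operands) if MEM.search(op)]
    # mov*/set* with memory only as the destination is a pure store
    store_only = mnemonic.startswith(("mov", "set")) and mem == [len(operands) - 1]
    return bool(mem) and not store_only

def audit(listing):
    """Return (line_no, text, reason) for every instruction that breaks the rule."""
    insns = []
    for no, raw in enumerate(listing.splitlines(), 1):
        text = raw.split("#")[0].strip()
        if not text or text.endswith(":") or text.startswith("."):
            continue                       # blank lines, labels, directives
        parts = text.split(None, 1)
        ops = [o.strip() for o in TOP_COMMA.split(parts[1])] if len(parts) > 1 else []
        insns.append((no, text, parts[0].lower(), ops))
    findings = []
    for i, (no, text, mn, ops) in enumerate(insns):
        nxt = insns[i + 1][2] if i + 1 < len(insns) else ""
        if mn.startswith("ret"):
            findings.append((no, text, "RET not replaced by POP/LFENCE/JMP"))
        elif is_load(mn, ops) and nxt != "lfence":
            findings.append((no, text, "load not followed by LFENCE"))
    return findings
```

Calling `audit(SAMPLE)` reports lines 2, 3 and 5 of the constructed listing; the store on line 4 and the whole `hardened` function pass.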

The difficulty of blocking the problem is partly offset by the fact that the attack is currently more theoretical than practical (the attack is theoretically possible, but very hard to carry out and has been reproduced only in synthetic tests).
Intel assigned the problem a moderate severity level (5.6 out of 10) and released an update to the firmware and to the SDK for the SGX environment, in which it tried to block the attack with a workaround. The proposed attack methods currently apply only to Intel processors, but the possibility of adapting LVI to other processors that are affected by Meltdown-class attacks cannot be ruled out.

The problem was identified last April by researcher Jo Van Bulck of the University of Leuven. After that, with the participation of 9 researchers from other universities, five basic attack methods were developed, each of which allows for more specific variants. Independently, in February of this year, researchers from Bitdefender also discovered one of the LVI attack variants and reported it to Intel. The attack variants differ in the microarchitectural structures they use, such as the store buffer (SB, Store Buffer), the fill buffer (LFB, Line Fill Buffer), the FPU context switch buffer and the first-level cache (L1D), which were previously used in attacks such as ZombieLoad, RIDL, Fallout, LazyFP, Foreshadow and Meltdown.


The main difference between LVI and the MDS attacks is that MDS manipulates the determination of the contents of microarchitectural structures that remain in the cache after speculative fault handling or load and store operations, while LVI attacks allow the attacker's data to be injected into microarchitectural structures in order to influence the subsequent speculative execution of the victim's code. Using these manipulations, an attacker can extract the contents of private data structures in other processes while certain code executes on the target CPU core.


To exploit the problem, the code of the victim process must contain special code sequences (gadgets) in which an attacker-controlled value is loaded, and loading this value causes an exception (fault, abort or assist) to be raised, which discards the result and re-executes the instruction. While the exception is being processed, a speculative window appears during which the data processed in the gadget leaks. In particular, the processor begins executing a piece of code (the gadget) in speculative mode, then determines that the prediction was not justified and rolls the operations back to their original state, but the data processed during speculative execution is deposited in the L1D cache and the microarchitectural buffers, and can be retrieved from them using known methods for determining residual data through side channels.

An "assist" exception, unlike a "fault", is handled internally by the processor without invoking software handlers. An assist can occur, for example, when the A (Accessed) or D (Dirty) bit in the memory page table needs to be updated. The main difficulty in attacking other processes is how to trigger an assist by manipulating the victim process. There are currently no reliable ways to do this, but it is possible that they will be found in the future. So far the possibility of carrying out the attack has been confirmed only for Intel SGX enclaves; the other scenarios are theoretical or reproducible only under synthetic conditions (they require adding certain gadgets to the code).


Possible attack vectors:

  • Leaking data from kernel structures to a user-level process. The Linux kernel's protection against Spectre 1 attacks, together with the SMAP (Supervisor Mode Access Prevention) protection mechanism, significantly reduces the likelihood of an LVI attack. Adding further protection to the kernel may be needed if simpler LVI attack methods are identified in the future.
  • Leaking data between different processes. The attack requires the presence of certain code fragments in the application and the determination of a method for raising an exception in the target process.
  • Leaking data from the host environment to a guest system. The attack is classified as too complex, requiring various hard-to-implement steps and prediction of activity in the system.
  • Leaking data between processes in different guest systems. The attack vector is close to organizing a data leak between different processes, but additionally requires complex manipulations to bypass the isolation between guest systems.

The researchers have published several prototypes that demonstrate the principles of carrying out the attack, but they are not yet suitable for real attacks. The first example makes it possible to redirect speculative code execution in the victim process, similar to return-oriented programming (ROP, Return-Oriented Programming). In this example the victim is a specially prepared process containing the necessary gadgets (applying the attack to real third-party processes is difficult). The second example makes it possible to interfere with the computations during AES encryption inside an Intel SGX enclave and to organize a data leak during the speculative execution of instructions in order to recover the value of the key used for encryption.


Source: opennet.ru
