Vulnerability in AMD CPUs allows bypassing the SEV (Secure Encrypted Virtualization) protection mechanism

Researchers at the Helmholtz Center for Information Security (CISPA) have published a new attack technique, CacheWarp, that compromises the AMD SEV (Secure Encrypted Virtualization) security mechanism used in virtualization systems to protect virtual machines from interference by the hypervisor or the host system administrator. The proposed technique allows an attacker with access to the hypervisor to execute third-party code and escalate privileges inside a virtual machine protected with AMD SEV.

The attack exploits a vulnerability (CVE-2023-20592) caused by incorrect cache behaviour during execution of the INVD processor instruction, which can be used to create a mismatch between the data in memory and the data in the cache, and thereby bypass the virtual machine memory integrity mechanisms implemented on top of the SEV-ES and SEV-SNP extensions. The vulnerability affects first- through third-generation AMD EPYC processors.

For third-generation AMD EPYC processors (Zen 3), the problem is fixed in the November microcode update released yesterday by AMD (the fix does not cause any performance degradation). For first- and second-generation AMD EPYC (Zen 1 and Zen 2), no protection is provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. Fourth-generation AMD EPYC "Genoa" processors, based on the "Zen 4" microarchitecture, are not vulnerable.
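Because the mitigation advice above splits by EPYC generation (Zen 3: apply microcode; Zen 1/2: no fix; Zen 4: not affected), a host operator's first step is an inventory of which generation each host runs and whether it exposes SEV, SEV-ES and SEV-SNP. The following Python script is an added example, not code from the researchers or from AMD: it parses `/proc/cpuinfo` text and classifies the host accordingly. It assumes that the last digit of the four-digit EPYC model number encodes the generation (7xx1 = Zen 1, 7xx2 = Zen 2, 7xx3 = Zen 3, 9xx4 = Zen 4), that Linux reports the SEV feature bits as the flags `sev`, `sev_es` and `sev_snp`, and the sample `/proc/cpuinfo` blocks are constructed (the microcode value is a placeholder).

```python
"""Inventory check for CacheWarp (CVE-2023-20592) exposure on AMD EPYC hosts.

Added example. Reads /proc/cpuinfo (or a string in that format) and reports
which EPYC generation the host runs and whether it exposes SEV / SEV-ES /
SEV-SNP, so the operator knows which branch of the mitigation advice applies.
"""
import re
import sys

# Assumption: the last digit of the four-digit EPYC model number encodes the
# generation (7xx1 = Zen 1, 7xx2 = Zen 2, 7xx3 = Zen 3, 9xx4 = Zen 4 "Genoa").
_EPYC_MODEL = re.compile(r"\bEPYC\s+(\d)(\d)(\d)(\d)[A-Z]*\b")

# Assumption: Linux exposes the SEV feature bits under these flag names.
SEV_FLAGS = ("sev", "sev_es", "sev_snp")


def parse_cpuinfo(text):
    """Return the fields of the first processor entry as a dict."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the first processor block
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def epyc_generation(model_name):
    """Return 1..4 for a recognised EPYC model name, else None."""
    m = _EPYC_MODEL.search(model_name)
    if not m:
        return None
    gen = int(m.group(4))
    return gen if 1 <= gen <= 4 else None


def assess(text):
    """Classify a /proc/cpuinfo text against the CacheWarp advisory."""
    info = parse_cpuinfo(text)
    flags = set(info.get("flags", "").split())
    gen = epyc_generation(info.get("model name", ""))
    sev = {f: (f in flags) for f in SEV_FLAGS}
    if gen is None:
        status = "unknown: model name not recognised as AMD EPYC"
    elif gen == 4:
        status = "not affected (Zen 4 / Genoa)"
    elif gen == 3:
        status = ("affected: Zen 3, apply AMD's November microcode update and "
                  "compare the 'microcode' field against AMD's advisory")
    else:
        status = ("affected: Zen 1/2 has no fix (no SEV-SNP support); do not "
                  "rely on SEV for integrity against a hostile hypervisor")
    return {"generation": gen, "sev": sev,
            "microcode": info.get("microcode"), "status": status}


# Constructed sample /proc/cpuinfo blocks (microcode value is a placeholder).
SAMPLE_MILAN = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "model name\t: AMD EPYC 7313P 16-Core Processor\n"
    "microcode\t: 0x0\n"
    "flags\t\t: fpu vme sev sev_es sev_snp\n"
)
SAMPLE_ROME = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "model name\t: AMD EPYC 7252 8-Core Processor\n"
    "microcode\t: 0x0\n"
    "flags\t\t: fpu vme sev sev_es\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo"
    with open(path) as fh:
        print(assess(fh.read()))
```

Run it with no arguments on a host to read the live `/proc/cpuinfo`, or pass a saved copy as the first argument. The script only reports which advisory branch applies; the actual microcode revision that closes the issue is whatever AMD's advisory states, which is why the `microcode` field is surfaced rather than compared against a hard-coded number.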

AMD SEV technology is used for virtual machine isolation by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. In addition, the SEV-ES (Encrypted State) extension protects CPU registers. Only the current guest system can access the decrypted data; other virtual machines and the hypervisor, when they attempt to access this memory, receive an encrypted set of data.

Third-generation AMD EPYC processors introduced an additional extension, SEV-SNP (Secure Nested Paging), which ensures safe operation of nested memory page tables. In addition to the general memory encryption and register isolation, SEV-SNP applies further measures to protect memory integrity by preventing changes to the VM by the hypervisor. Encryption keys are managed by a separate PSP (Platform Security Processor) built into the chip and implemented on the basis of the ARM architecture.

The essence of the proposed attack method is to use the INVD instruction to invalidate blocks (lines) of dirty pages in the cache without flushing the data accumulated in the cache to memory (write-back). The technique thus allows changed data to be discarded from the cache without changing the state of memory. To carry out the attack, it is proposed to use software exceptions (fault injection) to interrupt the operation of the virtual machine at two points: first, the attacker invokes the "wbnoinvd" instruction to flush all pending memory write operations accumulated in the cache, and at the second point invokes the "invd" instruction to roll back write operations not yet reflected in memory to the old state.

To check your systems for the vulnerability, a proof-of-concept exploit has been published that allows exceptions to be injected into a virtual machine protected with AMD SEV and changes in the VM that have not yet been flushed to memory to be rolled back. Rolling back changes can be used to alter program flow by restoring an old return address on the stack, or to reuse the login state of an old, previously authenticated session by restoring the value of the authentication attribute.

For example, the researchers demonstrated that the CacheWarp technique can be used to carry out a Bellcore attack on the RSA-CRT algorithm implementation in the ipp-crypto library, which made it possible to recover the private key by injecting a fault during digital signature computation. They also showed how to change session authentication parameters in OpenSSH when connecting remotely to a guest system, and how to change the verification state when using the sudo utility to obtain root privileges on Ubuntu 20.04. The exploit was tested on systems with AMD EPYC 7252, 7313P and 7443 processors.

Source: opennet.ru