Vulnerabilities in the implementation of AMD SEV affecting AMD EPYC processors

AMD has warned that two attack methods have been identified that bypass the AMD SEV (Secure Encrypted Virtualization) protection mechanism. The problem affects the first, second and third generations of AMD EPYC processors (based on the Zen 1 to Zen 3 microarchitectures) as well as AMD EPYC Embedded processors.

At the hardware level, AMD SEV provides transparent encryption of virtual machine memory: only the guest system that owns the memory sees the decrypted data, while other virtual machines and the hypervisor receive only ciphertext when they try to access it. The identified issues allow an attacker with administrative privileges on the server and control of the hypervisor to bypass the AMD SEV restrictions and execute their own code in the context of a protected virtual machine.

Identified issues:

  • CVE-2021-26311 (undeSErVed attack): by manipulating the order of memory blocks in the guest system's physical address space, an attacker who controls the hypervisor can execute their own code inside the guest VM despite the AMD SEV/SEV-ES protection. The researchers prepared a prototype of a universal exploit that reorders the loaded UEFI blocks and uses return-oriented programming (ROP) to arrange the execution of arbitrary code.
  • CVE-2020-12967 (SEVerity attack): the lack of proper protection of the nested memory page tables in AMD SEV/SEV-ES allows an attacker with access to the hypervisor to substitute code in the guest system's kernel and arrange for control to be transferred to it. The method gives full control over the protected guest system and allows confidential data to be extracted from it.

To counter the described attack methods, AMD has prepared the SEV-SNP (Secure Nested Paging) extension, which is available as a firmware update for third-generation AMD EPYC processors and provides secure operation of the nested memory page tables. In addition to the basic memory encryption and the SEV-ES (Encrypted State) extension that protects CPU registers, SEV-SNP adds memory integrity protection that withstands attacks mounted from the hypervisor and offers additional protection against side-channel attacks.
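Both attacks above rest on the same primitive: the hypervisor owns the nested page table that maps guest-physical to system-physical pages, and plain SEV/SEV-ES never checks that a page is still mapped where the guest put it. The toy model below, added here as an illustration and not taken from AMD, opennet.ru or the researchers' exploit code, shows that primitive and the SEV-SNP style reverse-map (RMP) check that defeats it. Everything in it is an assumption for the demo: four 16-byte "pages", a two-page guest, the RMP layout, the function names and the block contents. Memory encryption is intentionally left out, because the hypervisor does not need the guest's key to reorder mappings; it only edits its own page table.

```c
/* Toy model of the nested-page-table remapping primitive behind the
 * undeSErVed / SEVerity class of attacks and of an SNP-style RMP check.
 * Added illustration only: not AMD firmware, not the real RMP format,
 * not the published exploit. Sizes, names and block contents are made up. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NPAGES    4
#define PAGE_SIZE 16

enum owner   { OWNER_HYPERVISOR, OWNER_GUEST };
enum access  { ACCESS_OK = 0, ACCESS_FAULT = -1 };
enum outcome { REMAP_BLOCKED = -1, REMAP_NO_EFFECT = 0, REMAP_SUCCEEDED = 1 };

/* Reverse map entry (SNP only): one per system-physical page, maintained by
 * hardware/firmware and not writable by the hypervisor. */
struct rmp_entry {
    enum owner owner;
    uint64_t   gpa;        /* guest-physical address the page was validated at */
    int        validated;
};

struct machine {
    uint8_t          mem[NPAGES][PAGE_SIZE]; /* system-physical memory */
    uint64_t         npt[NPAGES];            /* gpa -> spa, hypervisor-controlled */
    struct rmp_entry rmp[NPAGES];            /* consulted only when snp != 0 */
    int              snp;
};

/* Guest owns spa 0 and 1 (identity mapped); the rest is hypervisor memory. */
void machine_init(struct machine *m, int snp)
{
    memset(m, 0, sizeof *m);
    m->snp = snp;
    for (uint64_t p = 0; p < NPAGES; p++) {
        m->npt[p] = p;
        m->rmp[p].owner = (p < 2) ? OWNER_GUEST : OWNER_HYPERVISOR;
        m->rmp[p].gpa = p;
        m->rmp[p].validated = (p < 2);
    }
}

/* Nested walk for a guest access. With SNP the hardware additionally requires
 * the target to be a validated guest page mapped at the gpa it was validated
 * for; any mismatch is a fault instead of a silent remap. */
static int nested_walk(const struct machine *m, uint64_t gpa, uint64_t *spa)
{
    if (gpa >= NPAGES || m->npt[gpa] >= NPAGES)
        return ACCESS_FAULT;
    *spa = m->npt[gpa];
    if (m->snp) {
        const struct rmp_entry *e = &m->rmp[*spa];
        if (e->owner != OWNER_GUEST || !e->validated || e->gpa != gpa)
            return ACCESS_FAULT;
    }
    return ACCESS_OK;
}

int guest_write(struct machine *m, uint64_t gpa, const uint8_t *src)
{
    uint64_t spa;
    if (nested_walk(m, gpa, &spa) != ACCESS_OK) return ACCESS_FAULT;
    memcpy(m->mem[spa], src, PAGE_SIZE);
    return ACCESS_OK;
}

int guest_read(const struct machine *m, uint64_t gpa, uint8_t *dst)
{
    uint64_t spa;
    if (nested_walk(m, gpa, &spa) != ACCESS_OK) return ACCESS_FAULT;
    memcpy(dst, m->mem[spa], PAGE_SIZE);
    return ACCESS_OK;
}

/* Hypervisor primitive: swap two NPT entries. No guest key, no decryption. */
void hv_swap_mappings(struct machine *m, uint64_t gpa_a, uint64_t gpa_b)
{
    uint64_t t = m->npt[gpa_a];
    m->npt[gpa_a] = m->npt[gpa_b];
    m->npt[gpa_b] = t;
}

/* The guest loads two "code blocks", the hypervisor reorders them and the
 * guest then fetches from gpa 0. REMAP_SUCCEEDED means it now fetches block B,
 * i.e. control flow was redirected without touching any plaintext. */
int run_reorder_attack(int snp)
{
    static const uint8_t block_a[PAGE_SIZE] = "block-A:entry..";  /* constructed */
    static const uint8_t block_b[PAGE_SIZE] = "block-B:gadget.";  /* constructed */
    uint8_t fetched[PAGE_SIZE];
    struct machine m;

    machine_init(&m, snp);
    guest_write(&m, 0, block_a);
    guest_write(&m, 1, block_b);
    hv_swap_mappings(&m, 0, 1);
    if (guest_read(&m, 0, fetched) != ACCESS_OK)
        return REMAP_BLOCKED;
    return memcmp(fetched, block_b, PAGE_SIZE) == 0 ? REMAP_SUCCEEDED
                                                    : REMAP_NO_EFFECT;
}

int main(void)
{
    printf("SEV/SEV-ES: %s\n", run_reorder_attack(0) == REMAP_SUCCEEDED
           ? "guest fetches the reordered block" : "no effect");
    printf("SEV-SNP:    %s\n", run_reorder_attack(1) == REMAP_BLOCKED
           ? "access faults on RMP mismatch" : "no effect");
    return 0;
}
```

The point to take from the model is that the defence is a property of the page walk, not of the encryption: the guest data was never readable by the hypervisor in either mode, yet in the non-SNP run the guest still ends up executing a block it did not place at that address. The real RMP also tracks page ownership for hypervisor-to-guest transitions and validation state, which this sketch only hints at.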

Source: opennet.ru