Vulnerabilities in AMD SEV affecting AMD EPYC processors

AMD has warned that two attack methods have been identified that bypass the AMD SEV (Secure Encrypted Virtualization) protection mechanism. The problem affects the first, second and third generations of AMD EPYC processors (based on the Zen1 to Zen3 microarchitectures), as well as the embedded AMD EPYC processors.

AMD SEV provides transparent encryption of virtual machine memory at the hardware level: only the guest system currently running can access the decrypted data, while other virtual machines and the hypervisor see only ciphertext when they attempt to access that memory. The identified problems allow an attacker who has administrative privileges on the server and controls the hypervisor to bypass the restrictions imposed by AMD SEV and execute their own code in the context of the protected virtual machines. In both cases the lever is the same: without SEV-SNP, the hypervisor still owns the nested page tables that map guest-physical to host-physical memory, and SEV does not protect the integrity of that mapping.

Identified problems:

  • CVE-2021-26311 (undeSErVed attack): by controlling the hypervisor and rearranging memory blocks in the guest system's address space, it is possible to execute attacker-chosen code in the guest virtual machine despite AMD SEV/SEV-ES protection. The attack works because SEV's launch measurement, which the guest owner relies on for remote attestation, covers the contents of the loaded pages but not where the hypervisor maps them, so a permuted layout still attests successfully. The researchers developed a prototype universal exploit that reorders the loaded UEFI blocks and uses return-oriented programming (ROP) to achieve arbitrary code execution.
  • CVE-2020-12967 (SEVerity attack): the lack of adequate integrity protection for the nested memory page tables in AMD SEV/SEV-ES allows an attacker with access to the hypervisor to substitute code into the guest system's kernel and to redirect control flow to that code. The method gives full control over the protected guest system and allows confidential data to be extracted from it.

To counter these attack methods, AMD has prepared the SEV-SNP (Secure Nested Paging) extension, available as a firmware update for third-generation AMD EPYC processors, which provides secure handling of the nested memory page tables. In addition to the basic memory encryption and the SEV-ES (Encrypted State) extension that protects CPU registers, SEV-SNP adds memory integrity protection that withstands attacks from the hypervisor and provides additional protection against side-channel attacks.
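The following is an added illustration, not code from the article, from AMD, or from the undeSErVed/SEVerity researchers. It models in a few dozen lines of Python what the two bullet points above and the SEV-SNP paragraph describe: a launch measurement that hashes page contents in submission order but ignores guest-physical placement, a hypervisor-controlled nested page table (NPT) that can be permuted without touching any ciphertext, and, on the SNP side, a reverse map table (RMP) that records the guest-physical address each page was validated at and faults when a guest access arrives through a different mapping. The guest "UEFI" pages, the host-physical page numbers, the page-number encoding in the SNP-style digest and the `Host` class are all simplifications constructed for this example; they are not AMD's actual data structures or hashing rules.

```python
import hashlib

PAGE_SIZE = 4096

# Constructed sample guest image: list index = guest-physical page number (gPN).
# A real SEV guest measures a UEFI firmware image; these are placeholders.
GUEST_PAGES = [
    b"UEFI-RESET-VECTOR".ljust(PAGE_SIZE, b"\x00"),
    b"UEFI-CODE-BLOCK-A".ljust(PAGE_SIZE, b"\x00"),
    b"UEFI-CODE-BLOCK-B".ljust(PAGE_SIZE, b"\x00"),
    b"GUEST-DATA".ljust(PAGE_SIZE, b"\x00"),
]


def sev_launch_digest(pages):
    """Simplified SEV-style launch measurement: a hash over page contents in the
    order the hypervisor submits them. The guest-physical address of each page is
    not part of the digest. (Model of the property undeSErVed exploits; the real
    firmware algorithm differs in detail.)"""
    h = hashlib.sha256()
    for content in pages:
        h.update(content)
    return h.hexdigest()


def snp_launch_digest(pages):
    """SNP-style measurement: the guest-physical page number is hashed together
    with the content, so a page only validates at the address it was measured at.
    (Assumed encoding for illustration, not AMD's exact format.)"""
    h = hashlib.sha256()
    for gpn, content in enumerate(pages):
        h.update(gpn.to_bytes(8, "little"))
        h.update(content)
    return h.hexdigest()


class Host:
    """Hypervisor-side view: host memory plus the nested page table (gPN -> hPN).
    With plain SEV the hypervisor may rewrite the NPT at any time."""

    def __init__(self, pages, with_rmp):
        # Arbitrary placement: guest page i lands at host-physical page 100 + i.
        self.mem = {100 + i: content for i, content in enumerate(pages)}
        self.npt = {i: 100 + i for i in range(len(pages))}
        # The measurement is taken once, at launch, over submission order;
        # later NPT edits never update it.
        self.measurement = sev_launch_digest(pages)
        # Reverse Map Table (SNP only): hPN -> gPN recorded when the guest
        # validated the page. None models plain SEV, which has no RMP.
        self.rmp = {100 + i: i for i in range(len(pages))} if with_rmp else None

    def remap(self, gpn_a, gpn_b):
        """Hypervisor swaps two NPT entries. No ciphertext moves, so memory
        encryption alone cannot notice the change."""
        self.npt[gpn_a], self.npt[gpn_b] = self.npt[gpn_b], self.npt[gpn_a]

    def guest_read(self, gpn):
        hpn = self.npt[gpn]
        if self.rmp is not None and self.rmp[hpn] != gpn:
            # SNP: on every guest access the hardware checks that the host page
            # is mapped at the gPN recorded in the RMP; a mismatch is a fault.
            raise PermissionError(
                f"RMP fault: hPN {hpn} was validated as gPN {self.rmp[hpn]}, accessed as gPN {gpn}"
            )
        return self.mem[hpn]

    def guest_view(self):
        return [self.guest_read(gpn) for gpn in range(len(self.npt))]


def sev_permutation_attack():
    """Plain SEV: the hypervisor swaps the two UEFI code blocks after launch.
    Attestation still passes, yet the guest executes a permuted image."""
    host = Host(GUEST_PAGES, with_rmp=False)
    expected = sev_launch_digest(GUEST_PAGES)  # value the guest owner expects
    host.remap(1, 2)
    view = host.guest_view()
    return {
        "attestation_still_passes": host.measurement == expected,
        "guest_sees_swapped_code": view[1] == GUEST_PAGES[2] and view[2] == GUEST_PAGES[1],
    }


def snp_permutation_attack():
    """SNP model: the same remap is caught by the RMP on the first guest access."""
    host = Host(GUEST_PAGES, with_rmp=True)
    host.remap(1, 2)
    try:
        host.guest_view()
    except PermissionError:
        return "rmp_fault"
    return "undetected"


def snp_measurement_binds_address():
    """Even pre-permuting the image at launch changes an address-bound digest."""
    permuted = [GUEST_PAGES[0], GUEST_PAGES[2], GUEST_PAGES[1], GUEST_PAGES[3]]
    return snp_launch_digest(permuted) != snp_launch_digest(GUEST_PAGES)


if __name__ == "__main__":
    print("SEV :", sev_permutation_attack())
    print("SNP :", snp_permutation_attack(), "| launch digest address-bound:", snp_measurement_binds_address())
```

The model deliberately leaves out encryption: the point of both CVEs is that SEV's confidentiality guarantee is intact while the hypervisor still controls which ciphertext page appears at which guest address. Binding each page to its guest-physical address, both in the launch measurement and, at runtime, through the RMP, is what removes that lever, which is why the fix is a firmware feature rather than a software patch in the guest.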

Source: opennet.ru
