Ukukhishwa kwephrojekthi ye-CoreBoot 4.17 kushicilelwe, ngaphakathi kohlaka lapho kuthuthukiswa enye indlela yamahhala ye-firmware yobunikazi kanye ne-BIOS. Ikhodi yephrojekthi isatshalaliswa ngaphansi kwelayisensi ye-GPLv2. Abathuthukisi be-150 babambe iqhaza ekwakhiweni kwenguqulo entsha, abalungiselele izinguquko ezingaphezu kwe-1300.
Izinguquko eziyinhloko:
- Ukuba sengozini (CVE-2022-29264) okuvele ekukhishweni kwe-CoreBoot okungu-4.13 kuye ku-4.16 kulungisiwe futhi kuvumela amasistimu ane-AP (Application Processor) ukuthi asebenzise ikhodi ezingeni le-SMM (Imodi Yokulawulwa Kwesistimu), ebaluleke kakhulu (Indandatho). -2) kunemodi ye-hypervisor kanye nendandatho enguziro yokuvikela, nokuba nokufinyelela okungenamkhawulo kuyo yonke inkumbulo. Inkinga ibangelwa ucingo olungalungile oluya kusibambi se-SMI kumojuli smm_module_loader.
- Usekelo olungeziwe lwamabhodi omama angu-12, angu-5 asetshenziswa kumadivayisi ane-Chrome OS noma kumaseva e-Google. Phakathi kwezinkokhelo ezingezona eze-Google:
- I-Clevo L140MU / L141MU / L142MU
- UDell Precision T1650
- I-HP Z220 CMT Workstation
- I-Star Labs LabTop Mk III (i7-8550u), LabTop Mk IV (i3-10110U, i7-10710U), Lite Mk III (N5000) ne-Lite Mk IV (N5030).
- Ukusekelwa kwamabhodi omama we-Google Deltan kanye ne-Deltaur kunqanyuliwe.
- Kwengezwe i-coreDOOM entsha yokulayisha, okukuvumela ukuthi uqalise igeyimu ye-DOOM usuka ku-Coreboot. Iphrojekthi isebenzisa ikhodi ye-doomgeneric, ethunyelwa ku-libpayload. I-Coreboot linear framebuffer isetshenziselwa okukhiphayo, futhi amafayela e-WAD anezinsiza zegeyimu alayishwa ku-CBFS.
- Izingxenye zokulayisha okukhokhelwayo ezibuyekeziwe i-SeaBIOS 1.16.0 kanye ne-iPXE 2022.1.
- Imodi ye-SeaGRUB eyengeziwe (i-GRUB2 phezu kwe-SeaBIOS), evumela i-GRUB2 ukuthi isebenzise izingcingo zokushayela ezinikezwa i-SeaBIOS, isibonelo, ukuze ifinyelele okokusebenza okungafinyeleleki ekulayishweni kwe-GRUB2.
- Ukuvikela okungeziwe ekuhlaselweni kwe-SinkHole, okuvumela ikhodi ukuthi isetshenziswe ezingeni le-SMM (Imodi Yokulawulwa Kwesistimu).
- Kusetshenziswe ikhono elakhelwe ngaphakathi lokukhiqiza amathebula amile amakhasi enkumbulo ukusuka kumafayela omhlangano, ngaphandle kwesidingo sokubiza izinsiza zezinkampani zangaphandle.
- Vumela ukubhala imininingwane yokususa iphutha kukhonsoli ye-CBMEMC kusuka kuzibambi ze-SMI uma usebenzisa i-DEBUG_SMI.
- Isistimu yezibambi zokuqalisa ze-CBMEM ishintshiwe; esikhundleni sezibambi *_CBMEM_INIT_HOOK eziboshelwe ezigabeni, kuhlongozwa izibambi ezimbili: CBMEM_CREATION_HOOK (esetshenziswa esigabeni sokuqala esidala i-cbmem) kanye ne-CBMEM_READY_HOOK (isetshenziswa kunoma yiziphi izigaba lapho i-cbmem isivele isetshenziswe khona. idaliwe).
- Ukwesekwa okwengeziwe kwe-PSB (i-Platform Secure Boot), eyenziwe yasebenza iphrosesa ye-PSP (Platform Security Processor) ukuze kuqinisekiswe ubuqotho be-BIOS kusetshenziswa isiginesha yedijithali.
- Sengeze ukwethulwa kwethu kwesibambi sokususa iphutha kwedatha edluliswa isuka ku-FSP (FSP Debug Handler).
- Kwengezwe imisebenzi ye-TIS eqondene nomthengisi (i-TPM Interface Specification) yokufunda nokubhala ngokuqondile ukusuka kumarejista we-TPM (I-Trusted Platform Module) - tis_vendor_read() kanye ne-tis_vendor_write().
- Kwengezwe usekelo lokuvimbela izinkomba ezingenalutho ngamarejista okususa iphutha.
- Kusetshenziswe ukutholwa kwedivayisi ye-i2c, okwenza kube lula ukusebenza ngamabhodi afakwe amaphedi wokuthinta noma izikrini zokuthinta ezivela kubakhiqizi abahlukene.
- Kwengezwe ikhono lokulondoloza idatha yesikhathi ngefomethi efaneleka ukukhiqiza amagrafu e-FlameGraph, abonisa ngokucacile ukuthi singakanani isikhathi esichithwa ezigabeni ezihlukene zokwethulwa.
- Inketho yengezwe kunsiza ye-cbmem yokwengeza "isitembu sesikhathi" sesikhathi kusuka endaweni yomsebenzisi kuya kuthebula le-cbmem, okwenza kube nokwenzeka ukukhombisa imicimbi ngezigaba ezenziwe ngemuva kwe-CoreBoot ku-cbmem.
Ukwengeza, singaphawula ukushicilelwa kwe-OSFF (Open-Source Firmware Foundation) kwencwadi evulekile eya ku-Intel, ehlongoza ukwenza amaphakheji okusekelwa kwe-firmware (i-FSP, Iphakheji Yokusekela I-Firmware) abe yimodyuli kakhudlwana futhi aqale ukushicilela imibhalo ehlobene nokuqalisa i-Intel SoC. . Ukuntuleka kwekhodi ye-FSP kwenza kube nzima kakhulu ukwakhiwa kwe-firmware evulekile futhi kuvimbela ukuthuthuka kwamaphrojekthi we-Coreboot, U-Boot kanye ne-LinuxBoot ku-Intel hardware. Ngaphambilini, uhlelo olufanayo lwaba yimpumelelo futhi i-Intel yavula ikhodi ye-PSE (Programmable Services Engine) block firmware ecelwe umphakathi.
Source: opennet.ru