Abaphuhlisi beqela leLifu likaGoogle bachonge ukuba semngciphekweni (I-CVE-2019-9836) ekuphunyezweni kwetekhnoloji ye-AMD SEV (ukhuseleko olubhaliweyo olukhuselekileyo), olunokuthi lubeke esichengeni idatha ekhuselweyo ngale teknoloji.
I-AMD SEV kwinqanaba lezixhoboe ibonelela ngememori ngokufihlakeleyo yokubhala koomatshini ababonakalayo, Apho kuphela kwenkqubo yeendwendwe ezikhoyo ezinokufikelela kwidatha ebhaliweyo, ngelixa abanye oomatshini ababonakalayo kunye ne-hypervisor bafumana iseti yedatha ebhaliweyo xa befikelela kule memori.
Ingxaki echongiweyo ivumela ukubuyisela ngokupheleleyo umxholo weqhosha labucala le-PDH eqhutywa kwinqanaba lePSP enye ekhuselweyo (iprosesa yoKhuseleko lwe-AMD) engafumanekiyo kwinkqubo yokusebenza enkulu.
Ngokufumana isitshixo se-PDH, umhlaseli unokubuyisela iseshoni yeseshoni kunye nokulandelelana okuyimfihlo icacisiwe xa kusenziwa umatshini obonakalayo kunye nokufikelela kwidatha ebhaliweyo.
Ubungozi bubangelwa ziziphene ekuphunyezweni kwee-elliptic curves (ECC) esetyenziselwa ukubethela, okuvumela uhlaselo ukuba lubuyisele iiparameter kwigophe.
Ngexesha lokuphunyezwa komyalelo wokuqala womatshini okhuselweyo oqinisekileyo, umhlaseli angathumela iiparameter zekherifti ezingadibaniyo neparamitha ezicetyiswe yi-NIST, eya kuthi ikhokelele ekusetyenzisweni kwamaxabiso e-odolo esezantsi kwimisebenzi yokuphindaphinda nedatha evela isitshixo sangasese.
Ukuphunyezwa kwe-SEV's Elliptical Curve (ECC) kwafunyanwa kusengozini kuhlaselo lwegophe olungavumelekanga. Kumyalelo wokuqalisa wesiqalo, umhlaseli angathumela
Amanqaku amancinci e-ECC awekho kwii-curve ze-NIST ezisemthethweni, kwaye banyanzela i-firmware ye-SEV ukuba iphindaphinde indawo encinci yoku-odola yi-DH yabucala ye-firmware yesikali.
Ngokuqokelela inkunkuma eyaneleyo yemodyuli, umhlaseli unokufumana kwakhona isitshixo sangasese se-PDH. Nge-PDH, umhlaseli unokufumana kwakhona iseshoni kwaye aqalise imfihlo yomatshini obonakalayo. Oku kwaphula iziqinisekiso zokugcinwa kwemfihlo ezinikezelwa yi-SEV.
Ukhuseleko lomgaqo olandelwayo we-ECDH luxhomekeke ngqo kwi-odolo yenqaku lokuqala elivelisiweyo kwigophe, eline-logarithm eyahlukileyo ngumsebenzi onzima kakhulu.
Kwinqanaba elinye lokuqalisa imeko ye-AMD SEV, iiparameter ezifunyenwe kumsebenzisi zisetyenziselwa ukubala ngesitshixo sangasese.
Eyona nto ibalulekileyo, ukusebenza kokuphindaphinda amanqaku amabini kuyenziwa, elinye lawo lihambelana nesitshixo sangasese.
Ukuba inqaku lesibini libhekisa kumanani aphantsi e-odolo esezantsi, ke umhlaseli unokumisela iiparameter zenqaku lokuqala (iibits zemodyuli ezisetyenzisiweyo kwisibonisi somsebenzi) ngokudwelisa onke amaxabiso anokubakho. Iziqwenga ezikhethiweyo zamanani aphambili zinokudityaniswa ukumisela isitshixo sangasese usebenzisa i-theorem yaseTshayina kwintsalela.
Uhlaselo lwegophe olungasebenziyo kulapho ukuphindaphindwa kwamanqaku e-ECDH kwenziwa kwigophe elahlukileyo-iiparameter ezahlukeneyo (a, b). Oku kwenzekile kwisishwankathelo esifutshane somsebenzi we-Weierstrass wamanqaku okoko iparameter "b" ingasetyenziswanga.
Kule curve, inqaku linomyalelo wokuqala ophambili. Ngokuzama onke amaxabiso anokubakho kwindawo encinci yoku-odola, umhlaseli unokufumana kwakhona i-scalar bits (modulate the order).
Iqonga leseva ye-AMD EPYC isebenzisa i-firmware ye-SEV ukuya kuhlobo lwe-0.17 yokwakha i-11 yingxaki.
I-AMD sele ikhuphe uhlaziyo lwe-firmware, eyongeze isitshixo ekusebenziseni amanqaku angadibaniyo negophe le-NIST.
Kwangelo xesha, izatifikethi eziveliswe ngaphambili zezitshixo ze-PDH zihlala zisebenza, zivumela umhlaseli ukuba enze uhlaselo lokufuduka komatshini ovela kwiindawo ezikhuselweyo ngokuchasene nokuba sesichengeni kwabo baphantsi kwengxaki.
Ithuba lokwenza uhlaselo olubuyela umva kuhlobo lwe-firmware lwenguqulo yangaphambili yokuba sesichengeni nayo iyakhankanywa, kodwa lo msebenzi awukaqinisekiswa okwangoku.
Umthombo: https://seclists.org/