Emasontweni ambalwa edlule sabelana lapha engosini izindaba ze Ukuba sengozini kwe-EntrySign okuvumela ukubalekela indlela yokuqinisekisa isiginesha yedijithali ngesikhathi sokubuyekezwa kwe-microcode kuma-processor we-AMD.
Ini Ekuqaleni bekubukeka njengesiphazamisi esikhawulelwe ezizukulwaneni zeZen 1 kuya kuZen 4, Manje inwebela kuma-chips njengamanje njenge-Ryzen 9000, EPYC 9005, Ryzen AI 300 kanye ne-Ryzen 9000HX. Leli phutha livumela, ngaphansi kwezimo ezithile, i-microcode ye-CPU ukuthi ilungiswe ngokweqa indlela yokuqinisekisa isiginesha yedijithali, okunemiphumela engathi sÃna ekuvikelekeni kwezinhlelo ezenziwe nge-virtual.
Umsuka wenkinga kusefayili ye- ukusetshenziswa okungalungile kwe-algorithm ye-CMAC ngesikhathi senqubo yokuqinisekisa i-microcode. I-AMD ngokwesiko isebenzisa ukhiye we-RSA oyimfihlo ukuze usayine ngokwedijithali okuqukethwe kwalezi zibuyekezo, kanye nokhiye osesidlangalaleni ofakwe kupeshi ukuze kuqinisekiswe ubuqiniso be-microcode ngesikhathi sokulayisha. Kodwa-ke, i-hashi yokhiye osesidlangalaleni okufanele iqinisekise lobu buqotho ikhiqizwa kusetshenziswa i-AES-CMAC, i-Cryptographic MAC leyo, ngokungafani nomsebenzi we-hashi oqinile, enikeza iziqinisekiso ngokumelene nokushayisana.
Lo mklamo, yengezwe eqinisweni lokuthi i-AMD isebenzise ukhiye wokubethela ojwayelekile kuwo wonke ama-CPU akho kusukela kuZen 1, ivumele abacwaningi ukuthi bakhiphe ukhiye kunoma iyiphi iphrosesa ethintekile futhi uphinde uyisebenzise ukuze uguqule amapeshi e-microcode kwamanye amakhompyutha. Kuyamangaza ukuthi lo khiye ufana nesibonelo esisesidlangalaleni sezinqubo zokubethela ze-NIST SP 800-38B, ezibonisa ukusetshenziswa ngokunganaki kwemikhuba emihle ye-cryptographic.
I-microcode mbumbulu, amasiginesha avumelekile
Kusukela kulobu buthakathaka, i Abacwaningi bakwazile ukukhiqiza okhiye basesidlangalaleni abakhiqiza i-hashi efanayo nokhiye wangempela we-AMD., abathi kuvumele ukwakhiwa kweziqephu zomgunyathi ezikwazi ukweqa izilawuli zobuqotho. Lokhu kungqubuzana kufinyelelwa ngokufaka amabhulokhi engeziwe ekugcineni kwe-microcode, abonakala engahleliwe kodwa abalwe ngokucophelela, okuvumela isiginesha yedijithali ukuthi ihlale injalo. Ngale ndlela, ukuziphatha kwangaphakathi kwephrosesa kungashintshwa ngaphandle kokucupha izindlela zokuxwayisa.
Le nqubo yenziwe lula ngamathuluzi okuhlaziya njengeZentool, isethi yezinsiza zomthombo ovulekile ezikuvumela ukuthi ufunde i-microcode ye-AMD futhi ulungiselele ama-patches aguquliwe. Ukuze lolu hlobo lokuhlasela lwenzeke, umhlaseli kufanele abe namalungelo e-Ring 0, okungukuthi, ukufinyelela ezingeni eliphezulu kakhulu lesistimu yokusebenza, okungenzeka ezindaweni ezingokoqobo uma i-hypervisor isengozini noma ngokulungiselelwa okungavikelekile kobuchwepheshe obufana ne-VT-x noma i-AMD-V.
Umthelela ku-AMD SEV kanye Nokuvikeleka Kwe-Virtualization
Ngaphandle kokukhohlisa nge-microcode, i-EntrySign ibeka usongo oluqondile ku-AMD SEV (Virtual Encrypted Virtualization) kanye nesandiso sayo SEV-SNP (Secure Nested Paging), ubuchwepheshe obuklanyelwe ukuqinisekisa ubuqotho nokugcinwa kuyimfihlo kwemishini ebonakalayo ngisho nalapho ibhekene nokuhlaselwa okuvela ku-hypervisor noma uhlelo lokusingatha. Lokhu kuba sengcupheni kwenza kube nokwenzeka ukuphazamisa amarejista okucubungula avikelwe, ukuguqula amathebula ekhasi akhiwe esidlekeni, futhi uguqule ukuziphatha kwezinhlelo zezihambeli, okufaka engozini ukuphepha kwazo ezingeni elijulile.
Ukuphendula kwe-AMD kanye nezinyathelo zokunciphisa
Ubhekene nalesi simo, I-AMD isiqalile ukusabalalisa izibuyekezo ze-microcode ezilungisa iphutha.noma, nakuba ezinhlelweni ezisebenzisa i-SEV-SNP kuyadingeka futhi ukuvuselela i-firmware yemojuli ye-SEV, edinga isibuyekezo se-BIOS. Inkampani isivele ithumele iphakethe elisha kubakhiqizi ebizwa nge-ComboAM5PI 1.2.0.3c AGESA, kodwa kulinganiselwa ukuthi amapheshana okugcina angathatha amaviki noma ngisho izinyanga ukuthi atholakale kubasebenzisi bokugcina.
Ngaphezu kwalokhu, i- Onjiniyela be-AMD bahlongoze isiqeshana se-Linux kernel esivimba i-microcode ekulayisheni. engekho emthethweni. Lesi silinganiso sihlose ukuvimbela ukusabalala kwamapeshi ashintshiwe enkampani yangaphandle, njengalawo adalwe abathanda izingcezu ze-BIOS ezikhishiwe. Okwamanje, kunconywa kakhulu ukuthi ulinde izibuyekezo ezisemthethweni ze-BIOS futhi uyeke ukufaka izinguqulo ezingaqinisekisiwe.
Ekugcineni, uma unentshisekelo yokwazi kabanzi ngakho, ungabheka imininingwane kufayela le- isixhumanisi esilandelayo.