A few days ago a group of researchers unveiled a new attack concept called "BadRAM", tracked as CVE-2024-21944. The attack can compromise protected environments that use the SEV-SNP extension on AMD processors by bypassing the verification mechanism. In most cases, the attack requires physical access to the memory modules and the ability to execute code at protection ring zero (ring0) on the host system that runs the protected environment.
The AMD SEV extensions are designed to guarantee the integrity of virtual machine memory, protecting it from tampering and analysis by host system administrators operating at the hypervisor level.
Initially, AMD SEV encrypted only guest memory and isolated registers, but the most recent versions of EPYC processors added the SEV-SNP extension (Secure Nested Paging). This extension improves security by checking the memory page tables and ensuring that guest system memory cannot be tampered with from the hypervisor.
The SEV-SNP mechanism was implemented to prevent outside parties, such as data center staff or cloud service providers, from interfering with the operation of protected systems. The BadRAM attack, however, takes a different approach, one that uses the SPD (Serial Presence Detect) metadata of DDR4 and DDR5 modules.
By modifying this metadata, an attacker can overwrite encrypted data in the guest system's memory, without needing to decrypt the contents, and break the cryptographic attestation mechanism that guarantees the integrity of virtual machines. This could, for example, allow backdoors to be introduced into protected systems without being detected.
The attack works by manipulating SPD parameters to deceive the processor into accessing memory addresses that do not really exist (these nonexistent addresses are redirected to real DRAM regions that are already in use).
With this technique, an attacker can create multiple mappings in physical memory, making different addresses point to the same memory region. This not only bypasses the CPU's memory protection mechanisms, but also enables access to the real encrypted data through the dummy addresses. In short, the technique lets attackers tamper with encrypted data and break the security guarantees established by SEV-SNP.
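The aliasing described above can be shown with a small model, together with one way a boot-time memory check could notice it. This is an added example, not code from the researchers or from AMD; the `dimm_t` structure, the function names, the sizes and the assumption that address bits above the real capacity are simply ignored are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of one DIMM: the chips hold real_size bytes, but the
 * SPD data reports claimed_size. Both sizes are powers of two. */
typedef struct {
    uint8_t *cells;
    size_t real_size;
    size_t claimed_size;
} dimm_t;

dimm_t make_dimm(size_t real_size, size_t claimed_size) {
    dimm_t d = { calloc(real_size, 1), real_size, claimed_size };
    return d;
}

/* Address bits above the real capacity are ignored (assumption), so a
 * phantom address lands on a cell that a real address already uses. */
static uint8_t *dimm_at(dimm_t *d, size_t addr) {
    return &d->cells[addr & (d->real_size - 1)];
}

/* Address-line test: returns the first power-of-two offset whose write
 * shows up at address 0, or 0 if no alias exists inside claimed_size.
 * Memory contents are restored before returning. */
size_t detect_alias(dimm_t *d) {
    uint8_t saved0 = *dimm_at(d, 0);
    size_t alias = 0;
    for (size_t off = 1; off < d->claimed_size && !alias; off <<= 1) {
        uint8_t saved = *dimm_at(d, off);
        *dimm_at(d, 0) = 0xAA;
        *dimm_at(d, off) = 0x55;
        if (*dimm_at(d, 0) != 0xAA)
            alias = off;            /* the write to off changed address 0 */
        *dimm_at(d, off) = saved;
    }
    *dimm_at(d, 0) = saved0;
    return alias;
}

int main(void) {
    dimm_t honest = make_dimm(1u << 16, 1u << 16);
    dimm_t doubled = make_dimm(1u << 16, 1u << 17); /* SPD claims 2x */
    printf("honest:  alias at %zu\n", detect_alias(&honest));
    printf("doubled: alias at %zu\n", detect_alias(&doubled));
    free(honest.cells);
    free(doubled.cells);
    return 0;
}
```

In the model, the module whose reported size is double its real capacity aliases at exactly the real capacity, which is the mismatch between SPD data and physical DRAM that such a check is looking for.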
The alarming aspect of the attack is how easily it can be carried out. With a simple programmer costing about 10 dollars, built from a Raspberry Pi Pico microcontroller, a memory module connector and a power supply, an attacker can make the necessary changes.
On systems where the memory chips have no SPD write protection, the attack can even be carried out entirely in software, without physical access to the hardware. This is possible through malicious BIOS updates or by manipulating configurable memory modules, such as those from Corsair with RGB lighting. In cloud environments, this vulnerability could also be exploited by untrustworthy administrators.
The effectiveness of the attack was demonstrated in two ways:
- The ability to replay ciphertext stored in memory was confirmed, which allows encrypted data to be modified without knowing its contents.
- The SEV-SNP attestation mechanism, used to verify the integrity of protected virtual machines, was bypassed. The latter allows an attacker to replace a legitimate virtual machine with a compromised one, hiding malicious activity such as the installation of backdoors.
The problem affects the third and fourth generations of the AMD EPYC series, and AMD has announced that it has released an update intended to prevent this kind of manipulation.
On the Intel side, it is worth noting that the Scalable SGX and TDX technologies are not vulnerable to this attack, since they include the necessary checks by design. By contrast, the older Intel SGX technology, which was deprecated in 2021, is partially vulnerable, allowing only the reading of encrypted data, not rewriting it.
Finally, if you are interested in learning more about it, you can check the details at the following link.