Engineers from the Google Cloud team have identified a vulnerability (CVE-2019-9836) in the implementation of AMD SEV (Secure Encrypted Virtualization) technology that could compromise data protected by this technology.
AMD SEV provides hardware-level transparent encryption of virtual machine memory: only the current guest system has access to the decrypted data, while every other virtual machine and the hypervisor receive an encrypted set of data when accessing that memory.
The identified problem allows the complete recovery of the contents of the PDH private key, which is processed at the level of a separate protected processor, the PSP (AMD Security Processor), that is not accessible to the main operating system.
With the PDH key in hand, an attacker can recover the session key and the secret sequence specified when the virtual machine was created, and gain access to the encrypted data.
The vulnerability is caused by flaws in the implementation of the elliptic curves (ECC) used for the encryption, which allow an attack that recovers curve parameters.
During execution of the command that launches a protected virtual machine, an attacker can send curve parameters that do not match those recommended by NIST, which leads to low-order point values being used in the multiplication operation with data from the private key.
The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH scalar.
By collecting enough residues, an attacker can recover the complete PDH private key. With the PDH, an attacker can recover the session key and the VM's launch secret. This breaks the confidentiality guarantees offered by SEV.
The security of the ECDH protocol depends directly on the order of the generated starting point of the curve, whose discrete logarithm is a very hard problem.
At one of the stages of initializing the AMD SEV environment, parameters received from the user are used in calculations involving the private key.
In essence, an operation multiplying two points is performed, one of which corresponds to the private key.
If the second point refers to low-order prime numbers, the attacker can determine the parameters of the first point (the bits of the modulus used in the modular exponentiation operation) by enumerating all possible values. The fragments recovered for the individual primes can then be combined to determine the private key using the Chinese remainder theorem.
An invalid curve attack is one where the ECDH point multiplication is performed on a different curve, i.e. with different parameters (a, b). This is made possible by the short Weierstrass point addition, since the parameter "b" is not used.
On this curve, the point has a small prime order. By trying all values of the small order point, an attacker can recover the private scalar bits (modulo the order).
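As an added illustration (not code from the advisory or from AMD's firmware), the following Python sketch implements affine short-Weierstrass arithmetic on NIST P-256 and shows the two points made above: the addition and doubling formulas never touch b, so the same code runs unchanged on whatever curve the supplied point actually lies on, and the validation a fix needs must therefore check the point against the curve equation and its order before any multiplication with the private scalar. The P-256 constants are the public FIPS 186-4 values; BAD is a constructed off-curve point, and Python 3.8+ is assumed for pow(x, -1, P).

```python
# Added example, not AMD's code: affine short-Weierstrass arithmetic on P-256.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def point_add(p1, p2):
    """Affine add/double. Only A appears; B is never used, so this code
    silently works on every curve y^2 = x^3 + A*x + b' for any b'."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P), including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add k*pt (not constant time; illustration only)."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, pt)
    return acc

def implied_b(pt):
    """The b of the curve pt really lies on: y^2 - x^3 - A*x (mod P)."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P

def validate_point(pt):
    """The check a fix needs: reject anything that is not a P-256 point."""
    if pt is INF or not (0 <= pt[0] < P and 0 <= pt[1] < P):
        return False
    if implied_b(pt) != B:  # off-curve, i.e. an invalid-curve point
        return False
    return scalar_mult(N, pt) is INF  # in the prime-order group (cofactor 1)

# Constructed peer point: G's x with y shifted by one, so it is off-curve.
BAD = (G[0], G[1] + 1)
```

Multiplying BAD by any scalar yields points with the same implied b as BAD, which is exactly how unvalidated arithmetic ends up on the caller's curve instead of P-256.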
AMD EPYC server platforms running SEV firmware up to version 0.17 build 11 are affected.
AMD has already released a firmware update that adds a block on the use of points that do not belong to the NIST curve.
At the same time, previously generated PDH key certificates remain valid, allowing an attacker to attack the migration of a virtual machine from environments protected against the vulnerability to ones still affected by it.
It may also be possible to attack by rolling back the firmware to the previous vulnerable version, but this possibility has not yet been confirmed.
Source: https://seclists.org/