Two vulnerabilities found in TPM 2.0 that allow access to data

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

News recently broke that two vulnerabilities (already catalogued as CVE-2023-1017 and CVE-2023-1018) were identified in the code of the reference implementation of the TPM 2.0 (Trusted Platform Module) specification.

The flaws are notable because they lead to writing or reading data outside the bounds of the allocated buffer. An attack on cryptoprocessor implementations that use the vulnerable code could result in the extraction or overwriting of information stored on the chip side, such as cryptographic keys.

An attacker with access to the TPM command interface can send maliciously crafted commands to the module and trigger these vulnerabilities. This allows read-only access to sensitive data, or overwriting of normally protected data that is available only to the TPM (for example, cryptographic keys).

It is mentioned that an attacker can use the ability to overwrite data in the TPM firmware to arrange for their own code to execute in the TPM context, which could be used, for example, to implement backdoors that run on the TPM side and cannot be detected from the OS.

For those unfamiliar with TPM (Trusted Platform Module), it is a hardware-based solution that provides strong cryptographic functions to modern computer operating systems, making it resistant to tampering.

An authenticated local attacker could send malicious commands to a vulnerable TPM that allow access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may cause a crash or arbitrary code execution within the TPM. Because the attacker's payload runs inside the TPM, it may not be detected by other components of the target device.

As cloud computing and virtualization have become more popular in recent years, software-based TPM implementations have also grown in popularity. In its hardware form, the TPM can be implemented as a discrete, embedded, or firmware TPM. Virtual TPMs exist in hypervisor form or as a purely software-based TPM implementation, for example, swtpm.

Regarding the vulnerabilities themselves, it is mentioned that they are caused by an incorrect size check of the parameters of the CryptParameterDecryption() function, which allows writing or reading two bytes past the end of the buffer that is passed to the ExecuteCommand() function and contains the TPM2.0 command. Depending on the firmware implementation, the two overwritten bytes can corrupt either unused memory or data and pointers on the stack.
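The kind of size check described above, as an added example (it is not the TCG reference code or libtpms): a simplified parser for a parameter with a two-byte size prefix that is transformed in place. The function name, the result codes and the XOR stand-in for the cipher are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example (not the TPM_RC_* values). */
enum { PARAM_OK = 0, PARAM_INSUFFICIENT = 1, PARAM_SIZE = 2 };

/*
 * In-place "decryption" of a size-prefixed parameter:
 *   buf[0..1]  big-endian length N of the encrypted field
 *   buf[2..]   N bytes of ciphertext
 * buf_len is the number of bytes that really remain in the command buffer.
 * XOR with a fixed byte stands in for the real cipher.
 */
int decrypt_sized_param(uint8_t *buf, size_t buf_len, uint8_t key)
{
    const size_t prefix = 2;

    /* Check 1: the two-byte size field itself must lie inside the buffer.
     * Without it, a command that ends just before the parameter makes
     * the parser read up to two bytes past the end. */
    if (buf_len < prefix)
        return PARAM_INSUFFICIENT;

    size_t n = ((size_t)buf[0] << 8) | buf[1];

    /* Check 2: the declared length must fit in what is left AFTER the
     * prefix. Comparing n against buf_len instead of buf_len - prefix
     * would accept lengths up to two bytes too long, and the loop below
     * would then write past the end of the buffer. */
    if (n > buf_len - prefix)
        return PARAM_SIZE;

    for (size_t i = 0; i < n; i++)
        buf[prefix + i] ^= key;   /* transform only validated bytes */
    return PARAM_OK;
}
```
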

The vulnerability is exploited by sending specially crafted commands to the TPM module (the attacker must have access to the TPM interface).

The problems have already been fixed in the updated versions of the TPM 2.0 specification released in January (1.59 Errata 1.4, 1.38 Errata 1.13, 1.16 Errata 1.6).

It is also reported that the libtpms open source library, which is used to emulate TPM modules in software and to integrate TPM support into hypervisors, is affected by the vulnerability as well. The vulnerability was fixed in the libtpms 0.9.6 release, so those still on an older version are advised to update to the new version as soon as possible.

As for the fix, the TCG (Trusted Computing Group) has published an update to its Errata for the TPM2.0 library specification with instructions for addressing these vulnerabilities. To keep their systems secure, users should apply the updates that hardware and software manufacturers deliver through their supply chain as soon as possible.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

