AMD closes a severe microcode vulnerability: through microcode update

The secure encrypted virtualization function (SEV) of AMD server processors is less safe than suggests that Google researchers discovered that EPYC processors are neglected when it comes to the verification of the signing of microcoding updates.

Anzeige

Because such microcoded updates intervene deeply in the functions of the CPU, they allow serious manipulations. He Google Team published a concept test (PIC) which breaks the RDDAND instruction: instead of a random number, it always returns the value 4. This weakens the cryptographic algorithms used by RDRAND. And this in turn can also be used to cancel the Sev Ram encryption mentioned above, which is used, among other things, to safely separate virtual machines (VM) that are executed in parallel on the same server, for example for Confidential computer science.

Google himself uses AMD SEV (or SEV-SNP), for example, to Synchronize raisin passes between different devices of registered Google users (Google Password Manager, GPM). The real rare raisins are not synchronized at all, but only exist in safe enclaves on the cloud servers.

Confidential computing

To inject a manipulated microcode update in an EPYC processor, the attacker must have administrator rights. However, confidential computer functions such as AMD Sev, Intel SGX/TDX or ARMV9-CCA aim to deny administrators access to protected data by creating reliable execution environments (TEE) with a cryptographically verifiable operational state ( remote certification).

According to the theory, users of such shirts only have to trust the manufacturer of the respective CPU, which embeds the signature chain for the remote certificate in their hardware and firmware.

Because these security functions are very important, many experts are working on them. The gaps are frequently discovered.

The first bios updates are available

AMD describes the “confidential computer vulnerability of SEV” in the Safety Bulletin AMD-SB-3019It also carries the CVE-2024-56161. The risk was classified as high with 7.2 points.

Consequently, the Epyc 7001 (Naples) series, 7002 (Rome), 7003 (Milan/Milan-X) and 9004 (Genoa, Genoa-X, Bergamo, Siena) are affected.

Microcoded updates can also be distributed to servers through the update functions of operating systems. However, additional BIOS updates are required for the SEAV-SNP remote certificate to function properly. AMD has already distributed them to server and main plate manufacturers in the form of new ages firmware modules. Some companies are already providing BIOS updates:

According SupermicroThey are working on it.

Asus already had inadvertently released BIOS updates at the end of January with reference to a vulnerability of AMD microcode signature.

(CIW)