Google Security Researchers Uncover Vulnerability in AMD Zen Processors

Recently, Google security researchers have released detailed information about a critical vulnerability known as "EntrySign" that affects all AMD Zen processors up to Zen 4. This flaw allows attackers with local administrator privileges to install custom microcode updates on the affected CPUs, bypassing AMD's cryptographic verification system. The vulnerability is a result of AMD using AES-CMAC as a hash function in its signature verification process, which is a significant cryptographic error. CMAC is meant to be a message authentication code, not a secure hash function. The researchers found that AMD had been using a key from NIST documentation since Zen 1, enabling them to forge signatures and make arbitrary microcode modifications. These modifications can fundamentally change CPU behavior, leading to sophisticated attacks that persist until the next system reboot.

Google's security team has introduced "zentool," an open-source jailbreak toolkit that allows researchers to develop, sign, and deploy custom microcode patches on vulnerable processors. The toolkit includes features for microcode disassembly, patch creation with limited assembly support, and cryptographic signing functions. As a demonstration, the researchers showed how they could modify the RDRAND instruction to consistently return specific values, compromising the CPU's random number generation. AMD has released microcode updates that replace the compromised validation routine with a secure hash function. These patches also utilize the AMD Secure Processor to update the validation routine before x86 cores can process potentially tampered microcode. While the attack requires local administrator access and does not persist through power cycles, it poses significant risks to confidential computing environments using technologies like SEV-SNP and DRTM. The researchers believe their findings could lead to further CPU security research beyond exploit development, potentially resulting in the implementation of new security features similar to those found in Intel processors using similar techniques.