One Glitch to Rule Them All: Fault Injection Attacks Against the AMD Secure Processor

Presented at Black Hat Europe 2021, Nov. 10, 2021, 10:20 a.m. (40 minutes)

Today's AMD CPUs contain a dedicated security coprocessor that forms the root of trust of all modern AMD systems: the AMD Secure Processor (AMD-SP), formerly known as the Platform Security Processor (PSP). Besides acting as the root of trust, the AMD-SP serves as a trust anchor for security features such as AMD's Secure Encrypted Virtualization (SEV) technology and AMD's firmware Trusted Platform Module (fTPM). The AMD-SP is a highly privileged ARM coprocessor integrated into AMD CPUs, and its privileges surpass even those of the lowest ring on the x86 cores.

This talk will present a new hardware attack against the AMD-SP that allows us to gain code execution on the AMD-SPs of Ryzen and Epyc CPUs of all Zen microarchitectures, i.e., Zen 1, Zen 2, and Zen 3. By manipulating the input voltage to the AMD SoC, we overcome the firmware verification mechanism of the AMD-SP, allowing us to deploy custom payloads directly after the AMD-SP's ROM bootloader. In contrast to previous attacks against the AMD-SP, our method does not require the presence of firmware issues. To the best of our knowledge, all AMD CPUs of the Zen microarchitectures are affected. The hardware setup to mount the presented glitching attack is cheap and can be applied easily to new targets. Finally, we will demonstrate how an adversary with physical access to the target host can implant a custom SEV firmware that decrypts SEV-protected VMs.

Furthermore, we show how we can extract endorsement keys of SEV-enabled CPUs. These extracted keys allow an attacker to fake attestation reports or pose as a valid target for VM migration without requiring physical access to the target host. We reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement keys to the firmware versions of the TCB components relevant to SEV. We will show how to derive valid VCEKs for arbitrary firmware versions using secrets extracted from AMD-SPs.
Presenters:

  • Niklas Jacob - Master's Student, Technische Universität Berlin - Security in Telecommunications
    Niklas Jacob is currently finishing his master's degree in Computer Science at the Technische Universität Berlin. His IT-security-focused studies will soon be finalized with his analysis of voltage fault vulnerabilities of AMD CPUs.
  • Robert Buhren - PhD Student, Technische Universität Berlin - Security in Telecommunications
    Robert Buhren is a security researcher and firmware reverse engineer currently pursuing a PhD at the Technische Universität Berlin. His research focuses on cloud security and shielding systems. Previously, he presented his work on the AMD Platform Security Processor at the Chaos Communication Congress and the Chaos Communication Camp.