Today's AMD CPUs contain a dedicated security coprocessor that forms the root of trust of all modern AMD systems: the AMD Secure Processor (AMD-SP), formerly known as the Platform Security Processor (PSP). Besides acting as the root of trust, the AMD-SP serves as a trust anchor for security features such as AMD's Secure Encrypted Virtualization (SEV) technology and AMD's firmware Trusted Platform Module (fTPM). The AMD-SP is a highly privileged ARM coprocessor integrated into AMD CPUs, and its privileges surpass even those of the most privileged ring (ring 0) on the x86 cores.
This talk will present a new hardware attack against the AMD-SP that allows us to gain code execution on the AMD-SPs of Ryzen and Epyc CPUs of all Zen microarchitectures, i.e., Zen 1, Zen 2 and Zen 3. By manipulating the input voltage to the AMD SoC, we overcome the firmware verification mechanism of the AMD-SP, allowing us to deploy custom payloads directly after the SP's ROM bootloader. In contrast to previous attacks against the AMD-SP, our method does not depend on the presence of firmware vulnerabilities. To the best of our knowledge, all AMD CPUs of the Zen microarchitectures are affected. The hardware setup needed to mount the presented glitching attack is cheap and can easily be applied to new targets. Finally, we will demonstrate how an adversary with physical access to the target host can implant a custom SEV firmware that decrypts SEV-protected VMs.
Furthermore, we show how we can extract the endorsement keys of SEV-enabled CPUs. These extracted keys allow an attacker to forge attestation reports or pose as a valid target for VM migration without requiring physical access to the target host. We reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement key to the firmware versions of the TCB components relevant for SEV. We will show how to derive valid VCEKs for arbitrary firmware versions using secrets extracted from AMD-SPs.