Anyone owning an AMD CPU with Zen 1 - Zen 4 microarchitecture may want to double check their BIOS is up to date. According to Tom's Hardware, AMD CPUs with a BIOS patch earlier than 2014-12-17 have a vulnerability that allows anyone with local admin privileges to potentially upload new microcode to the units. This means altering the basic code which dictates how these CPUs run. This isn't something that's usually accessible or even visible outside of official AMD patches.
The exploit was discovered by a team of Google researchers who've been working alongside AMD, and it affects a tonne of chips released over the past eight years. This means if you're rocking something like the Ryzen 7 5700X3D from last year you could be vulnerable thanks to its Zen 3 architecture, whereas those with the AMD Ryzen 7 9800X3D should be safe with that newer Zen 5.
Now that the exploit is all fixed with the recent patch, the team have detailed their discovery and hacking processes made possible thanks to EntrySign, the microcode signature validation vulnerability in these chips. This includes how to hack it yourself, so if you're interested in jailbreaking your CPU maybe hold off on those updates.
EntrySign is exploitable thanks to a lack of proper encryption cryptographics. For these CPUs AMD was using the AES-CMAC function which is a message authentication code rather than a proper cryptographic hash function. With CMAC, anyone with the encryption key can see the steps in the encryption calculations, allowing them to reverse engineer and predict the outcome.
In this instance, AMD were using a publicly accessible NIST example key, making things all the more easier for potential bad actors. Hash functions that are properly designed for this kind of security don't have such keys to be exploited in the first case.
For security, this is pretty bad news. Having access to changing microcodes allows people to mess with the internal CPU buffers, and could have huge implications for security on virtual machines. The requirement of host ring 0 access is one of the saving graces in this exploit.
Host ring 0 refers to the most privileged layer of security as it talks directly to physical hardware. Basically we are talking about local admin privileges. The second ray of light is that any changes don't persist through a reboot, so power cycling any affected computers then immediately updating the BIOS should have you set.
The ability to remove changes on reboot also makes this a relatively safe project for anyone wanting to play with microcode on their CPU. It's not often we get such a close look at how processors actually run, so it's a good opportunity for the technology curious to get hands on.
The breakdown from Google gives you all the steps and tools you could need and Tavis Ormandy, one of Google's engineers on the project, proclaimed "jailbreak your AMD CPU" when sharing it on X, which isn't something you get the chance to do every day.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
