Re: AMD Microcode Signature Verification Vulnerability

[Jacob Bachmeyer <jcb62281 () gmail com>]

On 2/6/25 17:04, trinity pointard wrote:
> > If an attacker is able to control the hypervisor (necessary to load
> > rogue microcode) and the processor microcode, how can the VM trust that
> > it is actually verifying that attestation and not being sent down a "oh
> > yes it is exactly what you want it to be" garden path?
> Attestations are cryptographically signed by the cpu, and meant to be sent
> elsewhere and verified remotely.

That resolves the issue for the VM owner, but still does not address the 
more interesting question:  is there a way on current AMD processors to 
perform calculations that cannot be upset by tampered microcode?  (There 
*was* a subset of instructions on the AMD K8 like that.)

> The key used to sign (VCEK) are dependent on
> the microcode version, so it shouldn't be possible to forge new-looking
> signature with old microcodes (i would hope this hold would someone be able to
> decrypt a microcode, though i couldn't find information on that subject).

If you are correct that the /actual signing key/ used depends on the 
microcode version, then (logically) the signing key *must* be somewhere 
in the microcode.  If someone finds a way to decrypt the microcode, for 
which all keys required must be *somewhere* in every processor that uses 
that microcode, they would clearly be able to extract the attestation 
signing key.

I would hope that you are mistaken in that statement that the signing 
key depends on the microcode version or that we are both missing 
something somewhere.


-- Jacob