oss-sec mailing list archives

Re: AMD Microcode Signature Verification Vulnerability


From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Wed, 5 Mar 2025 23:03:49 -0600

On 3/5/25 21:30, Solar Designer wrote:
[...] I'll focus on what the vulnerability and its fix are:

[...]

Forging On
We noticed that the key from an old Zen 1 CPU was the example key of the
NIST SP 800-38B publication (Appendix D.1 2b7e1516 28aed2a6 abf71588
09cf4f3c) and was reused until at least Zen 4 CPUs. [...]

They... used... the... example... key... in... a... real... production... system...

[I have no words.]


-- Jacob
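
A defensive check suggested by the finding quoted above, as an added example that is not part of the original message or of any vendor tooling: scan a build artifact for the published NIST SP 800-38B example key in several byte layouts. The function names, the set of layouts checked and the sample blob are assumptions constructed for illustration.

```python
import struct

# Example key quoted in the message above (NIST SP 800-38B, Appendix D.1).
NIST_EXAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def key_encodings(key: bytes) -> dict:
    """Byte layouts a 128-bit key may take inside a binary (assumed set)."""
    words = struct.unpack(">4I", key)
    return {
        "raw": key,
        "le32-words": struct.pack("<4I", *words),  # each 32-bit word byte-swapped
        "reversed": key[::-1],
        "hex-lower": key.hex().encode(),
        "hex-upper": key.hex().upper().encode(),
    }


def find_known_key(blob: bytes, key: bytes = NIST_EXAMPLE_KEY) -> list:
    """Return sorted (offset, layout) pairs for every occurrence of key in blob."""
    hits = []
    for name, needle in key_encodings(key).items():
        start = blob.find(needle)
        while start != -1:
            hits.append((start, name))
            start = blob.find(needle, start + 1)
    return sorted(hits)


# Constructed sample blob: padding, the key stored as little-endian words,
# more padding, then the key as an upper-case ASCII hex string.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<4I", *struct.unpack(">4I", NIST_EXAMPLE_KEY))
    + b"\xff" * 8
    + b"key=2B7E151628AED2A6ABF7158809CF4F3C\n"
)

if __name__ == "__main__":
    for offset, layout in find_known_key(SAMPLE):
        print(f"0x{offset:04x}  {layout}")
```

The same function can be run in CI over firmware images or source trees with a list of other published test-vector keys, so that an example key fails the build before it ships.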