Control Your AMD PSP Firmware

The document discusses reverse engineering the AMD Platform Security Processor (PSP), which is proprietary firmware that acts as a trust anchor during the secure boot process. It describes how the PSP firmware is loaded from the SPI flash memory and executes before the BIOS. The authors were able to identify and extract the different PSP firmware files from the UEFI BIOS update using binary analysis tools. This revealed the firmware file system structure and file types contained within.


Uncover, Understand, Own
REGAINING CONTROL OVER YOUR AMD CPU

Christian Werling, Security Research Labs
Alexander Eichner, Technische Universität Berlin
Robert Buhren, Technische Universität Berlin
Uncover
REVERSE-ENGINEERING AN UNKNOWN SUBSYSTEM¹
• Server & desktops (Epyc & Ryzen)
• Integrated since 2013
• Undocumented, proprietary firmware
• Required for Secure Boot
• Acts as trust anchor

¹ Formerly known as Platform Security Processor (i.e. PSP)


Applications
SECURE ENCRYPTED VIRTUALIZATION
• SEV protects virtual machines in untrusted physical locations (e.g. data centers)
• The PSP acts as remote trusted entity for the Cloud customer
• PSP promises to protect VM memory from the hypervisor and even physical access

TRUSTED EXECUTION ENVIRONMENT
• Linux to support PSP TEE API (kernel patch pending)
• The PSP acts as a black box inside your system that is trusted by an external entity (e.g. Netflix)
• This enables DRM on untrusted systems like Linux
The PSP runs code you don’t know and don’t control.
Traditional Boot
[Figure: Flash → 1 – BIOS; Disk → 2 – Operating System; both executed by the CPU]
Source: Motherboard Manual Supermicro H11DSU-iN


AMD Boot
[Figure: Flash → 1 – PSP FW (?), executed by the PSP; Flash → 2 – BIOS; Disk → 3 – Operating System; BIOS and OS executed by the CPU]
Source: Motherboard Manual Supermicro H11DSU-iN


Where is the PSP Firmware loaded from?
• The BIOS is stored in SPI flash memory
• It contains all code and data used by the BIOS during boot up
• Data is arranged according to the UEFI image specification

Let’s inspect a Supermicro UEFI update!

[Figure: the AMD boot diagram again: Flash → 1 – PSP FW (?) on the PSP, Flash → 2 – BIOS on the CPU]
Source: Motherboard Manual Supermicro H11DSU-iN


$ binwalk -A Supermicro_H11DSU9.715

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
489764        0x77924         ARM instructions, function prologue
489836        0x7796C         ARM instructions, function prologue
489852        0x7797C         ARM instructions, function prologue
489868        0x7798C         ARM instructions, function prologue
489964        0x779EC         ARM instructions, function prologue
489976        0x779F8         ARM instructions, function prologue
[...]
14405063      0xDBCDC7        Intel x86 instructions, nops
14405071      0xDBCDCF        Intel x86 instructions, nops
14405079      0xDBCDD7        Intel x86 instructions, nops
14405087      0xDBCDDF        Intel x86 instructions, nops
14405095      0xDBCDE7        Intel x86 instructions, nops
[...]

FIRMWARE FILE SYSTEM
[Figure: directory layout. Directory header: Magic | Checksum | Count | ?. Entries, one per file: Type | Size | Address | ?. One entry is a pointer to a Secondary Directory with the same layout.]

FIRMWARE FILE SYSTEM
[Figure: file layout. Header (optional) | Body | Signature (optional). Directory entries point to files.]

FIRMWARE FILE SYSTEM
Firmware Entry Table
• FET begins with specific byte sequence (AA55AA55)
• Lists pointers to firmware blobs (e.g. directories) inside the UEFI image
• Earlier versions of the FET are documented in source code of the Coreboot Project
$ psptool Supermicro_H11DSU9.715

+-----------+---------+---------+-------+---------------------+
| Directory | Addr | Type | Magic | Secondary Directory |
+-----------+---------+---------+-------+---------------------+
| 0 | 0x77000 | PSP_NEW | $PSP | 0x149000 |
+-----------+---------+---------+-------+---------------------+
+---+-------+----------+---------+---------------------------------+----------+-------------+------------------------------------+
| | Entry | Address | Size | Type | Magic/ID | Version | Info |
+---+-------+----------+---------+---------------------------------+----------+-------------+------------------------------------+
| | 0 | 0x77400 | 0x240 | AMD_PUBLIC_KEY~0x0 | 1BB9 | | |
| | 1 | 0x149400 | 0xe780 | PSP_FW_BOOT_LOADER~0x1 | $PS1 | [Link] | signed(1BB9), verified |
| | 2 | 0x77700 | 0xe780 | PSP_FW_RECOVERY_BOOT_LOADER~0x3 | $PS1 | FF.7.0.73 | signed(1BB9), verified |
| | 3 | 0x85f00 | 0x1e140 | SMU_OFFCHIP_FW~0x8 | | 4.19.7D.0 | compressed, signed(1BB9), verified |
| | 4 | 0xa4100 | 0x340 | OEM_PSP_FW_PUBLIC_KEY~0xa | 2793 | | |
| | 5 | 0xa4500 | 0x5640 | SMU_OFF_CHIP_FW_2~0x12 | | 4.19.7D.0 | compressed, signed(1BB9), verified |
| | 6 | 0xa9c00 | 0x10 | WRAPPED_IKEK~0x21 | | | |
| | 7 | 0xa9d00 | 0xc00 | SEC_GASKET~0x24 | $PS1 | [Link] | compressed, signed(1BB9), verified |
| | 8 | 0xaa900 | 0xc20 | ABL0~0x30 | 0BAR | [Link] | compressed, signed(2793), verified |
| | 9 | 0xab600 | 0xc020 | ABL1~0x31 | AR1B | [Link] | compressed, signed(2793), verified |
| | 10 | 0xb7700 | 0xb8f0 | ABL2~0x32 | AR2B | [Link] | compressed, signed(2793), verified |
| | 11 | 0xc3000 | 0xde70 | ABL3~0x33 | AR3B | [Link] | compressed, signed(2793), verified |
| | 12 | 0xd0f00 | 0xf1a0 | ABL4~0x34 | AR4B | [Link] | compressed, signed(2793), verified |
| | 13 | 0xe0100 | 0xf0a0 | ABL5~0x35 | AR5B | [Link] | compressed, signed(2793), verified |
| | 14 | 0xef200 | 0xc040 | ABL6~0x36 | AR6B | [Link] | compressed, signed(2793), verified |
| | 15 | 0x149000 | 0x0 | !PL2_SECONDARY_DIRECTORY~0x40 | | | |
+---+-------+----------+---------+---------------------------------+----------+-------------+------------------------------------+

+-----------+----------+-----------+-------+---------------------+
| Directory | Addr | Type | Magic | Secondary Directory |
+-----------+----------+-----------+-------+---------------------+
| 1 | 0x149000 | secondary | $PL2 | -- |
+-----------+----------+-----------+-------+---------------------+
+---+-------+----------+---------+-----------------------------+----------+-------------+------------------------------------+
| | Entry | Address | Size | Type | Magic/ID | Version | Info |
+---+-------+----------+---------+-----------------------------+----------+-------------+------------------------------------+
| | 0 | 0x149400 | 0xe780 | PSP_FW_BOOT_LOADER~0x1 | $PS1 | [Link] | signed(1BB9), verified |
| | 1 | 0x159400 | 0x1e140 | SMU_OFFCHIP_FW~0x8 | | 4.19.7D.0 | compressed, signed(1BB9), verified |
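The FET and directory layout described above, as an added example that is not part of the original slides or of psptool: a small parser run over a constructed flash image. It assumes the coreboot amdfwtool field sizes (16-byte header: magic, checksum, count, reserved; 16-byte entries: type, subprogram, reserved, size, 64-bit address) and a Fletcher-32 checksum over the count field and the entries, since the slides only name the fields; the entry ids and magics are the ones psptool prints above.

```python
import struct

FET_MAGIC = bytes.fromhex("AA55AA55")      # FET marker named on the slides
DIR_MAGICS = (b"$PSP", b"$PL2", b"$BHD")
ENTRY_NAMES = {0x00: "AMD_PUBLIC_KEY", 0x01: "PSP_FW_BOOT_LOADER",
               0x40: "PL2_SECONDARY_DIRECTORY"}   # ids as listed by psptool

def fletcher32(data: bytes) -> int:
    """Fletcher-32 over 16-bit little-endian words (assumed checksum algorithm)."""
    if len(data) % 2:
        data += b"\x00"
    s1 = s2 = 0
    for (w,) in struct.iter_unpack("<H", data):
        s1 = (s1 + w) % 0xFFFF
        s2 = (s2 + s1) % 0xFFFF
    return (s2 << 16) | s1

def parse_directory(image: bytes, off: int):
    """Parse one directory at `off` -> (magic, [(name, addr, size), ...]).
    Each entry is checked against the image size: the kind of bounds check the
    'Own' part of the talk shows the boot loader getting wrong."""
    magic, checksum, count, _reserved = struct.unpack_from("<4sIII", image, off)
    if magic not in DIR_MAGICS:
        raise ValueError(f"no directory magic at {off:#x}")
    if fletcher32(image[off + 8:off + 16 + 16 * count]) != checksum:
        raise ValueError(f"bad checksum for {magic!r} at {off:#x}")
    entries = []
    for i in range(count):
        etype, _sub, _rsvd, size, addr = struct.unpack_from("<BBHIQ", image, off + 16 + 16 * i)
        if addr + size > len(image):
            raise ValueError(f"entry {i} (type {etype:#x}) points outside the image")
        entries.append((ENTRY_NAMES.get(etype, f"UNKNOWN_{etype:#x}"), addr, size))
    return magic, entries

def walk_image(image: bytes) -> dict:
    """Find the FET, follow every word after the marker that lands on a directory
    magic (as psptool does, instead of hard-coding FET field offsets), then follow
    the PL2_SECONDARY_DIRECTORY entry. Returns {magic: entries}."""
    fet = image.find(FET_MAGIC)
    if fet < 0:
        raise ValueError("no Firmware Entry Table")
    found = {}
    for i in range(1, 16):                     # words following the marker
        (ptr,) = struct.unpack_from("<I", image, fet + 4 * i)
        if ptr + 16 <= len(image) and image[ptr:ptr + 4] in DIR_MAGICS:
            magic, entries = parse_directory(image, ptr)
            found[magic] = entries
            for name, addr, _size in entries:
                if name == "PL2_SECONDARY_DIRECTORY":
                    smagic, sentries = parse_directory(image, addr)
                    found[smagic] = sentries
    return found

def build_directory(magic: bytes, entries) -> bytes:
    """Serialise [(type, addr, size), ...] as a directory with a valid checksum."""
    body = struct.pack("<II", len(entries), 0)
    for etype, addr, size in entries:
        body += struct.pack("<BBHIQ", etype, 0, 0, size, addr)
    return magic + struct.pack("<I", fletcher32(body)) + body

def constructed_image() -> bytes:
    """Constructed 128 KiB stand-in for the Supermicro image: FET at 0x1000,
    $PSP directory at 0x2000, $PL2 secondary directory at 0x3000."""
    img = bytearray(b"\xff" * 0x20000)                 # erased flash
    img[0x1000:0x1004] = FET_MAGIC
    img[0x1004:0x1008] = struct.pack("<I", 0x2000)     # pointer to the $PSP directory
    primary = build_directory(b"$PSP", [(0x00, 0x4000, 0x240),    # AMD_PUBLIC_KEY
                                        (0x01, 0x5000, 0xe780),   # PSP_FW_BOOT_LOADER
                                        (0x40, 0x3000, 0)])       # secondary directory
    secondary = build_directory(b"$PL2", [(0x01, 0x5000, 0xe780)])
    img[0x2000:0x2000 + len(primary)] = primary
    img[0x3000:0x3000 + len(secondary)] = secondary
    return bytes(img)
```

Real images carry the physical flash base in their addresses and many more entry types; this model keeps image-relative offsets so the structure stays visible.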
PSPTOOL
• Python-based command-line interface
• Parsing, extraction, manipulation
• Decompression
• Signature verification
• PEM export of keys
• Duplicate detection
• Signature update
• Python API
• GPLv3
The PSP runs code you don’t know and don’t control.
SPI Programming and Tracing
[Figure: a logic analyzer and an SPI programmer attached to the flash chip]
[Figure: captured SPI signals: Chip Select (CS); Chipset (MOSI): Read 0xE20000; SPI Flash (MISO): Data at 0xE20000; Clock (CLK)]
PSPTRACE
• Python-based SPI command parsing
• Correlate file system information
• Aggregate duplicate reads
• Aggregate consecutive reads
• GPLv3

$ psptrace -o Supermicro_SPI_trace.txt Supermicro_H11DSU9.715

+---------+---------------+----------+-----------------------------+
| No.     | Lowest access | Range    | Type                        |
+---------+---------------+----------+-----------------------------+
| 0       | 0xE20000      | 0x000040 | Firmware Entry Table        |
| 41      | 0x077000      | 0x00012a | PSP_DIRECTORY               |
| 112     | 0x077400      | 0x000240 | AMD_PUBLIC_KEY              |
| 181     | 0x149400      | 0x00d780 | PSP_FW_BOOT_LOADER          |
|         |               |          |                             |
|         |               |          | ~ 3415 µs delay ~           |
|         |               |          |                             |
| 7083    | 0x149000      | 0x000180 | PL2_SECONDARY_DIRECTORY     |
|         |               |          |                             |
|         |               |          | ~ 67 µs delay ~             |
|         |               |          |                             |
| 7094    | 0x117000      | 0x000160 | BHD_DIRECTORY               |

[...]
More details on our hardware setups:
Watch our talk from CCCamp19
[Figure: test system, AMD Ryzen 5 Pro 2500U in a Lenovo Thinkpad A285]
Cryptographic protections on files
[Figure: File = Header | Body | Signature]
• Files are protected by a signature
• Header field determines the according PublicKey¹
• AMD Root Public Key for signature checking is loaded from Flash, but protected by hash in ROM

¹ [Link]
Early PSP Boot Procedure
On-Chip Bootloader:
1. Load PSP_DIRECTORY
2. Load AMD_PUBLIC_KEY
3. Verify AMD_PUBLIC_KEY
4. Load PSP_FW_BOOT_LOADER
5. Verify with AMD_PUBLIC_KEY

Off-Chip Bootloader (PSP_FW_BOOT_LOADER):
1. Initialize PSP
2. Load more directories
3. Load and verify applications

The psptrace output maps onto these steps: the reads up to PSP_FW_BOOT_LOADER are the on-chip bootloader's, the directories read after the delay are loaded by the off-chip bootloader.

$ psptrace -o Supermicro_SPI_trace.txt Supermicro_H11DSU9.715

+---------+---------------+----------+-----------------------------+
| No.     | Lowest access | Range    | Type                        |
+---------+---------------+----------+-----------------------------+
| 0       | 0xe20000      | 0x180007 | Firmware Entry Table        |
| 41      | 0x077000      | 0x00012a | PSP_DIRECTORY               |
| 112     | 0x077400      | 0x000240 | AMD_PUBLIC_KEY              |
| 181     | 0x149400      | 0x00d780 | PSP_FW_BOOT_LOADER          |
|         |               |          |                             |
|         |               |          | ~ 3415 µs delay ~           |
|         |               |          |                             |
| 7083    | 0x149000      | 0x000180 | PL2_SECONDARY_DIRECTORY     |
|         |               |          |                             |
|         |               |          | ~ 67 µs delay ~             |
|         |               |          |                             |
| 7094    | 0x117000      | 0x000160 | BHD_DIRECTORY               |
Understand
HOW DEEP DOES THE RABBIT HOLE GO?

ONE PSP TO RULE THEM ALL …
[Figure: CPU0 with CCD 0–3 and CPU1 with CCD 4–7; each CCD holds two CCX of four x86 cores]
• CCX (Core CompleX): Up to 4 x86 cores (8 threads)
• CCD (Core Complex Die): 2 CCX, Memory controller, etc.
• One PSP per CCD (Naples)
• PSP on CCD 0 is the Master
• Master coordinates initial bringup of platform
MEMORY LAYOUT
[Figure: boot chain, Off-Chip Bootloader (PSP_FW_BOOT_LOADER) highlighted]
[Figure: PSP address space]
0x00000000  Header
0x00000100  PSP_FW_BOOTLOADER
0x00013000  Page Tables
0x00015000  App code/data
0x0003D000  App stack memory
0x0003F000  Boot ROM service page
0x00040000  end of SRAM
0x01000000  MMIO mapping space (CCP MMIO, SMN access, X86 memory access, …)
0xFFFFFFFF
• 256KB on chip SRAM
• Code separated in SVC and USR mode parts
• USR mode parts loaded during boot and later on demand (SEV)
BOOT PROCESS
[Figure: On-Chip Bootloader → Off-Chip Bootloader (PSP_FW_BOOT_LOADER) → ABL0, DebugUnlock, SecGasket, ABL1, ABL2, ABL3, ABL4, ABL6, SEV]
• On-Chip Bootloader loads Off-Chip bootloader from flash
• Off-Chip Bootloader loads and executes apps in specific order
• System is initialized by different ABL stages
• SEV app is loaded during runtime upon the request of the OS

THE SYSCALL INTERFACE
[Figure: Hardware ← Off-Chip Bootloader (PSP_FW_BOOT_LOADER) ← App]
76 Syscalls

30 mostly reverse engineered:
• Access SMN
• Access DRAM
• Communicate with PSPs
• Query SMM region
• Busy wait
• Load entries from flash
• Invalidate/Clean PSP memory ranges

28 partly reverse engineered:
• CCP operations
• More inter-PSP communication

18 completely unknown
| Region | Size | WP | MPsp | Offset | RegSz | Description | Register description |
|------------|------|----|------|--------|--------|----------------------------------------------------------------------------------------|----------------------------------|
| 0x0001c880 | 128 | + | - | | | Memory protection slots | |
| | | | | 0x00 | 32bit | Slot 0: Start address of protected region X86PADDR[47:20] + 4 flags | aaaaaaaaaaaaaaaaaaaaaaaaaaaa???? |
| | | | | 0x04 | 32bit | Slot 0: End address (inclusive) of protected region X86PADDR[47:20] + 4 flags | aaaaaaaaaaaaaaaaaaaaaaaaaaaa???? |
| | | | | 0x08 | 32bit | Slot 0: Control register (seen 0x600000a \| 0x6000006) | ???????????????????????????????e |
| | | | | 0x0c | 32bit | Slot 0: Unused/Reserved (no access observed anywhere) | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| | | | | ... | ... | Slot 1 - 7 | ... |

SYSTEM MANAGEMENT NETWORK (SMN)
[Figure: PSP, UMC, SMU and x86 attached to the System Management Network (SMN); further devices marked ?]
• Hidden control network
• Dedicated address space
• PSP maps regions into own address space to access device registers
ENABLE DEBUG OUTPUT
[Figure: boot chain, Off-Chip Bootloader (PSP_FW_BOOT_LOADER) highlighted]

$ strings [Link]
[…]
!!!ATTENTION: Simnow r30138 or later is required for the following
polling loop.
Send following data to slaves:
mixedWithNvdimmInSystem = %x
mixedWithNvdimmInSocket = %04x
mixedWithNvdimmInDie = %08x %08x
--------------------------------------------------------------------------------
Sync Speed Disabled - Gathering Speed Data for single die only
Master: Retrieve debug data from the slaves at debug sync point %04x
[…]

• Lots of interesting debug strings
• SVC 0x6 uses string address as the first argument
• Not implemented in release firmware :(

$ arm-none-eabi-objdump -b binary --adjust-vma 0x16000 -D [Link] -m armv5 -Mforce-thumb | grep -B 5 "svc\t6"
[…]
   2191c:       a0be            add     r0, pc, #760    ; (adr r0, 0x21c18)
   2191e:       df06            svc     6
EXFILTRATING DEBUG OUTPUT
[Figure: Off-Chip Bootloader (PSP_FW_BOOT_LOADER) with SVC 6 injection code, App, SPI bus, SPI flash]
• Problem: No x86 memory available at this time
• Only known/accessible device is SPI flash
• Dump it on the SPI bus without altering flash
• Filter the SPI trace
[…]
MEM PARAMS:
AGESA BL Heap Size : 7800
BottomIo : 0080
MemHoleRemap : 1
LimitBelow1TB : 1
UserTimingMode : 0
MemClockValue : 1200
MemRestoreCtl : 0
SaveMemContextCtl : 1
ExternalVrefCtl : 0
ForceTrainMode : 2
AMP : 0

0x00800F12 (32b)
0x00006031 (32b)
0x00800F12 (32b)
0x00006031 (32b)
ZP DDR4 DRAM Initialization - Phase 2

Mem Phase 2 Start


Start PState Sync
SUCCESS! DDR Phy Initialization
Start DDR Training using PMU

Begin PMU Based DRAM Init and Training


PspBootRomServices:SystemSocketCount: 2
PspBootRomServices:SystemDieCount: 8
PspBootRomServices:DiesPerSocket DieNum: 4
PspBootRomServices:SocketId: 0
PspBootRomServices:PhysDieId: 0

No 'UMCF' singature at FCH BiosRam offset 0


Sending Agesa memory test UMC MCA failure result to slave

[…]

EXPLORING THE SMN DEVICES
[Figure: Master PSP running the Off-Chip Bootloader (PSP_FW_BOOT_LOADER) with the SVC 6 injection code and the PspStub, reached over a PCIe device from the X86 core: Ring 0 [Link]/psp-sev.c, Ring 3 libpspproxy and pypspproxy]
• Replace SEV app with a stub
• Executes requests on a target PSP:
  • Read/Write SMN address
  • Execute syscall
  • Read/Write PSP memory

import pypspproxy;
[…]
proxy = [Link]("/dev/sev");
if [Link]() == 0:
    rc, virtAddr, physAddr = proxy.allocX86Mem(2 * 1024 * 1024);
    if rc == 0:
        […]
        for idCcd in xrange(8):
            [Link](idCcd);
            _, uR0 = [Link](0x28, 0x14, 0x1, 0x0, 0x0);
            [Link](idCcd, 0x1c890, 4, (physAddr >> 20) | 5);
            [Link](idCcd, 0x1c894, 4, physAddr >> 20);
            [Link](idCcd, 0x1c898, 4, 0x600000a);
            _, uR0 = [Link](0x28, 0x14, 0x0, 0x0, 0x0);
PSP EMULATOR
[Figure: the proxy setup with PSPEmu in place of the PSP: Master PSP (Off-Chip Bootloader, SVC 6 injection code, PspStub) ↔ PCIe device ↔ X86 core (Ring 0: [Link]/psp-sev.c, /dev/sev; Ring 3: libpspproxy, AMD sev-tool); PSPEmu runs the SEV App]
• Emulate a PSP using Unicorn engine
• Current state can run SEV app to a certain point

[…]
Mapping SMN address 0x1d700 on CCD 0
>>> SMN read at 0x0211d700
[…]
Syscall 0x33 happened at 0x19e24
R0 > 0x00021e2c | R1 > 0x000024b4 | R2 > 0x00000000 | R3 > 0x00000000
R4 > 0x00000000 | R5 > 0x00021e2c | R6 > 0x000024b4 | R7 > 0x00000007
R8 > 0x0001d4b8 | R9 > 0x0001ca98 | R10> 0x00000000 | R11> 0x00000000
R12> 0x00000000 | SP > 0x00061f00 | LR > 0x0001b727 | PC > 0x00019e26
[…]
Syscall 0x38 happened at 0x19ec0
CCP Request:
PspAddrBufUnk0: 0
cbBufUnk0: 0
dwUnk1: 0x2
PspAddrBufUnk1: 0x619ac
cbBufUnk1: 0x20
PspAddrBufUnk2: 0
dwUnk3: 0
dwUnk4: 0x1
dwUnk5: 0
[…]

Emulator advantages:
• Allows tracing code execution and observe data flow
• Later on maybe provide server functionality on desktop platforms (SEV on Ryzen anyone?)
INTERESTED? HERE IS THE CODE
• Code will be available on [Link]
• Repositories
  • PSPTool: Display, extract, and manipulate firmware images
  • psp-docs: Documentation about hardware interfaces, syscalls
  • psp-includes: Shared interface headers
  • psp-apps: Build your own apps running on the PSP
  • linux: Linux kernel with our modifications
  • libpspproxy: Userspace PSP proxy library for the stub
  • PSPEmu: Unicorn-based PSP emulator
  • sev-tool: AMD's sev-tool with our modifications
Own
PART 1:
BOUNDS CHECKING IS HARD

Attacker Capabilities
[Figure: Directory (Header; entries ID | Address | Size) → File (Header, Body, Signature); one entry points to a Secondary directory with the same structure]
• We cannot manipulate files.
• We can manipulate the directories!
• We can:
  • Add entries
  • Remove entries
  • Change entries
[Figure: the On-Chip Bootloader copies the PSP Directory (Header, AMD_PUBLIC_KEY, …, Second. Directory entries) into the Boot ROM Service Page; the Off-Chip Bootloader (PSP_FW_BOOT_LOADER) then appends the Secondary Directory's entries (ID | Address | Size) behind them. The service page holds max. 64 entries, and the AMD_PUBLIC_KEY is stored directly after them.]

int append_second(void) {
    ...
    if (nr_entries > 64u)   /* 64 entries fit in the Boot ROM Service Page */
        return -1;
    ...
    return 0;
}
BOOT PROCESS
[Figure: On-Chip Bootloader → Off-Chip Bootloader (PSP_FW_BOOT_LOADER) → ABL0, DebugUnlock, SecGasket, ABL1, ABL2, ABL3, ABL4, ABL6, SEV]
• Directory parsing takes place before loading any application.
-> We control the user mode beginning from the first application.
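A model of the bounds check from the "Bounds checking is hard" slides, added here and not taken from the slides or from AMD's firmware. The Boot ROM service page is modelled as 64 entry slots of 16 bytes with the AMD_PUBLIC_KEY (0x240 bytes, the size psptool lists) directly behind them, which is an assumption about the exact layout; append_second_flawed keeps the slide's check, append_second_fixed checks the count the append would produce.

```python
SLOT_SIZE = 16                        # one directory entry, 16 bytes (assumed)
MAX_ENTRIES = 64                      # "Max. 64" on the slide
KEY_SIZE = 0x240                      # AMD_PUBLIC_KEY size from the psptool listing
KEY_OFFSET = MAX_ENTRIES * SLOT_SIZE  # key sits right behind the 64 slots (assumed)

class ServicePage:
    """Boot ROM service page model: 64 entry slots followed by the AMD_PUBLIC_KEY."""
    def __init__(self, key: bytes):
        assert len(key) == KEY_SIZE
        self.buf = bytearray(KEY_OFFSET) + bytearray(key)
        self.nr_entries = 0

    def key(self) -> bytes:
        return bytes(self.buf[KEY_OFFSET:KEY_OFFSET + KEY_SIZE])

    def raw_append(self, entries) -> None:
        """Copy entries into consecutive slots without any check, memcpy-style:
        writes beyond slot 63 land in the key stored behind the slots."""
        for entry in entries:
            off = self.nr_entries * SLOT_SIZE
            self.buf[off:off + SLOT_SIZE] = entry
            self.nr_entries += 1

def append_second_flawed(page: ServicePage, entries) -> int:
    """The check shown on the slide: it rejects a count that is already above
    64 but ignores how many entries are about to be appended."""
    if page.nr_entries > MAX_ENTRIES:
        return -1
    page.raw_append(entries)
    return 0

def append_second_fixed(page: ServicePage, entries) -> int:
    """Check the count the append would produce, before touching the page."""
    if page.nr_entries + len(entries) > MAX_ENTRIES:
        return -1
    page.raw_append(entries)
    return 0

def constructed_entry(tag: int) -> bytes:
    """Constructed 16-byte stand-in for a directory entry."""
    return bytes([tag & 0xFF]) + b"\xee" * (SLOT_SIZE - 1)

def run_scenario(append, primary_count: int = MAX_ENTRIES, secondary_count: int = 2) -> tuple:
    """The primary PSP directory's entries are copied into the page first (in this
    model without a check; the slides show no check for that copy), then the
    secondary directory's entries are appended with `append`.
    Returns (return code of append, whether the AMD_PUBLIC_KEY survived)."""
    key = bytes(range(256)) * 2 + bytes(64)         # 0x240 constructed key bytes
    page = ServicePage(key)
    page.raw_append([constructed_entry(i) for i in range(primary_count)])
    rc = append(page, [constructed_entry(0x80 + i) for i in range(secondary_count)])
    return rc, page.key() == key
```

With a full primary directory the flawed check returns success while the appended entries overwrite the key; the fixed check refuses the append and the key is untouched.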
Own
PART 2:
INPUT VALIDATION IS HARD

BOOT PROCESS
[Figure: On-Chip Bootloader → Off-Chip Bootloader (PSP_FW_BOOT_LOADER) → ABL0, DebugUnlock, SecGasket, ABL1, ABL2, ABL3, ABL4, ABL6, SEV]
• Directory parsing takes place before loading any application. We control the user mode beginning from the first application.
How can we take over the kernel mode?
VIRTUAL ADDRESS SPACE
[Figure: virtual memory from 0x0 to 0xFFF…: Kernel Mode holds PSP_FW_BOOT_LOADER, User Mode holds the Application, …]
User space applications can’t access kernel space memory. The “split” is enforced by the Memory Management Unit.
int copy_from_flash(void* dst, void* src, int size);

[Figure: Flash holds the BIOS Directory (Header; entries ID | Address | Size) and the Application (Header; entries …). Virtual memory holds the CODE and DATA of PSP_FW_BOOT_LOADER, the PAGE TABLES and the Application. A copy driven by a directory entry reaches into the privileged part, marked ?.]
Copy operation into privileged memory.
Attacker controlled data.
Attacker controlled size.
VIRTUAL ADDRESS SPACE
[Figure: the same virtual memory map, now with the whole range marked user-writable]
Overwriting the page tables allows us to declare all memory as user-writable.
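Added example, not from the slides or from AMD's boot loader: the checks a caller of copy_from_flash(dst, src, size) needs before using a size taken from a directory entry, against the SRAM layout from the memory layout slide. That an application body may only land in "App code/data", and the 16 MiB flash size, are assumptions of this model.

```python
SRAM_SIZE = 0x40000                  # 256 KB on-chip SRAM (memory layout slide)
FLASH_SIZE = 16 * 1024 * 1024        # assumed size of the SPI flash image
SRAM_LAYOUT = [                      # (start, end, name) from the memory layout slide
    (0x00000000, 0x00000100, "Header"),
    (0x00000100, 0x00013000, "PSP_FW_BOOTLOADER"),
    (0x00013000, 0x00015000, "Page Tables"),
    (0x00015000, 0x0003D000, "App code/data"),
    (0x0003D000, 0x0003F000, "App stack memory"),
    (0x0003F000, 0x00040000, "Boot ROM service page"),
]
USER_LOADABLE = {"App code/data"}    # assumption: the only legal target for an app body

def regions_touched(dst: int, size: int) -> list:
    """Names of layout regions overlapping [dst, dst + size)."""
    return [name for start, end, name in SRAM_LAYOUT if dst < end and dst + size > start]

def check_copy(dst: int, src: int, size: int) -> tuple:
    """Validate a flash->SRAM copy driven by a directory entry. Returns (ok, reason).
    `size` is the C `int` of the prototype: a value with the top bit set arrives
    negative and is rejected before it is used in any arithmetic."""
    if size <= 0:
        return False, "non-positive size"
    if dst < 0 or dst + size > SRAM_SIZE:
        return False, "destination outside SRAM"
    if src < 0 or src + size > FLASH_SIZE:
        return False, "source outside flash"
    privileged = [r for r in regions_touched(dst, size) if r not in USER_LOADABLE]
    if privileged:
        return False, "would write privileged region(s): " + ", ".join(privileged)
    return True, "ok"

def copy_from_flash(sram: bytearray, flash: bytes, dst: int, src: int, size: int) -> int:
    """Checked copy: -1 and no write on any failed check, 0 on success."""
    ok, _reason = check_copy(dst, src, size)
    if not ok or src + size > len(flash):
        return -1
    sram[dst:dst + size] = flash[src:src + size]
    return 0
```

The rejected cases include a size that would run past the application region into the stack and service page, and a destination that overlaps the page tables the slide above shows being overwritten.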
BOOT PROCESS
[Figure: On-Chip Bootloader → Off-Chip Bootloader (PSP_FW_BOOT_LOADER) → ABL0, DebugUnlock, SecGasket, ABL1, ABL2, ABL3, ABL4, ABL6, SEV]
• Directory parsing takes place before loading any application.
-> We control the user mode beginning from the first application.
-> We control the kernel mode beginning from the first application.
AMD has fixed these issues!

The PSP does not implement roll-back prevention.
We can always re-flash a vulnerable firmware.
Affected Systems
[Figure: file layout Header | Body | Signature; Off-Chip Bootloader (PSP_FW_BOOT_LOADER)]
• Epyc Naples (Zen1)
  • Proven with our setup
• Ryzen 1st gen., Threadripper
  • *probably*
• The rest (Epyc Rome)
  • ???
Is this a (security) issue?
Depends …
• Physical access is required (UEFI flashing)

Issue for:
• Secure boot.
• Trusted Execution Environment.
• Secure Encrypted Virtualization (SEV)
• Paper: Insecure Until Proven Updated
  Buhren, Robert, Christian Werling, and Jean-Pierre Seifert. "Insecure Until Proven Updated: Analyzing AMD SEV's Remote Attestation." Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2019.
This is an opportunity!
Gain more insight into the PSP!
Allows further research on other subsystems
• PSP loads SMU firmware
• PSP allows access to SMM code
• PSP loads UEFI code
UNCOVER, UNDERSTAND, OWN
Regaining Control Over Your AMD CPU

THANK YOU
Christian Werling, Security Research Labs
Alexander Eichner, Technische Universität Berlin
Robert Buhren, Technische Universität Berlin
Security in Telecommunications
Further details
• Github repository: [Link]
• Reverse engineering talk at Camp’19: Dissecting the AMD Platform Security Processor, [Link]
• Cloud security paper at CCS’19: Insecure Until Proven Updated: Analyzing AMD SEV’s Remote Attestation, [Link]
• Linux TEE kernel patches: [Link]
