One Glitch to Rule Them All: Fault Injection Attacks Against the AMD Secure Processor

The presentation discusses various attacks on the AMD Secure Processor (ASP) and the Secure Virtualization (SUV) ecosystem, including compromising the chip endorsement keys and disabling the debug decrypt command.

• Attacks on the ASP and SUV ecosystem can compromise the chip endorsement keys and disable the debug decrypt command
• Replacing the SUV firmware with malicious firmware can disable the remote attestation feature
• The hierarchy of firmware components and versions can tie chip endorsement keys to specific firmware versions
• Compromising the chip endorsement keys breaks the remote attestation feature
• Physical access to the system is required for some attacks

The presentation explains how compromising the chip endorsement keys can allow an attacker to set up a VM on another system and generate a fake attestation report, which can be used to deceive the customer into thinking that the system is secure when it is not.

Today's AMD CPUs contain a dedicated security coprocessor that forms the root of trust of all modern AMD systems, the AMD Secure Processor (AMD-SP), formerly known as Platform Security Processor (PSP). Besides acting as the root of trust, the AMD-SP serves as a trust anchor for security features like AMD's Secure Encrypted Virtualization (SEV) technology or AMD's firmware Trusted Platform Module (fTPM). The AMD-SP is a highly privileged ARM coprocessor integrated into AMD CPUs, and its privileges surpass even those of the lowest ring on the X86 cores.This talk will present a new hardware attack against the AMD SP that allows us to gain code execution on the AMD SPs of Ryzen and Epyc CPUs of all Zen microarchitectures, i.e., Zen 1 Zen 2 Zen 3. By manipulating the input voltage to the AMD SoC, we overcome the firmware verification mechanism of the AMD SP, allowing us to deploy custom payloads directly after the SP's ROM bootloader. In contrast to previous attacks against the AMD-SP, our method does not require the presence of firmware issues. To the best of our knowledge, all AMD CPUs of the Zen microarchitectures are affected. The hardware setup to mount the presented glitching attack is cheap and can be applied easily to new targets. Finally, we will demonstrate how an adversary with physical access to the target host can implant a custom SEV firmware that decrypts SEV-protected VMs.Furthermore, we show how we can extract endorsement keys of SEV-enabled CPUs. These extracted keys allow an attacker to fake attestation reports or pose as a valid target for VM migration without requiring physical access to the target host. We reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement keys to the firmware version of TCB components relevant for SEV. We will show how to derive valid VCEKs for arbitrary firmware versions using secrets extracted from AMD SPs.