EntrySign also affects AMD Zen 5 processors and jeopardizes microcode verification.


A few weeks ago we reported here on the blog the EntrySign vulnerability, which allows the digital signature verification applied to microcode updates on AMD processors to be bypassed.

Although it initially appeared to be a bug limited to the Zen 1 through Zen 4 generations, it has now been found to extend to chips as recent as the Ryzen 9000, EPYC 9005, Ryzen AI 300 and Ryzen 9000HX. Under certain conditions, the flaw allows the CPU microcode to be modified while bypassing the digital signature verification mechanism, with serious implications for the security of virtualized systems.

The root of the problem lies in the inappropriate use of the CMAC algorithm during microcode validation. AMD traditionally signs the content of these updates with a private RSA key, and a public key included in the patch is used to verify the authenticity of the microcode at load time. However, the hash of that public key, which is supposed to guarantee its integrity, is computed with AES-CMAC, a keyed message authentication code that, unlike a robust cryptographic hash function, offers no collision resistance.

This design, combined with the fact that AMD has used the same key for all of its CPUs since Zen 1, allowed researchers to extract the key from any affected processor and reuse it to manipulate microcode patches on other machines. Remarkably, the key turned out to be the example key published in the NIST SP 800-38B standard, which specifies CMAC, a careless departure from good cryptographic practice.

Fake microcode, valid signatures

Building on this weakness, the researchers generated public keys that produce the same hash as AMD's original key, which allowed them to construct forged patches capable of passing the integrity checks. These collisions are achieved by inserting additional blocks at the end of the microcode, seemingly random but carefully calculated, so that the digital signature still appears valid. The processor's internal behavior can therefore be altered without triggering any alert mechanism.
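The two paragraphs above (the CMAC-as-hash design and the resulting collisions) boil down to one cryptographic fact: a MAC whose key is public is not collision resistant. The added example below, which is not code from the original article or from the EntrySign researchers, shows the simplest instance of that fact on constructed 32-byte blobs, using the well-known fix-up for a two-block CBC-MAC under a known key, and places a SHA-256-based check beside it to show what a collision-resistant digest would have rejected. It assumes the third-party `cryptography` package and uses an arbitrary constructed key, not AMD's.

```python
# Added example: why AES-CMAC under a publicly known key cannot replace a
# collision-resistant hash, shown on constructed data. Needs `cryptography`.
import hashlib
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
# Constructed stand-in for a device-wide key that an attacker could read out.
SHARED_KEY = bytes(range(16))


def aes_cmac(key: bytes, data: bytes) -> bytes:
    c = cmac.CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()


def aes_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with raw AES (the CBC-MAC building block)."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def collide_two_block(key: bytes, original: bytes, new_first: bytes) -> bytes:
    """Return A'||B' with the same AES-CMAC as original A||B.

    For a full final block, CMAC(A||B) = E_K(E_K(A) xor B xor K1). Choosing
    B' = B xor E_K(A) xor E_K(A') makes the chaining value identical, so the
    tag is identical. This only works because K is known to the forger.
    """
    assert len(original) == 2 * BLOCK and len(new_first) == BLOCK
    a, b = original[:BLOCK], original[BLOCK:]
    b_new = xor(b, xor(aes_block(key, a), aes_block(key, new_first)))
    return new_first + b_new


def verify_weak(trusted_tag: bytes, blob: bytes) -> bool:
    """Weak design: 'hash' of the blob is a CMAC under a shared, known key."""
    return aes_cmac(SHARED_KEY, blob) == trusted_tag


def verify_strong(trusted_digest: bytes, blob: bytes) -> bool:
    """Hardened design: a real collision-resistant hash of the blob."""
    return hashlib.sha256(blob).digest() == trusted_digest


def demo() -> dict:
    genuine = b"\x41" * 32                       # constructed "trusted" blob
    forged = collide_two_block(SHARED_KEY, genuine, b"\x5a" * 16)
    return {
        "differs": forged != genuine,
        "weak_accepts_forgery": verify_weak(aes_cmac(SHARED_KEY, genuine), forged),
        "strong_rejects_forgery": not verify_strong(hashlib.sha256(genuine).digest(), forged),
    }
```

Run `demo()` to see the weak check accept the altered blob while the SHA-256 check rejects it; the forged blob differs from the genuine one in both blocks, yet yields the same CMAC tag.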

This work has been facilitated by analysis tools such as Zentool, a set of open-source utilities for studying AMD microcode and preparing modified patches. For this type of attack to be carried out, the attacker must already hold Ring 0 privileges, that is, kernel-level access to the operating system, which in virtualized environments is achievable if the hypervisor is compromised or through insecure configuration of technologies such as VT-x or AMD-V.

Impact on AMD SEV and Secure Virtualization

Beyond microcode manipulation, EntrySign represents a direct threat to AMD SEV (Secure Encrypted Virtualization) and its extension SEV-SNP (Secure Nested Paging), technologies designed to guarantee the integrity and confidentiality of virtual machines even against attacks from the hypervisor or host system. The vulnerability makes it possible to interfere with protected processor registers, modify nested page tables and alter the behavior of guest systems, compromising their security at a fundamental level.

AMD Response and Mitigation Measures

In response, AMD has begun distributing microcode updates that fix the bug, although on systems using SEV-SNP the SEV module firmware must also be updated, which requires a BIOS update. The company has already shipped a new AGESA package, ComboAM5PI 1.2.0.3c, to manufacturers, but it is estimated that final patches could take weeks or even months to reach end users.

In addition, AMD engineers have proposed a patch for the Linux kernel that blocks the loading of unofficial microcode. This measure aims to prevent the spread of third-party modified patches, such as those created by enthusiasts from extracted BIOS fragments. In the meantime, it is strongly recommended to wait for official BIOS updates and to refrain from installing unverified versions.

Finally, if you would like to know more about it, the details are available at the following link.