AMD addresses SEV security vulnerability in Epyc CPUs with firmware update

by Hilbert Hagedoorn on: 06/28/2019 06:51 AM | source: phoronix | 12 comment(s)

A month or so ago. Cfir Cohen, a member of the Google Cloud security team, alerted AMD about a problem with the Secure Encrypted Virtualization (SEV) functionality of the Epyc processors. This vulnerability could allow an attacker to intercept a secret key that could give access to isolated virtual machines.

This specific vulnerability has been patched but did require a firmware update. The update is named CVE-2019-9836 and it is of course strongly recommended to install that update as quickly as possible. The news about the leak was announced after the problem could be identified and resolved, and that's the way it should go.

At AMD, security remains a top priority and we continue to work to identify any potential risks for our customers. Through ongoing collaboration with industry researchers AMD became aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behavior. AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk.

BlackZero
Senior Member

Posts: 8880
Joined: 2007-06-17

#5685156 Posted on: 06/28/2019 07:20 AM

fantaskarsef
Senior Member

Posts: 10937
Joined: 2014-07-21

#5685163 Posted on: 06/28/2019 08:08 AM

Huh...

if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system

Kaarme
Senior Member

Posts: 1669
Joined: 2013-03-10

#5685185 Posted on: 06/28/2019 09:43 AM

IMAGE

What begins? You need to begin a round of updating Epyc servers' firmwares? I guess nobody would be looking forward to such a task, huh.

BlackZero
Senior Member

Posts: 8880
Joined: 2007-06-17

#5685197 Posted on: 06/28/2019 10:21 AM

What begins? You need to begin a round of updating Epyc servers' firmwares? I guess nobody would be looking forward to such a task, huh.

I can't make out what you're trying to say, but I'm glad you tried.

Better than dead silence.

Kaarme
Senior Member

Posts: 1669
Joined: 2013-03-10

#5685215 Posted on: 06/28/2019 12:10 PM

I can't make out what you're trying to say, but I'm glad you tried.

Better than dead silence.

That makes two of us since I also couldn't figure out what it is that you believe will begin.

BlackZero
Senior Member

Posts: 8880
Joined: 2007-06-17

#5685220 Posted on: 06/28/2019 12:25 PM

That makes two of us since I also couldn't figure out what it is that you believe will begin.

What I am trying to say is that I just don't feel comfortable when majorities for a specific idea are formed, and invariably all dissent is assumed to need quashing.

It's just no fun because then the primary purpose of ideas is lost.

schmidtbag
Senior Member

Posts: 4507
Joined: 2012-11-10

#5685253 Posted on: 06/28/2019 02:19 PM

Aside from already being patched, the good news is this is really only an issue for VMs, and from what I can tell, shouldn't really have any impact on performance.

What I am trying to say is that I just don't feel comfortable when majorities for a specific idea are formed, and invariably all dissent is assumed to need quashing.

I don't think even you understood what you said there...

BlackZero
Senior Member

Posts: 8880
Joined: 2007-06-17

#5685275 Posted on: 06/28/2019 03:07 PM

I don't think even you understood what you said there...

Saying it like that felt more appropriate than explaining nepotism.

You're still correct, though. I find having to put thoughts in to specific, expected words can at times remove meaning and effect.

Alessio1989
Senior Member

Posts: 1404
Joined: 2015-06-11

#5685296 Posted on: 06/28/2019 04:44 PM

The fix involves restricting key generation to official NIST curves.

Nothing serious nor performance impacts, the fix simply discard some NIST keys on VM initialization... https://www.theregister.co.uk/2019/06/26/amd-epyc-key-security-flaw/

rl66
Senior Member

Posts: 2174
Joined: 2007-05-31

#5685464 Posted on: 06/29/2019 09:55 AM

Despite i like the image, it doesn't began at all, every CPU (or any computer part) have fail, bug, security issue. (yes even an apple

or a Ryzen

).
it's not new, so patching/update is a good thing, it mean that they are working on it.

rl66
Senior Member

Posts: 2174
Joined: 2007-05-31

#5685465 Posted on: 06/29/2019 10:00 AM

Nothing serious nor performance impacts, the fix simply discard some NIST keys on VM initialization... https://www.theregister.co.uk/2019/06/26/amd-epyc-key-security-flaw/

Security IS serious, and VM is widely used with this kind of CPU.
This is a good point for AMD to work on the pro side of their CPU

Alessio1989
Senior Member

Posts: 1404
Joined: 2015-06-11

#5685468 Posted on: 06/29/2019 10:31 AM

"By collecting enough modular residues, an attacker can recover the complete PDH private key...
..The attacker has to have access to the management interfaces of SEV with sufficient privileges.

It is so serious that it depends only how the Linux VM guest is set regarding the user rights.

"At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware’s private DH scalar,"...
... The fix involves restricting key generation to official NIST curves....

And the fix is easy, they simply discard the ECC values the user may be able to send

"Certificates for PDH keys generated on a vulnerable system are still valid," said Cohen. "This means SEV might still be vulnerable to a migration attack, where a client’s VM is migrated from a non-vulnerable system to a vulnerable one."

The only real bother is this. The fix is regenerate the PDH keys.

Post New Comment

Click here to post a comment for this news story on the message forum.