XFX Radeon RX 5600 XT THICC 3 review
Fractal Design Define 7 XL review
Guru3D Rig of the Month - January 2020
Palit GeForce RTX 2070 SUPER GamingPro review
Team Group T-Force DarkZα 3600 MHz DDR4 review
Corsair Scimitar Elite RGB gaming mouse review
Cougar 700K Evo keyboard review
Aorus Liquid Cooler 360 review
AMD Ryzen Threadripper 3990X review
Corsair A500 CPU air cooler review
AMD addresses SEV security vulnerability in Epyc CPUs with firmware update
A month or so ago. Cfir Cohen, a member of the Google Cloud security team, alerted AMD about a problem with the Secure Encrypted Virtualization (SEV) functionality of the Epyc processors. This vulnerability could allow an attacker to intercept a secret key that could give access to isolated virtual machines.
This specific vulnerability has been patched but did require a firmware update. The update is named CVE-2019-9836 and it is of course strongly recommended to install that update as quickly as possible. The news about the leak was announced after the problem could be identified and resolved, and that's the way it should go.
At AMD, security remains a top priority and we continue to work to identify any potential risks for our customers. Through ongoing collaboration with industry researchers AMD became aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behavior. AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk.
fantaskarsef
Senior Member
Posts: 11262
Joined: 2014-07-21
Senior Member
Posts: 11262
Joined: 2014-07-21
#5685163 Posted on: 06/28/2019 08:08 AM
Huh...
Huh...
if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system
Kaarme
Senior Member
Posts: 1784
Joined: 2013-03-10
Senior Member
Posts: 1784
Joined: 2013-03-10
#5685185 Posted on: 06/28/2019 09:43 AM
What begins? You need to begin a round of updating Epyc servers' firmwares? I guess nobody would be looking forward to such a task, huh.
IMAGE
What begins? You need to begin a round of updating Epyc servers' firmwares? I guess nobody would be looking forward to such a task, huh.
BlackZero
Senior Member
Posts: 8880
Joined: 2007-06-17
Senior Member
Posts: 8880
Joined: 2007-06-17
#5685197 Posted on: 06/28/2019 10:21 AM
I can't make out what you're trying to say, but I'm glad you tried.
Better than dead silence.
What begins? You need to begin a round of updating Epyc servers' firmwares? I guess nobody would be looking forward to such a task, huh.
I can't make out what you're trying to say, but I'm glad you tried.
Better than dead silence.
Kaarme
Senior Member
Posts: 1784
Joined: 2013-03-10
Senior Member
Posts: 1784
Joined: 2013-03-10
#5685215 Posted on: 06/28/2019 12:10 PM
I can't make out what you're trying to say, but I'm glad you tried.
Better than dead silence.
That makes two of us since I also couldn't figure out what it is that you believe will begin.
I can't make out what you're trying to say, but I'm glad you tried.
Better than dead silence.
That makes two of us since I also couldn't figure out what it is that you believe will begin.
BlackZero
Senior Member
Posts: 8880
Joined: 2007-06-17
Senior Member
Posts: 8880
Joined: 2007-06-17
#5685220 Posted on: 06/28/2019 12:25 PM
What I am trying to say is that I just don't feel comfortable when majorities for a specific idea are formed, and invariably all dissent is assumed to need quashing.
It's just no fun because then the primary purpose of ideas is lost.
That makes two of us since I also couldn't figure out what it is that you believe will begin.
What I am trying to say is that I just don't feel comfortable when majorities for a specific idea are formed, and invariably all dissent is assumed to need quashing.
It's just no fun because then the primary purpose of ideas is lost.
schmidtbag
Senior Member
Posts: 4702
Joined: 2012-11-10
Senior Member
Posts: 4702
Joined: 2012-11-10
#5685253 Posted on: 06/28/2019 02:19 PM
Aside from already being patched, the good news is this is really only an issue for VMs, and from what I can tell, shouldn't really have any impact on performance.
I don't think even you understood what you said there...
Aside from already being patched, the good news is this is really only an issue for VMs, and from what I can tell, shouldn't really have any impact on performance.
What I am trying to say is that I just don't feel comfortable when majorities for a specific idea are formed, and invariably all dissent is assumed to need quashing.
I don't think even you understood what you said there...
BlackZero
Senior Member
Posts: 8880
Joined: 2007-06-17
Senior Member
Posts: 8880
Joined: 2007-06-17
#5685275 Posted on: 06/28/2019 03:07 PM
I don't think even you understood what you said there...
Saying it like that felt more appropriate than explaining nepotism.
You're still correct, though. I find having to put thoughts in to specific, expected words can at times remove meaning and effect.
I don't think even you understood what you said there...
Saying it like that felt more appropriate than explaining nepotism.
You're still correct, though. I find having to put thoughts in to specific, expected words can at times remove meaning and effect.
Alessio1989
Senior Member
Posts: 1483
Joined: 2015-06-11
Senior Member
Posts: 1483
Joined: 2015-06-11
#5685296 Posted on: 06/28/2019 04:44 PM
Nothing serious nor performance impacts, the fix simply discard some NIST keys on VM initialization... https://www.theregister.co.uk/2019/06/26/amd-epyc-key-security-flaw/
The fix involves restricting key generation to official NIST curves.
Nothing serious nor performance impacts, the fix simply discard some NIST keys on VM initialization... https://www.theregister.co.uk/2019/06/26/amd-epyc-key-security-flaw/
rl66
Senior Member
Posts: 2288
Joined: 2007-05-31
Senior Member
Posts: 2288
Joined: 2007-05-31
#5685464 Posted on: 06/29/2019 09:55 AM
Despite i like the image, it doesn't began at all, every CPU (or any computer part) have fail, bug, security issue. (yes even an apple
or a Ryzen ).
it's not new, so patching/update is a good thing, it mean that they are working on it.
Despite i like the image, it doesn't began at all, every CPU (or any computer part) have fail, bug, security issue. (yes even an apple
or a Ryzen ).it's not new, so patching/update is a good thing, it mean that they are working on it.
rl66
Senior Member
Posts: 2288
Joined: 2007-05-31
Senior Member
Posts: 2288
Joined: 2007-05-31
#5685465 Posted on: 06/29/2019 10:00 AM
Security IS serious, and VM is widely used with this kind of CPU.
This is a good point for AMD to work on the pro side of their CPU
Nothing serious nor performance impacts, the fix simply discard some NIST keys on VM initialization... https://www.theregister.co.uk/2019/06/26/amd-epyc-key-security-flaw/
Security IS serious, and VM is widely used with this kind of CPU.
This is a good point for AMD to work on the pro side of their CPU
Alessio1989
Senior Member
Posts: 1483
Joined: 2015-06-11
Senior Member
Posts: 1483
Joined: 2015-06-11
#5685468 Posted on: 06/29/2019 10:31 AM
It is so serious that it depends only how the Linux VM guest is set regarding the user rights.
And the fix is easy, they simply discard the ECC values the user may be able to send
The only real bother is this. The fix is regenerate the PDH keys.
"By collecting enough modular residues, an attacker can recover the complete PDH private key...
..The attacker has to have access to the management interfaces of SEV with sufficient privileges.
..The attacker has to have access to the management interfaces of SEV with sufficient privileges.
It is so serious that it depends only how the Linux VM guest is set regarding the user rights.
"At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware’s private DH scalar,"...
... The fix involves restricting key generation to official NIST curves....
... The fix involves restricting key generation to official NIST curves....
And the fix is easy, they simply discard the ECC values the user may be able to send
"Certificates for PDH keys generated on a vulnerable system are still valid," said Cohen. "This means SEV might still be vulnerable to a migration attack, where a client’s VM is migrated from a non-vulnerable system to a vulnerable one."
The only real bother is this. The fix is regenerate the PDH keys.
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 8880
Joined: 2007-06-17