Critical AMD CPU Vulnerability Discovered by Google Researchers Allows Unauthorized Microcode Execution


Google security researchers have released comprehensive details about a major vulnerability discovered in AMD processors. The flaw, named "EntrySign" (CVE-2024-56161), allowed unauthorized microcode execution on AMD's Zen-based CPUs from generations 1 through 4.

The vulnerability exploited weaknesses in AMD's microcode signature verification system, which is designed to protect CPU instruction updates. Modern processors use microcode to implement complex instructions and allow manufacturers to patch hardware bugs without replacing physical components.

Google's team found that AMD had used AES-CMAC, a keyed message authentication code rather than a collision-resistant hash function, as the digest in its signature verification process. More concerning was the discovery that AMD had used an example key taken from NIST documentation across multiple CPU generations; because that key was public, anyone could compute matching digests, making it possible to forge signatures and create unauthorized microcode patches.

To demonstrate the security gap, the researchers developed "zentool", a utility suite capable of examining, creating, signing, and loading custom microcode patches. In their proof of concept, they modified the RDRAND instruction to output a fixed value instead of random numbers.

While exploiting the vulnerability requires kernel-level access and doesn't survive system reboots, it poses potential risks to AMD's confidential computing technologies, including SEV-SNP and DRTM.

AMD has addressed the issue through microcode updates implementing stronger hash functions. The fix includes both a microcode update and an AMD Secure Processor update to prevent validation bypasses.
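The two design choices described above (a keyed MAC under a public key standing in for a hash, and the fix of signing a real cryptographic hash) can be shown side by side. The following is an added example, not code from the Google researchers, from zentool, or from AMD: it models the signature scheme in miniature. A small toy block cipher is constructed in place of AES (it is not secure; only the keyed, invertible block structure that CMAC relies on matters here), `PUBLIC_CMAC_KEY` is a constructed placeholder standing in for any key that has been published in documentation, and an HMAC under a private secret stands in for the vendor's RSA signature so that "only the holder of the secret can sign" holds. The demonstration shows that when the digest is a CMAC under a known key, a tampered message can be completed with one fix-up block so that it carries the same digest and therefore passes under a genuine signature, whereas the same tampering fails once the digest is SHA-256.

```python
import hashlib
import hmac
import random
import secrets

BLOCK = 16

# --- Toy 16-byte block cipher (constructed for this example; NOT secure, stands in for AES) ---
_SBOX = list(range(256))
random.Random(0xC0FFEE).shuffle(_SBOX)          # fixed seed so encrypt/decrypt agree
_INV_SBOX = [0] * 256
for _i, _v in enumerate(_SBOX):
    _INV_SBOX[_v] = _i
_PERM = [(5 * i + 3) % BLOCK for i in range(BLOCK)]   # byte transposition (5 is coprime to 16)
_INV_PERM = [0] * BLOCK
for _i, _p in enumerate(_PERM):
    _INV_PERM[_p] = _i


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed invertible permutation of one 16-byte block: 4 rounds of S-box, transposition, key XOR."""
    state = _xor(block, key)
    for _ in range(4):
        state = bytes(_SBOX[b] for b in state)
        state = bytes(state[_PERM[i]] for i in range(BLOCK))
        state = _xor(state, key)
    return state


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Exact inverse of toy_encrypt; CMAC itself never needs this, the fix-up below does."""
    state = block
    for _ in range(4):
        state = _xor(state, key)
        state = bytes(state[_INV_PERM[i]] for i in range(BLOCK))
        state = bytes(_INV_SBOX[b] for b in state)
    return _xor(state, key)


# --- CMAC (RFC 4493 structure: CBC-MAC with derived subkeys K1/K2) over the toy cipher ---
def _dbl(b: bytes) -> bytes:
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n = (n ^ 0x87) & ((1 << 128) - 1)
    return n.to_bytes(BLOCK, "big")


def cmac(key: bytes, msg: bytes) -> bytes:
    k1 = _dbl(toy_encrypt(key, bytes(BLOCK)))
    k2 = _dbl(k1)
    if msg and len(msg) % BLOCK == 0:                 # complete final block: XOR K1
        body, last = msg[:-BLOCK], _xor(msg[-BLOCK:], k1)
    else:                                             # partial final block: pad 0x80 00.., XOR K2
        padded = msg + b"\x80" + bytes(BLOCK - 1 - len(msg) % BLOCK)
        body, last = padded[:-BLOCK], _xor(padded[-BLOCK:], k2)
    state = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        state = toy_encrypt(key, _xor(state, body[i:i + BLOCK]))
    return toy_encrypt(key, _xor(state, last))


def second_preimage(key: bytes, target_tag: bytes, prefix: bytes) -> bytes:
    """Why a MAC under a *known* key is not a hash: append one block to `prefix` so that
    cmac(key, result) == target_tag. Only the CBC chaining value and one decryption are needed."""
    assert len(prefix) % BLOCK == 0, "prefix must be whole blocks (assumption of this example)"
    k1 = _dbl(toy_encrypt(key, bytes(BLOCK)))
    state = bytes(BLOCK)
    for i in range(0, len(prefix), BLOCK):
        state = toy_encrypt(key, _xor(state, prefix[i:i + BLOCK]))
    fixup = _xor(_xor(toy_decrypt(key, target_tag), state), k1)
    return prefix + fixup


# --- Signature scheme in miniature ---
# Constructed placeholder for a CMAC key that is public knowledge (e.g. copied from documentation).
PUBLIC_CMAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def sign(secret: bytes, digest: bytes) -> bytes:
    """Stand-in for the vendor's private-key signature: only the holder of `secret` can produce it."""
    return hmac.new(secret, digest, "sha256").digest()


def verify(secret: bytes, digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(secret, digest), sig)


def digest_mac_as_hash(patch: bytes) -> bytes:   # weak design: digest = CMAC under a public key
    return cmac(PUBLIC_CMAC_KEY, patch)


def digest_sha256(patch: bytes) -> bytes:        # fixed design: digest = collision-resistant hash
    return hashlib.sha256(patch).digest()


def demo() -> dict:
    secret = secrets.token_bytes(32)             # signer's secret; never given to the forger
    legit = b"GENUINE PATCH (constructed sample)".ljust(64, b"\x00")
    tampered_prefix = b"TAMPERED PATCH (constructed sample)".ljust(48, b"\x00")  # leaves one fix-up block

    # Weak design: a genuine signature over the CMAC digest also covers the fixed-up tampered body.
    sig_weak = sign(secret, digest_mac_as_hash(legit))
    forged = second_preimage(PUBLIC_CMAC_KEY, digest_mac_as_hash(legit), tampered_prefix)
    weak_accepts = verify(secret, digest_mac_as_hash(forged), sig_weak)

    # Fixed design: no known-key shortcut; the tampered body simply fails verification.
    sig_strong = sign(secret, digest_sha256(legit))
    strong_accepts = verify(secret, digest_sha256(forged), sig_strong)

    return {"forged_differs": forged != legit,
            "weak_accepts_forgery": weak_accepts,
            "strong_accepts_forgery": strong_accepts}


if __name__ == "__main__":
    print(demo())   # expected: forged_differs True, weak True, strong False
```

The lesson for anyone reviewing a signature scheme is the one the fix in the article reflects: the digest that gets signed must be a collision-resistant hash (or the MAC key must itself be secret, which a key printed in a standard is not), and a verifier should check the digest algorithm, not just the presence of a signature.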

The research team has made the zentool suite publicly available to support further security research, which could enable new security features and detection techniques.