A
new security vulnerability was found within AMD's Secure
Encrypted Virtualization (SEV) to have insecure cryptographic
implementations. The vulnerability was found by Cfir Cohen as part of the Google Cloud security team, and carries the CVE-2019-9836 designation. Fortunately, this vulnerability was addressed by a
firmware update.
What's affected?
AMD EPYC server platforms (codename "Naples") running SEV firmware version 0.17 build 11 and below.
An AMD
representative responded, saying:
"At
AMD, security remains a top priority and we continue to work to
identify any potential risks for our customers. Through ongoing
collaboration with industry researchers AMD became aware that, if using
the user-selectable AMD secure encryption feature on a virtual machine
running the Linux operating system, an encryption key could be
compromised by manipulating the encryption technology's behavior. AMD
released firmware-based cryptography updates to our ecosystem partners
and on the AMD website to remediate this risk."
AMD Secure Encrypted Virtualization (SEV) is a hardware memory encryption feature that protects guest virtual machines from the hypervisor. It does so by providing confidentiality guarantees at run-time and remote attestation at launch. SEV key management code runs inside the Platform
Security Processor (PSP).
The SEV elliptic-curve (ECC) implementation was found to be vulnerable to
an invalid curve attack. At launch-start command, an attacker can send
small order ECC points not on the official NIST curves, and force the SEV
firmware to multiply a small order point by the firmware's private DH
scalar.
By collecting enough modular residues, an attacker can recover the complete
PDH private key. With the PDH, an attacker can recover the session key and
the VM's launch secret. This breaks the confidentiality guarantees offered
by SEV.
AMD has released an update to the firmware which patches this issue. The fix is applied in SEV firmware version 0.17 build 22, which AMD rolled out to its OEM partners for firmware updates on June 4th. AMD also warns users that implemented SEV within their critical systems to reach out to their platform vendors for corresponding updates.