Epyc crypto flaw? AMD emits firmware fix for server processors after Googler smashes RAM encryption algorithms

SEV code cracked to leak secret keys

Updated Microchip slinger AMD has issued a firmware patch to fix the encryption in its Secure Encrypted Virtualization technology (SEV), used to defend the memory of Linux KVM virtual machines running on its Epyc processors.

"Through ongoing collaboration with industry researchers AMD became aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behavior," an AMD spokesperson told The Register last night.

"AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk."

SEV isolates guest VMs from one another and from the hypervisor using per-VM encryption keys managed by the AMD Secure Processor. Each guest VM gets its own AES key, which is held by the hardware memory controller and never exposed to the host; the hardware uses it to transparently and automatically encrypt and decrypt the guest's RAM on the fly as it is accessed.

The goal is to securely shield software and data held in memory from the prying eyes and meddling fingers of the host server's administrators, hypervisor, and guests sharing the same box. A guest using SEV to encrypt and decrypt its code and data in RAM should be the only one to do so on a machine: no one else can successfully access it.

The technology allows cloud hosting providers to assure their subscribers that their guest VMs, when running on Epyc-powered servers, cannot be accessed or tampered with by unauthorized parties.

Or it would, were it secure. According to Cfir Cohen, a security researcher with the Google Cloud security team, SEV's implementation of elliptic-curve cryptography (ECC) is flawed. The weak spot is not the AES memory encryption itself but the elliptic-curve Diffie-Hellman exchange the firmware uses to set up a guest's session keys in the first place.

What went wrong

When a guest owner launches a VM, it hands the SEV firmware an elliptic-curve Diffie-Hellman public key. The firmware multiplies that point by its own private scalar, the Platform Diffie-Hellman (PDH) key, to derive a shared secret from which the session keys are derived. The point is supposed to lie on the NIST curve associated with the PDH key. In an invalid curve attack, the attacker supplies a point that lies on a different curve instead. The point-multiplication formulas never use the curve coefficient that distinguishes the two curves, so a firmware that does not check the point carries out the multiplication anyway, and the result leaks information about the private scalar.

"At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware’s private DH scalar," Cohen explained in a disclosure notice on Tuesday. "By collecting enough modular residues, an attacker can recover the complete PDH private key. With the PDH, an attacker can recover the session key and the VM’s launch secret. This breaks the confidentiality guarantees offered by SEV."

Each such point of small prime order reveals only the private scalar modulo that order, so the attacker repeats the query with points of different orders and pieces the residues together offline using the Chinese Remainder Theorem; once the product of the orders exceeds the size of the key, the result is the full PDH private key. We're still investigating exactly how much damage can be done by a rogue guest or administrator armed with these keys; it seemingly was enough for AMD to push out a firmware fix.
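To make the mechanics concrete, here is a toy reconstruction of the attack in Python. It is an added example written for this article, not AMD's firmware or Cohen's proof-of-concept: the 1019-element field, the curve coefficients, the `ToyFirmware` class with its `launch_start_unpatched` and `launch_start_patched` methods, the private scalar 777, and the `invalid_curve_attack`, `crt` and `patched_rejects` helpers are all made-up stand-ins for the real NIST-curve arithmetic. The one thing it shares with the real bug is the structure: the addition formulas never touch the curve coefficient b, the unpatched "firmware" multiplies whatever point it is handed, and each small-order point gives the scalar modulo that order.

```python
# Toy invalid-curve attack against an ECDH "firmware" that skips point validation.
# Added example for this article, not AMD's code: field, curve and key are toy values.
import math
import random

P_MOD = 1019   # toy prime field, p = 3 mod 4 so square roots are cheap; SEV uses a NIST curve


def ec_add(P, Q, a):
    """Short-Weierstrass point addition over GF(P_MOD). The coefficient b never
    appears, which is why unchecked scalar multiplication happily accepts a point
    that lies on a different curve y^2 = x^3 + a*x + b' with the same a."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = point at infinity
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, P, a):
    """Double-and-add scalar multiplication; also b-agnostic."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a)
        P = ec_add(P, P, a)
        k >>= 1
    return R


def is_on_curve(P, a, b):
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % P_MOD == 0


def point_order(P, a):
    n, Q = 1, P
    while Q is not None:
        Q = ec_add(Q, P, a)
        n += 1
    return n


def prime_factors(n):
    out, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            out.add(f)
            n //= f
        f += 1
    if n > 1:
        out.add(n)
    return sorted(out)


def crt(residues, moduli):
    """Chinese Remainder Theorem: combine d mod q_i (pairwise coprime q_i) into d mod prod(q_i)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x


class ToyFirmware:
    """Stand-in for the SEV firmware holding the PDH private scalar d (hypothetical)."""

    def __init__(self, a, b, d):
        self.a, self.b, self.d = a, b, d

    def launch_start_unpatched(self, guest_pub):
        # Vulnerable behaviour: ECDH with whatever point the launch-start blob contained.
        return ec_mul(self.d, guest_pub, self.a)

    def launch_start_patched(self, guest_pub):
        # The fix: refuse any point that is not on the agreed curve before touching d.
        if not is_on_curve(guest_pub, self.a, self.b):
            raise ValueError("ECDH public point is not on the expected curve")
        return ec_mul(self.d, guest_pub, self.a)


def invalid_curve_attack(oracle, a, b, max_order=50, rng=None):
    """Recover d from an oracle that returns d*Q for unchecked Q. Returns (d, oracle queries)."""
    rng = rng or random.Random(0)
    bound = P_MOD + 2 * math.isqrt(P_MOD) + 3        # Hasse bound: every valid scalar is below it
    residues, moduli, queries = [], [], 0
    while math.prod(moduli) <= bound:
        b_bad = rng.randrange(P_MOD)                  # a different curve: same a, different b
        if b_bad == b or (4 * a ** 3 + 27 * b_bad ** 2) % P_MOD == 0:
            continue                                  # skip the real curve and singular curves
        x = rng.randrange(P_MOD)
        rhs = (x ** 3 + a * x + b_bad) % P_MOD
        if rhs == 0 or pow(rhs, (P_MOD - 1) // 2, P_MOD) != 1:
            continue                                  # no point with this x on that curve
        pt = (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))
        m = point_order(pt, a)
        for q in prime_factors(m):
            if q > max_order or q in moduli:
                continue
            Q = ec_mul(m // q, pt, a)                 # a point of small prime order q
            R = oracle(Q)                             # firmware returns d*Q == (d mod q)*Q
            queries += 1
            r = next(k for k in range(q) if ec_mul(k, Q, a) == R)   # tiny discrete log
            residues.append(r)
            moduli.append(q)
    return crt(residues, moduli), queries


def patched_rejects(fw, pt):
    """True if the patched firmware refuses the point."""
    try:
        fw.launch_start_patched(pt)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    fw = ToyFirmware(a=2, b=3, d=777)
    d, n = invalid_curve_attack(fw.launch_start_unpatched, 2, 3)
    print(f"recovered d={d} after {n} launch-start queries")
    print("patched firmware rejects off-curve point:", patched_rejects(fw, (5, 5)))
```

The unpatched oracle gives up the scalar after a handful of launch-start queries; the patched method shows the one check, an on-curve test before any use of the private key, that closes the hole. With a real-sized curve the attacker likewise has to gather small-order points from enough distinct invalid curves for the product of their orders to pass the group order, which is the "collecting enough modular residues" in Cohen's description.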

The flaw, disclosed to AMD in February, affects AMD Epyc servers running SEV firmware version 0.17 build 11 and below. AMD made the firmware update available to hardware partners on June 4 to distribute to customers and installations; it can also be downloaded directly from AMD's website as a .zip. The fix makes the firmware check that a supplied Diffie-Hellman point really lies on the expected NIST curve before it is used with the private key.

According to Cohen's disclosure, PDH certificates created on vulnerable systems remain valid after the patch, and nothing in the certificate distinguishes a key generated on a patched platform from one a vulnerable platform may already have leaked. That could allow a client's VM to be migrated from a patched host to a still-vulnerable one. So updating the firmware is not enough on its own: the platform's PDH key pair should be regenerated once the update is installed, and guests should not be migrated to hosts that have not been updated.

"Certificates for PDH keys generated on a vulnerable system are still valid," said Cohen. "This means SEV might still be vulnerable to a migration attack, where a client’s VM is migrated from a non-vulnerable system to a vulnerable one."

Elliptic curve cryptography dates back to 1985, emerging from the work of Neal Koblitz, professor of mathematics at the University of Washington, and Victor Miller, a mathematician then with IBM. ECC entered widespread use about 15 years ago.

In 2009, the NSA touted the technique, saying ECC has remained strong while other algorithms like RSA and Diffie-Hellman have given ground to attacks. Then in 2015, the NSA reversed course, abandoning its ECC-based Suite B algorithms to push for encryption algorithms better suited to resist the theoretical code-breaking power of future quantum computers. NIST is presently evaluating algorithms for "post-quantum crypto." ®

Updated to add

On the question of whether software or users within guest VMs can exploit this SEV vulnerability to spy on and tamper with other guests, or if you need administrative access on the host to exploit it, a spokesperson for AMD somewhat cryptically told us:

The attacker has to have access to the management interfaces of SEV with sufficient privileges. That may or may not be admin privileges depending on how SEV is being used.

So, depending on the system configuration, anyone who can drive the host's SEV management interface, which normally means the hypervisor and therefore a host administrator or code running with that privilege, could use this cryptography blunder against guests on that box. To be safe, apply the fix.
