AMD addresses SEV security vulnerability in Epyc CPUs with firmware update

Huh...
[...] if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system [...]
BlackZero:

IMAGE
What begins? You need to begin a round of updating Epyc servers' firmwares? I guess nobody would be looking forward to such a task, huh.
BlackZero:

I can't make out what you're trying to say, but I'm glad you tried. Better than dead silence.
That makes two of us since I also couldn't figure out what it is that you believe will begin.
Aside from already being patched, the good news is this is really only an issue for VMs, and from what I can tell, shouldn't really have any impact on performance.
BlackZero:

What I am trying to say is that I just don't feel comfortable when majorities for a specific idea are formed, and invariably all dissent is assumed to need quashing.
I don't think even you understood what you said there...
Even though I like the image, it doesn't "begin" at all: every CPU (or any computer part) has failures, bugs and security issues (yes, even an Apple 🙂 or a Ryzen 🙂). It's not new, so patching/updating is a good thing; it means they are working on it.
"By collecting enough modular residues, an attacker can recover the complete PDH private key... The attacker has to have access to the management interfaces of SEV with sufficient privileges."
It is so serious that it depends only on how the Linux VM guest is set up regarding user rights.
"At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH scalar"... The fix involves restricting key generation to official NIST curves.
And the fix is easy: they simply discard the ECC values the user may be able to send.
"Certificates for PDH keys generated on a vulnerable system are still valid," said Cohen. "This means SEV might still be vulnerable to a migration attack, where a client's VM is migrated from a non-vulnerable system to a vulnerable one."
The only real bother is this. The fix is to regenerate the PDH keys.