The microcode of the Zen 2 to Zen 4 processors has been hacked by
security people from Google:

https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking

Apart from breaking getting updates past AMD's signature
verificiation process, they also created a toolbox for
playing around with the microcode. There is also quite
some information on the internal microcode format at https://github.com/google/security-research/blob/master/pocs/cpus/entrysign/zentool/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 18 Apr 2025 21:48:19 +0000, Thomas Koenig wrote:

The microcode of the Zen 2 to Zen 4 processors has been hacked by
security people from Google:

https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking

Apart from breaking getting updates past AMD's signature
verificiation process, they also created a toolbox for
playing around with the microcode. There is also quite
some information on the internal microcode format at https://github.com/google/security-research/blob/master/pocs/cpus/entrysign/zentool/

I was an architect at AMD when we put microcode patching in the chips.
We did understand that the encryption and keys were not sufficiently
strong at that instant in time, and there were other driving factors.

But, I am surprised that it took this long to break (~22 years).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Anton Ertl <[email protected]> schrieb:

[email protected] (MitchAlsup1) writes:

I was an architect at AMD when we put microcode patching in the chips.
We did understand that the encryption and keys were not sufficiently
strong at that instant in time, and there were other driving factors.

But, I am surprised that it took this long to break (~22 years).

I have heard at least one talk (IIRC at 34C3, 35C3, or 36C3) about
patching microcode for some then-older AMD processors (IIRC Phenoms).
They could not do it for then-current AMD CPUs because of the
encryption, so maybe AMD improved the encryption between your time and Zen2-Zen4. But obviously not enough.

They used the default AES key from the original publication :-)

While it's interesting if you can play around with the microcode of
your hardware, the perspective that an attacker might subvert your
hardware at the microcode level is worrying.

Which is why it has a CVE number.

But I liked them modifying the random number instruction so
it always returned 4. Somebody's been reading the classics... https://xkcd.com/221/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

[email protected] (MitchAlsup1) writes:

I was an architect at AMD when we put microcode patching in the chips.
We did understand that the encryption and keys were not sufficiently
strong at that instant in time, and there were other driving factors.

But, I am surprised that it took this long to break (~22 years).

I have heard at least one talk (IIRC at 34C3, 35C3, or 36C3) about
patching microcode for some then-older AMD processors (IIRC Phenoms).
They could not do it for then-current AMD CPUs because of the
encryption, so maybe AMD improved the encryption between your time and Zen2-Zen4. But obviously not enough.

While it's interesting if you can play around with the microcode of
your hardware, the perspective that an attacker might subvert your
hardware at the microcode level is worrying.

- anton
--
'Anyone trying for "industrial quality" ISA should avoid undefined behavior.'
Mitch Alsup, <[email protected]>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)