exploit the possibilities

AMD Secure Encrypted Virtualization (SEV) Key Recovery

AMD Secure Encrypted Virtualization (SEV) Key Recovery
Posted Jun 26, 2019
Authored by Google Security Research, Cfir Cohen

AMD Secure Encrypted Virtualization (SEV) is a hardware memory encryption feature. SEV protects guest virtual machines from the hypervisor, provides confidentiality guarantees at runtime and remote attestation at launch time. The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH scalar. By collecting enough modular residues, an attacker can recover the complete PDH private key. With the PDH, an attacker can recover the session key and the VM's launch secret. This breaks the confidentiality guarantees offered by SEV.

tags | advisory, remote
advisories | CVE-2019-9836
MD5 | 559575654f299416a1c983c68aaf13ba

AMD Secure Encrypted Virtualization (SEV) Key Recovery

Change Mirror Download
Overview
========
AMD Secure Encrypted Virtualization (SEV) is a hardware memory encryption
feature. SEV protects guest virtual machines from the hypervisor, provides
confidentiality guarantees at runtime and remote attestation at launch
time. See [1] for details. SEV key management code runs inside the Platform
Security Processor (PSP) [2].

The SEV elliptic-curve (ECC) implementation was found to be vulnerable to
an invalid curve attack. At launch-start command, an attacker can send
small order ECC points not on the official NIST curves, and force the SEV
firmware to multiply a small order point by the firmware’s private DH
scalar.

By collecting enough modular residues, an attacker can recover the complete
PDH private key. With the PDH, an attacker can recover the session key and
the VM’s launch secret. This breaks the confidentiality guarantees offered
by SEV.


Key exchange during VM launch
=========================

1. The PSP publishes its PDH public key through SEV_PDH_CERT_EXPORT
command. This key is computed by multiplying the ECC generator (NIST
P256/P384 curves are supported) by the PDH private key: A<-G*k, where k,
the private key, is randomly generated in the range (1, order(G)).


2. The client generates its private DH key, s, and computes the shared key
C<-A*s=G*k*s. C is the shared point on the curve. Its x-coordinate is
hashed and used as the master shared secret. Two keys KEK/KIK are derived
from the master secret, and used to protect (encryption+integrity) the
session keys.


3. The client computes its public key B<-G*s and sends it to the PSP
through the SEV_LAUNCH_START command.


4. The PSP computes the shared key C by multiplying the client’s public key
by its PDH private scalar: C<-B*k=G*s*k. Like the client, the PSP takes C’s
x coordinate, computes the master shared secret and derives the KEK/KIK.
These are used to unwrap the session keys. See API specification [3] for
details.

ECDH security relies on the generator point, G, having a large order and on
the discrete logarithm problem being hard for the curve.

Note that in step 4, the PSP performs a computation with its private key on
user supplied data - the client’s public point.


Invalid curve attack
===============

ECC point multiplication relies on a point addition primitive. There are
different implementations for ECC point addition. A common one is based on
the short Weierstrass ECC form, as described in [4]. Note that the curve’s
"b" equation parameter is never used.

An invalid curve attack is where the ECDH point multiplication is done on a
different curve - different (a,b) parameters. This becomes possible in the
short Weierstrass point addition function since the "b" parameter is not
used. On this curve, the point has a small prime order. By trying all
possible values for the small order point, an attacker can recover the
private scalar bits (modulo the order). The modular residues are assembled
offline using the Chinese Remainder Theorem, leading to a full key
recovery. See the original paper [5] on invalid curve attacks, or a more
recent paper [6] on the topic.


Affected products
=============

AMD EPYC server platforms (codename "Naples") running SEV firmware version
0.17 build 11 and below are affected.


Fix
===

We were able to verify the fix is properly implemented in build 22 [7]: PSP
rejects points not on the NIST curve, and fails with INVALID_CERT error.


Additional issues
=============

Certificates for PDH keys generated on a vulnerable system are still valid.
This means SEV might still be vulnerable to a migration attack, where a
client’s VM is migrated from a non-vulnerable system to a vulnerable one.

In addition, at this point, it is not clear whether SEV is vulnerable to a
FW downgrade attack.


Credits
======


This vulnerability was discovered and reported to AMD by Cfir Cohen of the
Google Cloud security team.


Timeline
=======

2-19 - Vulnerability disclosed to AMD PSIRT
2-23 - AMD confirms the bug
2-25 - POC shared with AMD
5-13 - AMD requests a 30 day extension
6-04 - AMD releases fixed firmware [7]
6-07 - AMD requests a 2 week extension
6-25 - Public disclosure


[1] - https://developer.amd.com/sev/
[2] - https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor
[3] - https://developer.amd.com/wp-content/resources/55766.PDF
[4] - https://www.hyperelliptic.org/EFD/g1p/auto-shortw.html
[5] - https://www.iacr.org/archive/crypto2000/18800131/18800131.pdf
[6] -
http://www.cs.technion.ac.il/~biham/BT/bt-fixed-coordinate-invalid-curve-attack.pdf
[7] -
https://developer.amd.com/wp-content/resources/amd_sev_fam17h_model0xh_0.17b22.zip


Comments (1)

RSS Feed Subscribe to this comment feed
archer064

Thanks for providing the information with this post. Post is very nice! By the way, I want to share with you information about the best.we are providing epson printer repairing services if you are face any problem you can visit our site. <a href="www.epsonprintersupport247.com/epson-l355-wifi-set… l355 wifi setup</a> and more information dial toll free UK: +44-808-164-5280 and USA: +1-888-633-7151

Comment by archer064
2019-07-01 06:20:40 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close