Developers from the Google Cloud team have identified a vulnerability (CVE-2019-9836) in the implementation of AMD SEV (Secure Encrypted Virtualization) that allows data protected by this technology to be compromised. AMD SEV provides transparent, hardware-level encryption of virtual machine memory: only the current guest system has access to the decrypted data, while other virtual machines and the hypervisor receive only encrypted data when they try to access this memory.
The identified problem makes it possible to fully recover the private PDH key, which is processed inside a separate protected PSP (AMD Security Processor) that is not accessible to the main OS. With the PDH key, an attacker can then recover the session key and the secret sequence specified when the virtual machine was created, and so gain access to the encrypted data.
The vulnerability is caused by flaws in the implementation of the elliptic curve cryptography (ECC) used for encryption, which make it possible to carry out an attack that recovers the curve parameters. While the launch command of a protected virtual machine is executing, the attacker can send curve parameters that do not match those recommended by NIST, which leads to low-order points being used in multiplication operations with private key data.
The security of the ECDH protocol depends directly on the order of the curve's generator point, for which computing the discrete logarithm is a very hard problem. At one of the steps of initializing the AMD SEV environment, parameters obtained from the user are used in calculations with a private key. In essence, a multiplication is performed in which one operand corresponds to the private key and the other is the supplied point. If the supplied point has a small prime order, the attacker can determine the private key modulo that order by enumerating all possible values. The fragments recovered for different small primes can then be combined to determine the private key using the Chinese remainder theorem.
The problem affects AMD EPYC server platforms that use SEV firmware up to version 0.17 build 11. AMD has already published a firmware update that blocks the use of points that do not lie on the NIST curve. However, previously generated certificates for PDH keys remain valid, which allows an attacker to attack the migration of virtual machines from environments protected against the vulnerability to environments still affected by it. The possibility of a rollback attack that reverts the firmware to an old vulnerable release is also mentioned, but this possibility has not yet been confirmed.
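The kind of check the firmware fix describes, rejecting points that are not on the NIST curve before they are multiplied by a private key, is sketched below as an added example; it is not AMD's code. It assumes NIST P-256 with SEC1 uncompressed point encoding, and every function name is hypothetical.

```python
# Added illustration: validate a peer's ECDH public point before it touches a private key.
# Assumptions: NIST P-256, SEC1 uncompressed encoding; all names here are hypothetical.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32


class InvalidPoint(ValueError):
    """Raised when a received point must not be used in ECDH."""


def encode_point(x, y):
    """SEC1 uncompressed form: 0x04 || X || Y."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def parse_point(blob):
    if len(blob) != 1 + 2 * COORD_LEN or blob[0] != 0x04:
        raise InvalidPoint("not an uncompressed P-256 point")
    x = int.from_bytes(blob[1:1 + COORD_LEN], "big")
    y = int.from_bytes(blob[1 + COORD_LEN:], "big")
    return x, y


def validate_point(x, y):
    # Coordinates must be reduced field elements.
    if not (0 <= x < P and 0 <= y < P):
        raise InvalidPoint("coordinate outside the field")
    # The point must satisfy y^2 = x^3 + ax + b over GF(p). The usual addition
    # and doubling formulas do not use b, so without this check an off-curve
    # point is silently processed on a different, possibly weak, curve.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPoint("point is not on the curve")
    # P-256 has cofactor 1: every affine on-curve point has the full prime
    # order, so no separate small-order check is needed for this curve.


def accept_peer_key(blob):
    """Parse and validate; only a point returned from here may be multiplied."""
    x, y = parse_point(blob)
    validate_point(x, y)
    return x, y


if __name__ == "__main__":
    print(accept_peer_key(encode_point(GX, GY)) == (GX, GY))
```

The sample inputs are constructed: the P-256 base point stands in for a legitimate peer key, and any change to one coordinate produces an off-curve point that `accept_peer_key` refuses.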