[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.43,0:00:06.60,Default,,0000,0000,0000,,{\i1}36C3 preroll music{\i0}
Dialogue: 0,0:00:06.60,0:00:12.73,Default,,0000,0000,0000,,{\i1}ominous bubbling, ebbing away{\i0}
Dialogue: 0,0:00:19.88,0:00:26.91,Default,,0000,0000,0000,,Herald: The next talk is called "Uncover,\NUnderstand and Own - Regaining Control
Dialogue: 0,0:00:26.91,0:00:34.26,Default,,0000,0000,0000,,Over Your AMD CPU", and I must say, the\Ndays where your homebrew PC would have
Dialogue: 0,0:00:34.26,0:00:40.65,Default,,0000,0000,0000,,been like one CPU plus a lot of discrete\Nlogic, those days are long, long gone. Now
Dialogue: 0,0:00:40.65,0:00:45.25,Default,,0000,0000,0000,,every single device, probably even this\Nmicrophone, is full of microprocessors.
Dialogue: 0,0:00:45.25,0:00:53.49,Default,,0000,0000,0000,,It's pretty crazy. Robert, Alexander and\NChristian discovered an actual ARM
Dialogue: 0,0:00:53.49,0:01:01.39,Default,,0000,0000,0000,,processor on an AMD CPU, which I find\Nquite mind-boggling; and it actually
Dialogue: 0,0:01:01.39,0:01:06.54,Default,,0000,0000,0000,,includes its own firmware. To talk about\Nthat, I'd like to welcome them onto the
Dialogue: 0,0:01:06.54,0:01:12.58,Default,,0000,0000,0000,,stage. I'm really looking forward to\Nhearing all about this discovery and what
Dialogue: 0,0:01:12.58,0:01:16.36,Default,,0000,0000,0000,,it has for consequences for us. So thank\Nyou very much. Give them a hand!
Dialogue: 0,0:01:16.36,0:01:22.57,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:01:22.57,0:01:26.41,Default,,0000,0000,0000,,Robert Buhren: All right. Thanks. So,\Nbefore we dive into the topic, a quick
Dialogue: 0,0:01:26.41,0:01:32.32,Default,,0000,0000,0000,,introduction. This is Christian and this\Nis Alex, I'm Robert. And the reason why
Dialogue: 0,0:01:32.32,0:01:36.53,Default,,0000,0000,0000,,there are three of us today is, I'm a Ph.D.\Nstudent at the Technische Universität in
Dialogue: 0,0:01:36.53,0:01:42.72,Default,,0000,0000,0000,,Berlin, and beginning of 2018, I was\Nlooking into the Secure Encrypted
Dialogue: 0,0:01:42.72,0:01:47.48,Default,,0000,0000,0000,,Virtualization (SEV) technology from AMD.\NAnd this technology requires a firmware
Dialogue: 0,0:01:47.48,0:01:52.64,Default,,0000,0000,0000,,running on the Secure Processor of AMD.\NAnd that's where Christian came into play
Dialogue: 0,0:01:52.64,0:01:57.10,Default,,0000,0000,0000,,because he was looking for a master's\Nthesis. Now Christian is done with this
Dialogue: 0,0:01:57.10,0:02:03.47,Default,,0000,0000,0000,,thesis, and Alex here kind of took over his\Nwork. But today we're going to explain to
Dialogue: 0,0:02:03.47,0:02:09.69,Default,,0000,0000,0000,,you what the AMD Secure Processor is doing\Nand what we have uncovered. So with that,
Dialogue: 0,0:02:09.69,0:02:17.10,Default,,0000,0000,0000,,I'm going to hand over to Christian.\NChristian Werling: So let's dive right
Dialogue: 0,0:02:17.10,0:02:22.01,Default,,0000,0000,0000,,into our first part of the presentation,\Nwhich is about reverse engineering a
Dialogue: 0,0:02:22.01,0:02:27.95,Default,,0000,0000,0000,,completely unknown subsystem. And when we\Nstarted our research, we had to find out
Dialogue: 0,0:02:27.95,0:02:33.27,Default,,0000,0000,0000,,what the AMD Secure Processor, formerly\Ncalled Platform Security Processor, in
Dialogue: 0,0:02:33.27,0:02:38.22,Default,,0000,0000,0000,,this talk PSP, actually is. And it's a\Ndedicated security subsystem that is
Dialogue: 0,0:02:38.22,0:02:46.95,Default,,0000,0000,0000,,integrated into your AMD CPU both on\Nserver and desktop CPUs. It's an ARM
Dialogue: 0,0:02:46.95,0:02:56.97,Default,,0000,0000,0000,,Cortex-A5 inside your x86 CPU and it's\Nbeen there since around 2013. It runs a so-
Dialogue: 0,0:02:56.97,0:03:05.17,Default,,0000,0000,0000,,called secure OS and a kernel. And it's\Nactually undocumented and proprietary. It
Dialogue: 0,0:03:05.17,0:03:12.34,Default,,0000,0000,0000,,has access to some secure off-chip storage\Nfor the firmware and some data, and
Dialogue: 0,0:03:12.34,0:03:19.76,Default,,0000,0000,0000,,it mainly provides crypto functionality to\Nthe main CPU, as well as, yeah, key
Dialogue: 0,0:03:19.76,0:03:22.60,Default,,0000,0000,0000,,generation and key management\Nfunctionality.
Dialogue: 0,0:03:22.60,0:03:29.40,Default,,0000,0000,0000,,It is required for the early boot. In\Nfact, it's required for Secure Boot, and
Dialogue: 0,0:03:29.40,0:03:37.00,Default,,0000,0000,0000,,it acts as a trust anchor in your\Nsystem. So the PSP is a security
Dialogue: 0,0:03:37.00,0:03:44.78,Default,,0000,0000,0000,,subsystem, so it adds security to our\Nsystem. And that's good, right? You might
Dialogue: 0,0:03:44.78,0:03:49.70,Default,,0000,0000,0000,,notice that this has some similarities\Nwith the Intel Management Engine, which on
Dialogue: 0,0:03:49.70,0:03:56.33,Default,,0000,0000,0000,,this very stage we heard a lot about three\Nhours ago. So let's look into the
Dialogue: 0,0:03:56.33,0:04:04.38,Default,,0000,0000,0000,,applications of this piece of hardware.\NFor that, we need to talk about trust.
Dialogue: 0,0:04:04.38,0:04:11.25,Default,,0000,0000,0000,,One form of trust AMD tackles is what they\Ncall Secure Encrypted Virtualization (SEV).
Dialogue: 0,0:04:11.25,0:04:17.95,Default,,0000,0000,0000,,So you as a cloud customer can be\Nsure that your virtual machine can even
Dialogue: 0,0:04:17.95,0:04:24.21,Default,,0000,0000,0000,,run in an untrusted physical location, for\Nexample, in a data center. The PSP that is
Dialogue: 0,0:04:24.21,0:04:30.76,Default,,0000,0000,0000,,running inside that server CPU acts as a\Nremote, trusted entity for you as a
Dialogue: 0,0:04:30.76,0:04:38.93,Default,,0000,0000,0000,,customer. And it promises you to protect\Nyour memory, your data from the hypervisor
Dialogue: 0,0:04:38.93,0:04:43.62,Default,,0000,0000,0000,,and even from physical access. For\Nexample, through a data center
Dialogue: 0,0:04:43.62,0:04:52.93,Default,,0000,0000,0000,,administrator. The other form of trust\Nthat the PSP tries to establish is now
Dialogue: 0,0:04:52.93,0:05:01.88,Default,,0000,0000,0000,,arriving in the Linux kernel, and that's\Nan API to a trusted execution environment.
Dialogue: 0,0:05:01.88,0:05:08.00,Default,,0000,0000,0000,,What that actually is, is that the PSP\Nacts as a black box inside your system
Dialogue: 0,0:05:08.00,0:05:14.21,Default,,0000,0000,0000,,that is trusted by an external entity. For\Nexample, a content provider like Netflix.
Dialogue: 0,0:05:14.21,0:05:20.81,Default,,0000,0000,0000,,This would enable, for example, digital\Nrights management on an untrusted system
Dialogue: 0,0:05:20.81,0:05:29.19,Default,,0000,0000,0000,,that is your system, like Linux. So to sum\Nthis all up, the PSP runs code that you
Dialogue: 0,0:05:29.19,0:05:35.29,Default,,0000,0000,0000,,don't know and that you don't control. And\Nfirst of all, let's talk about the
Dialogue: 0,0:05:35.29,0:05:45.00,Default,,0000,0000,0000,,knowing. What you see here is a Supermicro\Nmotherboard, a server motherboard, from
Dialogue: 0,0:05:45.00,0:05:49.79,Default,,0000,0000,0000,,the top, and I highlighted three\Ncomponents here which are required or
Dialogue: 0,0:05:49.79,0:05:58.54,Default,,0000,0000,0000,,essential for boot up, of course. That is\Nthe CPU, the disk and so-called SPI flash.
Dialogue: 0,0:05:58.54,0:06:04.23,Default,,0000,0000,0000,,The SPI flash is a simple storage that is\Navailable during early boot. So if you
Dialogue: 0,0:06:04.23,0:06:09.37,Default,,0000,0000,0000,,look at the boot procedure in a simplified\Nmanner, then the CPU will first load the
Dialogue: 0,0:06:09.37,0:06:15.71,Default,,0000,0000,0000,,BIOS from this SPI flash. And only at a\Nlater stage of booting, when the necessary
Dialogue: 0,0:06:15.71,0:06:22.41,Default,,0000,0000,0000,,drivers are at hand, it will be able to\Naccess the hard disk to load the operating
Dialogue: 0,0:06:22.41,0:06:30.42,Default,,0000,0000,0000,,system. Now, as we saw from AMD's\Nmarketing slides, there is the PSP now.
Dialogue: 0,0:06:30.42,0:06:38.81,Default,,0000,0000,0000,,The PSP is actually part of the CPU and\Neven boots before the CPU boots and will
Dialogue: 0,0:06:38.81,0:06:45.64,Default,,0000,0000,0000,,only after successful initialization of\Nthe system release the x86 CPU. So the PSP
Dialogue: 0,0:06:45.64,0:06:52.26,Default,,0000,0000,0000,,firmware is loaded first, and after that,\Nthe boot is proceeding as we know it with
Dialogue: 0,0:06:52.26,0:07:00.29,Default,,0000,0000,0000,,the BIOS and the operating system. So\Nwhere is this PSP firmware coming from?
Dialogue: 0,0:07:00.29,0:07:07.34,Default,,0000,0000,0000,,Well, the BIOS is stored on the just-\Nmentioned SPI flash memory and it contains
Dialogue: 0,0:07:07.34,0:07:12.85,Default,,0000,0000,0000,,all the data and code that is used, of\Ncourse, during boot up. And it is arranged
Dialogue: 0,0:07:12.85,0:07:18.56,Default,,0000,0000,0000,,according to the UEFI image specification.\NSo it's a standardized format. That's
Dialogue: 0,0:07:18.56,0:07:28.47,Default,,0000,0000,0000,,good. So maybe we should have a\Nlook into a Supermicro UEFI update. You
Dialogue: 0,0:07:28.47,0:07:34.72,Default,,0000,0000,0000,,see screenshots from the open source tool,\NUEFITool, which is able to parse the UEFI
Dialogue: 0,0:07:34.72,0:07:40.77,Default,,0000,0000,0000,,image specification. You see information,\Nfor example, like the full size. This is
Dialogue: 0,0:07:40.77,0:07:44.57,Default,,0000,0000,0000,,16 megabytes. That's the traditional,\Nthat's the size of a traditional SPI
Dialogue: 0,0:07:44.57,0:07:53.21,Default,,0000,0000,0000,,flash. And you see several volumes which\Ncontain BIOS code and data. What you can
Dialogue: 0,0:07:53.21,0:07:58.51,Default,,0000,0000,0000,,also spot are two so-called paddings, non-\Nempty paddings. And these are called
Dialogue: 0,0:07:58.51,0:08:04.15,Default,,0000,0000,0000,,paddings by the tool because\Nthey are not part of the UEFI standard.
Dialogue: 0,0:08:04.15,0:08:09.06,Default,,0000,0000,0000,,And we're not able to parse\Nthem with the standardized information
Dialogue: 0,0:08:09.06,0:08:16.85,Default,,0000,0000,0000,,available. So let's use another tool.\NProbably many of you know "binwalk", a
Dialogue: 0,0:08:16.85,0:08:24.19,Default,,0000,0000,0000,,command line tool for extracting firmware\Nfrom images and forensics in general. And
Dialogue: 0,0:08:24.19,0:08:30.08,Default,,0000,0000,0000,,let's look at the machine instructions we\Ncan find in that UEFI update for the
Dialogue: 0,0:08:30.08,0:08:37.22,Default,,0000,0000,0000,,Supermicro board. So the second block you\Nsee are Intel x86 instructions. This is
Dialogue: 0,0:08:37.22,0:08:44.94,Default,,0000,0000,0000,,what we expect, right? It's a BIOS update\Nfor an x86 CPU. So that's not surprising.
Dialogue: 0,0:08:44.94,0:08:51.57,Default,,0000,0000,0000,,What is more surprising are the ARM\Ninstructions. So we might be very close to
Dialogue: 0,0:08:51.57,0:09:03.43,Default,,0000,0000,0000,,the PSP firmware. And what we found out by\Nstaring at bytes in a hex editor a lot is
Dialogue: 0,0:09:03.43,0:09:08.54,Default,,0000,0000,0000,,what we call the firmware file system of\Nthe Platform Security Processor. And the
Dialogue: 0,0:09:08.54,0:09:14.23,Default,,0000,0000,0000,,central data structure in it is the\Ndirectory. A directory starts with a
Dialogue: 0,0:09:14.23,0:09:21.42,Default,,0000,0000,0000,,magic string, in this case, dollar PSP,\Nand it will have a checksum. It will have
Dialogue: 0,0:09:21.42,0:09:27.56,Default,,0000,0000,0000,,a number of elements that it will list and\Na field we don't know. And then with each
Dialogue: 0,0:09:27.56,0:09:35.42,Default,,0000,0000,0000,,line in the screenshot, you will have an\Nentry in this directory. And each entry
Dialogue: 0,0:09:35.42,0:09:42.26,Default,,0000,0000,0000,,has a type and a size and an address where\Nit is located inside that UEFI image. So
Dialogue: 0,0:09:42.26,0:09:47.32,Default,,0000,0000,0000,,the last entry of this directory is a\Nspecial entry. It points to a secondary
Dialogue: 0,0:09:47.32,0:09:56.68,Default,,0000,0000,0000,,directory or that's how we call it. It's a\Ncontinuation of this directory, and each
Dialogue: 0,0:09:56.68,0:10:02.52,Default,,0000,0000,0000,,entry points to something like a file. A\Nfile definitely has a body and it might
Dialogue: 0,0:10:02.52,0:10:08.26,Default,,0000,0000,0000,,have a header and a signature. But I'm\Ngonna go into detail about this in just a
Dialogue: 0,0:10:08.26,0:10:13.39,Default,,0000,0000,0000,,second. So now we just need a reliable\Nentry point to parse this whole firmware
Dialogue: 0,0:10:13.39,0:10:17.75,Default,,0000,0000,0000,,file system, and this is the Firmware\NEntry Table. The Firmware Entry Table
Dialogue: 0,0:10:17.75,0:10:22.50,Default,,0000,0000,0000,,begins with a specific byte sequence,\Nthat's how you can find it. And, it lists
Dialogue: 0,0:10:22.50,0:10:29.31,Default,,0000,0000,0000,,pointers to firmware blobs such as those\Ndirectories inside the UEFI image. Earlier
Dialogue: 0,0:10:29.31,0:10:33.17,Default,,0000,0000,0000,,versions of the Firmware Entry Table are\Ndocumented in source code of the coreboot
Dialogue: 0,0:10:33.17,0:10:37.36,Default,,0000,0000,0000,,project, an open source BIOS\Nimplementation, and that was very helpful
Dialogue: 0,0:10:37.36,0:10:44.68,Default,,0000,0000,0000,,in the beginning of our research. So, to\Nmake use of all that knowledge and all
Dialogue: 0,0:10:44.68,0:10:50.62,Default,,0000,0000,0000,,that staring at bytes here, we developed\N"psptool", a command line utility that is
Dialogue: 0,0:10:50.62,0:11:01.63,Default,,0000,0000,0000,,able to parse any AMD firmware from UEFI\Nupdates such as the Supermicro update. And
Dialogue: 0,0:11:01.63,0:11:06.59,Default,,0000,0000,0000,,in the output you will see something like\Na directory header here, you will find
Dialogue: 0,0:11:06.59,0:11:12.17,Default,,0000,0000,0000,,entries like something called PSP Firmware\NBootloader. You will see that it has a
Dialogue: 0,0:11:12.17,0:11:17.49,Default,,0000,0000,0000,,version, and psptool will even try to\Nfind out whether it's compressed, signed,
Dialogue: 0,0:11:17.49,0:11:25.48,Default,,0000,0000,0000,,will try to verify the signature and so\Non. And, just as a recap here, you can see
Dialogue: 0,0:11:25.48,0:11:29.32,Default,,0000,0000,0000,,that the last entry of this directory\Nactually points to another directory,
Dialogue: 0,0:11:29.32,0:11:35.57,Default,,0000,0000,0000,,which psptool parses for you as well. So\Nin order to enable you to look into the
Dialogue: 0,0:11:35.57,0:11:41.38,Default,,0000,0000,0000,,code that is running on your AMD CPU right\Nnow, psptool is available on GitHub and
Dialogue: 0,0:11:41.38,0:11:50.58,Default,,0000,0000,0000,,you can check it out today. So the PSP\Nruns code we don't know. Well, now it's a
Dialogue: 0,0:11:50.58,0:11:56.18,Default,,0000,0000,0000,,matter of binary analysis to actually find\Nout what it does. Let's talk about the
Dialogue: 0,0:11:56.18,0:12:06.08,Default,,0000,0000,0000,,control. Are we able to alter the firmware\Nto run our own code? For that we had to
Dialogue: 0,0:12:06.08,0:12:13.97,Default,,0000,0000,0000,,play around with hardware, and more\Nspecifically we used an SPI programmer to
Dialogue: 0,0:12:13.97,0:12:21.95,Default,,0000,0000,0000,,flash any arbitrary UEFI image onto the\NSPI flash. After, for example, taking the
Dialogue: 0,0:12:21.95,0:12:27.73,Default,,0000,0000,0000,,original UEFI image and tinkering around\Nwith one byte or one bit we would then try
Dialogue: 0,0:12:27.73,0:12:37.41,Default,,0000,0000,0000,,to boot the system, and in most cases it\Njust wouldn't boot. This was insufficient
Dialogue: 0,0:12:37.41,0:12:42.24,Default,,0000,0000,0000,,because we only had binary output from\Nthese experiments. So we also used the
Dialogue: 0,0:12:42.24,0:12:49.34,Default,,0000,0000,0000,,logic analyzer that you can see in the top\Nof this picture. A logic analyzer is just
Dialogue: 0,0:12:49.34,0:12:54.40,Default,,0000,0000,0000,,an electronic instrument that can capture\Nthe data that runs through the logic
Dialogue: 0,0:12:54.40,0:13:06.03,Default,,0000,0000,0000,,lines. In this case, between the SPI flash\Nand the Supermicro board. So, looking into
Dialogue: 0,0:13:06.03,0:13:16.09,Default,,0000,0000,0000,,a recording of one of our boot procedures\Nwe would now be able to make sense of this
Dialogue: 0,0:13:16.09,0:13:21.59,Default,,0000,0000,0000,,data. So, for example, we can see that the\Nchipset here issues a read command that's
Dialogue: 0,0:13:21.59,0:13:28.24,Default,,0000,0000,0000,,defined by the byte three, and tries to\Nread the address E 2 0 0 0 0 and then the
Dialogue: 0,0:13:28.24,0:13:34.72,Default,,0000,0000,0000,,SPI flash would gladly respond with data\Nat that location. Now you might argue the
Dialogue: 0,0:13:34.72,0:13:38.56,Default,,0000,0000,0000,,data is not that interesting because\Nthat's what we control, that's what we can
Dialogue: 0,0:13:38.56,0:13:43.87,Default,,0000,0000,0000,,program, that's what we can look into with\Npsptool. So what we were more curious
Dialogue: 0,0:13:43.87,0:13:50.96,Default,,0000,0000,0000,,about is the order and timing of the\Nactual accesses. And to make that a bit
Dialogue: 0,0:13:50.96,0:14:00.05,Default,,0000,0000,0000,,more visual we wrote "psptrace". So,\Npsptrace takes such a SPI capture and
Dialogue: 0,0:14:00.05,0:14:09.14,Default,,0000,0000,0000,,correlates it to the output from psptool,\Nand we will get an enumeration of the
Dialogue: 0,0:14:09.14,0:14:15.46,Default,,0000,0000,0000,,specific components of the PSP during\Nboot, and I'll get into detail about this
Dialogue: 0,0:14:15.46,0:14:21.96,Default,,0000,0000,0000,,also in just a second. "psptrace" is\Navailable as part of the psptool
Dialogue: 0,0:14:21.96,0:14:28.63,Default,,0000,0000,0000,,repository. If you're more interested\Nin our hardware setup,
Dialogue: 0,0:14:28.63,0:14:36.43,Default,,0000,0000,0000,,you can check out our talk from the CCCamp\Nearlier this year where we actually had a
Dialogue: 0,0:14:36.43,0:14:42.97,Default,,0000,0000,0000,,Ryzen Pro CPU at hand, and just used a\NLenovo ThinkPad. So that might be more
Dialogue: 0,0:14:42.97,0:14:52.53,Default,,0000,0000,0000,,suitable for your homework. So I want to\Nshare two more insights that we gained
Dialogue: 0,0:14:52.53,0:14:57.81,Default,,0000,0000,0000,,through our experiments in the beginning.\NFirst of all, cryptographic protections on
Dialogue: 0,0:14:57.81,0:15:05.18,Default,,0000,0000,0000,,files. Files are protected by signature\Nand a field in the header determines the
Dialogue: 0,0:15:05.18,0:15:10.34,Default,,0000,0000,0000,,according public key that can be used to\Nverify that signature. And that's what
Dialogue: 0,0:15:10.34,0:15:17.78,Default,,0000,0000,0000,,the PSP does. So there are several keys\Nactually inside the firmware file system,
Dialogue: 0,0:15:17.78,0:15:22.58,Default,,0000,0000,0000,,and then all these keys are signed by the\NAMD root public key which does not have a
Dialogue: 0,0:15:22.58,0:15:32.24,Default,,0000,0000,0000,,trailing signature; but as we found out,\Nafter it is loaded from flash, it will be
Dialogue: 0,0:15:32.24,0:15:37.87,Default,,0000,0000,0000,,compared to a hash in Read Only Memory of\Nthe PSP. So we were not able to alter it
Dialogue: 0,0:15:37.87,0:15:47.04,Default,,0000,0000,0000,,like that. The second insight is how the\Nearly boot procedure of the PSP works.
Dialogue: 0,0:15:47.04,0:15:52.26,Default,,0000,0000,0000,,We have an on-chip bootloader that is\Nburnt into the chip, into the PSP.
Dialogue: 0,0:15:52.26,0:15:55.43,Default,,0000,0000,0000,,We have an off-chip bootloader that is\Nloaded from flash,
Dialogue: 0,0:15:55.43,0:15:59.57,Default,,0000,0000,0000,,and then we have several applications\Nthat are loaded subsequently.
Dialogue: 0,0:15:59.57,0:16:04.13,Default,,0000,0000,0000,,So now let's look a bit more closely at\Nthe output of psptrace.
Dialogue: 0,0:16:04.13,0:16:08.86,Default,,0000,0000,0000,,The first few read\Naccesses are to the firmware entry table,
Dialogue: 0,0:16:08.86,0:16:15.99,Default,,0000,0000,0000,,the global data structure, and then the\Non-chip bootloader will load the PSP
Dialogue: 0,0:16:15.99,0:16:21.30,Default,,0000,0000,0000,,directory, it will load the AMD public\Nkey, and verify it as I just told you by
Dialogue: 0,0:16:21.30,0:16:28.72,Default,,0000,0000,0000,,comparing it to a hash in Read Only\NMemory, it will load the PSP firmware
Dialogue: 0,0:16:28.72,0:16:32.83,Default,,0000,0000,0000,,bootloader. That's what we called the off-\Nchip bootloader. And this one will be
Dialogue: 0,0:16:32.83,0:16:40.96,Default,,0000,0000,0000,,verified with the AMD public key. Then in\Nthe boot trace of psptrace, we see a delay
Dialogue: 0,0:16:40.96,0:16:46.30,Default,,0000,0000,0000,,that's due to some initialization work the\NPSP does, and then it will load more
Dialogue: 0,0:16:46.30,0:16:54.58,Default,,0000,0000,0000,,directories and will load and verify some\Napplications eventually. And with this
Dialogue: 0,0:16:54.58,0:17:00.08,Default,,0000,0000,0000,,rough overview of the boot procedure, I'm\Ngonna hand you over to Alex.
Dialogue: 0,0:17:00.60,0:17:05.90,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:17:06.42,0:17:10.66,Default,,0000,0000,0000,,Alexander Eichner: OK. So now that we\Nuncovered the basic modules of the
Dialogue: 0,0:17:10.66,0:17:14.00,Default,,0000,0000,0000,,firmware, we obviously wanted to gain\Ndeeper knowledge about what these
Dialogue: 0,0:17:14.00,0:17:18.12,Default,,0000,0000,0000,,individual modules do, how the firmware\Nfunctions of the PSP are constructed, what
Dialogue: 0,0:17:18.12,0:17:22.96,Default,,0000,0000,0000,,hardware it provides and how we can\Ninterface it. So in order to do that, we
Dialogue: 0,0:17:22.96,0:17:29.37,Default,,0000,0000,0000,,need to do a quick recap about how AMD\Nstructures the CPU itself. So what you see
Dialogue: 0,0:17:29.37,0:17:34.33,Default,,0000,0000,0000,,here is a little x86 core being able to\Nexecute two threads using simultaneous
Dialogue: 0,0:17:34.33,0:17:39.08,Default,,0000,0000,0000,,multithreading and AMD groups four of\Nthose cores into what they call a Core
Dialogue: 0,0:17:39.08,0:17:45.00,Default,,0000,0000,0000,,CompleX (CCX). It contains up to four\Ncores based on your exact model, and two
Dialogue: 0,0:17:45.00,0:17:50.33,Default,,0000,0000,0000,,of those complexes are put onto a CCD or\NCore Complex Die. That is what AMD also
Dialogue: 0,0:17:50.33,0:17:55.69,Default,,0000,0000,0000,,calls a chiplet. So it's a single silicon\Nchip on your CPU and you have multiple of
Dialogue: 0,0:17:55.69,0:18:02.54,Default,,0000,0000,0000,,those chips on your CPU. Among the two\NCCXs, it contains the memory controller
Dialogue: 0,0:18:02.54,0:18:08.23,Default,,0000,0000,0000,,for the DDR4 memory, PCI Express lanes,\Ncommunication links to communicate with
Dialogue: 0,0:18:08.23,0:18:14.12,Default,,0000,0000,0000,,other CPUs in the system and much more.\NSo, in our setup you saw earlier already,
Dialogue: 0,0:18:14.12,0:18:22.29,Default,,0000,0000,0000,,we had a two-socket system with two CPUs\Nand each of these CPUs had four CCDs. And
Dialogue: 0,0:18:22.29,0:18:29.47,Default,,0000,0000,0000,,now, we have not just one PSP in this\Nwhole system, but up to eight. So each of
Dialogue: 0,0:18:29.47,0:18:35.00,Default,,0000,0000,0000,,these CPUs or each of these little PSPs is\Nactually executing code even before the
Dialogue: 0,0:18:35.00,0:18:43.11,Default,,0000,0000,0000,,x86 cores have executed anything. So AMD\Ncalls the one on CCD 0 the Master PSP, and
Dialogue: 0,0:18:43.11,0:18:48.26,Default,,0000,0000,0000,,all the others are referred to as slaves.\NThe master coordinates the initial bring
Dialogue: 0,0:18:48.26,0:18:52.35,Default,,0000,0000,0000,,up of the platform. So for the whole\Ninitialization, for the memory controllers
Dialogue: 0,0:18:52.35,0:18:59.45,Default,,0000,0000,0000,,and so on and the slaves respond to\Nrequests made by the master PSP. So each
Dialogue: 0,0:18:59.45,0:19:05.08,Default,,0000,0000,0000,,of these PSPs is identical in the system.\NBecause they are 32-bit ARM cores, they
Dialogue: 0,0:19:05.08,0:19:10.44,Default,,0000,0000,0000,,have a 32-bit address space layout. The\Nfirst 256 KiB of this layout are backed by
Dialogue: 0,0:19:10.44,0:19:16.09,Default,,0000,0000,0000,,actual on-chip SRAM. The first, the on-\Nchip bootloader, will load the off-chip
Dialogue: 0,0:19:16.09,0:19:22.20,Default,,0000,0000,0000,,bootloader, "PSP_FW_BOOTLOADER", and\Nplace it into memory where it will be
Dialogue: 0,0:19:22.20,0:19:27.40,Default,,0000,0000,0000,,executed. Among [below] the actual\Nfirmware bootloader, you will also have
Dialogue: 0,0:19:27.40,0:19:31.98,Default,,0000,0000,0000,,the page tables for the MMU. Yes, the PSP\Nalso has an MMU and [is] virtual-memory-
Dialogue: 0,0:19:31.98,0:19:36.76,Default,,0000,0000,0000,,enabled. And the code is separated into a\Nsupervisor, or kernel, mode and the user
Dialogue: 0,0:19:36.76,0:19:43.39,Default,,0000,0000,0000,,mode part. So, the last page you see here\Nis the so-called boot ROM service page. It
Dialogue: 0,0:19:43.39,0:19:47.36,Default,,0000,0000,0000,,contains information about the PSP [that]\Nthe code is currently executing on, like
Dialogue: 0,0:19:47.36,0:19:52.50,Default,,0000,0000,0000,,number of sockets in the system, the\Ncurrent CCD ID where it's executed. It
Dialogue: 0,0:19:52.50,0:19:58.78,Default,,0000,0000,0000,,contains some other things, like number\Nof sockets and so on, and it will become
Dialogue: 0,0:19:58.78,0:20:04.61,Default,,0000,0000,0000,,important later on. Then the off-chip\Nbootloader will call the applications.
Dialogue: 0,0:20:04.61,0:20:08.42,Default,,0000,0000,0000,,They are executed in user mode. They\Ncontain the code and data to bring up the
Dialogue: 0,0:20:08.42,0:20:15.56,Default,,0000,0000,0000,,actual system and they also contain the\Nstack memory. And this is done during the
Dialogue: 0,0:20:15.56,0:20:22.18,Default,,0000,0000,0000,,initial boot-up process by using a fixed\Norder. And later on when the host OS runs,
Dialogue: 0,0:20:22.18,0:20:27.24,Default,,0000,0000,0000,,the application, for example, for the SEV\Nfunctionality will be loaded on demand.
Dialogue: 0,0:20:27.24,0:20:32.81,Default,,0000,0000,0000,,So, the rest of the space there we have\Nto fill is taken up by MMIO.
Dialogue: 0,0:20:32.81,0:20:36.89,Default,,0000,0000,0000,,So, this PSP has its own cryptographic co-\Nprocessor which is not shared with the
Dialogue: 0,0:20:36.89,0:20:43.22,Default,,0000,0000,0000,,x86. You have the hardware registers to\Naccess x86 memory, to access the system
Dialogue: 0,0:20:43.22,0:20:47.31,Default,,0000,0000,0000,,management network (what this is, we will\Ncome to in a bit), and much more [that] we
Dialogue: 0,0:20:47.31,0:20:53.65,Default,,0000,0000,0000,,don't know about right now. So the\Nboot process in detail. So, Christian
Dialogue: 0,0:20:53.65,0:20:57.55,Default,,0000,0000,0000,,already gave you a rough overview how the\Nboot process is done and now we will take
Dialogue: 0,0:20:57.55,0:21:01.21,Default,,0000,0000,0000,,a deeper look into this. So first, of\Ncourse, you have the on-chip bootloader.
Dialogue: 0,0:21:01.21,0:21:05.17,Default,,0000,0000,0000,,It loads the off-chip bootloader from\Nflash and executes it. The off-chip
Dialogue: 0,0:21:05.17,0:21:09.50,Default,,0000,0000,0000,,bootloader will execute and initialize the\NPSP to a bare minimum and then call the
Dialogue: 0,0:21:09.50,0:21:13.01,Default,,0000,0000,0000,,apps. The first ones we have here,\NDebugUnlock and Security Gasket. We have
Dialogue: 0,0:21:13.01,0:21:16.97,Default,,0000,0000,0000,,no idea what they are actually for, but we\Nnamed them after some strings we found in
Dialogue: 0,0:21:16.97,0:21:22.60,Default,,0000,0000,0000,,the binaries themselves. So, the big chunk you\Nsee here is the actual bootstrapping
Dialogue: 0,0:21:22.60,0:21:27.41,Default,,0000,0000,0000,,phase. AMD calls it "AGESA BootLoader"\N(ABL) and it's not just a single binary,
Dialogue: 0,0:21:27.41,0:21:32.22,Default,,0000,0000,0000,,but it hosts a binary which loads binaries\Nfrom the flash furthermore, and then
Dialogue: 0,0:21:32.22,0:21:37.09,Default,,0000,0000,0000,,executes it in a specific order. So, you\Nsee here ABL one, two, three, four and
Dialogue: 0,0:21:37.09,0:21:41.78,Default,,0000,0000,0000,,six. ABL five is used for something like a\Nwarm resume from suspend to RAM, for
Dialogue: 0,0:21:41.78,0:21:48.44,Default,,0000,0000,0000,,example. So, later on, the SEV app is,\Nfor example, loaded if the OS requests a
Dialogue: 0,0:21:48.44,0:21:55.37,Default,,0000,0000,0000,,specific SEV functionality and not before\Nthat. Because we have the separation
Dialogue: 0,0:21:55.37,0:21:58.95,Default,,0000,0000,0000,,between supervisor and user mode, we\Nobviously need a way that the app can
Dialogue: 0,0:21:58.95,0:22:02.94,Default,,0000,0000,0000,,communicate with the off-chip bootloader\Nand that is done using the ARM instruction
Dialogue: 0,0:22:02.94,0:22:09.75,Default,,0000,0000,0000,,"Supervisor Call" or "SVC". So we\Nidentified 76 syscalls in total. We have
Dialogue: 0,0:22:09.75,0:22:14.20,Default,,0000,0000,0000,,mostly reverse-engineered 30 by now. We\Ncan access the x86 memory. We can
Dialogue: 0,0:22:14.20,0:22:18.74,Default,,0000,0000,0000,,communicate with other PSPs in a system.\NWe can load entries from flash and so on.
Dialogue: 0,0:22:18.74,0:22:24.40,Default,,0000,0000,0000,,28 are partly reverse-engineered. Those\Nare mostly CCP operations for RSA public
Dialogue: 0,0:22:24.40,0:22:28.17,Default,,0000,0000,0000,,key verification, AES encryption and so\Non. And there are also more elaborate
Dialogue: 0,0:22:28.17,0:22:32.43,Default,,0000,0000,0000,,functions to communicate with other PSPs\Nwhich are required during the AGESA
Dialogue: 0,0:22:32.43,0:22:37.08,Default,,0000,0000,0000,,BootLoader stage. And then, we have 18\Nleft, and these we don't know about yet
Dialogue: 0,0:22:37.08,0:22:41.94,Default,,0000,0000,0000,,because they are not called at all or\Nthey have exactly one call site and are
Dialogue: 0,0:22:41.94,0:22:45.84,Default,,0000,0000,0000,,non-trivial to reverse-engineer.
Dialogue: 0,0:22:45.84,0:22:48.86,Default,,0000,0000,0000,,So, "System Management Network".\NI already saw on the
Dialogue: 0,0:22:48.86,0:22:52.58,Default,,0000,0000,0000,,slide that there was access SMN.\NIf you Google for "System Management
Dialogue: 0,0:22:52.58,0:22:57.94,Default,,0000,0000,0000,,Network" or SMN, you won't find much\Ninformation about it by AMD or otherwise.
Dialogue: 0,0:22:57.94,0:23:02.19,Default,,0000,0000,0000,,The only reference you may find is code in\Nthe Linux kernel to read out the thermal
Dialogue: 0,0:23:02.19,0:23:06.75,Default,,0000,0000,0000,,sensors on the CPU. So the System\NManagement Network actually is a hidden
Dialogue: 0,0:23:06.75,0:23:11.22,Default,,0000,0000,0000,,control network inside your CPU. Each and\Nevery hardware block which is in there is
Dialogue: 0,0:23:11.22,0:23:16.33,Default,,0000,0000,0000,,connected to it and it is used by the PSP to\Ncontrol and initialize the hardware blocks
Dialogue: 0,0:23:16.33,0:23:21.30,Default,,0000,0000,0000,,during the boot up phase. So it is a\Ndedicated address space, so the PSP can't
Dialogue: 0,0:23:21.30,0:23:26.63,Default,,0000,0000,0000,,directly access it using MMIO\Ninstructions. And we have the PSP there.
Dialogue: 0,0:23:26.63,0:23:30.82,Default,,0000,0000,0000,,We have identified the memory controller,\Nthe System Management Unit, about which there
Dialogue: 0,0:23:30.82,0:23:35.56,Default,,0000,0000,0000,,was a talk I think two years ago at\Nthis very Congress, the x86 cores are
Dialogue: 0,0:23:35.56,0:23:41.36,Default,,0000,0000,0000,,there as well and a lot of other things we\Ndidn't reverse engineer so far. One other
Dialogue: 0,0:23:41.36,0:23:45.91,Default,,0000,0000,0000,,thing. OK. So to access the System\NManagement Network, the PSP has to map a
Dialogue: 0,0:23:45.91,0:23:49.82,Default,,0000,0000,0000,,certain region of the System Management\NNetwork address space into its own address
Dialogue: 0,0:23:49.82,0:23:53.93,Default,,0000,0000,0000,,space and then can access the register,\Nwrite, read and so on. And it has to unmap
Dialogue: 0,0:23:53.93,0:23:58.37,Default,,0000,0000,0000,,it again. And one of the functions we\Nidentified is what we call memory
Dialogue: 0,0:23:58.37,0:24:04.62,Default,,0000,0000,0000,,protection slots. So the PSP has the\Npossibility [stutters] to configure the
Dialogue: 0,0:24:04.62,0:24:09.61,Default,,0000,0000,0000,,memory controller, to revoke access to\Ncertain regions of the DDR4 memory from
Dialogue: 0,0:24:09.61,0:24:14.21,Default,,0000,0000,0000,,the x86 cores. This is done by using three\Nregisters. We have a start register with a
Dialogue: 0,0:24:14.21,0:24:18.45,Default,,0000,0000,0000,,physical start address, an end register to\Ndenote the physical end address of the
Dialogue: 0,0:24:18.45,0:24:22.55,Default,,0000,0000,0000,,region you want to protect, and a control\Nregister where we only know so far the
Dialogue: 0,0:24:22.55,0:24:26.62,Default,,0000,0000,0000,,enable bit to flip it on or off. And what\Nit does is, if the protection is flipped
Dialogue: 0,0:24:26.62,0:24:31.11,Default,,0000,0000,0000,,on, the x86 will only read "all bits\Nset"[?] when it tries to access this
Dialogue: 0,0:24:31.11,0:24:36.32,Default,,0000,0000,0000,,particular region and writes will have no\Neffect on this region as well. And
Dialogue: 0,0:24:36.32,0:24:40.60,Default,,0000,0000,0000,,this is, for example, used for the system\Nmanagement mode UEFI code, and for certain
Dialogue: 0,0:24:40.60,0:24:44.80,Default,,0000,0000,0000,,functionality for the Secure Encrypted\NVirtualization feature of AMD.
Dialogue: 0,0:24:46.96,0:24:50.02,Default,,0000,0000,0000,,So, the next thing we did was running
Dialogue: 0,0:24:50.02,0:24:53.51,Default,,0000,0000,0000,,[the] `strings` [command] over all\Nmodules, obviously. And, what we found
Dialogue: 0,0:24:53.51,0:24:57.52,Default,,0000,0000,0000,,there were a lot of interesting debug\Nstrings and even a lot of format strings.
Dialogue: 0,0:24:57.52,0:25:02.32,Default,,0000,0000,0000,,And, we wanted to know what the values\Nwere during the runtime. So, when we
Dialogue: 0,0:25:02.32,0:25:06.14,Default,,0000,0000,0000,,disassembled the firmware and analyzed it,\Nwe saw that most of these strings were
Dialogue: 0,0:25:06.14,0:25:09.95,Default,,0000,0000,0000,,referenced right before a special call\Ncalled SVC 6, so this must be some sort of
Dialogue: 0,0:25:09.95,0:25:16.26,Default,,0000,0000,0000,,debug print for the PSP. The problem is,\NSVC 6 is not implemented in the release
Dialogue: 0,0:25:16.26,0:25:22.21,Default,,0000,0000,0000,,firmware. So, we had to find another way\Nto gain access to these debug strings. And
Dialogue: 0,0:25:22.21,0:25:28.65,Default,,0000,0000,0000,,this is what I will talk about now. So,\Nthe problem here is, first we need to know
Dialogue: 0,0:25:28.65,0:25:34.77,Default,,0000,0000,0000,,where we want to store these debug strings,\Nand we don't have any x86 memory available
Dialogue: 0,0:25:34.77,0:25:39.03,Default,,0000,0000,0000,,at this time in the process. So we need to\Nfind another device or buffer where you
Dialogue: 0,0:25:39.03,0:25:44.93,Default,,0000,0000,0000,,can store it for later use. But, the only\Ndevice we did know about at this time was
Dialogue: 0,0:25:44.93,0:25:50.67,Default,,0000,0000,0000,,the SPI flash. Luckily for us, writing into\Nthis SPI flash area from the PSP
Dialogue: 0,0:25:50.67,0:25:57.56,Default,,0000,0000,0000,,generated the necessary bus cycles on the\NSPI bus, without altering the flash.
Then Dialogue: 0,0:25:57.56,0:26:02.03,Default,,0000,0000,0000,,we need a code execution on the PSP to\Ninject our own SVC handler. And how we Dialogue: 0,0:26:02.03,0:26:05.85,Default,,0000,0000,0000,,gained code execution, Robert will talk\Nabout in the third part of this talk. But Dialogue: 0,0:26:05.85,0:26:09.56,Default,,0000,0000,0000,,for now, we assume that we have code\Nexecution on the PSP already, can inject Dialogue: 0,0:26:09.56,0:26:16.54,Default,,0000,0000,0000,,our own SVC 6 handler and then leave, let\Nit run. So the app will call SVC 6, it Dialogue: 0,0:26:16.54,0:26:20.18,Default,,0000,0000,0000,,will be forwarded on to the SPI bus where\Nwe can collect it with our already Dialogue: 0,0:26:20.18,0:26:25.76,Default,,0000,0000,0000,,existing setup. [We] use a tool to filter\Nthe debug strings from the rest of the Dialogue: 0,0:26:25.76,0:26:30.61,Default,,0000,0000,0000,,traffic on the SPI bus [that] we don't\Nwant to have [...] in the debug output and Dialogue: 0,0:26:30.61,0:26:38.86,Default,,0000,0000,0000,,then hopefully get a raw PSP log. And we\Nhad success with that. So what you see Dialogue: 0,0:26:38.86,0:26:43.79,Default,,0000,0000,0000,,here is the initial boot-up or the very\Nfirst stage of the boot-up state. The logs Dialogue: 0,0:26:43.79,0:26:49.17,Default,,0000,0000,0000,,are several megabytes long and we didn't\Nhave the chance to go through all of them. Dialogue: 0,0:26:49.17,0:26:57.01,Default,,0000,0000,0000,,So, there is a lot of interesting stuff\Nhiding there already. Dialogue: 0,0:26:57.01,0:27:05.44,Default,,0000,0000,0000,,{\i1}applause{\i0}\NSo, the next step was to explore what is Dialogue: 0,0:27:05.44,0:27:09.51,Default,,0000,0000,0000,,hidden inside the System Management\NNetwork. 
And we didn't want to always Dialogue: 0,0:27:09.51,0:27:13.43,Default,,0000,0000,0000,,reflash the whole system all the time and\Nwrite code for it, debug, because that is Dialogue: 0,0:27:13.43,0:27:20.67,Default,,0000,0000,0000,,error prone and tedious. So we created our\Nown setup where we could dynamically use Dialogue: 0,0:27:20.67,0:27:25.28,Default,,0000,0000,0000,,the x86 calls on the system to write and\Nread from the System Management Network. Dialogue: 0,0:27:25.28,0:27:29.61,Default,,0000,0000,0000,,For that, we replaced the SEV app with a\Nstub and the stub provides three Dialogue: 0,0:27:29.61,0:27:33.43,Default,,0000,0000,0000,,primitives. We can read-write a System\NManagement Network address, we can execute Dialogue: 0,0:27:33.43,0:27:37.85,Default,,0000,0000,0000,,an arbitrary syscall from the off-chip\Nbootloader and we can read-write general Dialogue: 0,0:27:37.85,0:27:45.29,Default,,0000,0000,0000,,PSP memory. And because the PSP is exposed\Nas a separate PCIe device to the x86, we Dialogue: 0,0:27:45.29,0:27:49.65,Default,,0000,0000,0000,,use the existing Linux kernel driver and\Nmodified it to expose these requests to Dialogue: 0,0:27:49.65,0:27:53.85,Default,,0000,0000,0000,,user land, where we created a user space\Nlibrary wrapper and some Python bindings. Dialogue: 0,0:27:53.85,0:27:58.97,Default,,0000,0000,0000,,And with that we were able to use a Python\Nshell to dynamically read, write Dialogue: 0,0:27:58.97,0:28:02.86,Default,,0000,0000,0000,,registers, headers, spurious reboot in\Nbetween if you did the wrong thing, but Dialogue: 0,0:28:02.86,0:28:06.92,Default,,0000,0000,0000,,could start over very quickly. So what you\Nsee here in the code snippet is, what we Dialogue: 0,0:28:06.92,0:28:12.48,Default,,0000,0000,0000,,did to discover what these memory\Nprotection slots where about. 
You can see Dialogue: 0,0:28:12.48,0:28:16.48,Default,,0000,0000,0000,,that we call an syscall handler, that we\Nwrite some System Management Network Dialogue: 0,0:28:16.48,0:28:20.89,Default,,0000,0000,0000,,address and so on. And we do it for all\Nthe different PSPs in the system, so the Dialogue: 0,0:28:20.89,0:28:25.55,Default,,0000,0000,0000,,master PSP can also forward these requests\Nto all of the other PSPs in the whole Dialogue: 0,0:28:25.55,0:28:34.22,Default,,0000,0000,0000,,system. Next thing, we wanted to also\Nanalyze the SEV app further and see how Dialogue: 0,0:28:34.22,0:28:39.60,Default,,0000,0000,0000,,the code is executed and how the data\Nflows in this SEV app. But because we Dialogue: 0,0:28:39.60,0:28:43.73,Default,,0000,0000,0000,,already had a PSP stub running there and\Ncouldn't share it on the PSP, we had to Dialogue: 0,0:28:43.73,0:28:48.73,Default,,0000,0000,0000,,find another method. And we created a PSP\Nemulator for that and using our Dialogue: 0,0:28:48.73,0:28:55.01,Default,,0000,0000,0000,,libpspproxy to forward requests onto the\NPSP. So the current state can run the SEV Dialogue: 0,0:28:55.01,0:29:00.89,Default,,0000,0000,0000,,app to a certain point and we are still\Nactively developing that. So, that started Dialogue: 0,0:29:00.89,0:29:08.55,Default,,0000,0000,0000,,a few weeks ago, and this will continue in\Nthe development. So, what it does is, what Dialogue: 0,0:29:08.55,0:29:12.59,Default,,0000,0000,0000,,you see here is the AMD sev-tool to manage\Nthe host and configure all the keys and Dialogue: 0,0:29:12.59,0:29:16.32,Default,,0000,0000,0000,,certificates on the system. And we\Nmodified the Linux kernel driver to Dialogue: 0,0:29:16.32,0:29:21.04,Default,,0000,0000,0000,,reroute these requests out to our own PSP\Nemulator running in user space, which is Dialogue: 0,0:29:21.04,0:29:25.20,Default,,0000,0000,0000,,based on the unicorn engine. 
Any hardware\Naccess, because we don't know much about Dialogue: 0,0:29:25.20,0:29:29.45,Default,,0000,0000,0000,,the hardware yet, is forwarded to the real\NPSP, results are collected, and when the Dialogue: 0,0:29:29.45,0:29:35.08,Default,,0000,0000,0000,,SEV app finishes, it will return the\Nresult back to the AMD sev-tool. And with Dialogue: 0,0:29:35.08,0:29:39.58,Default,,0000,0000,0000,,that we are able to execute some of the\Nrequests the SEV app implements Dialogue: 0,0:29:39.58,0:29:46.13,Default,,0000,0000,0000,,successfully so far. Yeah. What you see\Nhere is a small snippet from one of the Dialogue: 0,0:29:46.13,0:29:50.60,Default,,0000,0000,0000,,traces. You can see a syscall being made.\NIt's a CCP request. We don't know Dialogue: 0,0:29:50.60,0:29:55.45,Default,,0000,0000,0000,,exactly how the arguments are used by now.\NThat's why there's a lot of unknown stuff, Dialogue: 0,0:29:55.45,0:29:59.99,Default,,0000,0000,0000,,but this will aid us in development. And\Nfurthermore, in addition to allowing a Dialogue: 0,0:29:59.99,0:30:04.07,Default,,0000,0000,0000,,tracing code execution and observe the\Ndata flow, we later on may be able to Dialogue: 0,0:30:04.07,0:30:08.24,Default,,0000,0000,0000,,provide functionality which is currently\Nonly available on the EPYC server platform Dialogue: 0,0:30:08.24,0:30:12.60,Default,,0000,0000,0000,,from AMD, like Secure Encrypted Virtual\Nmachine. The problem here is we don't know Dialogue: 0,0:30:12.60,0:30:16.20,Default,,0000,0000,0000,,yet if all the hardware is there which is\Nsupported, and whether it's only a Dialogue: 0,0:30:16.20,0:30:18.41,Default,,0000,0000,0000,,firmware limitation by AMD. Dialogue: 0,0:30:20.77,0:30:24.80,Default,,0000,0000,0000,,If you're interested, the code is here\Non the repository, Dialogue: 0,0:30:24.80,0:30:27.98,Default,,0000,0000,0000,,it will be made available in\Nthe next few days. 
We have a number of Dialogue: 0,0:30:27.98,0:30:32.63,Default,,0000,0000,0000,,repositories available. You already saw\NPSPTool. We have some repository where we Dialogue: 0,0:30:32.63,0:30:36.55,Default,,0000,0000,0000,,collect documentation about hardware\Ninterfaces, syscalls and so on. We have Dialogue: 0,0:30:36.55,0:30:41.64,Default,,0000,0000,0000,,our PSP emulator there and also the psp-\Napps repository, if you want to dive into Dialogue: 0,0:30:41.64,0:30:47.11,Default,,0000,0000,0000,,writing your own apps for the PSP. And\Nwith that I will hand over to Robert, who Dialogue: 0,0:30:47.11,0:30:51.87,Default,,0000,0000,0000,,will talk about how we gained code\Nexecution on the PSP itself. Dialogue: 0,0:30:51.87,0:30:59.11,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:30:59.11,0:31:02.20,Default,,0000,0000,0000,,Robert: OK, so for everything that Alex\Ntalked about, Dialogue: 0,0:31:02.20,0:31:15.16,Default,,0000,0000,0000,,we need code execution on the PSP.\N… [inaudible]. Mike? Better? All right. Dialogue: 0,0:31:15.16,0:31:22.18,Default,,0000,0000,0000,,So, this part of owning the PSP is again\Nsplit into two parts. Now, Christian Dialogue: 0,0:31:22.18,0:31:27.18,Default,,0000,0000,0000,,already talked about the firmware and the\NSPI flash. So, this is something we can Dialogue: 0,0:31:27.18,0:31:31.11,Default,,0000,0000,0000,,control because we have physical access to\Nthe device. We can flash everything we Dialogue: 0,0:31:31.11,0:31:36.91,Default,,0000,0000,0000,,want. So, what can we do with that? So, on\Nthe SPI flash, we have these directories Dialogue: 0,0:31:36.91,0:31:41.77,Default,,0000,0000,0000,,which have a header and entries and an\Nentry is actually compromised (composed) Dialogue: 0,0:31:41.77,0:31:48.07,Default,,0000,0000,0000,,of an ID, an address and a size. We've\Ntalked about files. So an entry could be a Dialogue: 0,0:31:48.07,0:31:54.42,Default,,0000,0000,0000,,reference to a file. 
And, we also talked\Nabout these secondary directories. So, an Dialogue: 0,0:31:54.42,0:31:59.44,Default,,0000,0000,0000,,entry could refer to another directory.\NNow, if you look at the files you see that Dialogue: 0,0:31:59.44,0:32:04.24,Default,,0000,0000,0000,,they have a signature usually. So, we\Ncannot manipulate those files directly. If Dialogue: 0,0:32:04.24,0:32:08.04,Default,,0000,0000,0000,,we touch them, this will be noticed and\Nthey won't be loaded and the system will Dialogue: 0,0:32:08.04,0:32:13.62,Default,,0000,0000,0000,,immediately reboot. Now, what we can\Nmanipulate is the directories themselves, Dialogue: 0,0:32:13.62,0:32:19.40,Default,,0000,0000,0000,,because they are not protected at all. So,\Nspecifically, what we can do is, we can, Dialogue: 0,0:32:19.40,0:32:24.73,Default,,0000,0000,0000,,for example, add additional entries. These\Nentries might point to the same files. Dialogue: 0,0:32:24.73,0:32:29.26,Default,,0000,0000,0000,,That doesn't matter. We can add entries.\NWhat we also can do is, we can remove some Dialogue: 0,0:32:29.26,0:32:35.86,Default,,0000,0000,0000,,of those entries or we can change entries.\NSo, for example, this reference to the Dialogue: 0,0:32:35.86,0:32:40.68,Default,,0000,0000,0000,,secondary directory, this has a size\Nparameter. Right. And this size refers to Dialogue: 0,0:32:40.68,0:32:44.48,Default,,0000,0000,0000,,the size of that directory. And actually,\Nwhat we can do is, we can change that Dialogue: 0,0:32:44.48,0:32:49.23,Default,,0000,0000,0000,,size. So we can make the directory appear\Nto be smaller without removing any of Dialogue: 0,0:32:49.23,0:32:57.14,Default,,0000,0000,0000,,those entries. Now, during boot, this PSP\Ndirectory, that Christian already talked Dialogue: 0,0:32:57.14,0:33:03.16,Default,,0000,0000,0000,,about, is parsed. 
So this PSP directory\Ncontains, among other things, the Dialogue: 0,0:33:03.16,0:33:07.29,Default,,0000,0000,0000,,reference to the AMD public key, which is\Nused to authenticate all the applications Dialogue: 0,0:33:07.29,0:33:12.84,Default,,0000,0000,0000,,which are loaded. Now, this directory also\Nhas a secondary directory. The content is Dialogue: 0,0:33:12.84,0:33:18.89,Default,,0000,0000,0000,,not really relevant here. So the on-chip\Nbootloader that executes first will set up Dialogue: 0,0:33:18.89,0:33:23.68,Default,,0000,0000,0000,,this boot ROM service page that Alex\Ntalked about. And this boot ROM service Dialogue: 0,0:33:23.68,0:33:31.90,Default,,0000,0000,0000,,page contains a copy of those directory\Nentries, just for the first directory. And Dialogue: 0,0:33:31.90,0:33:36.27,Default,,0000,0000,0000,,also the on-chip bootloader will copy the\NAMD public key itself to the boot room Dialogue: 0,0:33:36.27,0:33:42.53,Default,,0000,0000,0000,,service page. So it only copies the AMD\Npublic key if it's been verified before. Dialogue: 0,0:33:42.53,0:33:47.58,Default,,0000,0000,0000,,OK. So now this boot room service page\Ncontains this AMD public key and this Dialogue: 0,0:33:47.58,0:33:54.05,Default,,0000,0000,0000,,public key in memory is from then on used\Nto authenticate applications. So the off- Dialogue: 0,0:33:54.05,0:33:59.92,Default,,0000,0000,0000,,chip bootloader, which executes later,\Nwill use that boot ROM service page and Dialogue: 0,0:33:59.92,0:34:05.07,Default,,0000,0000,0000,,will extend it. Specifically, it will copy\Nthe entries of the secondary directory to Dialogue: 0,0:34:05.07,0:34:10.91,Default,,0000,0000,0000,,that boot ROM service page. So I guess you\Ncan already see where this is going. 
Dialogue: 0,0:34:10.91,0:34:16.42,Default,,0000,0000,0000,,So, what could possibly go wrong here?\N{\i1}Laughter{\i0} Dialogue: 0,0:34:16.42,0:34:20.70,Default,,0000,0000,0000,,Well, we have space for 64 entries here.\NAnd if Dialogue: 0,0:34:20.70,0:34:26.53,Default,,0000,0000,0000,,we write more entries to that page, we'll\Nhit the AMD public key. So the off-chip Dialogue: 0,0:34:26.53,0:34:32.31,Default,,0000,0000,0000,,bootloader should better check that we\Nonly copy at most 64 entries. There it is. Dialogue: 0,0:34:32.31,0:34:37.13,Default,,0000,0000,0000,,There is a check. Let's say this is the\Nfunction that appends entries and it says: Dialogue: 0,0:34:37.13,0:34:43.41,Default,,0000,0000,0000,,okay, if the number of entries exceeds 64,\Nwe return an error code and do not copy. Dialogue: 0,0:34:43.41,0:34:48.89,Default,,0000,0000,0000,,Sounds good. Thing is, that number refers\Nto the number of entries in the secondary Dialogue: 0,0:34:48.89,0:34:56.92,Default,,0000,0000,0000,,directory. So this has a maximum size of\N64. But there is already space, there are Dialogue: 0,0:34:56.92,0:35:00.75,Default,,0000,0000,0000,,entries there on this boot ROM service\Npage. So, actually, what we enforce with Dialogue: 0,0:35:00.75,0:35:07.69,Default,,0000,0000,0000,,this check is, whatever we append can have\Nat most 64 entries, and within that 64 Dialogue: 0,0:35:07.69,0:35:13.58,Default,,0000,0000,0000,,entries, well, there's the AMD public key.\NSuper convenient. So what we do now, we Dialogue: 0,0:35:13.58,0:35:18.31,Default,,0000,0000,0000,,place our own public key inside the\Ndirectory structures of the firmware file Dialogue: 0,0:35:18.31,0:35:24.58,Default,,0000,0000,0000,,system. The off-chip bootloader copies the\Nentries and copies the AMD public key. Dialogue: 0,0:35:24.58,0:35:35.37,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NSo what does it mean for us? 
Now, all this Dialogue: 0,0:35:35.37,0:35:41.47,Default,,0000,0000,0000,,parsing happens before the first\Napplication is loaded. So that means we Dialogue: 0,0:35:41.47,0:35:46.18,Default,,0000,0000,0000,,control the very first application and can\Nreplace the content. And from there on, we Dialogue: 0,0:35:46.18,0:35:50.24,Default,,0000,0000,0000,,control the userland part of the Secure\NProcessor. Dialogue: 0,0:35:51.41,0:35:54.30,Default,,0000,0000,0000,,So, now coming to the next part. Dialogue: 0,0:35:54.30,0:35:59.81,Default,,0000,0000,0000,,So, the natural next target is, of course,\NI mean, we have userland code execution, Dialogue: 0,0:35:59.81,0:36:06.61,Default,,0000,0000,0000,,we want to have the rest. Kernel mode. So,\Nhow can we take over the kernel mode? Now, Dialogue: 0,0:36:06.61,0:36:11.40,Default,,0000,0000,0000,,let's have a look at how this distinction\Nbetween kernel and user mode happens. So, Dialogue: 0,0:36:11.40,0:36:15.99,Default,,0000,0000,0000,,if we look at the virtual memory layout,\Nwe'll see that there is a user mode part Dialogue: 0,0:36:15.99,0:36:21.69,Default,,0000,0000,0000,,and a fixed split with the kernel mode\Nwhere our off-chip bootloader resides. So, Dialogue: 0,0:36:21.69,0:36:26.56,Default,,0000,0000,0000,,our application, which we already control,\Ncan try to access that memory, of course, Dialogue: 0,0:36:26.56,0:36:30.33,Default,,0000,0000,0000,,but that won't work. Right. The MMU\Nwill prevent any access to privileged Dialogue: 0,0:36:30.33,0:36:39.73,Default,,0000,0000,0000,,memory. Okay. So let's see how this works\Nat runtime. So, this bootloader component, Dialogue: 0,0:36:39.73,0:36:43.82,Default,,0000,0000,0000,,if we specify the privileged memory a\Nlittle bit more, we have code and data Dialogue: 0,0:36:43.82,0:36:48.96,Default,,0000,0000,0000,,there. And at runtime another type of\Ndirectory is parsed. And this is called Dialogue: 0,0:36:48.96,0:36:53.41,Default,,0000,0000,0000,,the BIOS directory. 
I mean, it's a similar\Nstructure as the directory before. We have Dialogue: 0,0:36:53.41,0:36:58.02,Default,,0000,0000,0000,,entries and the reference to a secondary\Ndirectory. The entries here, again, of no Dialogue: 0,0:36:58.02,0:37:04.90,Default,,0000,0000,0000,,relevance. So during boot, the off-chip\Nbootloader will copy those entries into Dialogue: 0,0:37:04.90,0:37:10.48,Default,,0000,0000,0000,,its data section. OK? So, for the copy\Noperation, we need some some information. Dialogue: 0,0:37:10.48,0:37:15.87,Default,,0000,0000,0000,,So, let's say this is the copy operation,\Nkind of looks like `memcopy`. What we need Dialogue: 0,0:37:15.87,0:37:21.41,Default,,0000,0000,0000,,is destination, where to copy? We need\Nsource. This is the secondary directory, Dialogue: 0,0:37:21.41,0:37:26.60,Default,,0000,0000,0000,,this is the thing we want to copy, which\Nis already under our control. So, Dialogue: 0,0:37:26.60,0:37:33.16,Default,,0000,0000,0000,,convenient, we control whatever data is\Ncopied. And, we need a size value. So, Dialogue: 0,0:37:33.16,0:37:39.62,Default,,0000,0000,0000,,where do we get that size? Oh yeah, this\Nentry here has a size value. Super. It's Dialogue: 0,0:37:39.62,0:37:44.72,Default,,0000,0000,0000,,ours also, right? We control the directory\Nstructures. We can manipulate the size. So Dialogue: 0,0:37:44.72,0:37:49.23,Default,,0000,0000,0000,,to sum up, we have a copy operation into\Nprivileged memory with attacker-controlled Dialogue: 0,0:37:49.23,0:37:56.69,Default,,0000,0000,0000,,data and attacker-controlled size. This is\Na very old meme, and I think it's Dialogue: 0,0:37:56.69,0:38:02.17,Default,,0000,0000,0000,,appropriate because this this bug is so\Neasy to prevent, actually. But for us it's Dialogue: 0,0:38:02.17,0:38:09.82,Default,,0000,0000,0000,,good, because now we control everything in\Nred here. So, we control that part. 
The Dialogue: 0,0:38:09.82,0:38:16.05,Default,,0000,0000,0000,,thing is, as you can see, code is not part\Nof what we control. So, what might be here? Dialogue: 0,0:38:16.05,0:38:26.91,Default,,0000,0000,0000,,What is of interest for us to overwrite?\NThing is, it's the page tables. The page Dialogue: 0,0:38:26.91,0:38:31.17,Default,,0000,0000,0000,,tables are part of the data section within\Nthe privileged part of the virtual memory Dialogue: 0,0:38:31.17,0:38:36.64,Default,,0000,0000,0000,,space. So again, what we do, we place our\Nown page tables here. The data is copied Dialogue: 0,0:38:36.64,0:38:41.68,Default,,0000,0000,0000,,and replaces the page tables in memory of\Nthe Secure Processor. So, now, if we look Dialogue: 0,0:38:41.68,0:38:47.71,Default,,0000,0000,0000,,at that virtual memory overview again,\Nwell, our page tables define the virtual Dialogue: 0,0:38:47.71,0:38:53.53,Default,,0000,0000,0000,,memory a bit different. We make everything\Nuser-writeable. So, we control the Dialogue: 0,0:38:53.53,0:38:58.76,Default,,0000,0000,0000,,application, our application now can touch\Nthe privileged memory and just overwrite Dialogue: 0,0:38:58.76,0:39:04.14,Default,,0000,0000,0000,,everything there, if we want to. For that,\Nwe need to reimplement everything. But, we Dialogue: 0,0:39:04.14,0:39:09.87,Default,,0000,0000,0000,,can patch now the Secure Operating System,\Nif we want. Dialogue: 0,0:39:09.87,0:39:16.98,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:39:16.98,0:39:19.33,Default,,0000,0000,0000,,So, that means, this parsing of the Dialogue: 0,0:39:19.33,0:39:23.17,Default,,0000,0000,0000,,directory also happens before the first\Napplication. So, we control the first Dialogue: 0,0:39:23.17,0:39:27.59,Default,,0000,0000,0000,,application, that takes over the\Nbootloader, if you want. And from there Dialogue: 0,0:39:27.59,0:39:34.25,Default,,0000,0000,0000,,on, we have everything. 
All those issues I\Npresented were fixed, were even fixed Dialogue: 0,0:39:34.25,0:39:39.43,Default,,0000,0000,0000,,before we discovered them. Right? So, we\Nmight not be the first one that discovered Dialogue: 0,0:39:39.43,0:39:43.16,Default,,0000,0000,0000,,them. Some of you (may) remember that\Nthere was some web site called Dialogue: 0,0:39:43.16,0:39:49.20,Default,,0000,0000,0000,,AMDFlaws[.com]. They did not present too\Nmany technical details. Maybe what they Dialogue: 0,0:39:49.20,0:39:54.87,Default,,0000,0000,0000,,discovered was something I present here. I\Ndon't know. Thing is, it does not really Dialogue: 0,0:39:54.87,0:39:58.34,Default,,0000,0000,0000,,matter for us because the Secure Processor\Ndoes not implement any rollback Dialogue: 0,0:39:58.34,0:40:03.65,Default,,0000,0000,0000,,prevention. So we can always go back and\Nrefresh a vulnerable firmware. And from Dialogue: 0,0:40:03.65,0:40:12.09,Default,,0000,0000,0000,,that, use whatever code we want to place\Nthere. So, what what we did is, we used Dialogue: 0,0:40:12.09,0:40:18.79,Default,,0000,0000,0000,,all this on an Epyc Naples based server\Nsystem. And, you cannot just use that Dialogue: 0,0:40:18.79,0:40:25.02,Default,,0000,0000,0000,,issue on every AMD system, because the\Nbootloader we're using was signed with a Dialogue: 0,0:40:25.02,0:40:31.67,Default,,0000,0000,0000,,key specific for the Epyc Naples CPU\Nseries. However, we believe, we have not Dialogue: 0,0:40:31.67,0:40:35.90,Default,,0000,0000,0000,,tested it thoroughly yet, but we believe\Nthe same kind of issues exist in Dialogue: 0,0:40:35.90,0:40:43.13,Default,,0000,0000,0000,,bootloaders which are signed with a Ryzen\Nfirst generation key. And, for the rest, Dialogue: 0,0:40:43.13,0:40:48.33,Default,,0000,0000,0000,,we don't know yet. So, maybe for\NThreadripper or Epyc Rome, there are Dialogue: 0,0:40:48.33,0:40:54.48,Default,,0000,0000,0000,,similar issues, maybe not. 
We don't know.\NSo the question is, is this really a Dialogue: 0,0:40:54.48,0:41:00.19,Default,,0000,0000,0000,,security issue? I mean, of course it's a\Nsecurity issue, but, for whom? So, Dialogue: 0,0:41:00.19,0:41:06.52,Default,,0000,0000,0000,,everything we did requires physical access\Nto the device. So, if it were my laptop, Dialogue: 0,0:41:06.52,0:41:12.91,Default,,0000,0000,0000,,personally, I wouldn't be concerned too\Nmuch. However, there are some things where Dialogue: 0,0:41:12.91,0:41:17.88,Default,,0000,0000,0000,,this is a real issue. For example, if you\Nrely on Secure Boot. Because the Secure Dialogue: 0,0:41:17.88,0:41:22.40,Default,,0000,0000,0000,,Processor is the first part that boots up,\Nand if that is broken, everything later on Dialogue: 0,0:41:22.40,0:41:28.39,Default,,0000,0000,0000,,is also broken. So, Christian already told\Nyou that AMD plans to use this Secure Dialogue: 0,0:41:28.39,0:41:32.09,Default,,0000,0000,0000,,Processor [as] a trusted execution\Nenvironment. If your application relies on Dialogue: 0,0:41:32.09,0:41:38.13,Default,,0000,0000,0000,,that, you better not have any security\Nissues in that Secure Processor. And, for Dialogue: 0,0:41:38.13,0:41:43.76,Default,,0000,0000,0000,,the last part, the Secure Encrypted\NVirtualization technology from AMD is Dialogue: 0,0:41:43.76,0:41:48.82,Default,,0000,0000,0000,,dependent on the integrity of the Secure\NProcessor. If that is broken, this Dialogue: 0,0:41:48.82,0:41:54.30,Default,,0000,0000,0000,,technology is also broken. So, Christian\Nand I published a paper about that. If Dialogue: 0,0:41:54.30,0:42:00.26,Default,,0000,0000,0000,,you're interested, you can read it up.\NBut, for us here, this is actually more of Dialogue: 0,0:42:00.26,0:42:04.86,Default,,0000,0000,0000,,an opportunity, right? Because we can gain\Nmore insight into this PSP with code Dialogue: 0,0:42:04.86,0:42:10.69,Default,,0000,0000,0000,,execution. We can do a lot of cool things\Nwith that. 
So, it allows to do further Dialogue: 0,0:42:10.69,0:42:15.95,Default,,0000,0000,0000,,research on other subsystems which are\Npresent in the AMD CPUs. For example, the Dialogue: 0,0:42:15.95,0:42:22.50,Default,,0000,0000,0000,,PSP is responsible to load the SMU\Nfirmware. The PSP allows access to the SMM Dialogue: 0,0:42:22.50,0:42:28.94,Default,,0000,0000,0000,,mode. So, this is a "ring -2 mode" on the\Nx86 CPUs. So, [it is] higher privileged Dialogue: 0,0:42:28.94,0:42:34.75,Default,,0000,0000,0000,,than your kernel, and there is proprietary\Ncode running in that mode. With the PSP, Dialogue: 0,0:42:34.75,0:42:40.59,Default,,0000,0000,0000,,you have access to that code and could\Nreplace it, analyze it, whatever. And, the Dialogue: 0,0:42:40.59,0:42:44.23,Default,,0000,0000,0000,,PSP is responsible to kick off the x86\Ncalls at all. So everything that comes Dialogue: 0,0:42:44.23,0:42:50.78,Default,,0000,0000,0000,,later is, in theory, now under our\Ncontrol. Thank you. That's it. Dialogue: 0,0:42:50.78,0:43:00.25,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:43:00.25,0:43:03.79,Default,,0000,0000,0000,,Herald: Yes. Thank you very much, Robert,\NAlexander and Christian. That was Dialogue: 0,0:43:03.79,0:43:10.14,Default,,0000,0000,0000,,fantastic. Wow. I have a lot of questions\NI guess [in my?] head going on. But do we Dialogue: 0,0:43:10.14,0:43:13.72,Default,,0000,0000,0000,,have any questions from the audience? And\Nif you have any questions, we have Dialogue: 0,0:43:13.72,0:43:18.38,Default,,0000,0000,0000,,microphones lined up here. A question is,\Njust so that you know what we're talking Dialogue: 0,0:43:18.38,0:43:22.93,Default,,0000,0000,0000,,about with questions, is a sentence with a\Nquestion mark behind it and not your life Dialogue: 0,0:43:22.93,0:43:29.19,Default,,0000,0000,0000,,story. And I think I saw number one first.\NSo, let's start with number one. 
Dialogue: 0,0:43:29.19,0:43:35.00,Default,,0000,0000,0000,,Mic 1: Hey, is there a reason why the page\Ntable is located at the end of the data
Dialogue: 0,0:43:35.00,0:43:38.28,Default,,0000,0000,0000,,segment?\NRobert: I don't think so. I mean, ...
Dialogue: 0,0:43:38.28,0:43:41.26,Default,,0000,0000,0000,,Mic 1: "Just because"?
Dialogue: 0,0:43:41.26,0:43:44.56,Default,,0000,0000,0000,,Robert: You have to place it somewhere.\Nshould be in the [interrupted]
Dialogue: 0,0:43:44.56,0:43:48.79,Default,,0000,0000,0000,,Mic 1: Why not in the beginning?\NRobert: I don't know. No idea.
Dialogue: 0,0:43:48.79,0:43:53.20,Default,,0000,0000,0000,,Herald: That's what I meant with "a lot of\Nweird questions" here. From the signal
Dialogue: 0,0:43:53.20,0:43:56.23,Default,,0000,0000,0000,,angel we had one question.\NSignal Angel: And this question goes to
Dialogue: 0,0:43:56.23,0:44:02.21,Default,,0000,0000,0000,,the first lecturer. Didn't you have access\Nto an SPI flasher relay(?) to attempt a
Dialogue: 0,0:44:02.21,0:44:06.60,Default,,0000,0000,0000,,"Time of Use versus Time of Check"\N[TOCTOU] attack?
Dialogue: 0,0:44:06.60,0:44:13.81,Default,,0000,0000,0000,,Christian: So, we had access to different\Ntools, but the TOCTOU attack that you
Dialogue: 0,0:44:13.81,0:44:21.09,Default,,0000,0000,0000,,mentioned was not even necessary to mount\Nthe attacks we talked about. And actually
Dialogue: 0,0:44:21.09,0:44:26.59,Default,,0000,0000,0000,,so far, we don't see any possibility to\Nmount a TOCTOU attack.
Dialogue: 0,0:44:26.59,0:44:34.03,Default,,0000,0000,0000,,Herald: OK. So I think I saw microphone 5\Nnext up. Is there somebody at the
Dialogue: 0,0:44:34.03,0:44:37.04,Default,,0000,0000,0000,,Microphone?\NMic 5: Yes. So, I was wondering if you
Dialogue: 0,0:44:37.04,0:44:40.33,Default,,0000,0000,0000,,considered looking at the boot ROM for\Nissues.
Dialogue: 0,0:44:40.33,0:44:49.01,Default,,0000,0000,0000,,Robert: Yes, of course. The thing is, we\Ncannot find its code in the memory any
Dialogue: 0,0:44:49.01,0:44:55.81,Default,,0000,0000,0000,,more after we mounted our attacks. So, I\Nbelieve, the boot ROM code is not there
Dialogue: 0,0:44:55.81,0:45:03.01,Default,,0000,0000,0000,,anymore, which would make it much easier\Nto analyze. We tried simple things, like
Dialogue: 0,0:45:03.01,0:45:09.24,Default,,0000,0000,0000,,increasing directory sizes, which are\Nprocessed by the boot ROM itself. We
Dialogue: 0,0:45:09.24,0:45:12.68,Default,,0000,0000,0000,,haven't found any suspicious thing there,\Nyet.
Dialogue: 0,0:45:12.68,0:45:18.47,Default,,0000,0000,0000,,Herald: Microphone 2.\NMic 2: Thanks for your research. You have
Dialogue: 0,0:45:18.47,0:45:26.39,Default,,0000,0000,0000,,really nice big power over the system\Nright now. Do you have plans to make a PSP
Dialogue: 0,0:45:26.39,0:45:35.91,Default,,0000,0000,0000,,firmware which is minimal and which makes\Nyour system work, but without some strange
Dialogue: 0,0:45:35.91,0:45:43.08,Default,,0000,0000,0000,,untrusted code?\NRobert: I wouldn't call it plans yet. Of
Dialogue: 0,0:45:43.08,0:45:46.84,Default,,0000,0000,0000,,course there are ideas to do that. The\Nthing is, some of the functionality which
Dialogue: 0,0:45:46.84,0:45:52.02,Default,,0000,0000,0000,,is implemented from AMD is really\Nrequired. So, the stages that Alex talked
Dialogue: 0,0:45:52.02,0:45:58.05,Default,,0000,0000,0000,,about, they configure and train(?) your\NDRAM. So without those stages, you don't
Dialogue: 0,0:45:58.05,0:46:04.84,Default,,0000,0000,0000,,have access to memory. Your x86 cores\Nwouldn't work. And to reimplement that
Dialogue: 0,0:46:04.84,0:46:10.48,Default,,0000,0000,0000,,without having access to any manuals is\Nreally, really hard work. So, I'm not too
Dialogue: 0,0:46:10.48,0:46:13.68,Default,,0000,0000,0000,,confident that this will be possible in\Nthe near future.
Dialogue: 0,0:46:13.68,0:46:19.25,Default,,0000,0000,0000,,Mic 2: I just refer to a Management Engine\Ncleaner, and there is such a project,
Dialogue: 0,0:46:19.25,0:46:23.76,Default,,0000,0000,0000,,which makes your Management Engine\Nfirmware slim.
Dialogue: 0,0:46:23.76,0:46:30.04,Default,,0000,0000,0000,,Robert: So, the AMD firmware is already\Nkind of slim. The only thing that is not
Dialogue: 0,0:46:30.04,0:46:35.71,Default,,0000,0000,0000,,strictly required on the systems we have\Nbeen looking at would be the SEV firmware,
Dialogue: 0,0:46:35.71,0:46:40.68,Default,,0000,0000,0000,,which is loaded on request, and you can,\Nlike, disable that by just flipping a bit
Dialogue: 0,0:46:40.68,0:46:47.19,Default,,0000,0000,0000,,inside that file. The system would still\Nboot, but when it tries to initialize the
Dialogue: 0,0:46:47.19,0:46:52.18,Default,,0000,0000,0000,,SEV technology, the kernel would say, "OK.\NThis does not work." The system will still
Dialogue: 0,0:46:52.18,0:46:56.11,Default,,0000,0000,0000,,work after that.\NMic 2: Thanks. And last little question.
Dialogue: 0,0:46:56.11,0:47:03.48,Default,,0000,0000,0000,,Does PSP work with microcode somehow?\NAlexander: We didn't find anything related
Dialogue: 0,0:47:03.48,0:47:06.22,Default,,0000,0000,0000,,to any microcode there so far.\NMic 2: Thanks.
Dialogue: 0,0:47:06.22,0:47:11.82,Default,,0000,0000,0000,,Herald: So let's move on to Microphone 3.\NMic 3: Thank you first for the great talk.
Dialogue: 0,0:47:11.82,0:47:17.84,Default,,0000,0000,0000,,I have one question. Do you have maybe\Nfound something evil or potentially evil
Dialogue: 0,0:47:17.84,0:47:23.67,Default,,0000,0000,0000,,in the code that it does?\NAlexander: No. So far, they didn't find
Dialogue: 0,0:47:23.67,0:47:30.38,Default,,0000,0000,0000,,anything which could be used for an\Nattack, for example. So, what the PSP
Dialogue: 0,0:47:30.38,0:47:35.94,Default,,0000,0000,0000,,might be able to do is, access PCIe\Ndevices. We found some code related to
Dialogue: 0,0:47:35.94,0:47:41.21,Default,,0000,0000,0000,,that, but we are [stutters] not sure yet\Nwhether it's actually used, because also
Dialogue: 0,0:47:41.21,0:47:46.93,Default,,0000,0000,0000,,the PSPs executed or is existing on graphics\Ncards made by AMD. So, that might be also
Dialogue: 0,0:47:46.93,0:47:51.07,Default,,0000,0000,0000,,ready to[?] that. We couldn't find\Nanything there yet, but so far, the PSP
Dialogue: 0,0:47:51.07,0:47:53.96,Default,,0000,0000,0000,,looks rather clean compared to the entire\NManagement Engine.
Dialogue: 0,0:47:53.96,0:47:58.09,Default,,0000,0000,0000,,Mic 3: Thank you.\NHerald: So, we have a question from the
Dialogue: 0,0:47:58.09,0:48:03.12,Default,,0000,0000,0000,,Internet.\NSignal: Is the AMD public key an RSA one,
Dialogue: 0,0:48:03.12,0:48:08.68,Default,,0000,0000,0000,,only 576 bits?\NRobert: It's an RSA key, yes, but it's
Dialogue: 0,0:48:08.68,0:48:17.03,Default,,0000,0000,0000,,2048 bits for the first generation Epyc\NCPUs and I think 4069 [meaning 4096] for
Dialogue: 0,0:48:17.03,0:48:20.26,Default,,0000,0000,0000,,later generations.\NHerald: Microphone 2.
Dialogue: 0,0:48:20.26,0:48:27.47,Default,,0000,0000,0000,,Mic 2: For me, it seems like preventing to\Nflash old vulnerable firmware is really
Dialogue: 0,0:48:27.47,0:48:33.07,Default,,0000,0000,0000,,important for a scenario like Secure\NEncrypted Virtualization. Can you comment
Dialogue: 0,0:48:33.07,0:48:40.43,Default,,0000,0000,0000,,on how difficult it is for AMD to add this\Nretrospectively?
Dialogue: 0,0:48:40.43,0:48:47.51,Default,,0000,0000,0000,,Robert: Okay. So technically, rollback\Nprevention is there for, I guess, mobile
Dialogue: 0,0:48:47.51,0:48:53.22,Default,,0000,0000,0000,,devices, for example. You have that. It\Nshould be possible. For adding this
Dialogue: 0,0:48:53.22,0:48:57.44,Default,,0000,0000,0000,,functionality afterwards, I don't think\Nthat's really possible, because the on-
Dialogue: 0,0:48:57.44,0:49:02.67,Default,,0000,0000,0000,,chip bootloader is the thing that loads\Nthe off-chip bootloader and verifies it.
Dialogue: 0,0:49:02.67,0:49:09.08,Default,,0000,0000,0000,,And that software component has to, like,\Nstop loading if the firmware version does
Dialogue: 0,0:49:09.08,0:49:14.07,Default,,0000,0000,0000,,not match, for example. And you have to\Nchange that. And that functionality is not
Dialogue: 0,0:49:14.07,0:49:18.54,Default,,0000,0000,0000,,there and you cannot update the on-chip\Nboot ROM. So, in that sense, I don't think
Dialogue: 0,0:49:18.54,0:49:24.09,Default,,0000,0000,0000,,that that's possible to change. And if you\Nlook at our paper, you will see that the
Dialogue: 0,0:49:24.09,0:49:29.29,Default,,0000,0000,0000,,former issues are kind of devastating for\Nthe SEV technology, because there are some
Dialogue: 0,0:49:29.29,0:49:36.21,Default,,0000,0000,0000,,keys which are now accessible, which can\Nbe used for attacking SEV-protected
Dialogue: 0,0:49:36.21,0:49:38.92,Default,,0000,0000,0000,,guests.\NMic 2: Thanks.
Dialogue: 0,0:49:38.92,0:49:45.38,Default,,0000,0000,0000,,Herald: Microphone 3, please.\NMic 3: One question. Did you analyze the
Dialogue: 0,0:49:45.38,0:49:54.64,Default,,0000,0000,0000,,API to the x86 core? Did you find anything\Nthat could be exploited without flashing
Dialogue: 0,0:49:54.64,0:49:59.69,Default,,0000,0000,0000,,anything so that you could directly go\Nfrom x86 to PSP exploitation?
Dialogue: 0,0:49:59.69,0:50:06.60,Default,,0000,0000,0000,,Alexander: Yeah, we tried to find the\Nnecessary code to interface with the x86.
Dialogue: 0,0:50:06.60,0:50:12.18,Default,,0000,0000,0000,,We think we found one place where the x86\Ncores are released after the PSP
Dialogue: 0,0:50:12.18,0:50:15.90,Default,,0000,0000,0000,,initialized the whole system. But\Nobviously, we can't do much with it except
Dialogue: 0,0:50:15.90,0:50:21.78,Default,,0000,0000,0000,,preventing the x86 to boot at all. And\Notherwise we couldn't find anything there
Dialogue: 0,0:50:21.78,0:50:26.70,Default,,0000,0000,0000,,yet. So we focused on, on a bit of other,\Nlike the memory controller, and didn't
Dialogue: 0,0:50:26.70,0:50:32.87,Default,,0000,0000,0000,,have a deeper look at the x86 interface.\NSo what there is, the BIOS can interface
Dialogue: 0,0:50:32.87,0:50:38.72,Default,,0000,0000,0000,,with the PSP using a special mailbox\Nregister which is mapped in MMIO space in
Dialogue: 0,0:50:38.72,0:50:44.14,Default,,0000,0000,0000,,x86 for requests. So, it can, for example,\Nthe UEFI init boots, it will say to the
Dialogue: 0,0:50:44.14,0:50:48.03,Default,,0000,0000,0000,,PSP "Hey, this is my system management\Nmode code region, please protect that for
Dialogue: 0,0:50:48.03,0:50:52.91,Default,,0000,0000,0000,,me" and it will execute this request. But\Napart from that, we couldn't find anything
Dialogue: 0,0:50:52.91,0:50:55.04,Default,,0000,0000,0000,,so far.\NMic 3: Thank you.
Dialogue: 0,0:50:55.04,0:51:00.20,Default,,0000,0000,0000,,Herald: So, Microphone 4.\NMic 4: Hi. So, is it correct that your
Dialogue: 0,0:51:00.20,0:51:08.65,Default,,0000,0000,0000,,work enables 100% open source firmware for\Nthis kind of processors? And if so, have
Dialogue: 0,0:51:08.65,0:51:12.98,Default,,0000,0000,0000,,you already contacted the coreboot team to\Nmake that actually happen?
Dialogue: 0,0:51:12.98,0:51:21.85,Default,,0000,0000,0000,,Robert: So. 100 percent open source. As\Nfor the PSP, there is this on-chip boot
Dialogue: 0,0:51:21.85,0:51:27.24,Default,,0000,0000,0000,,ROM which we can't replace, right? So,\Nthis will be closed source. Then there is
Dialogue: 0,0:51:27.24,0:51:33.10,Default,,0000,0000,0000,,code of the off-chip bootloader, until the\Nfirst exploit, which runs, which is not
Dialogue: 0,0:51:33.10,0:51:38.72,Default,,0000,0000,0000,,open source. In theory, you could from now\Non take over the PSP, write your own code.
Dialogue: 0,0:51:38.72,0:51:44.15,Default,,0000,0000,0000,,But, as I said before, you have to\Nreimplement a lot of functionality without
Dialogue: 0,0:51:44.15,0:51:49.37,Default,,0000,0000,0000,,having any documentation, right? So,\Ntechnically it's possible, I guess, to do
Dialogue: 0,0:51:49.37,0:51:54.09,Default,,0000,0000,0000,,something like that. Practically, I'm not\Ntoo sure.
Dialogue: 0,0:51:54.09,0:51:57.39,Default,,0000,0000,0000,,Herald: So we're gonna go to the internet\Nfor another question.
Dialogue: 0,0:51:57.39,0:52:03.04,Default,,0000,0000,0000,,Signal: Is it possible to block PSP from\Nwithin Linux or BSD, for the system's
Dialogue: 0,0:52:03.04,0:52:09.13,Default,,0000,0000,0000,,runtime, by using search and boot flags?\NRobert: Sorry, to block what?
Dialogue: 0,0:52:09.13,0:52:14.63,Default,,0000,0000,0000,,Signal: To block the PSP from the Linux or\NBSD.
Dialogue: 0,0:52:14.63,0:52:19.68,Default,,0000,0000,0000,,Alexander: So, what you can do is, like\NRobert mentioned already, you can flip a
Dialogue: 0,0:52:19.68,0:52:25.19,Default,,0000,0000,0000,,bit in the SPI flash and then the PSP,\Nonce it initialized the whole system, it
Dialogue: 0,0:52:25.19,0:52:29.72,Default,,0000,0000,0000,,won't run the SEV app, for example,\Nbecause the signatures won't match
Dialogue: 0,0:52:29.72,0:52:36.08,Default,,0000,0000,0000,,anymore. And there is no other sort of\Ninterface where the PSP is actually
Dialogue: 0,0:52:36.08,0:52:41.50,Default,,0000,0000,0000,,triggered. Or we couldn't find it so far.\NHerald: Microphone 3.
Dialogue: 0,0:52:41.50,0:52:45.50,Default,,0000,0000,0000,,Someone: I think he was first.\NHerald: Oh, okay, all right. Right.
Dialogue: 0,0:52:45.50,0:52:49.10,Default,,0000,0000,0000,,Microphone 2 then. Sorry.\NMic 2: Did you try to enable any
Dialogue: 0,0:52:49.10,0:52:56.42,Default,,0000,0000,0000,,superpowers from PSP like JTAG or special\Ntricks with voltage or something else?
Dialogue: 0,0:52:56.42,0:53:01.58,Default,,0000,0000,0000,,Robert: When the first application that is\Nloaded has some strings in it like Debug
Dialogue: 0,0:53:01.58,0:53:08.32,Default,,0000,0000,0000,,Unlock. Sounds interesting. But then\Nagain, JTAG, where would you access the
Dialogue: 0,0:53:08.32,0:53:13.19,Default,,0000,0000,0000,,JTAG of the PSP? You need to have some\Nconnection to the lines, right?
Dialogue: 0,0:53:13.19,0:53:18.13,Default,,0000,0000,0000,,Mic 2: Intel supports USB debugging.\NRobert: Yeah, I know. With special
Dialogue: 0,0:53:18.13,0:53:21.21,Default,,0000,0000,0000,,devices, right?\NMic 2: No, even wire cable.
Dialogue: 0,0:53:21.21,0:53:26.59,Default,,0000,0000,0000,,Robert: Okay. So anyhow, I have the\Nsuspicion that this DebugUnlock app is
Dialogue: 0,0:53:26.59,0:53:32.07,Default,,0000,0000,0000,,responsible to allow some debug mode.\NWhich then, I assume, with special
Dialogue: 0,0:53:32.07,0:53:36.88,Default,,0000,0000,0000,,hardware, you can have JTAG. But we have\Nnot touched it yet.
Dialogue: 0,0:53:36.88,0:53:39.47,Default,,0000,0000,0000,,Mic 3: Thanks.\NHerald: Now Microphone 3.
Dialogue: 0,0:53:39.47,0:53:45.62,Default,,0000,0000,0000,,Mic 3: So I'm as far from a liar\N{\i1}laughing{\i0}, um, a lawyer as possible, but
Dialogue: 0,0:53:45.62,0:53:51.65,Default,,0000,0000,0000,,could AMD in any way file a cease and\Ndesist for anything you do?
Dialogue: 0,0:53:51.65,0:53:57.09,Default,,0000,0000,0000,,Robert: Probably not, I guess.\NMic 3: Just curious.
Dialogue: 0,0:53:57.09,0:54:01.07,Default,,0000,0000,0000,,Robert: I have no idea.\NMic 3: Thank you.
Dialogue: 0,0:54:01.07,0:54:06.92,Default,,0000,0000,0000,,Robert: And, as I said before, we're not\Nthe ones that initially discovered, or
Dialogue: 0,0:54:06.92,0:54:10.45,Default,,0000,0000,0000,,probably not the ones that initially\Ndiscovered these issues. And it's not
Dialogue: 0,0:54:10.45,0:54:15.68,Default,,0000,0000,0000,,really about these issues. I mean, for me\Npersonally, these issues are a nice way to
Dialogue: 0,0:54:15.68,0:54:21.14,Default,,0000,0000,0000,,get more insight into the PSP. And it's\Nnot about having the super new security
Dialogue: 0,0:54:21.14,0:54:26.32,Default,,0000,0000,0000,,issue, whatever. So if AMD wants to file\Nsomething, I guess they would have also
Dialogue: 0,0:54:26.32,0:54:32.62,Default,,0000,0000,0000,,filed other people that did similar\Nresearch before. Maybe they did. I don't
Dialogue: 0,0:54:32.62,0:54:34.85,Default,,0000,0000,0000,,know.\NHerald: So we had another question from
Dialogue: 0,0:54:34.85,0:54:37.62,Default,,0000,0000,0000,,the Internet.\NSignal: How long did it take you to
Dialogue: 0,0:54:37.62,0:54:43.39,Default,,0000,0000,0000,,reverse engineer and develop all this\Nstuff?
Dialogue: 0,0:54:43.39,0:54:51.73,Default,,0000,0000,0000,,Robert: So I think beginning of 2018,\NChristian was starting with his master's
Dialogue: 0,0:54:51.73,0:54:57.64,Default,,0000,0000,0000,,thesis. And we spent a lot of time on\Nfiguring out how this firmware file system
Dialogue: 0,0:54:57.64,0:55:03.58,Default,,0000,0000,0000,,works, and the boot process and writing\Nthese PSPTrace and PSPTool to better
Dialogue: 0,0:55:03.58,0:55:11.95,Default,,0000,0000,0000,,understand the components of the firmware.\NAnd Alex joined in May, May-ish this year.
Dialogue: 0,0:55:11.95,0:55:19.05,Default,,0000,0000,0000,,And, well, we're still working on it,\Nright? So the emulator, once we figured
Dialogue: 0,0:55:19.05,0:55:26.44,Default,,0000,0000,0000,,out a lot of information about the PSP, I\Nthink the emulator was easy to develop,
Dialogue: 0,0:55:26.44,0:55:30.98,Default,,0000,0000,0000,,in the sense that it didn't take too\Nmuch time. But of course, there was a lot
Dialogue: 0,0:55:30.98,0:55:37.57,Default,,0000,0000,0000,,of work going into it before that.\NHerald: So I do not see, oh yes I do see
Dialogue: 0,0:55:37.57,0:55:40.36,Default,,0000,0000,0000,,another question from the internet. Let's\Ngo for that.
Dialogue: 0,0:55:40.36,0:55:44.73,Default,,0000,0000,0000,,Signal: Yeah, last question. Did you try\Nto glitch the PSP by manipulating the
Dialogue: 0,0:55:44.73,0:55:53.83,Default,,0000,0000,0000,,voltage of the socket(?)?\NRobert: Why? I think our approach is
Dialogue: 0,0:55:53.83,0:55:59.90,Default,,0000,0000,0000,,easier, but no, seriously, we did not try.\NHerald: So with that, I don't see any
Dialogue: 0,0:55:59.90,0:56:06.44,Default,,0000,0000,0000,,further questions. And I would like you to\Nhelp me thank Robert, Alexander and
Dialogue: 0,0:56:06.44,0:56:08.16,Default,,0000,0000,0000,,Christian for this fantastic talk.
Dialogue: 0,0:56:08.16,0:56:09.88,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,0:56:09.88,0:56:21.46,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!