AMD fixes borked SEV encryption
 

Epyc fail

AMD has issued a firmware patch to fix its Secure Encrypted Virtualization technology (SEV) encryption.

The tech protects Linux KVM virtual machine memory running on Epyc processors.

AMD said that it had become aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behaviour.

"AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk."

SEV isolates guest VMs from one another and the hypervisor using encryption keys, which are managed by the AMD Secure Processor. Each guest VM has its own cryptographic key, which is used directly with the underlying hardware and Secure Processor to transparently and automatically encrypt and decrypt sections of RAM on the fly as it is accessed.

Cfir Cohen, a security researcher with the Google Cloud security team, the SEV's implementation of elliptic-curve cryptography (ECC), was flawed.

When a VM is launched, it generates a key by multiplying points on a curve against the Platform Diffie-Hellman (PDH) key. Typically, the curve would be from America's National Institute of Standards and Technology's (NIST) list of curves. In an invalid curve attack, a different curve is used, and the results of that computation can be used to defeat the encryption.

Cohen said that at launch-start command, an attacker can send small order ECC points, not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware’s private DH scalar.

https://fudzilla.com/news/48960-amd-...sev-encryption