Google engineers have disclosed details of a vulnerability (CVE-2024-56161) that allows the digital signature check performed when loading microcode updates to be bypassed on AMD processors based on the Zen 1 through Zen 4 microarchitectures. They have released, under the Apache 2.0 license, a tool called zentool, developed while studying how microcode is handled in AMD processors. They have also published documentation on the RISC86 microarchitecture, on how AMD microcode works, and on building custom microcode.
zentool was created to simplify analysing, modifying and building patches for the microcode of AMD Zen processors. The plan is to grow it into something resembling binutils, but for microcode rather than ordinary machine code.
zentool currently provides the commands zentool edit (edit a microcode file), zentool print (display information about a microcode file), zentool load (load microcode into the CPU) and zentool resign (recompute the digital signature), together with the mcas and mcop utilities, which implement an assembler and a disassembler for microcode.
The tool makes it possible to prepare custom patches and load them into the processor's microcode. The example given is a patch that changes the RDRAND instruction so that it always returns the value 4 instead of pseudo-random output.
The vulnerability that made it possible to load custom microcode patches into AMD Zen 1-4 processors stems from the use of the CMAC message authentication code, rather than a secure hash function, in the signature verification process. A MAC is only as strong as the secrecy of its key, and a verifier that recomputes the MAC must itself hold that key, so a MAC cannot take the place of a collision-resistant hash. AMD fixed the problem in a December microcode update by replacing CMAC with a cryptographically strong hash function.
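The cryptographic point above, as an added example that is not from the article, from zentool or from AMD: a signature scheme that signs a keyed MAC of the content is only as strong as the MAC key, and the verifier must hold that key, so the "digest" can be matched by a second, unrelated message once the key is known. The script below models a verifier that accepts a patch when its digest matches a signed digest (the RSA step is not modelled), once with CMAC and once with SHA-256. AES is replaced by a toy 128-bit Feistel cipher so the script needs only the Python standard library; the CMAC construction on top of it follows NIST SP 800-38B, and the argument does not depend on the cipher. The key, patch bodies and function names are constructed for the demo.

```python
# Added example (not from the article or from zentool): why signing a keyed MAC
# of the patch is not the same as signing a collision-resistant hash of it.
# AES is replaced by a toy Feistel cipher so this runs with the standard library;
# the CMAC layer is the standard construction (NIST SP 800-38B).
import hashlib

BLOCK = 16                      # 128-bit blocks, as in AES-CMAC
RB = bytes(15) + b"\x87"        # CMAC subkey constant for 128-bit block ciphers


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (4-round Feistel, SHA-256 round function). Stand-in for AES, not secure."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def _subkeys(key: bytes):
    """CMAC subkeys K1, K2 derived from E_k(0^128) by doubling in GF(2^128)."""
    def dbl(b: bytes) -> bytes:
        n = (int.from_bytes(b, "big") << 1) & ((1 << 128) - 1)
        out = n.to_bytes(BLOCK, "big")
        return _xor(out, RB) if b[0] & 0x80 else out
    k1 = dbl(toy_encrypt(key, bytes(BLOCK)))
    return k1, dbl(k1)


def cmac(key: bytes, msg: bytes) -> bytes:
    """CMAC over the toy cipher: CBC chain, last block masked with K1 (complete) or K2 (padded)."""
    k1, k2 = _subkeys(key)
    n = max(1, (len(msg) + BLOCK - 1) // BLOCK)
    blocks = [msg[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    last = blocks[-1]
    if len(last) == BLOCK:
        last = _xor(last, k1)
    else:
        last = _xor(last + b"\x80" + bytes(BLOCK - 1 - len(last)), k2)
    x = bytes(BLOCK)
    for b in blocks[:-1]:
        x = toy_encrypt(key, _xor(x, b))
    return toy_encrypt(key, _xor(x, last))


def second_preimage(key: bytes, tag: bytes, prefix: bytes) -> bytes:
    """With the MAC key known, append one block to `prefix` (a whole number of blocks)
    so that the result has CMAC == tag. A collision-resistant hash must make this infeasible."""
    if len(prefix) % BLOCK:
        raise ValueError("prefix must be a whole number of blocks")
    k1, _ = _subkeys(key)
    x = bytes(BLOCK)
    for i in range(0, len(prefix), BLOCK):
        x = toy_encrypt(key, _xor(x, prefix[i:i + BLOCK]))
    # final CMAC step is E(x ^ last ^ K1) == tag, hence last = D(tag) ^ x ^ K1
    return prefix + _xor(_xor(toy_decrypt(key, tag), x), k1)


def verify(digest_fn, patch: bytes, signed_digest: bytes) -> bool:
    """Model of the verifier: the signature (not modelled) vouches for `signed_digest`;
    the patch is accepted if its digest matches. The scheme is only as good as digest_fn."""
    return digest_fn(patch) == signed_digest


def demo() -> dict:
    key = bytes(range(16))          # constructed; any CMAC-based verifier has to carry this key
    genuine = b"genuine microcode patch body (constructed sample)"
    other = b"a different patch body".ljust(2 * BLOCK, b"\x00")
    cmac_digest = lambda p: cmac(key, p)
    sha_digest = lambda p: hashlib.sha256(p).digest()
    forged = second_preimage(key, cmac_digest(genuine), other)
    return {
        # weak scheme: an unrelated patch body inherits the genuine patch's signed digest
        "cmac_accepts_forged": verify(cmac_digest, forged, cmac_digest(genuine)),
        # fixed scheme: the same body has a different SHA-256 digest, so the check fails
        "sha256_accepts_forged": verify(sha_digest, forged, sha_digest(genuine)),
        "forged_differs": forged != genuine,
    }


if __name__ == "__main__":
    print(demo())
```

The second message is built in one cipher call because CMAC's final step is invertible once the key is known; nothing comparable exists for a collision-resistant hash, which is why replacing CMAC with a strong hash (as AMD's December update did) closes this class of problem regardless of how the verifier is distributed.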