Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Jul 27, 2020
27,972
19,112
146
As I like naive questions: is it even possible to flash old microcode on a recently bought CPU?
Maybe with MSI mobos since many users have been running AVX-512 workloads on old Alder Lake CPUs that way, before the newer steppings and later models got their AVX-512 balls physically fused off.

Someone should make a meme of Darth Vader slicing off Alder Lake's AVX-512 balls with his lightsaber.
 

Hitman928


Markfw

The good news: the attacker has to have complete control of your system to begin with.
Almost impossible to infect any cloud or enterprise servers, unless the data center managers are incompetent.

And a home user would also have to be pretty stupid.
 

JustViewing

Still, one more mandatory BIOS update.

*groan*
Why is it impossible to check if it is infected or not? Couldn't the BIOS flashing tool check the version and content of the existing BIOS and compare it with the correct version downloaded from the motherboard website? Should be easy to check since BIOS flash tools also allow taking a backup. Am I missing something?
 
Jul 27, 2020
27,972
19,112
146
Am I missing something?
It's not the BIOS but rather the AMD equivalent of "Intel Management Engine" that gets compromised. There should be a way of detecting that and maybe AMD will give such guidance to the OEMs at a later date.

From Tom's:

Once this access is secured, the Sinkclose vulnerability allows the perpetrators to install bootkit malware that evades detection by standard antivirus tools, remaining nearly invisible within the system and can persist even after the operating system is reinstalled.

So something would need to be implemented at the UEFI level for such detection. But I think right now AMD wants to close the loophole instead because they believe such infections are possibly extremely rare. I do think that they should create the UEFI detection mechanism too, otherwise it could lead to future bad publicity.
 

ridham05

I do not see why AMD would not be affected. The attacks rely on the runtime difference of page table walks depending on whether the page is mapped or not. This way an attacker could potentially figure out the page mappings for the kernel even though KASLR is in place.
However, there must be runtime differences for AMD as well unless it can figure out if a page is mapped before the page table walk - which I think is impossible.
 

moinmoin

The bad news: if infected, you can’t remove it by standard anti-virus methods, including wiping the drive clean.
That's real bad news btw. since it also affects sales of used CPUs. I really hope AMD handles this right and at the very least offers some fail-proof way to detect affected SMMs regardless of how old the CPU is, even if they are unsupported and won't get any fix anymore.
 

JustViewing

If hackers can write their own code, so can the MB tools. If you suspect it is infected, you can overwrite it with MB Tools to make sure it is clean.
 

DrMrLordX

Yeah no, that's no good. AMD has to show significantly more commitment on that matter than that.
Hmm. I kinda agree, but I'm sure their suits have a reason, even if that reason kinda sucks. Like "this CPU is out of warranty". Or whatever. Would it really cost them that much to plug the hole on AM4 across the board? I should think not!
 
Jul 27, 2020
27,972
19,112
146
The real issue is people buying 2nd hand CPUs or those from AliExpress. Who's to say that the SMM on these CPUs isn't already compromised??? AMD needs to provide a detection tool or mechanism.
 

Steltek

It isn't clear to me if it persists on the CPU or the motherboard. Both would be bad.
The way I read it is that the CPU is used to, via SMM, access a sensitive persistent memory area of the motherboard UEFI BIOS at a specific point during the boot process, explaining why physical access is needed. That CPU access is then used to inject malicious software via SMM into the UEFI in an area that is persistent and which can't be scanned or accessed at any other time.

So, it would seem to me that once this is done, the motherboard itself is infected with malware in a persistent memory area of the UEFI.

This is my take, anyway.

Further, the released AGESA mitigations AMD released for Ryzen 5000 and above will only prevent infection -- they won't mean anything if the motherboard UEFI is already infected.

If my understanding is correct, I won't be buying any more used AMD motherboards....
 

Markfw

The way I read it is that the CPU is used to, via SMM, access a sensitive persistent memory area of the motherboard UEFI BIOS at a specific point during the boot process, explaining why physical access is needed. That CPU access is then used to inject malicious software via SMM into the UEFI in an area that is persistent and which can't be scanned or accessed at any other time.

So, it would seem to me that once this is done, the motherboard itself is infected with malware in a persistent memory area of the UEFI.

This is my take, anyway.

Further, the released AGESA mitigations AMD released for Ryzen 5000 and above will only prevent infection -- they won't mean anything if the motherboard UEFI is already infected.

If my understanding is correct, I won't be buying any more used AMD motherboards....
In that case would not a BIOS refresh not that out??? I mean erase the malware????
 

Steltek

In that case would not a BIOS refresh not that out??? I mean erase the malware????
Because I believe that a UEFI BIOS update would not be able to write to the affected section of the UEFI. That section of the UEFI is normally locked down read only by the CPU -- it is only writeable at that specific instant of the boot cycle via SMM.

UEFI is gonna end up being the death of us all as none of the vendors seem to be willing to put the effort forward to truly secure it.
 

JustViewing

Because I believe that a UEFI BIOS update would not be able to write to the affected section of the UEFI. That section of the UEFI is normally locked down read only by the CPU -- it is only writeable at that specific instant of the boot cycle via SMM.

UEFI is gonna end up being the death of us all as none of the vendors seem to be willing to put the effort forward to truly secure it.
So how is an attacker going to write in that location?
 

VirtualLarry

Hmm. I kinda agree, but I'm sure their suits have a reason, even if that reason kinda sucks. Like "this CPU is out of warranty". Or whatever. Would it really cost them that much to plug the hole on AM4 across the board? I should think not!