To fix bugs in processors, Intel and AMD use so-called microcodes that can be updated. A three-member team called the “Chip Red Bill” has now discovered two undocumented commands in Intel processors to change the microcode.
If this manipulation is possible in the normal operating system of the processor, it will be the largest security gap. Microcode updates, among other things, help close spectrum-type security gaps. So far, security researchers have only been able to convert the CPU microcode into a special debug mode, called the “Red Unlock”, and they operate through a security hole three years ago. This in turn requires physical access to the respective organization.
Mark Ermolov (@_Markel ___), Maxim Correachi (@ h0t_max) and Dmitry Schliarov (@_ Dimit) – the latter two works for Positive Technologies (PTE) – have been researching Intel’s Management Machine (ME) and other internal functions of Intel-processors. Among other things, they discovered the ME security gap Intel-SA-00086, the encrypted microcode updates for Intel Atom processors in the fall of 2020, and the “HAP” option for processors to continue running even when ME is down.
This preparatory work allows three experts to explore in more detail the structure of microcode updates; One They share some of their findings via GitHub.
Ermolov is now on Twitter Code of the EFI project (A UEFI BIOS can run EFI bytecode), which reads the microcode from the control log bus (CRBUS) on the Intel processor. In the second tweet he submitted information that undocumented CPU commands that he did not use were always decoded by the processor, but would only work in the aforementioned “Red Unlock” debug mode. Otherwise the Microcode Sequence ROM (MSRM) provides the error code “Invalid Opcode” (#UD).
The signature protects the microcode
In the case of the releases of the “Chip Red Bill” group on the Goldmond Microcodes, Intel emphasized that processors in the normal operating system only load and operate the microcode with the correct digital signature. As a result, commands now being discovered can no longer be used for attacks. This information is of particular interest to other security researchers.
Functional Overview of the Intel Trace Center
(Image: Intel)
“Secret” CPU commands
That Intel (and Also AMD) It has been known for decades that processors implement undocumented algorithms. You can search for it yourself, for example a sand borer.
“Red Unlock” – Fix
As the Chip Red Bill team 2018 showed, Intel processors have a kind of built-in logic analyzer: “Trace Hub” “Architectural visualization of internal signals” (VIS / Visa). The Trace Hub cannot be reached during normal computer operation because it allows access to sensitive data on purpose. Instead, it is designed for hardware and computer developers using a special USB 3.0 cable via a so-called direct connection interface (USB DCI). To do this, you need to switch the processor or system to debug mode, which requires information that is only left to developers registered under the Intel Non-Disclosure Agreement (NDA). Particularly important information can be accessed in “red debug mode” (red unlock).
(Order)
“Avid writer. Subtly charming alcohol fanatic. Total twitter junkie. Coffee enthusiast. Proud gamer. Web aficionado. Music advocate. Zombie lover. Reader.”
More Stories
What Does the Future of Gaming Look Like?
Throne and Liberty – First Impression Overview
Ethereum Use Cases