Posted by Uri Farkas, VP R&D at CTS-Labs
Until now, the PSP bootloader firmware has been accessible and could be audited by any security researcher who put in the effort to locate it. But in the latest AGESA 1.0.0.2a, the bootloader has been encrypted using a secret key stored inside an immutable part of the PSP hardware, in the PSP ROM.
In this article, we offer a technical description of this new layer of encryption by AMD.
PSP Firmware - Background
The Boot Process
In an AMD machine that contains a PSP, the boot process starts with the x86 CPU held in a halted state; only the PSP is granted execution.
The PSP starts execution in its Boot ROM (Read Only Memory that was programmed at manufacturing), which contains a simple code that verifies and then loads the off-chip PSP Bootloader located in SPI Flash. The Bootloader then reads and authenticates the first block of BIOS code, and upon success it releases the processor from its halted state. At this point the x86 processor resumes execution in parallel with the PSP. This is the procedure behind Hardware Validated Boot - AMD's extension of Secure Boot, where the PSP acts as the hardware Root of Trust.
The Boot ROM starts by looking for the magic value 0x55AA55AA, which is part of the FIRMWARE_ENTRY_TABLE structure. This structure, also known as ROMSIG, resides at a predefined location inside the SPI flash. This structure tells the Boot ROM where to find the PSP Directory.
Figure: Firmware Entry Table (from coreboot)
The PSP Directory
The off-chip PSP Bootloader, along with other modules loaded by the PSP, is stored as part of the PSP Directory. The PSP Directory is a simple file system containing the types, locations and sizes of PSP modules (or “PSP Blobs”). It is a table-like structure stored in SPI flash as part of the BIOS Image.
Figure: Structure of a PSP Directory
PSP Modules are stand-alone binaries that contain code, keys, signatures or configuration data.
Figure: List of documented directory entry types
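To make the two structures above concrete, here is an added example (written for this article, not CTS-Labs' or AMD's code) that walks a BIOS image the way the Boot ROM does: it probes the predefined flash offsets for the 0x55AA55AA magic, follows the PSP Directory pointer in the Firmware Entry Table, verifies the directory's Fletcher-32 checksum and lists each module's type, location and size. The field layouts, the candidate ROMSIG offsets, the `$PSP` cookie, the checksum coverage and the entry-type names are taken from coreboot's amdfwtool as I recall them, not from the article, and are assumptions; the sample image it runs on is constructed inline.

```python
"""Locate the Firmware Entry Table (ROMSIG) in a BIOS image and walk the
PSP Directory it points at.  Layouts follow coreboot's amdfwtool (assumption)."""
import struct

ROMSIG_MAGIC = 0x55AA55AA              # magic value named in the article
# Flash offsets the Boot ROM probes for the table (assumption, from coreboot).
ROMSIG_OFFSETS = (0x20000, 0x820000, 0xC20000, 0xE20000, 0xF20000)
ROMSIG_PSP_PTR_OFFSET = 0x10           # psp_entry field inside ROMSIG (assumption)
PSP_DIR_COOKIE = b"$PSP"               # first-level PSP directory cookie (assumption)
DIR_HEADER = struct.Struct("<4sIII")   # cookie, fletcher32 checksum, num_entries, info
DIR_ENTRY = struct.Struct("<BBHIQ")    # type, subprogram, reserved, size, location

# A few documented entry types (assumption: names as used by amdfwtool).
ENTRY_TYPE_NAMES = {
    0x00: "AMD public key",
    0x01: "PSP bootloader",
    0x02: "PSP secure OS",
    0x08: "SMU firmware",
}


def fletcher32(data: bytes) -> int:
    """Fletcher-32 over little-endian 16-bit words, ported from amdfwtool's
    routine (359-word blocks, initial sums 0xFFFF). A trailing odd byte is
    dropped, as the C version does."""
    words = [w for (w,) in struct.iter_unpack("<H", data[:len(data) & ~1])]
    c0 = c1 = 0xFFFF
    for start in range(0, len(words), 359):
        for w in words[start:start + 359]:
            c0 += w
            c1 += c0
        c0 = (c0 & 0xFFFF) + (c0 >> 16)
        c1 = (c1 & 0xFFFF) + (c1 >> 16)
    c0 = (c0 & 0xFFFF) + (c0 >> 16)
    c1 = (c1 & 0xFFFF) + (c1 >> 16)
    return ((c1 << 16) | c0) & 0xFFFFFFFF


def directory_checksum(directory: bytes, num_entries: int) -> int:
    """Checksum covers num_entries, additional_info and all entries, i.e.
    everything after the cookie and checksum fields (assumption)."""
    length = DIR_HEADER.size - 8 + num_entries * DIR_ENTRY.size
    return fletcher32(directory[8:8 + length])


def find_romsig(image: bytes) -> int:
    """Return the offset of the Firmware Entry Table, probing like the Boot ROM."""
    for off in ROMSIG_OFFSETS:
        if off + 4 <= len(image):
            (magic,) = struct.unpack_from("<I", image, off)
            if magic == ROMSIG_MAGIC:
                return off
    raise ValueError("no Firmware Entry Table (0x55AA55AA) found")


def to_offset(pointer: int, image_len: int) -> int:
    """Pointers may be flash-mapped addresses (e.g. 0xFFxxxxxx); mask them into
    a power-of-two sized image (assumption: simplification of amdfwtool)."""
    return pointer & (image_len - 1)


def parse_psp_directory(image: bytes) -> list:
    """Follow ROMSIG -> PSP Directory and return one dict per module entry."""
    romsig = find_romsig(image)
    (psp_ptr,) = struct.unpack_from("<I", image, romsig + ROMSIG_PSP_PTR_OFFSET)
    dir_off = to_offset(psp_ptr, len(image))
    cookie, checksum, count, _info = DIR_HEADER.unpack_from(image, dir_off)
    if cookie != PSP_DIR_COOKIE:
        raise ValueError(f"bad PSP directory cookie {cookie!r} at {dir_off:#x}")
    dir_len = DIR_HEADER.size + count * DIR_ENTRY.size
    directory = image[dir_off:dir_off + dir_len]
    if len(directory) != dir_len:
        raise ValueError("PSP directory runs past end of image")
    if directory_checksum(directory, count) != checksum:
        raise ValueError("PSP directory checksum mismatch")
    entries = []
    for i in range(count):
        etype, subprog, _rsvd, size, loc = DIR_ENTRY.unpack_from(
            directory, DIR_HEADER.size + i * DIR_ENTRY.size)
        off = to_offset(loc, len(image))
        if off + size > len(image):
            raise ValueError(f"entry {etype:#04x} points outside the image")
        entries.append({"type": etype, "subprogram": subprog, "offset": off,
                        "size": size,
                        "name": ENTRY_TYPE_NAMES.get(etype, f"type {etype:#04x}")})
    return entries


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: ROMSIG at 0x20000 pointing to a two-entry PSP
    directory at 0x30000 (sample data, not a real BIOS)."""
    image = bytearray(0x100000)
    blobs = [  # (type, subprogram, flash offset, constructed payload)
        (0x00, 0, 0x40000, b"\x30\x82" + b"\x00" * 0xFE),  # placeholder "key" blob
        (0x01, 0, 0x50000, bytes(range(256)) * 4),         # placeholder "bootloader"
    ]
    dir_off, body = 0x30000, bytearray()
    for etype, subprog, off, payload in blobs:
        image[off:off + len(payload)] = payload
        body += DIR_ENTRY.pack(etype, subprog, 0, len(payload), off)
    tail = struct.pack("<II", len(blobs), 0)               # num_entries, info
    header = DIR_HEADER.pack(PSP_DIR_COOKIE, fletcher32(tail + body), len(blobs), 0)
    image[dir_off:dir_off + len(header) + len(body)] = header + body
    struct.pack_into("<I", image, 0x20000, ROMSIG_MAGIC)
    struct.pack_into("<I", image, 0x20000 + ROMSIG_PSP_PTR_OFFSET, dir_off)
    return bytes(image)


if __name__ == "__main__":
    for e in parse_psp_directory(build_sample_image()):
        print(f"{e['type']:#04x} {e['name']:<20} @ {e['offset']:#08x} ({e['size']} bytes)")
```

On a real dump, the location fields hold flash-mapped addresses rather than plain offsets, so the masking in `to_offset` is the part most likely to need adjusting for a given platform; the checksum check is what tells an auditor that the table being read is the one the Boot ROM will trust, not a corrupted or truncated copy.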
The New Update - PSP Firmware Encryption
As a reminder, the first piece of code that runs on the PSP’s ARM Cortex A5 processor is the Boot ROM. The Boot ROM is an immutable ARM firmware hardcoded into the processor.
In this new update, the Boot ROM loads a hardcoded decryption key (“The Chip Key”) into the PSP Cryptographic Coprocessor, also known as the CCP. The CCP keeps this key inside its Key Storage Block, from which it does not allow the key to be read out. From that point on, the key may only be used for encryption and decryption operations.
The Boot ROM firmware then reads and decrypts the now encrypted PSP bootloader from the BIOS image located in SPI flash, and then executes it.
The bootloader decryption process works as follows:
Figure 2 – Decryption of the PSP Bootloader
Because of the way the PSP is designed, directly extracting the “Chip Key” is very hard. However, it is still possible to use one of the AMDFlaws code execution vulnerabilities to make the Cryptographic Coprocessor perform decryption operations on our behalf.
With this in mind, we can manually perform the decryption operations outlined in Figure 2 to retrieve a single decrypted bootloader. Additionally, across all Ryzen and EPYC BIOS images that we’ve seen, the value of Blob 21h is the same. Therefore, simply decrypting it would allow us to decrypt all PSP firmware blobs for those platforms.
Conclusion
It appears the latest AGESA update encrypts portions of the PSP firmware, making it harder for security researchers to examine the code.