Thursday, May 3, 2018

New AMD Update Encrypts PSP Firmware

Posted by Uri Farkas, VP R&D at CTS-Labs

Today marks six weeks since AMD gave its initial response to the CTS-Labs research findings. Our team has been waiting for updates, and while fixes have yet to come out for the AMD vulnerabilities, we’ve seen a new AGESA version released and distributed by AMD on April 17th, which contains some interesting changes to the firmware of the Security Processor.

Until now, the PSP bootloader firmware has been accessible and could be audited by any security researcher who put in the effort to locate it. But in the latest AGESA 1.0.0.2a, the bootloader has been encrypted using a secret key stored inside an immutable part of the PSP hardware, in the PSP ROM. 

In this article, we offer a technical description of this new layer of encryption by AMD.

PSP Firmware - Background

The Boot Process


On an AMD machine that contains a PSP, the boot process starts with the CPU in a halted state; only the PSP is granted execution.

The PSP starts execution in its Boot ROM (Read Only Memory that was programmed at manufacturing), which contains simple code that verifies and then loads the off-chip PSP Bootloader located in SPI Flash. The Bootloader then reads and authenticates the first block of BIOS code, and upon success it releases the processor from its halted state. At this point the x86 processor resumes execution in parallel with the PSP. This is the procedure behind Hardware Validated Boot - AMD's extension of Secure Boot, where the PSP acts as the hardware Root of Trust.

The Boot ROM starts by looking for the magic value 0x55AA55AA, which is part of the FIRMWARE_ENTRY_TABLE structure. This structure, also known as ROMSIG, resides at a predefined location inside the SPI flash and tells the Boot ROM where to find the PSP Directory.


Firmware Entry Table -- from coreboot


The PSP Directory

The off-chip PSP Bootloader, along with other modules loaded by the PSP, is stored as part of the PSP Directory. The PSP Directory is a simple file system containing the types, locations and sizes of PSP modules (or “PSP Blobs”). It is a table-like structure stored in SPI flash as part of the BIOS Image.

Structure of a PSP Directory 


PSP Modules are stand-alone binaries that contain code, keys, signatures or configuration data.

List of documented directory entry types
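
The lookup chain described above (ROMSIG magic, then PSP Directory, then modules) can be walked offline on a BIOS image to inventory its PSP modules. The following is an added example, not code from this post or from coreboot. The field layout is an assumption based on coreboot's amdfwtool: the PSP pointer is the fifth dword of ROMSIG, the directory starts with a `$PSP` cookie, and each 16-byte entry holds type, size and a 64-bit address. The sample image is constructed.

```python
import hashlib
import struct

ROMSIG_MAGIC = struct.pack("<I", 0x55AA55AA)  # magic value from the article
PSP_ENTRY_OFF = 0x10   # assumption: psp_entry is the 5th dword of ROMSIG
PSP_COOKIE = b"$PSP"   # assumption: cookie that opens the directory header

def to_offset(addr, image):
    # Assumption: power-of-two image mapped at the top of the address space.
    return addr & (len(image) - 1)

def find_psp_directory(image):
    """Return the file offset of the PSP Directory, or None if not found."""
    for rom in range(0, len(image) - 0x14, 0x1000):
        if image[rom:rom + 4] != ROMSIG_MAGIC:
            continue
        (psp_entry,) = struct.unpack_from("<I", image, rom + PSP_ENTRY_OFF)
        d = to_offset(psp_entry, image)
        if image[d:d + 4] == PSP_COOKIE:  # rejects chance hits on the magic
            return d
    return None

def list_psp_entries(image):
    """Return [(type, size, file_offset, sha256_hex)] for every entry."""
    d = find_psp_directory(image)
    if d is None:
        raise ValueError("no ROMSIG pointing at a $PSP directory")
    (count,) = struct.unpack_from("<I", image, d + 8)
    entries = []
    for e in range(d + 16, d + 16 + 16 * count, 16):
        typ, size, addr = struct.unpack_from("<IIQ", image, e)
        off = to_offset(addr, image)
        if off + size > len(image):
            raise ValueError("entry 0x%02x points outside the image" % (typ & 0xFF))
        digest = hashlib.sha256(image[off:off + size]).hexdigest()
        entries.append((typ & 0xFF, size, off, digest))
    return entries

def build_sample_image():
    """Constructed 64 KiB image: one ROMSIG, one directory, two modules."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<5I", img, 0x2000, 0x55AA55AA, 0, 0, 0, 0xFFFF4000)
    struct.pack_into("<4sIII", img, 0x4000, PSP_COOKIE, 0, 2, 0)
    struct.pack_into("<IIQ", img, 0x4010, 0x01, 0x20, 0xFFFF5000)
    struct.pack_into("<IIQ", img, 0x4020, 0x21, 0x10, 0xFFFF6000)
    img[0x5000:0x5020], img[0x6000:0x6010] = b"B" * 0x20, b"K" * 0x10
    return bytes(img)

if __name__ == "__main__":
    print(list_psp_entries(build_sample_image()))
```

Comparing the per-entry hashes between two AGESA releases shows which modules changed, without needing to interpret their contents.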

The New Update - PSP Firmware Encryption


As a reminder, the first piece of code that runs on the PSP’s ARM Cortex A5 processor is the Boot ROM. The Boot ROM is an immutable ARM firmware hardcoded into the processor.

In this new update, the Boot ROM loads a hardcoded decryption key (“The Chip Key”) into the PSP Cryptographic Coprocessor, also known as CCP. The CCP keeps this key inside its Key Storage Block, from which it does not allow reading out the key. From that point on, the key may only be used for encryption and decryption operations.

The Boot ROM firmware then reads and decrypts the now encrypted PSP bootloader from the BIOS image located in SPI flash, and then executes it.

The bootloader decryption process works as follows:

Figure 2 – Decryption of the PSP Bootloader

Because of the way the PSP is designed, directly extracting the “Chip Key” is very hard. However, it is still possible to use one of the AMDFlaws code execution vulnerabilities to make the Cryptographic Coprocessor perform decryption operations on our behalf.

With this in mind, we can manually perform the decryption operations outlined in Figure 2 to retrieve a single decrypted bootloader. Additionally, across all Ryzen and EPYC BIOS images that we’ve seen, the value of Blob 21h is the same. Therefore, simply decrypting it would allow us to decrypt all PSP firmware blobs for those platforms.

Conclusion


It appears the latest AGESA update encrypts portions of the PSP firmware, making it harder for security researchers to examine the code.