AMD and Intel processors load microcode updates to fix bugs or add new features. The exact functioning of these microcode updates is not publicly documented, and they are usually encrypted and cryptographically signed. Security experts Maxim Goryachy, Dmitry Sklyarov and Mark Ermolov have now succeeded for the first time in decrypting the microcode updates for certain Intel processors after long preparatory work.
Intel emphasizes that this does not imply any remotely exploitable security hole, because the processors only load digitally signed microcode updates and the signature key remains secure.
However, Goryachy, Sklyarov and Ermolov explain that it is now possible for the first time to examine the functioning of Intel microcode updates on (still) current processors. Until now, this was only possible with older processors, in AMD's case up to the K8 and K10 generations (Usenix Security 2017).
Maxim Goryachy has explained details of the microcode hack to the US publication Ars Technica. According to this, the decryption of microcode updates has so far only worked on Intel's systems-on-chips (SoCs) introduced in 2016 with "Goldmont" cores, i.e. mainly Atom x5-.
Mark Ermolov shows on Twitter how subroutines are built in microcode.
Through the hatch
The Goldmont microcode updates were accessed via debugging functions that Goryachy, Sklyarov and Ermolov discovered over the past few years (Chip Red Pill) and via the INTEL-SA-00086 security hole, which they exposed in 2017. Both the security hole and debugging access require physical access to the system, for example via a debugging (JTAG) adapter.
The security researchers, two of whom work at the Russian company Positive Technologies (PTE), use these to enable the "Red Unlock" operating mode, which is actually intended only for Intel-internal developers. This in turn gives access to the so-called Microcode Sequencer ROM (MSROM), among other things.
Interesting for security researchers
Mark Ermolov has published some screenshots on his Twitter account @_markel___ that show excerpts from the microcode. The findings so far are of interest mainly to security researchers.
However, the experts explain that by analyzing the microcode and gaining a better understanding of how it works, conclusions can also be drawn about other embedded functions in Intel processors. This, in turn, could allow security functions to be leveraged, for example.
First of all, however, it is possible to examine the microcode updates that were previously inaccessible due to sealing.