Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday June 28 2019, @04:08AM   Printer-friendly
from the my-curves-are-elliptical-baby dept.

Thomas Claburn over at El Reg is reporting on a firmware update released by AMD which addresses flaw(s) in their Secure Encrypted Virtualization (SEV) technology, which is designed to isolate memory used by virtual machines from hypervisors and each other.

According to the article:

Microchip slinger AMD has issued a firmware patch to fix the encryption in its Secure Encrypted Virtualization technology (SEV), used to defend the memory of Linux KVM virtual machines running on its Epyc processors.

"Through ongoing collaboration with industry researchers AMD became aware that, if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology's behavior," an AMD spokesperson told The Register last night.

"AMD released firmware-based cryptography updates to our ecosystem partners and on the AMD website to remediate this risk."

SEV isolates guest VMs from one another and the hypervisor using encryption keys, which are managed by the AMD Secure Processor. Each guest VM has its own cryptographic key, which is used directly with the underlying hardware and Secure Processor to transparently and automatically encrypt and decrypt sections of RAM on the fly as it is accessed.
[...]
What went wrong

When a VM is launched, it generates a key by multiplying points on a curve against the Platform Diffie-Hellman (PDH) key. Typically, the curve would be from America's National Institute of Standards and Technology's (NIST) list of curves. In an invalid curve attack, a different curve is used and the results of that computation can be used to defeat the encryption.
[...]
The flaw, disclosed to AMD in February, affects AMD Epyc servers running SEV firmware version 0.17 build 11 and below. AMD made the firmware update available to hardware partners on June 4 to distribute to customers and installations; it can be downloaded directly from here[.zip]. The fix involves restricting key generation to official NIST curves.

The vulnerability has been assigned CVE-2019-9836.

More coverage of the firmware release can be found at Phoronix and Anandtech.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2) by coolgopher on Friday June 28 2019, @10:45AM (1 child)

    by coolgopher (1157) on Friday June 28 2019, @10:45AM (#860894)

    Complexity is the enemy of secure.

    • (Score: 0) by Anonymous Coward on Friday June 28 2019, @12:00PM

      by Anonymous Coward on Friday June 28 2019, @12:00PM (#860903)

      See also Life 101 - beware of curves.

  • (Score: 0) by Anonymous Coward on Friday June 28 2019, @06:14PM

    by Anonymous Coward on Friday June 28 2019, @06:14PM (#861030)

    "Through ongoing collaboration with industry researchers"

    so closed source then? industry researchers should refuse to help them until they open source the shit. vuln compromise and bad press/lost money is the only thing that will make them understand that closed source is inherently insecure.

(1)