In order to correct errors in the processors, Intel and AMD use so-called microcode, which can be updated. The three-person team of “Chip Red Pill” experts has now discovered two undocumented commands on Intel processors to change the microcode.
If this manipulation were possible in the normal operating mode of the processors, it would be a huge security breach, because microcode updates serve, among other things, to close security gaps of the Spectre type. So far, however, the security researchers have only managed this with the CPU switched into a special debugging mode, which they call “Red Unlock” and which they activate through a security hole that was fixed three years ago. This, in turn, requires physical access to the respective system.
Mark Ermolov (@_markel___), Maxim Goryachy (@h0t_max) and Dmitry Sklyarov (@_Dmit), the latter two of whom work for Positive Technologies (PTE), have been researching Intel’s Management Engine (ME) and other internal functions of Intel processors. Among other things, they discovered the Intel-SA-00086 ME security hole, cracked microcode updates for Intel Atom processors in fall 2020, and discovered the “HAP” option with which the processors continue to function even when the ME is disabled.
This preparatory work allows the three experts to examine the structure of the microcode updates in more detail; they share some of their findings via GitHub.
Ermolov has now published EFI program code on Twitter (a UEFI BIOS can execute the published EFI bytecode) that reads the Control Register Bus (CRBUS) microcode on an Intel processor. Only in a second tweet did he add the information that the undocumented CPU commands used are always decoded by the processor, but only work in the “Red Unlock” debug mode mentioned above. Otherwise, the Microcode Sequencer ROM (MSROM) returns the error code “Invalid Operation Code” (#UD).
Signature protects microcode
On the occasion of the “Chip Red Pill” team’s posts on Goldmont microcodes, Intel emphasized that processors in normal operating mode only load and run microcode that has the correct digital signature. As a result, the commands that have now been discovered cannot yet be used for attacks. The information is of special interest to other security researchers.
“Secret” CPU Commands
It has been known for decades that Intel (and also AMD) processors execute undocumented instructions. You can even search for them yourself, for example with the Sandsifter tool.
“Red Unlock” Debugging
As the Chip Red Pill team demonstrated in 2018, Intel processors contain a kind of built-in logic analyzer: the “Trace Hub” with “Visualization of Internal Signals Architecture” (VIS/VISA). The Trace Hub cannot be accessed during normal system operation because, by design, it also allows access to sensitive data. Rather, it is intended for hardware and system developers, who use it with a special USB 3.0 cable through the so-called Direct Connect Interface (USB DCI). To do this, you must switch the processor or system to a debugging mode, for which you typically need information that Intel only provides to registered developers under a confidentiality agreement (NDA). Particularly sensitive information can be accessed in “red debugging mode” (Red Unlock).