AMD_PE

Prévia do material em texto

AMD Sinkclose
Universal SMM Privilege Escalation
Enrique Nissim @kiqueNissim
Krzysztof Okupski @exminium
2
Outline
©2024 IOActive, Inc. All Rights Reserved.
• Technical background
– Privilege levels and SMM security
– Remapping attacks
• Exploitation
– Exploit development
– Demo
• Attack paths
• Conclusions
3©2023 IOActive, Inc. All Rights Reserved.
4
SMM Introduction
©2024 IOActive, Inc. All Rights Reserved.
5
 Introducing System Management Mode
©2024 IOActive, Inc. All Rights Reserved.
• One of the most powerful execution modes in x86
o Full access to system and I/O device memory
o Access to the SPI flash (potential for persistence)
• Invisible to the rest of the system
o Hidden from the OS and Hypervisor
o EDRs cannot help here
6
Privilege levels
©2024 IOActive, Inc. All Rights Reserved.
SMM
Hypervisor / VMM
OS
Apps
7©2024 IOActive, Inc. All Rights Reserved.
Ring 3
Ring 0
Ring -2
Firmware OS Loader OS
Apps
SMM
Boot-time Run-time
8
• SMM is entered using a special 
external interrupt called the system-
management interrupt (SMI)
• After an SMI is received by the 
processor, the processor saves the 
processor state in a separate 
address space, called System 
Management RAM (SMRAM)
 System Management Interrupts
©2024 IOActive, Inc. All Rights Reserved.
SW 
SMI
DRAM
SMM
OS
9
Previous research
©2024 IOActive, Inc. All Rights Reserved.
• Blogs
– Exploring the security configuration of AMD platforms (2022)
– Adventures in the Platform Security Coordinated Disclosure Circus (2023)
– Back to the Future with Platform Security (2023)
– Exploring AMD Platform Secure Boot (2023)
• Couple of CVEs
• Tooling: https://github.com/IOActive/Platbox
CVE-2023-20576 CVE-2023-20577 CVE-2023-20579
CVE-2023-20587 CVE-2023-20596 CVE-2023-31100
CVE-2023-28468 CVE-2023-2290 CVE-2023-5078
https://labs.ioactive.com/2022/11/exploring-security-configuration-of-amd.html
https://labs.ioactive.com/2023/02/adventures-in-platform-security.html
https://labs.ioactive.com/2023/06/back-to-future-with-platform-security.html
https://labs.ioactive.com/2024/02/exploring-amd-platform-secure-boot.html
https://github.com/IOActive/Platbox
10
SMM Security
©2024 IOActive, Inc. All Rights Reserved.
11©2024 IOActive, Inc. All Rights Reserved.
DRAM
SMRAMMemory
Controller
CPU
SMM
12©2024 IOActive, Inc. All Rights Reserved.
DRAM
SMRAMMemory
Controller
CPU
Normal mode
- Execution disallowed
- Reads FFs
- Writes are discarded
13
TSEG Region
©2024 IOActive, Inc. All Rights Reserved.
• How does the memory controller protects SMRAM?
o At boot-time BIOS configures two registers to setup the TSEG Region
Rsvd TSEG Base Reserved
63           39                                                                                                                     17                                                                                  
 0
MSRC001_0112 SMM TSeg Base Address (SMMAddr)
Rsvd TSEG Mask Rsvd
Tm
Type
Dram
Rsvd
Am
Type
Dram
Rsvd
Tm
Type
IoWc
Am
Type
IoWc
TClose AClose TValid AValid
63           39                            17                                                                                                      4                 3               2              1          
   0
MSRC001_0113 SMM TSeg Mask (SMMMask)
14©2024 IOActive, Inc. All Rights Reserved.
Physical 
Address Space
SMRAM
TSEG
Region
SMM Save State (CPUn)
SMI Handlers
SMM Core
TSeg Base (SMMAddr)
TSeg Mask (SMMMask)
SMM Base (SMM_BASE)
SMM Base + 8000h
SMM Base  + FE00h
...
SMM Save State (CPU0)
SMM Entrypoint (CPUn)
...
SMM Entrypoint (CPU0)
SMM Base (CPUn)
...
SMM Base (CPU0)
15
Summary of SMRAM Registers
©2024 IOActive, Inc. All Rights Reserved.
• MSRC001_0111 (SMM_BASE used for SMM base address)
• MSRC001_0112 (SMM TSeg Base Address (SMMAddr))
• MSRC001_0113 (SMM TSeg Mask (SMMMask))
• MSRC001_0015[SmmLock] (HWCR used for locking the config)
These need to be configured for each core
16
Differences between AMD and Intel MSRs
©2024 IOActive, Inc. All Rights Reserved.
• On Intel systems there are specific MSRs that are only accessible 
while the processor is executing at SMM
o Example: IA32_SMBASE (SMM base register)
o Obtaining this value could be considered a leak
• On AMD all the MSRs that are related to the security of SMM are 
accessible from ring 0
o Note that when SmmLock bit is set, accesibility does not imply the 
configuration can be changed even from SMM
17
Spotting the bug
©2024 IOActive, Inc. All Rights Reserved.
18©2024 IOActive, Inc. All Rights Reserved.
19©2024 IOActive, Inc. All Rights Reserved.
20©2024 IOActive, Inc. All Rights Reserved.
21
More explicit in earlier docs
©2024 IOActive, Inc. All Rights Reserved.
Source: 
https://www.amd.com/content/dam/amd/en/documents/archived-tech-
docs/revision-guides/41322_10h_Rev_Gd.pdf
https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/41322_10h_Rev_Gd.pdf
https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/41322_10h_Rev_Gd.pdf
22
MSR C001_0113 SMM TSeg Mask 
(SMMMask)
©2024 IOActive, Inc. All Rights Reserved.
23
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
AE00_0000
h
0000_0000
h
Data fetch
Instruction fetch
Device X
Device Y
Device Z
Core 0
Normal mode
24
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
Device X
Device Y
Device Z
Core 0
SMM
AE00_0000
h
0000_0000
h
TClose OFF
25
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
Core 0
SMM
AE00_0000
h
0000_0000
h
Instruction fetch
TClose OFF
Device X
Device Y
Device Z
26
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
TClose OFF
Core 0
SMM
AE00_0000
h
0000_0000
h
Data fetch
Instruction fetch
Device X
Device Y
Device Z
27
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
Device X
Device Y
Device Z
Core 0
SMM
AE00_0000
h
0000_0000
h
TClose ON
28
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
Core 0
SMM
AE00_0000
h
0000_0000
h
Instruction fetch
TClose ON
Device X
Device Y
Device Z
29
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
MMIO Space
Core 0
SMM
AE00_0000
h
0000_0000
h
Data fetch
Instruction fetch
TClose ON
Device X
Device Y
Device Z
30
X86 goes to Harvard
©2024 IOActive, Inc. All Rights Reserved.
DRAM
SPI Flash
TSEG
MMIO
FFFF_FFFF
h
B000_0000
h
4GB
Physical Address 
Space
Memory
PCIe ECAM
SPI Controller
APIC
E000_0000h
FEC1_0000h
FEE0_0000h
FF00_0000
h
SMRAM
Attacker 
Controlled
MMIO Space
Core 0
SMMAE00_0000
h
0000_0000
h
Data fetch
Instruction fetch
TClose ON
Device X
Device Y
Device Z
31
Triggering the condition
©2024 IOActive, Inc. All Rights Reserved.
32
Why does this feature exist?
©2024 IOActive, Inc. All Rights Reserved.
• This allows to re-use the physical address space
• We have yet to see a vendor using this feature
33
When did this feature appear?
©2024 IOActive, Inc. All Rights Reserved.
• First mentioned for AMD 0Fh processor families (2006)
• BIOS and Kernel Developer's Guide for AMD NPT 
Family 0Fh Processors 
https://www.amd.com/content/dam/amd/en/documents/a
rchived-tech-docs/programmer-references/32559.pdf
• It's been around for 18 years...
https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/programmer-references/32559.pdf
https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/programmer-references/32559.pdf
34
Differences with the "Memory Sinkhole"
©2024 IOActive, Inc. All Rights Reserved.
• Cristopher Domas presented the Memory Sinkhole attack in 2015
o Affected Intel Sandy Bridge and previous generations
o Remaps the APIC over the TSEG area
o Causes data fetches to go to MMIO instead of SMRAM
• Key differences:
o The memory sinkhole only affects the 4K portion where the APIC gets 
mapped
o Sinkclose changes the behavior of the entire TSEG region
o Any device could be overlapped... right?
35
Brainstorming attack ideas
©2024 IOActive, Inc. All Rights Reserved.
36
Attack idea
©2024 IOActive, Inc. All Rights Reserved.
• Use a PCIe device with a BAR having register values such that when 
overlapped with the SMM entry point, we could take control of the execution
• There are multiple integrated devices in modern systems
• We can try re-mapping the PCI Base Address Register (BAR) from one of 
them to make it overlap with SMRAM
• The registers for the device should become visible for the OS at the TSEG 
location
37
PCI BARs failed
©2024 IOActive, Inc. All Rights Reserved.
38
PCI BARs failed
©2024 IOActive, Inc. All Rights Reserved.
Visible device registers 
39
PCI BARs failed
©2024 IOActive, Inc. All Rights Reserved.
Visible device registers 
Remap failed; registers are not 
available
40
PCI BARs failed
©2024 IOActive, Inc. All Rights Reserved.
Visible device registers 
Remap failed; registers are not 
available
The BAR was indeed 
moved from its original place
41
PCI BARs failed
©2024 IOActive, Inc. All Rights Reserved.
Visible device registers 
Remap failed; registers are not 
available
The BAR was indeed 
moved from its original place
After restoration
42
TOM - Top of Memory
©2024 IOActive, Inc. All Rights Reserved.
• This register dictates where the MMIO region below 4G starts
• On Intel this register has a lock bit and cannot be modified when set
• There is no such lock in AMD :)
43
Moving TOM down
©2024 IOActive, Inc. All Rights Reserved.
FFFFFFFFh
B0000000h
AE000000hTSEG_BASE
TOM
4GB
TSEG
MMIO
44
Moving TOM down
©2024 IOActive, Inc. All Rights Reserved.
FFFFFFFFh
B0000000h
AE000000hTSEG_BASE
TOM
4GB
TSEG
MMIO
TSEG_BASE
TOM
4GB FFFFFFFFh
AE000000h
MMIO
TSEG
45
Moving TOM down
©2024 IOActive, Inc. All Rights Reserved.
FFFFFFFFh
B0000000h
AE000000hTSEG_BASE
TOM
4GB
TSEG
MMIO
TSEG_BASE
TOM
4GB FFFFFFFFh
AE000000h
MMIO
TSEG
This worked in theory but not in practice...
46
Memory routing priorities
©2024 IOActive, Inc. All Rights Reserved.
47
Memory routing priorities
©2024 IOActive, Inc. All Rights Reserved.
48
Memory routing priorities
©2024 IOActive, Inc. All Rights Reserved.
49
Memory routing priorities
©2024 IOActive, Inc. All Rights Reserved.
50
Memory routing priorities
©2024 IOActive, Inc. All Rights Reserved.
?
51
Analysis of the SMM entry point
©2023 IOActive, Inc. All Rights Reserved.
SMM 
Mode
Real mode 
(16 bit)
Protected mode 
(32 bit)
Long mode 
(64 bit)
SMI handlers
52
Global Descriptor Table (GDT)
©2024 IOActive, Inc. All Rights Reserved.
Descriptor 0
(NULL)
Code Descriptor
Base: 0x00000000
Data Descriptor
Base: 0x00000000
GDT
Descriptor N
jmp 0x8:0x1000
Limit Base
GDTR
53
Global Descriptor Table (GDT)
©2024 IOActive, Inc. All Rights Reserved.
Descriptor 0
(NULL)
Code Descriptor
Base: 0x00000000
Data Descriptor
Base: 0x00000000
GDT
Descriptor N
jmp 0x8:0x1000
Limit Base
GDTR
54
Global Descriptor Table (GDT)
©2024 IOActive, Inc. All Rights Reserved.
Descriptor 0
(NULL)
Code Descriptor
Base: 0x00000000
Data Descriptor
Base: 0x00000000
GDT
Descriptor N
jmp 0x8:0x1000
Linear address
0x1000
Limit Base
GDTR
55
Analysis of the EDKII SMM entry point
©2024 IOActive, Inc. All Rights Reserved.
56
Analysis of the EDKII SMM entry point
©2024 IOActive, Inc. All Rights Reserved.
SMM entry point + 0x4D
57
Analysis of the EDKII SMM entry point
©2024 IOActive, Inc. All Rights Reserved.
SMM entry point + 0x4D
58
Analysis of the EDKII SMM entry point
©2024 IOActive, Inc. All Rights Reserved.
Loads GDTR
SMM entry point + 0x4D
59
Analysis of the EDKII SMM entry point
©2024 IOActive, Inc. All Rights Reserved.
Loads GDTR
SMM entry point + 0x4D
Jumps to 32-bit (protected) code
60
Analysis of the EDKII SMM entry point
©2024 IOActive, Inc. All Rights Reserved.
Loads GDTR
SMM entry point + 0x4D
Jumps to 32-bit (protected) code
We need to control the BAR of the overlapped device at offset 0x4D
61
Problems with the APIC
©2024 IOActive, Inc. All Rights Reserved.
• The system becomes unstable when the APIC is moved
• The APIC registers are not useful for taking control at 
the SMM entry point
62
APIC Registers
©2024 IOActive, Inc. All Rights Reserved.
Reserved region
Writes are discarded
63
Introducing the SPI controller
©2024 IOActive, Inc. All Rights Reserved.
64
SPI controller
©2024 IOActive, Inc. All Rights Reserved.
• Used to read / write / erase the SPI flash
• Key features:
o The BAR can be relocated over the SMM entry point
o Portions of the BAR are attacker-controlled
o Takes precedence over SMRAM when TClose is enabled
65©2024 IOActive, Inc. All Rights Reserved.
SMRAM
SMM Save State (CPUn)
SMI Handlers
SMM Core
...
SMM Save State (CPU0)
SMM Entrypoint (CPUn)
...
SMM Base (CPUn)
...
SMM Base (CPU0) MMIO
SPI BARSMM Entrypoint (CPU0)
Core 0
SMM
Data fetch
Instruction fetch
66©2024 IOActive, Inc. All Rights Reserved.
67
SPI BAR
©2024 IOActive, Inc. All Rights Reserved.
• GDTR is loaded from offset 0x4D
• Controllable fields:
o 0x4C-50: FCH::LPCPCICFG::memoryrange
o 0x50-54: FCH::LPCPCICFG::rom_protect_0
68
Debugging setup
©2024 IOActive, Inc. All Rights Reserved.
69
Debugging Setup
©2024 IOActive, Inc. All Rights Reserved.
• BAR buffer
o PCI Squirrel with PCILeech firmware
o Used for persistent memory across boot cycles
• SMM backdoor
o Used for modifying code in SMM on-demand
70©2024 IOActive, Inc. All Rights Reserved.
Power supply
PCIe Squirrel
M2 to PCI 4x
adapter
71
Exploitation
©2024 IOActive, Inc. All Rights Reserved.
72©2024 IOActive, Inc. All Rights Reserved.
Attempt #1
73
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
74
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
2. Tweak
75
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Payload
Fake GDT
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
2. Tweak
3. Map + 
tweak
76
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Payload
Fake GDT
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
2. Tweak
3. Map + 
tweak
77
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Payload
Fake GDT
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
2. Tweak
3. Map +tweak
GDTR
Size: 0x100
Address: 0x00000000
78
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Payload
Fake GDT
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
2. Tweak
3. Map + 
tweak
GDTR
Size: 0x100
Address: 0x00000000
79
SMM Entrypoint
©2024 IOActive, Inc. All Rights Reserved.
DRAM
Payload
Fake GDT
Core 0
SMM
Data fetch
Instruction fetch
MMIO
SPI BAR
TSEG
1. Remap
2. Tweak
3. Map + 
tweak
GDTR
Size: 0x100
Address: 0x00000000
80
GDT far jmp wrap-around
©2024 IOActive, Inc. All Rights Reserved.
Limit Base
GDTR
Descriptor 0
Descriptor 1
Base: 0x00000000
Descriptor 2
GDT
Descriptor N
jmp 0x8:0xaef4b053
Linear address
0xaef4b053
81
GDT far jmp wrap-around
©2024 IOActive, Inc. All Rights Reserved.
Limit Base
GDTR
Descriptor 0
Descriptor 1
Base: 0x510b4fad
Descriptor 2
GDT
Descriptor N
jmp 0x8:0xaef4b053
Linear address
0x00000000
82©2024 IOActive, Inc. All Rights Reserved.
It worked, but the system crashed… why?
83
The SMM save state
©2024 IOActive, Inc. All Rights Reserved.
• The SMM save state is automatically saved upon 
entering SMM and restored when leaving it
o With TClose enabled these writes are dropped
o The SMM save state from the last SMI is still there
• Solution: Trigger SMI twice
o Once without TClose to prime SMM save state
o Once with TClose to trigger bug
• Does not require overwriting SMM save state values
84©2024 IOActive, Inc. All Rights Reserved.
Attempt #2
85©2024 IOActive, Inc. All Rights Reserved.
The system crashed again... why?
86
Enabling TClose
©2024 IOActive, Inc. All Rights Reserved.
87
Bingo...
©2024 IOActive, Inc. All Rights Reserved.
88©2023 IOActive, Inc. All Rights Reserved.
Symmetric Multi-Threading
• Physical cores are split into two logical cores (threads)
• Some resources are shared between logical cores
o SMM base MSR is separate but
o TSEG mask MSR is not
• Is it an issue if only one core goes into SMM at a time? 
89
SMIs explained
©2024 IOActive, Inc. All Rights Reserved.
xor eax, eax
xor eax, eax
Normal mode
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
Normal mode Normal mode Normal mode
90
SMIs explained
©2024 IOActive, Inc. All Rights Reserved.
xor eax, eax
xor eax, eax
smi
Normal mode
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
Normal mode Normal mode Normal mode
91
SMIs explained
©2024 IOActive, Inc. All Rights Reserved.
xor eax, eax
xor eax, eax
smi
Normal mode
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
xor eax, eax
Normal mode Normal mode Normal mode
92
SMIs explained
©2024 IOActive, Inc. All Rights Reserved.
xor eax, eax
xor eax, eax
smi
SMM mode
mov bs, 0x804d
mov ax, cs:0xfdd8
...
xor eax, eax
xor eax, eax
mov bs, 0x804d
mov ax, cs:0xfdd8
...
xor eax, eax
xor eax, eax
mov bs, 0x804d
mov ax, cs:0xfdd8
...
xor eax, eax
xor eax, eax
mov bs, 0x804d
mov ax, cs:0xfdd8
...
SMM mode SMM mode SMM mode
93
SMIs explained
©2024 IOActive, Inc. All Rights Reserved.
• We assumed that SMIs are local, but they are global
• Initially we thought that:
– we could control exactly which core enters into SMM first
– each core would later reach the rendezvous routine and
– send Inter-Processor-Interrupts (IPI) to bring the rest of the cores into 
SMM before continuing
• We were wrong: The I/O Hub sends the SMI to all cores at once
94
Problem summarized
©2024 IOActive, Inc. All Rights Reserved.
• SMIs make all cores go to SMM at the same time
• TClose is enabled on two logical cores at a time
o They will read 0xFFs since no device is mapped there
o Writes to SMM save state will be dropped
• This will make core 1 triple-fault and crash the system
95
Tackling the problem
©2024 IOActive, Inc. All Rights Reserved.
• We had:
o Control of data fetches on core 0
o No control of data fetches on core 1
• We tried many things to solve the problem:
o Finding another device to overlap with the SMM entry point
o Disabling Simultaneous Multi-Threading (SMT)
o Sending an INIT IPI / executing SKINIT to ignore SMIs
o Sending an SMI IPI to trigger an SMI on individual cores
96©2023 IOActive, Inc. All Rights Reserved.
Running out of options
• Taking a step back:
o Our lgdt is the issue
o What happens if the GDTR is loaded all with FFs?
• Let's look into that...
97
GDTR wrap-around
©2024 IOActive, Inc. All Rights Reserved.
Limit Base
0xAED030B8
GDTR
Descriptor 0
Descriptor 1
Base: 0x00000000
Descriptor 2
GDT
Descriptor N
jmp 0x8:0xaef4b053
Linear address
0xaef4b053
0xAED030C0
98
GDTR wrap-around
©2024 IOActive, Inc. All Rights Reserved.
Limit
0xFFFF
Base
0xFFFFFFFF
GDTR
Descriptor 0
Descriptor 1
Descriptor 2
GDT
Descriptor N
jmp 0x8:0xaef4b053
Linear address
0x00000007
99
Wrap-arounds in x86
©2024 IOActive, Inc. All Rights Reserved.
• The are two instances of wrap-arounds:
– The addition between GDT descriptor base and far jmp offset 
can overflow
– The addition between the GDTR base and far jmp segment 
selector can overflow
• We can use the same fake GDT for core 0 and 1
• Added bonus: No need for the SPI BAR remapping
10
0
SMM save state (again)
©2024 IOActive, Inc. All Rights Reserved.
• For core 0 we use the same technique as before
• For core 1 we:
o Need to bring core 1 into a known / controlled state
o We use kernel synchronization APIs to achieve that
 Deferred Procedure Calls (DPC) on Windows
 Symmetric Multi-Processing (SMP) on Linux
10
1
©2024 IOActive, Inc. All Rights Reserved.
Attempt #3
10
2
Core 1
SMM
0xFF
Core 0
SMM
0xFF
©2024 IOActive, Inc. All Rights Reserved.
DRAM
TSEG
SMM Entrypoint 1
SMM Entrypoint 0
10
3
Core 1
SMM
0xFF
Core 0
SMM
0xFF
©2024 IOActive, Inc. All Rights Reserved.
DRAM
TSEG
SMM Entrypoint 1
SMM Entrypoint 0
Payload 0
Fake GDT
(1st byte truncated)
1. Map + tweak
Payload 1
10
4
Core 1
SMM
0xFF
Core 0
SMM
0xFF
©2024 IOActive, Inc. All Rights Reserved.
DRAM
TSEG
SMM Entrypoint 1
SMM Entrypoint 0
Payload 0
Fake GDT
(1st byte truncated)
1. Map + tweak
Payload 1
10
5
Core 1
SMM
0xFF
Core 0
SMM
0xFF
©2024 IOActive, Inc. All Rights Reserved.
DRAM
TSEG
SMM Entrypoint 1
SMM Entrypoint 0
Payload 0
Fake GDT
(1st byte truncated)
1. Map + tweak
Payload 1
GDTR
Size: 0xFFFF
Address: 0xFFFFFFFF
10
6
Core 1
SMM
0xFF
Core 0
SMM
0xFF
©2024 IOActive, Inc. All Rights Reserved.
DRAM
TSEG
SMM Entrypoint 1
SMM Entrypoint 0
Payload 0
Fake GDT
(1st byte truncated)
1. Map + tweak
Payload 1
GDTR
Size: 0xFFFF
Address: 0xFFFFFFFF
10
7
Core 1
SMM
0xFF
Core 0
SMM
0xFF
©2024 IOActive, Inc. All Rights Reserved.
DRAM
TSEG
SMM Entrypoint 1
SMM Entrypoint 0
Payload 0
Fake GDT
(1st byte truncated)
1. Map + tweak
Payload 1
GDTR
Size: 0xFFFF
Address: 0xFFFFFFFF
10
8
©2024 IOActive, Inc. All Rights Reserved.
And it worked!
10
9
©2023 IOActive, Inc. All Rights Reserved.
Extra steps
• We can execute code in SMM but in protected mode
• Our payload performs the following steps:
o Reload the GDT to avoid IP misalignments
o Setup long mode (including page tables)
o Install an SMI handlers to avoid re-exploiting the issue
11
0
©2024 IOActive, Inc. All Rights Reserved.
DEMO
11
1
Next attack paths
©2024 IOActive, Inc. All Rights Reserved.
• Next steps depend on the platform configuration
• The firmware is responsable for:
o Restricting access to the SPI flash (e.g. via ROM Armor)
o Verifying the firmware chain-of-trust (via Platform Secure Boot)
• If everything is enabled, we can at least break secure boot
• If not, there is potential for firmware implants
11
2
©2024 IOActive, Inc. All Rights Reserved.
Ring 3
Ring 0
Ring -2
FW
(SEC+PEI)
FW
(DXE) OS Loader OS
Apps
AMD 
Security 
Processor
FW
(SMM)
HDDFW CFG
Read / write SPI
Read / write SPI
Load and 
verify FW
11
3
©2024 IOActive, Inc. All Rights Reserved.
Ring 3Ring 0
Ring -2
FW
(SEC+PEI)
FW
(DXE) OS Loader OS
Apps
AMD 
Security 
Processor
FW
(SMM)
HDDFW CFG
Read / write SPI
Read / write SPI
Load 
without 
verification
11
4
©2024 IOActive, Inc. All Rights Reserved.
Ring 3
Ring 0 FW
(SEC+PEI)
FW
(DXE) OS Loader OS
Apps
AMD 
Security 
Processor
FW
(SMM)
HDDFW CFG
Read / write SPI
Ring -2
Load and 
verify FW
11
5
©2024 IOActive, Inc. All Rights Reserved.
Ring 3
Ring 0 FW
(SEC+PEI)
FW
(DXE) OS Loader OS
Apps
AMD 
Security 
Processor
FW
(SMM)
HDDFW CFG
Load 
without 
verification
Ring -2
Read / write SPI
11
6
Platform security (overview from 2023)
©2024 IOActive, Inc. All Rights Reserved.
Vendor Model PSB State ROM Armor State
Acer Swift 3 SF314-42 Not configured Not configured
Acer TravelMate P414-41 Not configured Configured
ASUS Strix G513QR Not configured Not configured
Lenovo Thinkpad P16s Configured* Not configured
Lenovo IdeaPad 1 Not configured Not configured
Lenovo Thinkpad T495s Not configured Not configured
Huawei Matebook D16 Not configured Not configured
HP 15s Not configured Not configured
Microsoft Surface 4 Configured Unknown
MSI Bravo 15 Not configured Not configured
11
7
©2023 IOActive, Inc. All Rights Reserved.
Platform security continued
• We took a look ROM Armor and Platform Secure Boot 
before
• See our "Back to the Future with Platform Security" from 
Hexacon 2023 presentation
https
://www.youtube.com/watch?v=xSp38lFQeRE&ab_channel
=Hexacon
https://www.youtube.com/watch?v=xSp38lFQeRE&ab_channel=Hexacon
https://www.youtube.com/watch?v=xSp38lFQeRE&ab_channel=Hexacon
https://www.youtube.com/watch?v=xSp38lFQeRE&ab_channel=Hexacon
11
8
Outro
©2024 IOActive, Inc. All Rights Reserved.
11
9
©2023 IOActive, Inc. All Rights Reserved.
Affected systems
• Pretty much all of them
o Ryzen series
o Ryzen Threadripper series
o EPYC series
• Total number of affected chips: 100s of millions
• AMD advisory AMD-SB-7014 published at 
https://www.amd.com/en/resources/product-security/bulletin/amd
-sb-7014.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
12
0
©2023 IOActive, Inc. All Rights Reserved.
Mitigations
• AMD:
o A microcode update is available
o Con: Might not cover all affected systems due to product EOL
• OEMs:
o Modify SMM entry point code to detect if TClose bit is enabled and abort execution
o Can be done at the reference code level
o Con: Specific to one OEM or even specific systems
• Users:
o A hypervisor could be used to trap accesses on the TSEG mask MSR
12
1
©2023 IOActive, Inc. All Rights Reserved.
Timeline
Vulnerability 
reported to AMD 
PSIRT
(30th Oct 2023)
Assigned
CVE-2023-31315
(30th Nov 2023)
Mitigations will be 
developed
(11th Dec 2023)
AMD publishes 
advisory SB-7014
(9th Aug 2024)
Hexacon
(Today)
12
2
Conclusions
©2024 IOActive, Inc. All Rights Reserved.
• The vulnerability has been around for nearly two decades
• The complexity of modern architectures plays in favor of attackers
• The flexibility of segmentation played a crucial role for exploitation
• Exploitation requires in-depth understanding of the architecture
Exploit code will be released mid November
Stay tuned!
12
3
©2024 IOActive, Inc. All Rights Reserved.
Questions?
	AMD Sinkclose Universal SMM Privilege Escalation
	Outline
	Slide 3
	SMM Introduction
	 Introducing System Management Mode
	Privilege levels
	Slide 7
	 System Management Interrupts
	Previous research
	SMM Security
	Slide 11
	Slide 12
	TSEG Region
	Slide 14
	Summary of SMRAM Registers
	Differences between AMD and Intel MSRs
	Spotting the bug
	Slide 18
	Slide 19
	Slide 20
	More explicit in earlier docs
	MSR C001_0113 SMM TSeg Mask (SMMMask)
	X86 goes to Harvard
	X86 goes to Harvard (2)
	X86 goes to Harvard (3)
	X86 goes to Harvard (4)
	X86 goes to Harvard (5)
	X86 goes to Harvard (6)
	X86 goes to Harvard (7)
	X86 goes to Harvard (8)
	Triggering the condition
	Why does this feature exist?
	When did this feature appear?
	Differences with the "Memory Sinkhole"
	Brainstorming attack ideas
	Attack idea
	PCI BARs failed
	PCI BARs failed (2)
	PCI BARs failed (3)
	PCI BARs failed (4)
	PCI BARs failed (5)
	TOM - Top of Memory
	Moving TOM down
	Moving TOM down (2)
	Moving TOM down (3)
	Memory routing priorities
	Memory routing priorities (2)
	Memory routing priorities (3)
	Memory routing priorities (4)
	Memory routing priorities (5)
	Analysis of the SMM entry point
	Global Descriptor Table (GDT)
	Global Descriptor Table (GDT) (2)
	Global Descriptor Table (GDT) (3)
	Analysis of the EDKII SMM entry point
	Analysis of the EDKII SMM entry point (2)
	Analysis of the EDKII SMM entry point (3)
	Analysis of the EDKII SMM entry point (4)
	Analysis of the EDKII SMM entry point (5)
	Analysis of the EDKII SMM entry point (6)
	Problems with the APIC
	APIC Registers
	Introducing the SPI controller
	SPI controller
	Slide 65
	Slide 66
	SPI BAR
	Debugging setup
	Debugging Setup
	Slide 70
	Exploitation
	Slide 72
	Slide 73
	Slide 74
	Slide 75
	Slide 76
	Slide 77
	Slide 78
	Slide 79
	GDT far jmp wrap-around
	GDT far jmp wrap-around (2)
	Slide 82
	The SMM save state
	Slide 84
	Slide 85
	Enabling TClose
	Bingo...
	Symmetric Multi-Threading
	SMIs explained
	SMIs explained (2)
	SMIs explained (3)
	SMIs explained (4)
	SMIs explained (5)
	Problem summarized
	Tackling the problem
	Running out of options
	GDTR wrap-around
	GDTR wrap-around (2)
	Wrap-arounds in x86
	SMM save state (again)
	Slide 101
	Slide 102
	Slide 103
	Slide 104
	Slide 105
	Slide 106
	Slide 107
	Slide 108
	Extra steps
	Slide 110
	Next attack paths
	Slide 112
	Slide 113
	Slide 114
	Slide 115
	Platform security (overview from 2023)
	Platform security continued
	Outro
	Affected systems
	Mitigations
	Timeline
	Conclusions
	Slide 123