Intel processors: Microcode updates for Atom Celerons decrypted
Source: Heise.de, added 29th Oct 2020
Processors from AMD and Intel load microcode updates to fix bugs or to add new functions. The exact functionality of these microcode updates is not publicly documented; instead, they are usually encrypted and cryptographically signed. After long preparatory work, the security experts Maxim Goryachy, Dmitry Sklyarov and Mark Ermolov have now succeeded for the first time in decrypting the microcode updates for certain Intel processors.
Intel emphasizes that this does not constitute a vulnerability that can be exploited remotely, because the processors only apply digitally signed microcode updates and the signing key is still secure.
But Goryachy, Sklyarov and Ermolov explain that it is now possible, for the first time on (still) current processors, to examine the functionality of Intel microcode updates. Until now this was only possible with older processors; on the AMD side, up to the K8 and K10 generations (Usenix Security 2017).
Maxim Goryachy explained details of the microcode hack to the US publication Ars Technica. According to him, decrypting the microcode updates has so far only worked on the systems-on-chips (SoCs) with "Goldmont" cores that Intel introduced in 2016, in particular the Atom x5-/x7-E3900, Celerons such as the N3350 and N3450, and the Pentium N4200/J4205.
Mark Ermolov shows on Twitter how subroutines are structured in microcode.
(Image: Mark Ermolov / Twitter)
Through the gap
The researchers gained access to the Goldmont microcode updates on the one hand via debugging functions that Goryachy, Sklyarov and Ermolov discovered in recent years (Chip Red Pill), and on the other hand via the security vulnerability Intel-SA-00086, which they disclosed in 2017. Both the vulnerability and the debugging access require physical access to the respective system, for example via a debugging (JTAG) adapter.
The security researchers, two of them at the Russian company Positive Technologies (PTE), enable the "Red Unlock" operating mode, which is actually only intended for internal Intel developers. This in turn gives access to the so-called microcode sequencer ROM (MSROM).
Interesting for security researchers
Mark Ermolov has published some screenshots on his Twitter account @_markel___ showing excerpts from the microcode. The findings so far are primarily of interest to security researchers.
However, the experts explain that analyzing the microcode and better understanding how it works allows conclusions to be drawn about other embedded functions in Intel processors. That knowledge, in turn, could be used to bypass security functions, for example.
First of all, however, it is primarily possible to examine the microcode updates that were previously inaccessible due to encryption. (ciw)