Skip to content

Latest commit

 

History

History
101 lines (74 loc) · 5.65 KB

Readme.md

File metadata and controls

101 lines (74 loc) · 5.65 KB
Raw

Introduction

This repository contains supplemental data to our paper:

Insecure Until Proven Updated: Analyzing AMD SEV's Remote Attestation.

The paper will be presented at the 26th ACM Conference on Computer and Communications Security (CCS'19) in London. You can find a pre-print version of the paper here.

In the paper we show that we were able to obtain the chip-endorsement-key (CEK) from AMD EPYC cpus of the Naples series. This key plays a central role in the trust model of the Secure Encrypted Virtualization technology from AMD. Based on the key extraction, we propose attacks against AMD SEV protected virtual machines that allow an attacker to fully circumvent the protection granted by the SEV technology.

Please refer to our paper for the details.

This repository contains a signature, created with an extracted CEK, over the title of our paper. This allows to verify our claims without actually releasing the extracted CEK key. Additionally, the repository contains helper scripts to convert AMD provided keys into a format suitable for openssl.

We have published a proof-of-concept of our proposed migration attack here

This repository contains the following files:

Filename Description
convert_amd_key.py Script that converts AMD provided keys into the pem format, readable by openssl.
create_sig.py Script that was used to sign data. For reference purposes only.
data Text file containing the paper title.
data.sig ECDSA signature over the data file, created with an extracted CEK.
keys_org/ask_ark_naples.cert ASK and ARK certificates for EPYC Naples CPU's (can also be obtained directly from AMD).
keys_org/5E1...cert Signed CEK key (can also be obtained from the AMD CEK certificate webpage)

The convert_amd_key.py and create_sig.py scripts make use of the python cryptography.io library.
Install it e.g. using pip:

$ pip install cryptography

Background

In order to authenticate a remote SEV system, a cloud customer can validate the following certificate chain (a -> denotes "signed by"):

PDH -> PEK -> CEK -> ASK -> ARK

Both the PDH and PEK are generated by the firmware running on the PSP. The CEK, however, is derived from "secrets stored in chip-unique OTP fuses", see AMD SEV API Chapter 2.1.3. It is valid throughout the life time of the corresponding CPU. The ASK and ARK are held by AMD. Their private keys are only available to AMD.

Before validating the authenticity of an SEV system, the client must retrieve the following keys:

  1. ASK (AMD SEV Signing Key) from AMD
  2. ARK (AMD Root Key) from AMD.
  3. The signed CEK certificate corresponding to the CPU ID from the AMD CEK certificate webpage.
    • The ID is provided by the cloud provider and is unique per system.
  4. The PDH and PEK from the cloud provider.

After that, the client can validate the authenticity of the remote SEV system by performing the following steps:

  1. Verify the signature of the ASK using the ARK
  2. Verify the signature of the CEK using the ASK
  3. Verify the signature of the PEK using the CEK
  4. Verify the signature of the PDH using the PEK

The exact details are described in the AMD SEV API 0.22 specification, Appendix C.5.

Usage

To verify the signature of the data file the following steps must be performed:

  1. Obtain the required files, (see Background):
    • The file keys_org/ask_ark_naples.cert contains both the signed ASK and the ARK. It can also be obtained directly from AMD.
    • The signed CEK can be found in: keys_org/5E1...cert. Alternatively, it can be obtained from the AMD CEK certificate webpage. The CPU ID corresponding to our extracted CEK is:
    5E1FDB617787B6D516F5CC5A5BB48FAE868DD57C71EC81F3FD59AD7C84A761C7453289287481DEA46C010E25304DA3FDFCE63DF87C5AE735537975EEE069CB14
  2. Convert the AMD certificates into the pem format. 
    $ ./convert_amd_key.py keys_org/ask_ark_naples.cert keys_org/5E1FDB617787B6D516F5CC5A5BB48FAE868DD57C71EC81F3FD59AD7C84A761C7453289287481DEA46C010E25304DA3FDFCE63DF87C5AE735537975EEE069CB14.cert
    The script will convert the ASK, ARK and CEK certificates into the pem format and extract their signatures as well as the raw certificates.
  3. Verify the certificate chain using openssl:
    • Verify the ASK signature:
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -signature ask.sig -verify ark.pem ask.raw
    • Verify the CEK signature:
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -signature cek.sig -verify ask.pem cek.raw
    • Verify the data signature:
    openssl dgst -sha256 -signature data.sig -verify cek.pem data

If all signatures are valid, then data has been signed by an authentic CEK. An attacker who is able to sign data with an authentic CEK can create arbitrary, valid, PEK and PDH certificates. Please refer to our paper for further details on the implication this has on the security of SEV.