About CVE-2024-21980, SNP firmware design weakness! (5th Aug 2024)

Preface: Confidential node pools use VMs with hardware-based Trusted Execution Environments (TEEs). AMD SEV-SNP Confidential VM denies hypervisor and other host management code access to VM memory and state, and adds defense-in-depth against operator access.

Background: The SNP firmware may exist in two states: UNINIT and INIT.

UNINIT – The platform is uninitialized. This is the reset state of the PSP firmware.

Allowed Platform Commands: SNP_INIT, SNP_PLATFORM_STATUS,

DOWNLOAD_FIRMWARE, GET_ID

INIT – The platform is initialized

Allowed Platform Commands: All SNP commands except SNP_INIT, DOWNLOAD_FIRMWARE

Ref: The behavior of the SEV-legacy commands is altered when the SNP firmware is in the INIT state. In this case, the SEV-legacy commands require any page that the SEV-legacy command writes to be a Firmware or Default page.

Vulnerability details: CVE-2024-21980 – Improper restriction of write operations in SNP firmware could allow a malicious hypervisor to overwrite a guest’s memory or UMC seed potentially resulting in loss of confidentiality and integrity.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3011.html

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.