Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins
German researchers reckon they have devised a method to thwart the security mechanisms AMD’s Epyc server chips use to automatically encrypt virtual machines in memory. So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP requests to a web server running in a second guest on the same machine. AMD’s data-center processors, as well as its Ryzen Pro line, support what’s called Secure Encrypted Virtualization.
This decrypts and encrypts virtual machines on the fly while stored in RAM so that the host operating system, hypervisor, and any malware on the host computer, cannot snoop on protected VMs. Each virtual machine is assigned an address space ID which is linked to a cryptographic key to cipher and decipher data as it moves between memory and the CPU cores. The key never leaves the system-on-chip, and each VM gets its own key.
That means, in theory, not even a malicious or hijacked hypervisor, kernel, driver, or other privileged code, should be able to inspect the contents of a protected virtual machine, which is a good safety feature for multi-tenant cloud platforms. Now you can be sure that a BOFH isn’t peeking into your guest instance. AMD marketed SEV as a feature to stop cloud and off-premises hosts from spying on sensitive virtual machines.
However, a technique dubbed SEVered can, it is claimed, be used by a rogue host-level administrator, or malware within a hypervisor, or similar, to bypass SEV protections and copy information out of a customer or user’s virtual machine.