Insecure Despite Proven Updated: Extracting the Root VCEK Seed on EPYC Milan via a Software-Only Attack
Muyan Shen, Yu Qin

TL;DR
This paper presents a software-only attack on AMD EPYC Milan that extracts the hardware root seed, which enables forging of attestation reports and undermines SEV-SNP security.
Contribution
It introduces the MilanLaunchy and BadFuse attacks, which compromise the hardware root seed without physical access or hardware modifications.
Findings
Successfully extracted the hardware root seed on EPYC Milan.
Enabled forging of valid attestation reports for any firmware version.
Demonstrated the insufficiency of existing protections against software-only attacks.
Abstract
In the official whitepaper of Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP), AMD explicitly emphasizes the capability to prevent Trusted Computing Base (TCB) rollback attacks. Cryptographically, this is realized by signing attestation reports with the Versioned Chip Endorsement Key (VCEK), which is derived by incorporating the TCB version into the hardware root seed. In this architecture, safeguarding the hardware root seed is the ultimate line of defense. However, our research reveals that this protection is insufficient on EPYC Milan by presenting a software-only exploit. Specifically, we first introduce the MilanLaunchy attack, an exploit that achieves code execution on the AMD secure processor. Building on this foundation, we develop the BadFuse attack, which extracts the hardware root seed by exploiting a lack of write restrictions in the fuse controller. This…
