kvidndnc
@idolion_

7 posts
Joined January 2019
142 Following · 47 Followers

David Kaplan (@depletionmode):
Still struggling with my Ryzenfall-1 repro. Writing 0x10000 to *MSR[0xc00110a2]+0x10500+0x44 does, in fact, dump some info string to a provided location. However, the PSP mailbox should be at *MSR[0xc00110a2]+0x70 and writing there gets no response. ?!?!?
[image attached]

kvidndnc (@idolion_):
@depletionmode Haha, this comment confused us too. It was not actually enforced.

David Kaplan (@depletionmode):
Is it that this mechanism didn't work? Or perhaps it was added after your vuln disclosure? (But the git history dates seem to be prior to that...)

David Kaplan (@depletionmode):
@idolion_ Hi Ido. I'm trying to repro Ryzenfall-1. Just wondering about this comment in the coreboot PSP mailbox code. It seems that non-SMM code on platforms that correctly notify the PSP of boot done should not be able to send MBOX_BIOS_CMD_S3_DATA_INFO. What am I missing here?
[image attached]

kvidndnc (@idolion_):
@Rewt_1 @uri_farkas Hi David, I'm glad you liked it! Both EPYC and Ryzen lines of processors are vuln to #amdflaws, with similar implications on both (Credential Guard bypass, PSP firmware patching, etc.). We haven't tested older CPUs like Opteron.

David Routin (@Rewt_1):
@idolion_ @uri_farkas Hi! We loved your presentation! And I imagine the personal investment in it... I was wondering if all AMD processors can be abused or if only specific models are subject to this? New models etc.?

kvidndnc (@idolion_):
@RecordingExpert @binitamshah Yes, remote access is needed. One use case we showed in our lecture is Mimikatz being able to bypass Credential Guard mitigations.