[Code-Crunchers] Fwd: Re: [funsec] Description of the Intel CPU bugs

Aaron Adams aadams at securityfocus.com
Thu Jun 28 13:17:23 CDT 2007


There was a small paper about stuff like this 3 years ago.

http://packetstormsecurity.org/0407-exploits/OpteronMicrocode.txt

Aaron

Gadi Evron wrote:
> ----- Forwarded message from Valdis.Kletnieks at vt.edu -----
> 
> To: Larry Seltzer <Larry at larryseltzer.com>
> Subject: Re: [funsec] Description of the Intel CPU bugs
> From: Valdis.Kletnieks at vt.edu
> Date: Thu, 28 Jun 2007 11:45:31 -0400
> Cc: funsec at linuxbox.org
> 
> On Thu, 28 Jun 2007 11:08:08 EDT, Larry Seltzer said:
> 
>> Does this mean that microcode in these CPUs is actually
>> field-upgradable? I wonder if Joanna Rutkowska knows about this.
> 
> Yes, it's designed as field-upgradable and loadable into the CPU for
> the current power-on cycle (in other words, it evaporates at power-off).
> Most sane BIOS include an "upload current microcode from ROM into CPU as
> part of POST".  If your BIOS hasn't been upgraded, you can upload it during
> boot (as the Microsoft patch presumably does, and the Linux microcode_ctl
> utility does -  http://www.urbanmyth.org/microcode/ ).
> 
> Yes, flashing your own microcode into the CPU would be the ultimate pwn-the-box,
> except (a) you'd still have to arrange for it to get re-flashed at power-on,
> and (b) the format is incredibly undocumented, and dependent on the exact
> internal design, down to processor family and probably stepping (the current
> microcode update from Intel covers 125, yes 125, different CPUs).  So unless
> you have docs for what bit 57 of a format-7 microcode control word for a T6500
> processor does, you will almost certainly just lock the damned thing up and
> require a power cycle... ;)
> 
> ----- End forwarded message -----
> 
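Because a microcode update loaded this way lasts only until power-off, the revision a CPU is actually running has to be checked after each boot. The following is an added example, not part of the original thread: it assumes a Linux x86 system whose `/proc/cpuinfo` exposes a `microcode` field, and the sample input is constructed. It groups logical CPUs by vendor, family, model and stepping and flags any group whose members report different revisions.

```python
import collections

# Constructed sample in /proc/cpuinfo layout (values are made up).
SAMPLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 15
stepping\t: 6
microcode\t: 0xc6

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 15
stepping\t: 6
microcode\t: 0xc2
"""

def parse_cpuinfo(text):
    """Return one dict of fields per logical CPU from /proc/cpuinfo-style text."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def microcode_by_signature(cpus):
    """Map (vendor, family, model, stepping) -> {revision: [cpu ids]}."""
    table = collections.defaultdict(lambda: collections.defaultdict(list))
    keys = ("vendor_id", "cpu family", "model", "stepping")
    for cpu in cpus:
        sig = tuple(cpu.get(k, "?") for k in keys)
        # None marks a CPU whose kernel did not report a revision.
        rev = int(cpu["microcode"], 16) if "microcode" in cpu else None
        table[sig][rev].append(int(cpu["processor"]))
    return {sig: dict(revs) for sig, revs in table.items()}

def inconsistent(table):
    """Signatures whose logical CPUs do not all report one known revision."""
    return [sig for sig, revs in table.items() if len(revs) != 1 or None in revs]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(inconsistent(microcode_by_signature(parse_cpuinfo(text))))
```

Run it with `/proc/cpuinfo` as the argument to check a live host; with no argument it uses the constructed sample.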

