Earlier this year, a Google researcher discovered a security vulnerability in Secure Encrypted Virtualization (SEV) within AMD’s EPYC processor that allowed an attacker to obtain a security key and access an otherwise isolated virtual machine. The SEV function of the EPYC processors allows multiple virtual machines on a system to be completely isolated from each other. At the same time, the elliptic curve algorithm is used to generate different encryption keys from the hardware level, ensuring that each virtual machine has its own independent security protection.
On February 19 this year, the above vulnerability was first reported back to AMD. Four days later, AMD confirmed the vulnerability, and Google immediately provided proof of concept attack code. However, AMD’s repair process has some twists and turns. On May 13th, AMD requests a 30-day extension before full disclosure. On June 4th, the 0.17 Build 22 version of the repair code was released, and the application was extended for another 7 days.
Until June 25th, the details of this vulnerability were made public, but at this time AMD has completed the repair, and the AMD’ user can upgrade the firmware.