TBone
May 18th, 2005, 17:17
The article posted over in this thread:
http://www.woodmann.com/forum/showthread.php?t=7090
about defeating self-CRC-checking code brought up the idea of messing with the processor's microcode ROM to implement the attack in hardware rather than software. Most processors utilize a separate instruction uop cache and memory uop cache, so it's at least within the realm of possibility.
At any rate, until I read that, I was aware of microcode on CISC processors, but I didn't know of the existance of the microcode ROM, let alone that it could be accessed and updated via software. Well, the More You Know™...
I've been trying to find out how this is done, but haven't had much luck in getting details. There is, of course, a linux utility for updating the microcode ROM:
http://freshmeat.net/projects/intelp6microcodeupdateutility/
I've downloaded this and looked at the source code, but that really wasn't much help since the code is in the context of interacting with the linux microcode ROM driver rather than direct access. I suppose there might me be something more direct in the kernel source itself. Perhaps this will get me slapped for being lazy, but I really don't want to resort to digging through all of that to find out how their driver works just yet. Moreover, I don't have much of a grasp on C code or the linux kernel's internals, so I'm not sure it would do me much good even if I found it.
The text file included with the kernel update utility said:
The microcode updates themselves are included in the update utility, but I can't find that Intel has published any specifications that pertain to accessing the microcode ROM.
A similar explanation and source code is available for K8 processors:
http://www.a42.com/node/view/443
Again, it seems that all of the "guts" are handled outside of the source code, so I'm still not sure what's actually being done.
Does anyone know how this is done at the assembly level? I doubt its possible to do much with this information anyway. If the rumors are true, both AMD and Intel have designed their Microcode ROMs not to accept arbitrary data, but only patches which have somehow been "signed" by the company and can be verified against some internal key wired into the ROM. Still, I'm curious.
http://www.woodmann.com/forum/showthread.php?t=7090
about defeating self-CRC-checking code brought up the idea of messing with the processor's microcode ROM to implement the attack in hardware rather than software. Most processors utilize a separate instruction uop cache and memory uop cache, so it's at least within the realm of possibility.
At any rate, until I read that, I was aware of microcode on CISC processors, but I didn't know of the existance of the microcode ROM, let alone that it could be accessed and updated via software. Well, the More You Know™...
I've been trying to find out how this is done, but haven't had much luck in getting details. There is, of course, a linux utility for updating the microcode ROM:
http://freshmeat.net/projects/intelp6microcodeupdateutility/
I've downloaded this and looked at the source code, but that really wasn't much help since the code is in the context of interacting with the linux microcode ROM driver rather than direct access. I suppose there might me be something more direct in the kernel source itself. Perhaps this will get me slapped for being lazy, but I really don't want to resort to digging through all of that to find out how their driver works just yet. Moreover, I don't have much of a grasp on C code or the linux kernel's internals, so I'm not sure it would do me much good even if I found it.
The text file included with the kernel update utility said:
Quote:
| *************************************************************************** >>> Special thanks *************************************************************************** o Intel Corporation, for supplying microcode update data and publishing the specifications that enabled us to write microcode driver for Linux. |
The microcode updates themselves are included in the update utility, but I can't find that Intel has published any specifications that pertain to accessing the microcode ROM.
A similar explanation and source code is available for K8 processors:
http://www.a42.com/node/view/443
Quote:
Modern x86 microprocessors from Intel and AMD contain a feature known as "microcode update", or as the vendors prefer to call it, "BIOS update". Essentially the processor can reconfigure parts of its own hardware to fix bugs ("errata" in the silicon that would normally require a recall.This is done by loading a block of "patch data" created by the CPU vendor into the processor using special control registers. Microcode updates essentially override hardware features with sequences of the internal RISC-like micro-ops (uops) actually executed by the processor. They can also replace the implementations of microcoded instructions already handled by hard-wired sequences in an on-die microcode ROM. |
Again, it seems that all of the "guts" are handled outside of the source code, so I'm still not sure what's actually being done.
Does anyone know how this is done at the assembly level? I doubt its possible to do much with this information anyway. If the rumors are true, both AMD and Intel have designed their Microcode ROMs not to accept arbitrary data, but only patches which have somehow been "signed" by the company and can be verified against some internal key wired into the ROM. Still, I'm curious.