RMPocalypse: Single 8-Byte Write Shatters AMD's SEV-SNP Confidential Computing
"'The Reverse Map Table (RMP) is a structure that resides in DRAM and maps system physical addresses (sPAs) to guest physical addresses (gPAs),' according to AMD's specification documentation. 'There is only one RMP for the entire system, which is configured using x86 model-specific registers (MSRs).' 'The RMP also contains various security attributes of each that are managed by the hypervisor through hardware-mediated and firmware-mediated controls.'"
"AMD makes use of what's called a Platform Security Processor (PSP) to initialize the RMP, which is crucial to enabling SEV-SNP on the platform. RMPocalypse exploits a memory management flaw in this initialization step, allowing attackers to access sensitive information in contravention of SEV-SNP's confidentiality and integrity protections."
"At the heart of the problem is a lack of adequate safeguards for the security mechanism itself -- something of a catch-22 situation that arises as a result of RMP not being fully protected when a virtual machine is started, effectively opening the door to RMP corruption."
RMPocalypse is a vulnerability that targets AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) by corrupting the Reverse Map Table (RMP). The RMP stores security metadata for all DRAM pages and is configured using x86 model-specific registers; it is initialized by the Platform Security Processor (PSP). Because the RMP is not fully protected during this initialization, a single memory write can alter RMP entries, enabling attackers to bypass isolation, access sensitive guest memory, and violate SEV-SNP's confidentiality and integrity guarantees. The root cause is insufficient safeguards for the RMP itself when virtual machines start. AMD has released fixes to mitigate the issue.
Read at The Hacker News