One of the major hardware requirements for Windows 11 was to have a PC that supports TPM 2.0. Not only that, but on the AMD side, even CPUs a couple of generations old, like Ryzen 1000 (Zen architecture) were deemed incompatible with Windows 11 due to them lacking certain hardware security features like HVCI. Hence, one needed a Ryzen 2000 (Zen+), Ryzen 3000 (Zen2), and newer chips, to run the OS.
Despite meeting these criteria though, systems can still be vulnerable. Security researchers Hans Niklas Jacob, Christian Werling, Robert Buhren, and Jean-Pierre Seifer, have dug up a new AMD Secure Processor (AMD-SP) Trusted Execution Environment (TEE) vulnerability that helps bypass firmware TPM (fTPM). Dubbed "faulTPM", this in turn can lead to the compromise of the BitLocker-encryption as well under certain conditions, like when a strong PIN is not used, leading to unauthorized code execution.
Hence, any cryptographic information can potentially be stolen upon successful exploitation. The researchers were able to identify an active side-channel attack vulnerability via voltage fault injection, an attack method known as "TPM sniffing". The fTPM is generally considered less susceptible and more resistant to such attacks than discrete TPM since there is no exposed bus that connects the fTPM to the CPU.
The researchers explain:
.. we use a voltage fault injection attack to gain code execution on the AMD-SP of the newer Zen 2 and Zen 3 CPU generations as introduced by Buhren et al. in [14]. This attack leverages the Serial Voltage Identification Interface 2.0 (SVI2) bus, allowing the AMD SoC to update its supply voltages dynamically. By injecting packets onto this bus, an attacker causes a short drop in the AMD-SP’s supply voltage and induces a fault in the AMD-SP
[..] With PSPTool’s capabilities to replace and resign various AMD-SP firmware components, this fault injection attack can be used to gain code execution in various stages of the AMD-SP’s runtime.
Here is a step-by-step summary of the exploit carried out by the security researchers:
In summary, our contributions are:
- We reverse-engineer the NV storage format of AMD’s fTPM and the derivation of the chip-unique keys protecting its confidentiality and integrity.
- We leverage previously published hardware vulnerabilities on the AMD-SP to extract the cryptographic seeds used to derive the NV storage keys.
- Using the decrypted NV storage, we can extract any cryptographic secret and unseal arbitrary TPM objects protected with the fTPM.
- We use this ability to successfully attack Microsoft BitLocker’s TPM-only key protector.
- We analyze the security of TPM and PIN protectors for FDE keys and describe how BitLocker withstands a compromised TPM when a strong PIN is used while a naive implementation does not.
- We publish all required tools to mount the attack
AMD says it is aware of this new flaw affecting Ryzen 3000 (Zen 2) and Ryzen 5000 (Zen 3) chips. The company provided the following statement to Tom"s Hardware:
AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.
You can read about the new faulTPM vulnerability in much more detail on the arvix website (PDF).