A team of Google researchers working with AMD recently discovered a major CPU exploit on Zen-based processors. The exploit allows anyone with local admin privileges to write and push custom microcode updates to affected CPUs. The same Google team has released the full deep-dive on the exploit, including how to write your own microcode. Anyone can now effectively jailbreak their own AMD CPUs.
The exploit affects all AMD CPUs using the Zen 1 to Zen 4 architectures. AMD released a BIOS patch plugging the exploit shortly after its discovery, but any of the above CPUs with a BIOS patch before 2024-12-17 will be vulnerable to the exploit. Though a malicious actor wishing to abuse this vulnerability needs an extremely high level of access to a system to exploit it, those concerned should update their or their organization's systems to the most recent BIOS update.
You can now jailbreak your AMD CPU! 🔥We've just released a full microcode toolchain, with source code and tutorials. https://t.co/4NYerRuFo1March 5, 2025
The vulnerability is based on microcode, the low-level instructions determining how a CPU performs calculations. AMD and Intel have built their own custom RISC instruction sets (similar to alternative ISAs like RISC-V and ARM), which then internally contribute to a complex instruction set; in AMD and Intel's case, x86. Both companies create their custom microcode specifically for their CPU architectures and have built-in systems to push microcode updates at runtime if a vulnerability is found later. The alternative would be hard-locking the microcode at fabrication, redesigning chips from the ground up, and issuing recalls if severe enough vulnerabilities were discovered.
The AMD vulnerability, named "EntrySign", allows users to send custom microcode to any Zen 1 to Zen 4 CPU, changing how the processor runs and allowing users to do anything from accessing internal CPU buffers, strengthen or weaken security for VMs, and more. When the bug was first revealed, AMD's bulletin focused on EPYC server-grade CPUs and how bad actors could make secure links to remote client PCs accessing a larger server lose their SEV-based protection. Now, it is clear that the microcode exploit spreads to many more CPUs than just EPYC and that the possibilities expand far beyond simply making a secure link unsecured. Google engineer Tavis Ormandy bullishly declares that the vulnerability allows anyone to "jailbreak your AMD CPU" in an X post sharing his technical breakdown.
Microcode updates are double-checked against a series of strings and keys, signed by AMD, and confirmed against a hard-coded public key into the CPU itself. The EntrySign exploit works because AMD uses the AES-CMAC function (a message authentication code) as a cryptographic hash function. CMAC being used in this out-of-spec manner allowed Google's researchers to reverse engineer the security keys, preventing end users from pushing their unsigned microcode updates to the CPU (helped in no small part by AMD reusing a publicly-accessible NIST example key as its security key).
Google's Bughunters security team published a full technical outline of the vulnerability and the path they took to exploit it on Google's blog. Those with an unpatched AMD CPU from Zen 1 to Zen 4 can use Google's toolkit to jailbreak the processor themselves and share their findings and use cases with the research team. Luckily, microcode updates do not persist through reboots, so the experiments are largely harmless.
Edit: 3/7/2025: Clarified that microcode does not persist through reboots.
