Header Ads

Down the Intel Microcode Rabbit Hole

The aptly-named [chip-red-pill] team is offering you a chance to go down the Intel rabbit hole. If you learned how to build CPUs back in the 1970s, you would learn that your instruction decoder would, for example, note a register to register move and then light up one register to write to a common bus and another register to read from the common bus. These days, it isn’t that simple. In addition to compiling to an underlying instruction set, processors rarely encode instructions in hardware anymore. Instead, each instruction has microcode that causes the right things to happen at the right time. But Intel encrypts their microcode. Of course, what can be encrypted can also be decrypted.

Using vulnerabilities, you can activate an undocumented debugging mode called red unlock. This allows a microcode dump and the decryption keys are inside. The team did a paper for OffensiveCon22 on this technique and you can see a video about it, below.

So far, the keys for Gemini Lake and Apollo Lake processors are available. That covers quite a number of processors. Of course, there are many more processors out there if you want to try your hand at a similar exploit.

This same team has done other exploits, such as executing arbitrary microcode inside an Atom CPU. If you want to play along, you might find this useful. You do know that your CPU has instructions it is keeping from you, don’t you?


No comments