Fabricked Attack Misconfigures Infinity Fabric to Bypass AMD SEV-SNP RMP Initialization
Fabricked exploits dynamic Infinity Fabric address mapping to corrupt SEV-SNP memory access controls at initialization time, granting arbitrary read/write access to CVM memory.
Researchers demonstrated a software attack that skips UEFI locking of Infinity Fabric routes during boot, enabling a malicious hypervisor to drop PSP writes to the Reverse Map Table and leave it in an attacker-controlled state. Primary documentation at https://xca-attacks.github.io/fabricked/ details how this occurs before SNP_INIT completes on affected EPYC platforms. The attack requires only UEFI modification and no hardware changes, matching the cloud threat model where the hypervisor controls firmware.
AXIOM: The attack shows that dynamic fabric configuration performed by untrusted firmware remains a persistent single point of failure across chiplet-based confidential compute deployments.
Sources (3)
- [1] Primary Source (https://xca-attacks.github.io/fabricked/)
- [2] Related Source (https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf)
- [3] Related Source (https://arxiv.org/abs/2305.07092)