AMD K8 has reprogrammable microcode

August 16, 2004 | Hardware, Security | By: Mark VandeWettering

Real World Technologies has an interesting article on the AMD K8 processor and its previously little-noticed ability to load patches to its own microcode. AMD has apparently used this to repair a couple of bugs in shipping processors, but nobody outside AMD really paid attention to it before.

A couple of quotes from the article:

The ability to fundamentally alter instruction decoding and execution on AMD K8 processors is sure to interest hardware hackers everywhere.

For instance, by patching the appropriate microcode lines, it may be possible to catch an opcode that would normally be illegal, and instead handle it by tricking the TLB into thinking we’re in kernel mode when in fact the attacker has only compromised a userspace process. From there, the attacker could control the entire machine, all without altering a single bit of “software”.

That sounds scary. But wait: there is more!

There may also be a hidden danger to altering K8 microcode without complete information. It is possible (though very unlikely) that the microcode could electrically reconfigure signal routing in a fashion similar to FPGAs, for instance to cut off defective logic and reroute signals to redundant arrays. This approach has been used in the past and the AMD patents even suggest it.

If this were the case, there is a very remote chance the CPU itself could be permanently damaged, for instance, by tri-stating pass transistors into a high current draw state or adjusting the K8’s voltage and frequency scaling controls out of spec. This is not meant to discourage potential hackers; I have just seen programmable logic literally destroyed by buggy “software” bitstreams.

Gee, that doesn’t sound very good.
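One caveat a defender should keep in mind: writing a microcode patch into the CPU is a ring-0 operation (the patch loader is driven through privileged MSR writes), so the illegal-opcode trick quoted above only works once privileged code has already installed a malicious patch; it is a way to hide and persist, not a way in. What you can cheaply do is keep an eye on which patch level each core actually reports. The script below is an added example by the editor, not code from the original post or from the Real World Technologies article. It parses the /proc/cpuinfo format Linux uses on x86 (the "microcode" field carries the patch level the CPU reports; older kernels omit it) and flags cores that disagree. The sample text embedded in it is constructed, and its patch-level values are made up.

```python
# Added example (not from the original post or the RWT article): inventory
# the microcode patch level each logical CPU reports and flag disagreement.
# Reads the /proc/cpuinfo format used by Linux on x86; the text below is a
# constructed sample, and its patch-level values are made up.
import re
import sys
from typing import Dict, List

SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 15
model\t\t: 37
stepping\t: 1
microcode\t: 0x41
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 15
model\t\t: 37
stepping\t: 1
microcode\t: 0x3c
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic
"""


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo into one key/value dict per logical processor."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def is_k8(cpu: Dict[str, str]) -> bool:
    """AMD Family 0Fh is the K8 (Athlon 64 / Opteron) generation.  Linux
    reports the combined display family in 'cpu family', so 15 means 0Fh."""
    return cpu.get("vendor_id") == "AuthenticAMD" and cpu.get("cpu family") == "15"


def microcode_report(text: str) -> Dict[str, object]:
    """Return the patch level per CPU and whether all CPUs agree.
    A kernel that predates the 'microcode' field yields None for a CPU."""
    cpus = parse_cpuinfo(text)
    levels = {}
    for cpu in cpus:
        raw = cpu.get("microcode")
        levels[int(cpu["processor"])] = int(raw, 16) if raw else None
    distinct = set(levels.values())
    return {
        "levels": levels,
        "consistent": len(distinct) <= 1,
        "k8_cores": sum(1 for cpu in cpus if is_k8(cpu)),
    }


def main() -> None:
    # With no argument the constructed sample is used; pass /proc/cpuinfo
    # (or a saved copy) to inspect a real machine.
    text = SAMPLE_CPUINFO
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    report = microcode_report(text)
    for cpu, lvl in sorted(report["levels"].items()):
        shown = f"0x{lvl:x}" if lvl is not None else "(not reported)"
        print(f"CPU{cpu}: microcode patch level {shown}")
    print("K8 (Family 0Fh) cores:", report["k8_cores"])
    if not report["consistent"]:
        print("WARNING: cores report different patch levels; find out who "
              "loaded what, and when.")


if __name__ == "__main__":
    main()
```

The reported level is whatever the CPU hands back, so this is an inventory and consistency check, not proof that the microcode is what the vendor shipped; its value is in catching a core that quietly differs from its siblings, or a level that changed when no update was deployed.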