Microcode Decryptor, a tool that allows you to decode the microcode of Intel processors

A group of security researchers from the uCode team have released the source code of Microcode Decryptor, a project that does exactly what its name suggests. The tool consists of three Python scripts and is available on GitHub.

Microcode Decryptor can decode the microcode of some Intel processors, such as Atom, Pentium, and Celeron parts based on the Goldmont and Goldmont Plus microarchitectures. This opens the door to several scenarios, such as understanding how Intel has implemented certain processor features and security fixes.

The Red Unlock technique, developed by the same researchers in 2020, can be used to extract the encrypted microcode. Being able to decipher the microcode makes it possible to explore its internal structure and the way x86 machine instructions are implemented. In addition, the researchers recovered the firmware update format, the encryption algorithm used to protect the microcode (RC4), and its key.

To determine which encryption key to use, a vulnerability in Intel TXE was used to enable an undocumented debug mode, codenamed “Red Unlock” by the researchers. In debug mode, we managed to load a dump with a working microcode directly from the CPU and extract the algorithm and keys from it.

Microcode Decryptor only allows the microcode to be deciphered; it does not allow it to be changed, since the integrity of the microcode is additionally verified by a digital signature based on the RSA algorithm.
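To illustrate why holding the decryption key does not let anyone modify the microcode, here is an added example (not code from the uCode team's tool, and not Intel's real update format or keys): a constructed update blob is RC4-encrypted and its plaintext is signed with a tiny textbook RSA key, so the body can be read with the RC4 key, but an edited body re-encrypted with that same key fails the signature check.

```python
import hashlib
from typing import Optional, Tuple

# Constructed demo values: the RC4 key and RSA primes are made up for this
# example and have no relation to Intel's actual keys or update format.
RC4_KEY = b"demo-rc4-key"
P, Q = (1 << 31) - 1, (1 << 61) - 1          # Mersenne primes; toy-sized, demo only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher: the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _digest_int(body: bytes) -> int:
    # 64-bit truncation keeps the value below N; fine for a textbook demo only.
    return int.from_bytes(hashlib.sha256(body).digest()[:8], "big")


def sign(body: bytes) -> int:
    return pow(_digest_int(body), D, N)


def verify(body: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest_int(body)


def build_update(body: bytes) -> Tuple[bytes, int]:
    """Vendor side: sign the plaintext, then RC4-encrypt it."""
    return rc4(RC4_KEY, body), sign(body)


def load_update(enc: bytes, sig: int) -> Optional[bytes]:
    """Consumer side: decrypt, then accept the body only if the signature holds."""
    body = rc4(RC4_KEY, enc)
    return body if verify(body, sig) else None


def demo() -> Tuple[bytes, bool, bool]:
    enc, sig = build_update(b"MCU v1: original uop sequence")
    readable = rc4(RC4_KEY, enc)                                   # key holder can read it
    tampered = rc4(RC4_KEY, b"MCU v1: modified uop sequence")      # edited and re-encrypted
    return readable, load_update(enc, sig) is not None, load_update(tampered, sig) is None
```

The RC4 step is what a decryptor reproduces; the RSA step is what stops a modified body from being accepted without the private key.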

As for how the development of Microcode Decryptor became possible, they mention that it started three years ago, when Goryachy and Ermolov found a critical vulnerability, indexed as Intel SA-00086, that allowed them to execute code of their choice within the chip's independent kernel, which included a subsystem known as the Intel Management Engine.

Intel fixed the bug and released a patch, but because chips can always be rolled back to a previous firmware version and then exploited, there is no way to remove the vulnerability completely.

After that (five months ago), the trio of researchers were able to use the vulnerability to access a service mode built into Intel chips. In a nod to the movie The Matrix, they named their tool for accessing this previously undocumented debugger Chip Red Pill, because it lets researchers experience the inner workings of a chip that is usually off limits.

An Intel spokesperson said that:

"There should be no security risk" as a result of the availability of the tool. In fact, the company said allowing more people to review Intel's microcode could help the chipmaker identify more vulnerabilities in the future. For anyone who is successful in doing so, that means potentially earning some money through Intel's bug bounty program.

“Researchers' ability to analyze microcode could enable the discovery of new vulnerabilities. Since this microcode has been exposed, Intel invites researchers to participate in the microcode bug bounty program in case any issues are discovered,” they told us.

For their part, the developers of this tool commented that

"The opportunity to read CPU microcode could help understand how Intel implemented technologies like Intel Trusted Execution Technology (TXT) or mitigated serious vulnerabilities like Meltdown and Spectre."

Ermolov, one of the other researchers, added that the availability of the tool means that people can now explore XuCode, a variant of 64-bit mode x86 code used to implement parts of Intel SGX that is delivered as a microcode update. SGX is Intel's technology for creating secure memory enclaves: protected areas that other programs and users, including the operating system or hypervisor, cannot interfere with.

XuCode is quite interesting: the x86-specific instructions for managing SGX enclaves are so complex that they are broken down into sequences of XuCode instructions that perform the necessary operations.

These XuCode instructions are standard 64-bit x86 instructions with some extensions, and are broken down into regular x86 micro-operations by the processor. When an application uses a high-level SGX instruction, the processor can jump to its XuCode to do the work.

These XuCode sequences are stored in microcode and can now be extracted with the above Python scripts and analyzed with standard x86 reverse engineering kits.

Finally, if you are interested in knowing more about the tool, you can check the details at the following link.
