Real World Technologies - Forums - Thread: Microinstruction format in older Atom CPUs

By: Adrian (a.delete@this.acm.org), July 19, 2022 4:57 am

For the older Goldmont/Goldmont Plus cores inside Apollo Lake, Gemini Lake and Denverton CPUs, the microcode update files (encrypted with RC4) have been decrypted and the format of the micro-instructions has been reverse-engineered.

There is a presentation about it at:

https://www.youtube.com/watch?v=V1nJeV0Uq0M

A microcode disassembler and a few extracted microcode updates are at:

https://github.com/chip-red-pill

The micro-instruction format for Apollo Lake is a kind of VLIW format somewhat similar to the format of an Intel Itanium instruction bundle, with 3 simultaneous micro-operations, each of them encoding, besides an opcode, three 6-bit register addresses and one 13-bit immediate constant.

It is likely that this does not offer much information about the micro-instruction format used in the mainstream Core and Xeon CPUs, which must be much more complex.

The decryption and the reverse-engineering of the microcode format has been possible only because these older Atom CPUs have a bug in the Management Engine that can be exploited to allow the CPU to be switched in a mode where JTAG debugging is enabled.

By running test programs and studying the bits read simultaneously from the internal buses and from the microcode memory, after a lot of work, the encryption algorithm, the decryption keys and the microinstruction format could be determined.

One of the more surprising facts, which has been published by Intel only last year (without details), several years after being implemented in many CPUs, and of which I was not aware, is that there is a feature of Intel SGX, named XuCode, which allows an instruction to initiate not only the execution of a microprogram, as in CPUs without SGX, to alter the instruction behavior, but also the execution of an entire executable file, which is hidden inside the microcode update, as an ELF file.

When executing XuCode, the Intel CPU is in a special mode, where only a subset of the x86-64 ISA is recognized, but there are available additional instructions and MSRs.

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html

Next Post in Thread >

Topic	Posted By	Date
Microinstruction format in older Atom CPUs	Adrian	2022/07/19 04:57 AM
Microinstruction format in older Atom CPUs	zArchJon	2022/07/19 11:51 AM
Microinstruction format in older Atom CPUs	dmcq	2022/07/20 05:58 AM
Microinstruction format in older Atom CPUs	Linus Torvalds	2022/07/19 01:29 PM
Microinstruction format in older Atom CPUs	Adrian	2022/07/19 10:16 PM

Reply to this Topic
Name:
Email:
Topic:
Body:	No Text Adrian (a.delete@this.acm.org) on July 19, 2022 4:57 am wrote: > > For the older Goldmont/Goldmont Plus cores inside Apollo Lake, Gemini Lake and > Denverton CPUs, the microcode update files (encrypted with RC4) have been decrypted > and the format of the micro-instructions has been reverse-engineered. > > There is a presentation about it at: > > <a href="https://www.youtube.com/watch?v=V1nJeV0Uq0M" rel=nofollow>https://www.youtube.com/watch?v=V1nJeV0Uq0M</a> > > > A microcode disassembler and a few extracted microcode updates are at: > > <a href=https://github.com/chip-red-pill rel=nofollow>https://github.com/chip-red-pill</a> > > > The micro-instruction format for Apollo Lake is a kind of VLIW format somewhat similar to the format > of an Intel Itanium instruction bundle, with 3 simultaneous micro-operations, each of them encoding, > besides an opcode, three 6-bit register addresses and one 13-bit immediate constant. > > It is likely that this does not offer much information about the micro-instruction > format used in the mainstream Core and Xeon CPUs, which must be much more complex. > > > The decryption and the reverse-engineering of the microcode format has been possible > only because these older Atom CPUs have a bug in the Management Engine that can be exploited > to allow the CPU to be switched in a mode where JTAG debugging is enabled. > > By running test programs and studying the bits read simultaneously from the internal > buses and from the microcode memory, after a lot of work, the encryption algorithm, > the decryption keys and the microinstruction format could be determined. > > > One of the more surprising facts, which has been published by Intel only last year (without details), > several years after being implemented in many CPUs, and of which I was not aware, is that there is > a feature of Intel SGX, named XuCode, which allows an instruction to initiate not only the execution > of a microprogram, as in CPUs without SGX, to alter the instruction behavior, but also the execution > of an entire executable file, which is hidden inside the microcode update, as an ELF file. > > When executing XuCode, the Intel CPU is in a special mode, where only a subset of the > x86-64 ISA is recognized, but there are available additional instructions and MSRs. > > <a href=https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html rel=nofollow>https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html</a> > >
How do you spell tangerine? 🍊

Microinstruction format in older Atom CPUs

Editor’s Picks

Intel’s Sandy Bridge Microarchitecture

AMD’s Bulldozer Microarchitecture

Silvermont, Intel’s Low Power Architecture

RWT on Twitter