The Google security team identified EntrySign, an AMD Zen-based CPU security vulnerability issue. This is a perfect opportunity to understand various CPU instruction concepts, including ISA, CISC, microcode, and microcode patching.
What is ISA?
An Instruction Set Architecture (ISA) defines the fundamental instruction set a CPU understands, and it creates a boundary between CPU hardware and software.
What is CISC and RISC?
Reduced Instruction Set Computer (RISC) is a type of CPU architecture that prioritizes speed and efficiency by using a smaller, simplified set of instructions. ARM and MIPS are both RISC architectures.
On the contrary, Complex Instruction Set Computer (CISC), allows individual instructions to perform more complex operations, often including multiple low-level tasks in a single command. X86 architecture is a prime example of CISC.
What is microcode?
In modern CPUs, Instruction Decode Unit (IDU) can be divided into 2 categories: hardware instruction decoder and microcode instruction decoder. Hardware instruction decoders are completely implemented at the circuit level, typically using Finite State Machine (FSM) and hardwiring. Hardware instruction decoders play an important role in RISC CPUs.
In CISC CPUs, it is impossible to decode all instructions solely with hardware instruction decoder, and each CISC instruction may be broken down into multiple RISC-like micro-ops by microcode instruction decoders. In x86 architecture, each instruction could be broken down into 1 to 4 micro-ops, depending on the instruction complexity. Each micro-ops can be individually scheduled in the CPU pipeline, increasing instruction-level parallelism. Separately, the CISC instruction to microcode mapping is defined in a ROM.
The existence of micro-ops and microcode, blurred the boundaries between RISC and CISC.
How does microcode help with CPU patching?
Back in 1994, Thomas Nicely, a professor of mathematics, reported the Intel’s flagship Pentium processor floating-point divide problem caused by circuit-design errors. Intel had to initiate a large scale of recall, causing tremendous loss of its revenue and reputation.
Intel engineers later came up with the idea of microcode patching, allowing bug fixes after product shipping. They attached a small piece of microcode RAM after the microcode ROM, enabling microcode reprogramming / patching.
Since microcode patching is implemented using RAM, the patching needs to be done each time the computer is powered on. Microcode patching can be done through either BIOS or Operating System (OS). Patching through BIOS benefits all OSs running on a CPU, while patching through OS offers better user experience by eliminating user intervention.
Microcode Hacking
Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges to load malicious microcode patches, or microcode hacking. The vulnerability is that the AMD CPU uses an insecure hash function in the signature validation for microcode updates. We recommend interested readers to check out this post from Google.
References:
Chipress 
Leave a comment