New RMPocalypse Attack Let Hackers Break AMD SEV-SNP To Exfiltrate Confidential Data

Researchers have uncovered a critical vulnerability in AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP), a cornerstone of confidential computing deployed by major cloud providers like AWS, Azure, and Google Cloud.

Dubbed RMPocalypse, the attack exploits a flaw in the initialization of the Reverse Map Table (RMP), which enforces memory integrity to prevent hypervisors from tampering with encrypted virtual machines (VMs).

This breakthrough, detailed in a paper presented at the ACM Conference on Computer and Communications Security (CCS) 2025 in Taipei, allows malicious hypervisors to corrupt RMP entries, shattering SEV-SNP’s guarantees of data confidentiality and integrity.

The vulnerability, tracked as CVE-2025-0033, stems from a “Catch-22” in RMP setup: the table must protect itself, but during bootstrapping, AMD’s Platform Security Processor (PSP) fails to fully isolate it from interference by x86 cores.

Disclosed to AMD on February 3, 2025, the issue affects Zen 3, Zen 4, and Zen 5 processors, including EPYC server chips used in production environments.
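For inventory purposes, the affected-hardware statement above can be turned into a fleet triage check. The following is an added example (not from the paper or from AMD) that classifies Linux `/proc/cpuinfo` dumps by CPUID family (19h for Zen 3 and Zen 4, 1Ah for Zen 5) and the `sev_snp` flag; the sample dumps, host names and verdict labels are constructed for illustration.

```python
# Constructed /proc/cpuinfo excerpts (illustrative, not captured from real hosts).
SAMPLE_HOSTS = {
    "host-a": "vendor_id\t: AuthenticAMD\ncpu family\t: 26\nmodel\t\t: 2\n"
              "flags\t\t: fpu sme sev sev_es sev_snp\n",
    "host-b": "vendor_id\t: AuthenticAMD\ncpu family\t: 25\nmodel\t\t: 17\n"
              "flags\t\t: fpu sme sev sev_es\n",
    "host-c": "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 49\n"
              "flags\t\t: fpu sme sev sev_es\n",
    "host-d": "vendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 143\n"
              "flags\t\t: fpu vme\n",
}

# CPUID family 19h (25) covers Zen 3 and Zen 4; family 1Ah (26) is Zen 5.
AFFECTED_FAMILIES = {25: "Zen 3 / Zen 4", 26: "Zen 5"}


def parse_cpuinfo(text):
    """Return the key/value fields of the first processor stanza."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break          # blank line ends the first stanza
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(text):
    """Classify one host; verdict labels are hypothetical names for this example."""
    fields = parse_cpuinfo(text)
    if fields.get("vendor_id") != "AuthenticAMD":
        return "not-amd"
    try:
        family = int(fields["cpu family"])
    except (KeyError, ValueError):
        return "unparseable"
    if family not in AFFECTED_FAMILIES:
        return "family-not-listed"
    # The flag shows the kernel sees SNP support, not that SNP guests are running.
    if "sev_snp" in fields.get("flags", "").split():
        return "affected-snp-capable"
    return "affected-family-snp-not-visible"


if __name__ == "__main__":
    for name, dump in SAMPLE_HOSTS.items():
        print(name, triage(dump))
```

Hosts reported as `affected-snp-capable` are the ones to track against AMD's firmware updates first.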

Flaw In RMP Initialization Exposed

At the heart of SEV-SNP is the RMP, a massive data structure (up to 16GB for large DRAM setups) that maps host physical addresses to guest virtual addresses, blocking attacks like page swapping seen in predecessors SEV and SEV-ES.

Normally, the RMP self-protects by denying hypervisor mappings to its own pages, but initialization poses a dilemma: no RMP exists yet to enforce this.

The PSP, an ARM-based coprocessor, handles setup by creating barriers, Trusted Memory Regions (TMRs) at the memory controller, and x86 core locks to block writes during this phase.

However, researchers Benedict Schlüter and Shweta Shinde from ETH Zurich found these barriers incomplete. Asynchronous timing allows x86 cores to create dirty cache lines in RMP memory before full protection activates.

Once TMRs are lifted post-initialization, these stale entries flush to DRAM, overwriting RMP state with arbitrary values.

Experiments on EPYC 9135 (Zen 5), 9124 (Zen 4), and 7313 (Zen 3) confirmed overwrites succeed without triggering faults, as coherency issues in Zen 3 exacerbate the problem.

The PSP’s source code hints at intended safeguards, like cache flushes, but proprietary OS components and missing TLB invalidations leave gaps.

RMPocalypse’s corruption primitive unlocks full compromise of SEV-SNP VMs. Attackers can transition RMP-protected pages (in the firmware, context, guest-valid, and VMSA states) to hypervisor-writable, enabling four key exploits.

Attack Overview

First, forging attestation reports by replaying benign context page ciphertexts tricks guests into trusting malicious VMs, bypassing integrity checks since context pages lack encryption integrity.

Second, enabling debug mode on production confidential VMs (CVMs) flips a policy bit in the context page, granting hypervisors read/write access via the SNPDEBUGDECRYPT/ENCRYPT APIs, undetected because attestation remains unaltered. Success rates exceed 99.9% in under 15 milliseconds after multiple trials.

Third, VMSA state replay resets CVM registers to prior snapshots, breaking execution integrity for rollback attacks.

Finally, arbitrary code injection targets guest pages: using SNP_PAGE_MOVE to swap tweak values, attackers replay IO-channel payloads (e.g., network packets) into kernel code, evading encryption tweaks. End-to-end, this takes about 5 milliseconds, including KASLR breaks.

These primitives render SEV-SNP useless against untrusted hypervisors, exposing sensitive data like AI models or enterprise workloads to exfiltration and tampering.

Mitigations

AMD acknowledged the flaw and is working on fixes, but no patches exist yet for affected hardware.

Researchers propose aligning barriers at the core level to check caches pre-TMR lift, or forcing global cache/TLB flushes post-RMP setup, though Zen 3’s domain incoherency demands extra invalidations.

Firmware checks on RMP self-protection could hinder exploits via TOCTOU detection, albeit with overhead.

As confidential computing grows, RMPocalypse joins side-channels like CacheWarp and Heckler, highlighting SEV-SNP’s fragility despite its post-SEV-ES hardening.

Cloud tenants must audit providers for updates, while AMD’s partial open-sourcing of PSP firmware aids scrutiny but underscores proprietary risks.

This attack, exploitable in under 234 milliseconds during SNP_INIT_EX, urges reevaluation of hardware roots of trust.
