
Last month, the Google Security Team identified a security vulnerability in AMD's CPUs ranging from Zen 1 to Zen 4, dubbed "EntrySign", that allows malicious users with ring 0 access to load unsigned microcode patches. An update to the AMD security bulletin now adds Zen 5, in all its forms across server and mainstream product lines, to the list of affected products.
The flaw exploits improper signature verification in AMD's microcode patch loader, allowing third parties to execute arbitrary microcode on the processor.
EntrySign (ID: AMD-SB-7033) targets your CPU's microcode: the low-level instructions that bridge the gap between machine code (the binary instructions an OS and its applications execute) and the physical hardware. Your CPU ships with a base microcode from the factory, embedded in its read-only memory (ROM), which is immutable. If a vulnerability is found after the CPU goes on sale, manufacturers like Intel and AMD can push out a new microcode as a fix (take the Raptor Lake instability case, for instance).
While the CPU's built-in microcode cannot be changed, modern operating systems or the system firmware (BIOS/UEFI) can load microcode updates during the early boot stages. Such a patch lasts only for that session, however, and is gone after the next reboot.
Exposing a weakness in AMD's hashing algorithm, EntrySign can bypass the signature validation process and execute potentially unsafe microcode. The impact runs deeper on servers: the flaw is capable of compromising AMD's SEV/SEV-SNP technologies (ID: AMD-SB-3019), potentially resulting in unauthorized access to data from virtual machines.
The primary requirement is access to ring 0, i.e. kernel-level privileges, on the target system. In addition, these patches do not persist after a system restart, which dials down the security alarm a notch. More creative and academic avenues open up in turn, such as a challenge at RVSPOC (RISC-V Software Porting and Optimization Championship) 2025 that tasks contestants with running RISC-V binaries on Zen-based hardware by using this exploit to load custom microcode.
All Zen 5 CPUs, including Ryzen 9000 (Granite Ridge), EPYC 9005 (Turin), Ryzen AI 300 (Strix Halo, Strix Point, Krackan Point), and Ryzen 9000HX (Fire Range) processors, are affected by this vulnerability. AMD has already delivered the ComboAM5PI 1.2.0.3c AGESA firmware to motherboard makers as a fix, so keep an eye on your vendor's website for an upcoming BIOS update. The mitigation for the SEV counterpart hasn't been released yet for EPYC Turin, though it is scheduled for release later this month.
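Once a vendor BIOS with the fixed AGESA lands, the practical question for an administrator is whether every core on a given Linux host is actually running the expected microcode revision, and whether that is still true after a reboot (a patch loaded only by the OS for one session, as described above, disappears on restart). The script below is an added example, not code from the article, AMD or Google: it parses the `cpu family` and `microcode` fields of `/proc/cpuinfo`, names the Zen generation from the family number (23 = Zen 1/2, 25 = Zen 3/4, 26 = Zen 5), and reports whether all logical CPUs agree on one revision that is at or above a minimum. The minimum revision `MIN_REV` is a placeholder you must replace with the value from AMD's bulletin or your board vendor; the two embedded cpuinfo samples and their revision numbers are constructed for the demonstration and are not real revisions.

```shell
#!/bin/sh
# Added example (not the article's, AMD's or Google's code): audit the microcode
# revision every logical CPU reports via /proc/cpuinfo. Revisions are read live,
# never cached, because an OS-loaded patch only lasts until the next reboot.
# MIN_REV is a PLACEHOLDER; take the real fixed revision from AMD / your vendor.
MIN_REV="${MIN_REV:-0x0}"

# Constructed cpuinfo samples (not real revision numbers). The first mixes two
# revisions, which is what a partial or per-session update looks like.
SAMPLE_MIXED='processor	: 0
cpu family	: 26
model		: 68
microcode	: 0x102

processor	: 1
cpu family	: 26
model		: 68
microcode	: 0x101'

SAMPLE_UNIFORM='processor	: 0
cpu family	: 26
microcode	: 0x102

processor	: 1
cpu family	: 26
microcode	: 0x102'

# Map the decimal "cpu family" field to a Zen generation name.
zen_name() {
    case "$1" in
        23) echo "Zen 1/Zen 2" ;;
        25) echo "Zen 3/Zen 4" ;;
        26) echo "Zen 5" ;;
        *)  echo "unknown family $1" ;;
    esac
}

# Read cpuinfo text on stdin; print "<family> <microcode rev>" per logical CPU.
microcode_per_cpu() {
    awk -F: '
        /^cpu family/ { fam = $2; gsub(/[ \t]/, "", fam) }
        /^microcode/  { rev = $2; gsub(/[ \t]/, "", rev); print fam, rev }
    '
}

# Read cpuinfo text on stdin. Exit status:
#   0 = every CPU reports the same revision and it is >= MIN_REV
#   1 = CPUs disagree on the revision (partial or per-session update)
#   2 = uniform, but below the expected minimum
#   3 = no microcode field found at all
microcode_status() {
    revs=$(microcode_per_cpu | awk '{ print $2 }' | sort -u)
    [ -n "$revs" ] || return 3
    n=$(printf '%s\n' "$revs" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || return 1
    [ $(( $revs )) -ge $(( $MIN_REV )) ] || return 2
    return 0
}

# Human-readable summary for a cpuinfo file; always returns 0 so this file can
# be sourced under `set -e`. Usage: report /proc/cpuinfo
report() {
    file="${1:-/proc/cpuinfo}"
    if [ ! -r "$file" ]; then
        echo "$file not readable; nothing to check"
        return 0
    fi
    fam=$(microcode_per_cpu < "$file" | awk 'NR == 1 { print $1 }')
    echo "CPU family $fam: $(zen_name "$fam")"
    microcode_per_cpu < "$file" | awk '{ print $2 }' | sort | uniq -c \
        | awk '{ print "  revision " $2 " on " $1 " logical CPU(s)" }'
    rc=0
    microcode_status < "$file" || rc=$?
    case $rc in
        0) echo "  OK: uniform revision >= $MIN_REV" ;;
        1) echo "  WARNING: mixed revisions across CPUs" ;;
        2) echo "  WARNING: revision below expected minimum $MIN_REV" ;;
        3) echo "  WARNING: no microcode field in $file" ;;
    esac
    return 0
}

report /proc/cpuinfo
```

Run it after the BIOS update and again after the next cold boot: a revision that is present in the first run but missing in the second was loaded by the OS for one session only, not by the firmware.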