
Inquiry on Zentool Instruction Coverage and Symbol-to-ROM Mapping

Open kuchhu96 opened this issue 3 months ago • 6 comments

Hi, I was wondering if you have evaluated microcode patches for instructions other than RDRAND? I'm curious whether Zentool provides (or can generate) a canonical list of instructions eligible for patching on Zen2 or 4.

Additionally, when writing a patch, I see the 'edit' command accepts symbolic targets (e.g., --match 0=@rdrand) instead of raw ROM addresses. Is there a way to trace an instruction to its microcode footprint (ROM or RAM addresses), or a reference (e.g., symbol table, etc.) that maps each @ to its corresponding ROM address or entry index for match-register configuration?

Thanks, Khushboo

kuchhu96 avatar Sep 23 '25 18:09 kuchhu96

Hi,

The symbolic targets come from files like these https://github.com/google/security-research/blob/master/pocs/cpus/entrysign/zentool/data/cpu8181_matchreg.json We found that those addresses correspond to those instructions by trial and error or brute force scanning. If you would like to patch a different instruction you would have to find out where in the ROM it is implemented.

matrizzo avatar Oct 14 '25 15:10 matrizzo

Thank you for your reply, Matteo. I was wondering if it is possible to apply a microcode patch to all instructions in the Zen2 or Zen4 architecture, including hardwired instructions like ADD, MOV, etc. I would appreciate any thoughts or feedback on this.

Thanks, Khushboo

kuchhu96 avatar Oct 14 '25 17:10 kuchhu96

It's possible to patch any microcoded instructions as long as the address in the ROM where they are implemented is known.

It's also possible to patch fastpath (non-microcoded) instructions using the mask registers, but we don't fully understand how those work yet. More research is needed to discover exactly how to use them and what the limitations are.

matrizzo avatar Oct 14 '25 17:10 matrizzo

Hi Matteo,

I'm curious if this applies to all Zen machines or just Zen 4 and 5. I would greatly appreciate it if you could point me toward any resources on utilizing mask registers for fast path instructions.

Thanks, Khushboo

kuchhu96 avatar Oct 14 '25 18:10 kuchhu96

It should apply to at least Zen 2 and newer, but possibly all generations. I'm afraid we don't have any examples of how to use them; our understanding of them is still very limited.

matrizzo avatar Oct 14 '25 18:10 matrizzo

Thanks for clarifying! I'll focus on Zen 2 and newer for now. I understand the documentation is limited. I'll experiment a bit and see what insights I can gather. I'll share any findings that might help build our understanding.

Best, Khushboo

kuchhu96 avatar Oct 14 '25 19:10 kuchhu96