Determining AGESA PI version - AMD Platform Security Processor (PSP)

How can I determine the currently installed AGESA PI version on an Acer Swift 3 SF314-43 laptop with an AMD 5700U CPU / SoC?

Acer does not list the AGESA PI version in its BIOS release notes (they document hardly any release notes at all).

I want that information in order to identify security vulnerabilities that the laptop is exposed to.

Here is where I’ve looked so far:

With the tool HWiNFO I retrieved the following information from an Acer Swift 3 SF314-43 running BIOS update V1.04 2021/08/3 (the latest BIOS update available from Acer at this moment):

  • Current MCU (CPU Microcode Update revision): 8608102
  • BIOS: V1.04 07/28/2021
  • SMU Firmware: 55.75.0 (System Management Unit)

The BIOS settings do not contain an AGESA PI version string either.

I also text searched in the V1.04 BIOS image, but couldn’t make sense of it.

The most promising thing I found in the image:
00389980: 56e4 0000 98e9 0000 4657 2074 7970 653a  V.......FW type:
00389990: 3078 2530 3258 2076 6572 7369 6f6e 3a30  0x%02X version:0
003899a0: 7825 3038 580a 0000 94f1 0000 2573 3a20  x%08X.......%s:

Here is what the version string should look like:
In AMD’s May 2022 security bulletin (Bulletin ID: AMD-SB-1027) the latest AGESA PI update for the AMD Ryzen 5700U processor is listed as:

  • Platform: AMD Ryzen™ 5000 Series Mobile processor with Radeon™ graphics
  • Internal name: “Lucienne”
  • AGESA PI version: Cezanne PI-FP6 1.0.0.9a 02/28/2022

List of used abbreviations

AGESA = AMD’s Generic Encapsulated Software Architecture
APU = AMD Accelerated Processing Unit, general purpose processors that feature integrated graphics processors
BIOS = Basic Input/Output System (is a legacy term that nowadays denotes UEFI firmware code)
MCU = CPU Microcode
PI = Platform Initialization
PSP = Platform Security Processor (the PSP itself is a simple ARM Cortex processor core)
SMU = System Management Unit
SoC = System on a Chip

You can try the tool RYZEN SMU Checker (look on the web for it), or look at the AGESA module with UEFITool / a hex editor, when possible.

EDIT: Google is the first tool to use when someone points you to what to look for…

AM4 platform tool: SMU Checker for pre-reading of the SMU version - Hardwareluxx

LongSoft/UEFITool: UEFI firmware image viewer and editor (github.com)

Advice: The degree of difficulty and the almost total lack of success in handling this module in modding terms are well known, even worse in laptop BIOSes… you’ll almost surely get a broken system, good luck.

@MeatWar Thanks for your updated reply, I updated my post accordingly. Please correct me if I’m wrong. I’m new to these tools.

If I understand correctly I can try the following tools on a BIOS/UEFI image file to find out the AGESA PI version:

  • Ryzen SMU Checker (AM4-Platform-Tool): it operates on a BIOS/UEFI image file (before installation)
  • UEFITool: is for parsing of full BIOS/UEFI images and extracting / inspecting UEFI modules within the BIOS image, a Hex editor is contained in UEFITool

Results:

The AGESA PI version is: Cezanne PI-FP6 1.0.0.1a inside the V1.04 BIOS image (finding place: Insyde H2O SetupUtility module of the BIOS/UEFI image)

Ryzen SMU Checker 1.2.0.8.exe:

RyzenSMUChecker_Screenshot 2022-05-17 001653

SMU 64.34.0

UEFITool NE A59:


With the builtin Hex-editor I found:
UEFITool-setup-module_AGESA_Screenshot 2022-05-17 010113

Cezanne PI-FP6 1.0.0.1a

Conclusion:

My hypothesis that the Acer Swift 3 SF314-43 laptop contains unpatched security vulnerabilities in the PSP is correct. The latest v1.04 UEFI/BIOS firmware release contains AGESA PI version Cezanne PI-FP6 1.0.0.1a. In AMD’s latest security bulletin AGESA PI release Cezanne PI-FP6 1.0.0.9a 02/28/2022 was published that patches them. These patches need to be propagated by OEM supplier Acer via a new UEFI/BIOS firmware update for their laptops.

Unpatched Security vulnerabilities in v1.04 UEFI/BIOS image

During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Secure Processor (ASP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD AGESA™ PI packages.

For the AMD 5700U processor (an AMD Ryzen™ 5000 Series Mobile processor with Radeon™ graphics, internal name: “Lucienne”) the vulnerabilities are:

  • CVE-2020-12944
  • CVE-2020-12946
  • CVE-2020-12951
  • CVE-2021-26312
  • CVE-2021-26361
  • CVE-2021-26362
  • CVE-2021-26363
  • CVE-2021-26366
  • CVE-2021-26368
  • CVE-2021-26369
  • CVE-2021-26386
  • CVE-2021-26388
  • CVE-2021-26382
  • CVE-2021-26317
  • CVE-2021-39298
  • CVE-2021-26339
  • CVE-2021-26384

(For details look here.)

Discussion:

I found the AGESA PI value in the UEFI module SetupUtility. That probably is in the UEFI firmware setup program (the BIOS screens). I looked through all the BIOS settings screens, but no AGESA PI version was to be found there.

Additional questions:

  1. Does anybody know if there would be a hidden option to make the AGESA PI version visible in the BIOS/UEFI Setup screens?
  2. How does the SMU version relate to the AGESA PI version?

Acer released a new BIOS update for the Acer Swift 3 SF314-43 laptop with an AMD 5700U CPU / SoC.
The latest BIOS release is now: v 1.06
(v 1.05 doesn’t seem to have been released).

I analyzed the new BIOS image for AGESA PI version and found the following disturbing result:

The AGESA PI version is now: Cezanne PI-FP6 1.0.0.1 inside the V1.06 BIOS image (finding place: Insyde H2O AmdVersionDxe module of the BIOS/UEFI image), which is a regression to an even older version with even more security holes.

Ryzen SMU Checker 1.2.0.8.exe:

RyzenSMU-Checker_Screenshot 2022-11-14 153950

Still the same version: SMU 64.34.0

UEFITool NE A59:


With the builtin Hex-editor I found:
UEFITool_b1_Screenshot 2022-11-14 190508

They digressed back to version: Cezanne PI-FP6 1.0.0.1

Conclusion:

My hypothesis that the Acer Swift 3 SF314-43 laptop contains unpatched security vulnerabilities in the PSP is correct. The latest v1.06 UEFI/BIOS firmware release even digressed to AGESA PI version Cezanne PI-FP6 1.0.0.1. In AMD’s latest security bulletin AGESA PI release Cezanne PI-FP6 1.0.0.9a 02/28/2022 was published that patches them. These patches still need to be propagated by OEM supplier Acer via a new UEFI/BIOS firmware update for their laptops.

Unpatched Security vulnerabilities in v1.06 UEFI/BIOS image

During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Secure Processor (ASP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD AGESA™ PI packages.

For the AMD 5700U processor (an AMD Ryzen™ 5000 Series Mobile processor with Radeon™ graphics, internal name: “Lucienne”) the vulnerabilities are:

  • CVE-2020-12944
  • CVE-2020-12946
  • CVE-2020-12951
  • CVE-2021-26312
  • CVE-2021-26361
  • CVE-2021-26362
  • CVE-2021-26363
  • CVE-2021-26366
  • CVE-2021-26368
  • CVE-2021-26369
  • CVE-2021-26386
  • CVE-2021-26388
  • CVE-2021-26382
  • CVE-2021-26317
  • CVE-2021-39298
  • CVE-2021-26339
  • CVE-2021-26384

(For details look here.)

Discussion:

I found the AGESA PI value in the UEFI module AmdVersionDxe. I looked through all the BIOS settings screens, but no AGESA PI version was to be found there.

The SMU version does not seem to relate to the AGESA PI version, because the version number stayed the same in the regression to Cezanne PI-FP6 1.0.0.1.

Remaining question:

  1. Does anybody know if there is an easier way to find out the AGESA PI version in the BIOS/UEFI Setup screens, maybe via a hidden option?
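
Added example, not part of any post in this thread: a Python scan of a raw image or a UEFITool-extracted module body for strings shaped like the AGESA PI values quoted above, in ASCII and UTF-16LE, with a comparison against the fixed version from AMD-SB-1027. The string format, the ordering of the letter suffix and the sample bytes are assumptions constructed for illustration; if the containing section is compressed, run it on the body extracted with UEFITool.

```python
import re

# Printable runs in the two encodings firmware strings usually use.
RUNS = {"ascii": re.compile(rb"[\x20-\x7e]{12,}"),
        "utf-16-le": re.compile(rb"(?:[\x20-\x7e]\x00){12,}")}
# Assumed string shape, taken from the values quoted in this thread,
# e.g. "Cezanne PI-FP6 1.0.0.1a": codename, socket, four numbers, optional letter.
PI_RE = re.compile(r"([A-Z][a-z]+) ?PI-([A-Z]+\d+) (\d+)\.(\d+)\.(\d+)\.(\d+)([a-z]?)\b")

def parse_pi(text):
    """Return (codename, socket, sort_key) for the first PI string in text, or None."""
    m = PI_RE.search(text)
    if m is None:
        return None
    # Assumption: a letter suffix sorts after the bare version (1.0.0.1 < 1.0.0.1a).
    return m.group(1), m.group(2), (tuple(map(int, m.group(3, 4, 5, 6))), m.group(7))

def find_pi_versions(image):
    """Scan raw bytes; return sorted [(offset, encoding, matched_string)]."""
    hits = []
    for enc, run_re in RUNS.items():
        width = 2 if enc == "utf-16-le" else 1
        for run in run_re.finditer(image):
            text = run.group().decode(enc)
            for m in PI_RE.finditer(text):
                hits.append((run.start() + m.start() * width, enc, m.group()))
    return sorted(hits)

def is_older(found, fixed):
    """True if `found` has the same codename/socket as `fixed` but sorts lower."""
    f, x = parse_pi(found), parse_pi(fixed)
    if f is None or x is None or f[:2] != x[:2]:
        raise ValueError("strings are not comparable")
    return f[2] < x[2]

# Constructed sample data (not real firmware): padding, the printf template
# quoted in the question as a decoy, and one version string per image.
DECOY = b"FW type:0x%02X version:0x%08X\n\x00"
IMG_V104 = b"\xff" * 64 + DECOY + "Cezanne PI-FP6 1.0.0.1a".encode("utf-16-le") + b"\x00\x00"
IMG_V106 = b"\xff" * 64 + DECOY + b"Cezanne PI-FP6 1.0.0.1\x00"
FIXED = "Cezanne PI-FP6 1.0.0.9a"  # fixed version from AMD-SB-1027 as quoted in the thread

if __name__ == "__main__":
    for name, img in (("V1.04", IMG_V104), ("V1.06", IMG_V106)):
        for off, enc, ver in find_pi_versions(img):
            print(f"{name}: {ver} at 0x{off:x} ({enc}), older than fix: {is_older(ver, FIXED)}")
```

The printf template from the first post is a format string, not a version, so the scan skips it.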

InsydeH2O BIOS?
Maybe the Insyde tools H2OEZE \ H2OSDE \ H2OUVE