Fabricked Attack Bypasses AMD SEV‑SNP by Subverting Infinity Fabric Configuration

Image credit: AMD

Announcement

In a paper presented at USENIX Security 2026, a team from ETH Zurich revealed a deterministic, 100 % successful exploit that silently defeats AMD’s Secure Encrypted Virtualization – Secure Nested Paging (SEV‑SNP) on EPYC processors. The technique, dubbed Fabricked, requires no physical access, no code execution inside the victim VM, and works purely through a compromised UEFI firmware. By manipulating the Infinity Fabric interconnect during the early boot phase, the researchers can corrupt the Reverse Map Table (RMP) that underpins SEV‑SNP’s memory isolation, allowing a malicious cloud host to read or write any confidential VM page and to forge attestation reports.

Technical specifications

1. Infinity Fabric’s role in SEV‑SNP

• The Infinity Fabric is AMD’s chip‑let interconnect that routes traffic between cores, memory controllers, and peripheral devices.
• During boot, the motherboard firmware (UEFI) programs a set of configuration registers that lock the Data Fabric – the memory‑routing segment of the interconnect – into a read‑only state once the Platform Security Processor (PSP) has completed initialization.
• SEV‑SNP’s security model treats the UEFI as untrusted because cloud operators control it. The model assumes the firmware will call two PSP APIs (lock_fabric_cfg and seal_fabric_cfg) before handing control to the hypervisor.

2. The two‑step flaw exploited by Fabricked

Step	Expected behavior	Flaw exploited
A	UEFI invokes PSP APIs to lock the Data Fabric registers.	A malicious UEFI simply omits those calls, leaving the Data Fabric writable after SEV‑SNP activation.
B	PSP writes the RMP entries (per‑page access control) to DRAM using standard routing rules.	PSP memory requests are first checked against MMIO routing rules. By pre‑configuring MMIO mappings that shadow the RMP region, the attacker forces the PSP’s writes to be discarded silently.

Because the PSP reports a successful RMP initialization, the platform believes the isolation guarantees are intact, while the RMP remains uninitialized and fully under attacker control.

3. Concrete consequences

• Arbitrary CVM memory access – With the RMP disabled, the hypervisor can issue reads or writes to any page of a Confidential VM (CVM). Decryption keys stored in the PSP’s internal registers become reachable, enabling full memory extraction.
• Attestation forgery – The attestation report, which cryptographically binds a VM’s measurement to the platform state, is generated from the (now bogus) RMP state. An attacker can fabricate a report that matches any expected measurement, allowing a rogue image to be accepted as trusted.
• Debug mode activation – By flipping the hidden debug flag in the PSP after attestation, the attacker can enable a privileged debugging interface that bypasses all encryption layers.

4. Platforms affected

• The proof‑of‑concept was run on Zen 5 EPYC 9004 silicon.
• AMD’s advisory (CVE‑2025‑54510, advisory AMD‑SB‑3034) lists firmware updates for Zen 3, Zen 4, and Zen 5 processors, indicating that the same Infinity Fabric configuration path exists across three generations.

Market implications

Immediate impact on cloud providers

• Providers that expose SEV‑SNP‑enabled instances (e.g., AWS Nitro, Microsoft Azure Confidential Compute, Google Confidential VMs) must verify that their host firmware has been patched. The patch replaces the vulnerable UEFI calls with a hardened sequence that forces a hardware‑enforced lock on the Data Fabric, making it immutable after PSP activation.
• Customers with compliance requirements (PCI‑DSS, HIPAA, GDPR) that rely on SEV‑SNP for data‑in‑use protection will need to re‑audit their environments once the firmware update is confirmed.

Supply‑chain considerations

• The exploit demonstrates that firmware integrity is the weakest link in the confidential‑computing chain. Even though the silicon itself is unchanged, a compromised firmware image can nullify hardware guarantees.
• AMD’s response includes a signed firmware rollout and a recommendation to enable UEFI Secure Boot with keys anchored to AMD’s root of trust. Cloud operators that previously disabled Secure Boot for flexibility now face a clear incentive to reinstate it.

Competitive dynamics

• Intel’s SGX and upcoming TDX have faced similar firmware‑level attacks (e.g., the 2023 “Plundervolt” and 2024 “Rogue TDX” exploits). The Fabricked disclosure adds pressure on both AMD and Intel to provide transparent firmware attestation that tenants can verify independently of the host.
• Nvidia’s confidential‑computing stack for GPUs (CUDA Confidential Compute) relies on a separate hardware root of trust, but still depends on the host CPU’s memory isolation. Customers may reconsider mixed‑CPU/GPU workloads until the firmware issue is fully mitigated.

Outlook for the confidential‑computing market

• Short‑term: Expect a wave of firmware patches across all major hyperscalers, followed by a brief slowdown in SEV‑SNP adoption as customers validate the fixes.
• Mid‑term: Vendors are likely to introduce immutable boot‑time configuration registers that lock the Infinity Fabric at the silicon level, removing reliance on firmware‑issued API calls.
• Long‑term: The incident reinforces the need for end‑to‑end attestation that includes firmware measurements. Standards bodies such as the Confidential Computing Consortium may accelerate specifications that bind firmware hashes into the attestation payload.

---

What operators should do now

1. Confirm that the latest AMD firmware (revision 2026‑01 or later) is deployed on all EPYC hosts running SEV‑SNP.
2. Enable UEFI Secure Boot with AMD‑signed keys and verify the boot chain via TPM‑based measurements.
3. Re‑run attestation checks on existing CVM instances after the firmware update to ensure the RMP is correctly initialized.
4. Review incident‑response plans for potential memory‑exfiltration scenarios, even if the platform reports a clean attestation.

The Fabricked attack underscores that hardware‑based confidentiality is only as strong as the software that configures it. By targeting the Infinity Fabric’s boot‑time programming, the researchers have shown that a purely software vector can nullify an entire class of hardware protections.