Fabricked: Breaking AMD SEV-SNP via Infinity Fabric Misconfiguration

May 19, 2026

Confidential computing aims to provide a secure environment where cloud tenants can process sensitive data without trusting the cloud service provider. One of the primary mechanisms for this is the use of Confidential Virtual Machines (CVMs), which are hardware-shielded environments that isolate workloads from the host. AMD's Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) is a key hardware extension designed to achieve this isolation.

However, a newly discovered vulnerability known as Fabricked (CVE-2025-54510) demonstrates that these hardware guarantees can be undermined by manipulating the underlying system interconnect. By misconfiguring the Infinity Fabric, a malicious hypervisor can effectively "brick" the security protections of SEV-SNP, gaining arbitrary read and write access to the memory of a confidential VM.

The Role of the Infinity Fabric

To understand Fabricked, one must first understand the architecture of modern AMD System-on-Chips (SoCs). AMD uses a chiplet-based design where individual CPU blocks are manufactured on separate dies and linked via a high-speed interconnect called the Infinity Fabric.

This fabric is responsible for critical system functions, including coherent data transport, memory routing, and address mapping across CPU cores, memory controllers, and peripheral devices. Because platform configurations vary, the Infinity Fabric must be dynamically configured during every boot sequence. AMD delegates parts of this configuration to the motherboard firmware (UEFI/BIOS), which is considered untrusted in the confidential computing threat model.

How the Fabricked Attack Works

The Fabricked attack exploits two critical flaws in how the Infinity Fabric is locked down and how the security co-processor (PSP) interacts with it.

1. Bypassing the Configuration Lock

In a secure setup, the UEFI should call specific APIs to lock down the Infinity Fabric configuration. The attacker, acting as a malicious hypervisor with UEFI privileges, modifies the UEFI to skip these API calls. This ensures that the Infinity Fabric remains configurable even after SEV-SNP has been activated on the machine.

2. Manipulating Memory Routing

Once the fabric is unlocked, the attacker re-routes DRAM memory transactions. Because the Infinity Fabric connects the secure co-processor (PSP) to the DRAM, the attacker can manipulate the PSP's read and write operations.

During the initialization of SEV-SNP (the SNP_INIT process), the PSP sets up the Reverse Map Table (RMP). The RMP is the critical data structure that enforces memory access control rules for CVM memory. To do this, the PSP must perform memory writes to the DRAM.

By misconfiguring the Infinity Fabric just before these writes occur, the attacker can cause these writes to be dropped. This results in an uninitialized RMP that retains the insecure default entries set up by the malicious hypervisor. The PSP is tricked into believing the initialization succeeded, but the RMP enforcement is effectively useless.
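The failure mode from steps 1 and 2, as a toy C model added here for illustration. It is not AMD's firmware or its fix, and every name and value in it (fabric_write, rmp_init_checked, the entry constants) is hypothetical. It contrasts an init routine that trusts its writes with one that first requires a locked fabric and then verifies each entry.

```c
/* Toy model, added example: every name and value here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#define RMP_ENTRIES 8
#define RMP_INITIALIZED 0x00u /* constructed: value the init routine writes */
#define RMP_STALE 0xFFu       /* constructed: insecure entry seeded by host */

struct fabric {
    int locked;      /* 1 once firmware has locked the configuration */
    int route_valid; /* 0 models a route that no longer reaches DRAM */
};
static uint8_t dram_rmp[RMP_ENTRIES];

/* Posted write: a misrouted write is dropped and no error comes back. */
static void fabric_write(const struct fabric *f, int idx, uint8_t v) {
    if (f->route_valid) dram_rmp[idx] = v;
}
/* Host-controlled state before init: stale entries plus fabric settings. */
static void host_prepare(struct fabric *f, int locked, int route_valid) {
    for (int i = 0; i < RMP_ENTRIES; i++) dram_rmp[i] = RMP_STALE;
    f->locked = locked;
    f->route_valid = route_valid;
}
/* Naive init: issues the writes and reports success without checking. */
static int rmp_init_naive(const struct fabric *f) {
    for (int i = 0; i < RMP_ENTRIES; i++) fabric_write(f, i, RMP_INITIALIZED);
    return 0;
}
/* Checked init: refuse an unlocked fabric, then verify each entry. The
 * read-back is modelled as a direct read; a real read also crosses the
 * fabric, which is why the lock check has to come first. */
static int rmp_init_checked(const struct fabric *f) {
    if (!f->locked) return -1; /* routing could still be changed */
    for (int i = 0; i < RMP_ENTRIES; i++) {
        fabric_write(f, i, RMP_INITIALIZED);
        if (dram_rmp[i] != RMP_INITIALIZED) return -2; /* write was lost */
    }
    return 0;
}
/* Number of entries still holding the host's pre-seeded value. */
static int stale_entries(void) {
    int n = 0;
    for (int i = 0; i < RMP_ENTRIES; i++) n += (dram_rmp[i] != RMP_INITIALIZED);
    return n;
}
int main(void) {
    struct fabric f;
    host_prepare(&f, 0, 0); /* unlocked and misrouted, as described above */
    int naive = rmp_init_naive(&f);
    printf("naive=%d stale=%d checked=%d\n", naive, stale_entries(), rmp_init_checked(&f));
    return 0;
}
```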

Attack Complexity and Impact

Fabricked is a fully deterministic, software-only exploit with a 100% success probability. It requires no physical access to the hardware and does not depend on any code running inside the victim CVM.

Affected Hardware

While the attack was confirmed on AMD Zen 5 EPYC processors, AMD's advisory indicates that Zen 3 and Zen 4 processors are also affected. This means a significant portion of AMD's server-grade hardware is vulnerable to this attack if not patched.

Discussion and Counterpoints

While the technical achievement of the attack is impressive, some critics in the community have pointed out that the requirements for the attack are steep. As some noted, the attack requires an already compromised hypervisor and UEFI.

"Requires an already compromised hypervisor / UEFI. Yawn."

However, the researchers argue that this fits perfectly within the AMD SEV-SNP threat model. The goal of confidential computing is specifically to protect data from a cloud provider who controls the UEFI and hypervisor. Therefore, assuming a malicious UEFI is a realistic scenario for a cloud environment.

Conclusion

Fabricked highlights a critical vulnerability in the chiplet-based architecture of modern CPUs. By targeting the interconnect rather than the CPU cores themselves, the researchers have shown that the security of a Trusted Execution Environment (TEE) can be compromised through its initialization process.

AMD has acknowledged the vulnerability and released microcode and firmware updates to mitigate the attack. Users of AMD SEV-SNP are urged to update their systems as described in the following advisory: AMD-SB-3034.
