🤖 AI Summary
This work presents the first software-only attack chain against AMD SEV-SNP on EPYC Milan processors that achieves code execution inside the AMD Secure Processor without physical access (MilanLaunchy). From that foothold, a second exploit (BadFuse) abuses missing write protection in the fuse controller to extract the hardware root seed from which the Versioned Chip Endorsement Key (VCEK) is derived. Because the VCEK binds attestation signatures to the TCB version only through that seed, an attacker who holds it can derive the VCEK for any TCB version and forge attestation reports for arbitrary firmware versions. This removes the trust anchor on which SEV-SNP's TCB rollback protection rests: a signature under the VCEK no longer proves which firmware version the platform is actually running.
📝 Abstract
In the official whitepaper of Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP), AMD explicitly emphasizes the capability to prevent Trusted Computing Base (TCB) rollback attacks. Cryptographically, this is realized by signing attestation reports with the Versioned Chip Endorsement Key (VCEK), which is derived by incorporating the TCB version into the hardware root seed.
In this architecture, safeguarding the hardware root seed is the ultimate line of defense. However, our research reveals that this protection is insufficient on EPYC Milan by presenting a software-only exploit. Specifically, we first introduce the MilanLaunchy attack, an exploit that achieves code execution on the AMD secure processor. Building on this foundation, we develop the BadFuse attack, which extracts the hardware root seed by exploiting a lack of write restrictions in the fuse controller. This end-to-end attack chain enables an adversary to forge valid attestation reports for any firmware version, thereby effectively undermining the security model of SEV-SNP.
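To make the version-binding argument in the summary and the abstract concrete, the following Python model (an added example, not code from the paper or from AMD) walks through why the VCEK stops a TCB rollback as long as the seed is secret, and why extracting the seed lets an attacker forge a report for any TCB version. Everything in it is an assumption for illustration: the seed and TCB version numbers are constructed, the derivation is an HMAC-SHA256 expansion rather than AMD's undocumented KDF, and a Lamport one-time signature stands in for the ECDSA P-384 key the real VCEK is, so the example runs on the standard library alone. The names `derive_vcek_private`, `psp_attest`, `kds_vcek_public`, `verify_report` and `scenarios` are the example's own.

```python
"""Toy model of SEV-SNP VCEK version binding and of what a leaked root seed buys an attacker.

Added example; the real VCEK is an ECDSA P-384 key and AMD's derivation is not public.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

HASH_BITS = 256  # Lamport keys sign a SHA-256 digest bit by bit


def derive_vcek_private(seed: bytes, tcb_version: int) -> list:
    """Derive the VCEK private key for one TCB version from the hardware root seed.

    Assumption: only the property that matters here is modelled, namely that the
    TCB version is a KDF input and the seed is the only secret.
    """
    tcb = struct.pack(">Q", tcb_version)
    return [
        tuple(
            hmac.new(seed, b"VCEK" + tcb + struct.pack(">HB", i, b), hashlib.sha256).digest()
            for b in (0, 1)
        )
        for i in range(HASH_BITS)
    ]


def vcek_public(sk: list) -> list:
    """Lamport public key: the hash of every private-key chunk."""
    return [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]


def _bits(message: bytes) -> list:
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def sign(sk: list, message: bytes) -> list:
    """Reveal, for each digest bit, the private chunk matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def verify(pk: list, message: bytes, sig: list) -> bool:
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit] for i, bit in enumerate(_bits(message)))


@dataclass
class Report:
    reported_tcb: int   # TCB version the report claims the platform firmware runs
    measurement: bytes  # launch measurement of the guest
    report_data: bytes  # verifier-supplied nonce, binds the report to this challenge

    def encode(self) -> bytes:
        return struct.pack(">Q", self.reported_tcb) + self.measurement + self.report_data


def psp_attest(seed: bytes, running_tcb: int, measurement: bytes, nonce: bytes):
    """Genuine secure-processor behaviour: it signs with the VCEK of the TCB it actually runs."""
    report = Report(running_tcb, measurement, nonce)
    return report, sign(derive_vcek_private(seed, running_tcb), report.encode())


def kds_vcek_public(seed: bytes, tcb_version: int) -> list:
    """Models AMD's Key Distribution Service, which holds the seed and publishes
    one VCEK public key (a certificate, in reality) per chip and TCB version."""
    return vcek_public(derive_vcek_private(seed, tcb_version))


def verify_report(report: Report, sig: list, minimum_tcb: int, kds) -> bool:
    """Relying party: enforce a minimum TCB, then check the signature against the
    VCEK public key for the TCB the report claims."""
    if report.reported_tcb < minimum_tcb:
        return False
    return verify(kds(report.reported_tcb), report.encode(), sig)


def scenarios():
    seed = os.urandom(32)                       # constructed: per-chip hardware root seed
    measurement = hashlib.sha256(b"guest image").digest()
    old_tcb, new_tcb = 0x07, 0x08               # constructed TCB version numbers
    kds = lambda tcb: kds_vcek_public(seed, tcb)

    # 1. Honest platform on the current firmware: the report verifies.
    report, sig = psp_attest(seed, new_tcb, measurement, os.urandom(32))
    honest = verify_report(report, sig, new_tcb, kds)

    # 2. TCB rollback without the seed: firmware downgraded to old_tcb, attacker edits the
    #    report to claim new_tcb. The signature came from VCEK(old_tcb), so it fails against
    #    VCEK(new_tcb). This is the binding the whitepaper relies on.
    report, sig = psp_attest(seed, old_tcb, measurement, os.urandom(32))
    report.reported_tcb = new_tcb
    rollback = verify_report(report, sig, new_tcb, kds)

    # 3. After BadFuse: the attacker holds the seed, derives VCEK(new_tcb) directly and signs
    #    a report for firmware the platform is not running. Verification succeeds.
    forged = Report(new_tcb, measurement, os.urandom(32))
    forged_sig = sign(derive_vcek_private(seed, new_tcb), forged.encode())
    forged_ok = verify_report(forged, forged_sig, new_tcb, kds)

    return honest, rollback, forged_ok


if __name__ == "__main__":
    print(scenarios())  # (True, False, True)
```

The verifier role mirrors what a relying party does with a real report: fetch the VCEK for the TCB values the report claims, check the signature, then apply a minimum-TCB policy. The third scenario is the paper's point: once the seed is known, the signature check cannot tell a forged report from a genuine one, so a TCB policy on its own no longer provides rollback protection. (Lamport keys are one-time; the model ignores that because key reuse is not what is being shown.)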