Black Hat Europe 2025 | RMPocalypse: A Catch-22 Breaking AMD’s Confidential Computing
Why It Matters
The attack compromises the core integrity of AMD’s confidential VM offering, forcing cloud operators to reassess trust in hardware‑based data protection and prompting urgent firmware patches.
Key Takeaways
- AMD SEV‑SNP relies on Reverse Map Table (RMP) for integrity.
- Researchers exploited dirty cache lines to overwrite RMP during boot.
- Attack bypasses PSP protections by racing kernel thread writes.
- Root cause traced to cache‑coherency handling in AMD chiplet design.
- Mitigations require explicit cache flushes and firmware updates.
Summary
The Black Hat Europe 2025 talk, titled “RMPocalypse: A Catch‑22 Breaking AMD’s Confidential Computing,” revealed a novel attack on AMD’s SEV‑SNP technology. The researchers, a PhD student and advisor from ETH Zurich, focused on the Reverse Map Table (RMP), a hardware‑maintained metadata structure that guarantees memory‑access integrity for confidential virtual machines.
By deliberately creating dirty cache lines before the platform security processor (PSP) boots the RMP, the team demonstrated that a racing kernel thread can overwrite RMP entries, effectively breaking the integrity guarantees of SEV‑SNP. Initial experiments showed the attack failed when the RMP was mapped as uncachable, pointing to a cache‑coherency issue. Further analysis of AMD’s open‑source firmware revealed that the PSP writes to the RMP without enforcing cache coherence, leaving a narrow window for exploitation.
The presenters highlighted several technical details: the PSP’s boot sequence, the role of the AMD Infinity Fabric in inter‑core communication, and the mistaken early hypothesis that a “cache concurrency” bug was responsible. After additional testing on Zen cores lacking full coherency for certain addresses, they concluded the vulnerability stemmed from the chiplet architecture’s handling of cache lines during the PSP’s non‑coherent writes.
The discovery has immediate implications for cloud providers and enterprises relying on AMD’s confidential computing to protect data in use. Mitigations include enforcing explicit cache flushes before RMP initialization and updating PSP firmware to ensure coherent writes, underscoring the need for rigorous validation of hardware‑level security mechanisms.
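The ordering problem and the two mitigations named above can be seen in a small software model. This is an added example, not code from the talk or from AMD's firmware; it reduces the platform to one RMP entry and one write-back cache line, and every name and value in it (`rmp_after_init`, `RMP_INIT`, `STALE`) is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RMP_INIT 0xA5u /* constructed: value the PSP writes at RMP init */
#define STALE    0x11u /* constructed: value the host left in a dirty line */

/* One RMP entry in DRAM plus one write-back cache line covering it. */
struct model { uint8_t dram, line; bool valid, dirty; };

static void cpu_write(struct model *m, uint8_t v) {
    m->line = v; m->valid = true; m->dirty = true;   /* stays in cache */
}

/* Flush or eviction: a dirty line is written back, then dropped. */
static void writeback_invalidate(struct model *m) {
    if (m->valid && m->dirty) m->dram = m->line;
    m->valid = m->dirty = false;
}

/* PSP write: goes straight to DRAM; only a coherent write drops the cached copy. */
static void psp_write(struct model *m, uint8_t v, bool coherent) {
    if (coherent) m->valid = m->dirty = false;
    m->dram = v;
}

/* Returns the RMP entry in DRAM after init and a later eviction. */
uint8_t rmp_after_init(bool flush_before_init, bool coherent_psp) {
    struct model m = { .dram = 0xFF };
    cpu_write(&m, STALE);                    /* dirty line exists before init */
    if (flush_before_init) writeback_invalidate(&m);
    psp_write(&m, RMP_INIT, coherent_psp);   /* RMP initialization */
    writeback_invalidate(&m);                /* line is evicted afterwards */
    return m.dram;
}

int main(void) {
    printf("no mitigation:      0x%02X\n", rmp_after_init(false, false));
    printf("flush before init:  0x%02X\n", rmp_after_init(true, false));
    printf("coherent PSP write: 0x%02X\n", rmp_after_init(false, true));
    return 0;
}
```

Without either mitigation the later write-back replaces the initialized entry with the stale value; a flush before initialization or a coherent PSP write leaves the initialized value in place.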