“Anybody who’s written software, anybody who’s created hardware knows that it’s impossible to be perfect,” Hollingsworth says. “Over the years that we’ve been working together with Google, we’ve been providing them as much access as we possibly can and thinking about the problem from two different sides. And somewhere in the middle of that push and pull, we end up finding things that benefit everyone.”
The audit specifically delved into the defenses of the AMD Secure Processor (ASP) and the firmware of the AMD technology known as “SEV-SNP,” or Secure Encrypted Virtualization-Secure Nested Paging. SEV-SNP underlies Google Cloud’s Confidential Virtual Machines, a premium offering within Google Cloud’s general product that segments and encrypts a customer’s systems and manages the encryption keys to box out Google Cloud such that the company can’t access the customer’s data.
The two companies haven’t said specifically how many vulnerabilities were found and addressed through the recent audit, but the report outlines multiple specific findings, attack scenarios, and general areas for improvement. AMD says it has released firmware fixes for all the issues discovered through the audit and Google Cloud says it has applied all of these patches and mitigations.
Both Google Cloud’s Porter and AMD’s Hollingsworth emphasize, though, that the true value of the partnership is in the repeated collaboration and review over time. The goal is that the findings will safeguard Google Cloud, but also improve security across the industry, and that the partnership can perhaps be a model for increased transparency between chipmakers and customers in general. As organizations increasingly rely on cloud providers to deliver most or all of their infrastructure, there are major security gains, but always the lurking fear that something could go wrong.
“You need to assume breach, you need to assume that things might happen,” Porter says. “And that’s why I think it’s so critical to have all the bugs fixed, but also to be talking very openly about this continuously. It’s not something we’re doing once and it’s finished. It’s ongoing.”