Device Guard VBS BSOD: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M amdppm.sys

I get the exact same error on my system if CPPC is enabled (it's enabled by default):

It's possible that this issue is specific to Asus boards. I have an Asus B550-E and the other poster on my Reddit thread with the same issue had an Asus B450 board. Maybe there's something screwed up in their ACPI table?

Alternatively, it's possible that AMD's driver is just broken and the combination of CPPC + HVCI is broken on all Matisse systems?
 

Thank you, problem is finally solved. I believe this is a security feature, rather than a bug. CPPC is designed to allow reporting of data between host O/S and the UEFI BIOS, which the NSA has suggested could lead to compromise, which is why they only recommend in their best practices that their employees use AMD based products without overclocking features, Aurora Sync etc, but despite their claims, with the right tweaking, you are as good as gold. nsacyber/Hardware-and-Firmware-Security-Guidance

To mitigate AMD Flaws, purchase business-class machines that lack or limit enthusiast features such as overclocking, fan control, custom thermal management, RGB lighting, and firmware modding support. Also ensure that all firmware, microcode, and software updates are applied. Carefully analyze software before using it in conjunction with the AMD Secure Processor (SP) or Platform Security Processor (PSP) protected enclaves.

THANK YOU SO MUCH! This solved my issue immediately. It was the CPPC, whose description referred to "mask" something or other.
 
CPPC is designed to allow reporting of data between host O/S or hypervisor directly to the UEFI BIOS, CPPC's initialization upon boot in tandem with strict enforcement measures of SecureBoot, and with CSM disabled in UEFI settings, amdppm.sys attempts to write or read to restricted areas of the BIOS, triggering the crash.

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
SYMBOL_NAME: amdppm!WriteIoMemRawEx+70
MODULE_NAME: amdppm
IMAGE_NAME: amdppm.sys
IMAGE_VERSION: 10.0.19041.208
STACK_COMMAND: .cxr 0xffffb087a33cc730 ; kb
BUCKET_ID_FUNC_OFFSET: 70
FAILURE_BUCKET_ID: AV_amdppm!WriteIoMemRawEx
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {b967e674-8d22-35dd-426e-01888346a4a7}
Followup: MachineOwner
 
Update 2:

I believe this is a security feature, rather than a bug.
CPPC is designed to hand CPU preferred core control from the UEFI/chipset to the O/S, if CPPC initializes upon boot in tandem with strict enforcement measures of SecureBoot + CSM disabled, amdppm.sys attempts to write or read to memory areas of the BIOS restricted by the hypervisor or UEFI, triggering the crash.
Enabling CSM allows one to use SecureBoot, HVCI, IOMMU, VBS, and CI-config, by relaxing UEFI/hypervisor security restrictions.
This allows greater compatibility at the expense of security.

O/S or OS: Operating System
CPU: Central Processing Unit
BIOS: Basic Input-Output System
UEFI: Unified Extensible Firmware Interface
CSM: Compatibility Support Module
HVCI: "Hypervisor-Enforced Code Integrity" or "Hypervisor-Protected Code Integrity"
VBS: Virtualization-based Security
CPPC: Collaborative Processor Performance Control
IOMMU: Input/Output Memory Management Unit
SMM: System Management Mode
MAT: (UEFI v2.6) Memory Attributes Table
TPM: Trusted Platform Module (2.0)
 
amdppm.sys attempts to write or read to memory areas of the BIOS restricted by the hypervisor or UEFI, triggering the crash.

This directly coincides with what was happening with each crash too, the following error:

0: kd> !error ffffffffc0000005
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

This is usually related to either a null pointer dereference, a corrupted address or a region of memory which is protected.

I'm glad you were able to find the cause of the issue, will certainly be helpful with anyone who experiences the same crash in the future.
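
Since the workarounds in this thread involve changing CPPC and CSM in firmware, it is worth confirming afterwards which protections Windows is actually running. The script below is an added example, not posted by any participant in the thread; it assumes an elevated PowerShell prompt on the affected Windows 10 machine, and the function names are hypothetical.

```powershell
# Added example (not from the thread): report Secure Boot, VBS and HVCI state
# after a firmware change such as toggling CPPC or CSM. Run elevated.

function Resolve-Names($Map, $Ids) {
    # Translate numeric codes into readable names; null and 0 entries are skipped.
    @($Ids | Where-Object { $_ } | ForEach-Object {
        if ($Map.ContainsKey([int]$_)) { $Map[[int]$_] } else { "Unknown ($_)" }
    }) -join ', '
}

function Get-PlatformSecurityState {
    # Confirm-SecureBootUEFI throws when the system was booted in legacy/CSM mode.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = "Unavailable: $($_.Exception.Message)" }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    # The processor power driver named in the crash dump (service name amdppm).
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='amdppm'" `
                           -ErrorAction SilentlyContinue

    $vbs      = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $hw       = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                   4 = 'Secure memory overwrite'; 5 = 'NX protections'
                   6 = 'SMM mitigations'; 7 = 'MBEC/GMET' }

    [pscustomobject]@{
        SecureBoot         = $secureBoot
        VbsStatus          = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = Resolve-Names $services $dg.SecurityServicesConfigured
        ServicesRunning    = Resolve-Names $services $dg.SecurityServicesRunning
        HvciRunning        = $dg.SecurityServicesRunning -contains 2
        AvailableHardware  = Resolve-Names $hw $dg.AvailableSecurityProperties
        RequiredHardware   = Resolve-Names $hw $dg.RequiredSecurityProperties
        AmdppmState        = if ($drv) { "$($drv.State) ($($drv.PathName))" } else { 'Not present' }
    }
}

$state = Get-PlatformSecurityState
$state | Format-List
if ($state.SecureBoot -ne 'True') { Write-Warning 'Secure Boot is not reported as enabled.' }
if (-not $state.HvciRunning)      { Write-Warning 'HVCI is not running on this boot.' }
```

Run it once before and once after the firmware change and compare the two outputs; a setting that stops the crash but also drops `HvciRunning` to `False` has removed the protection rather than fixed the driver conflict.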
 
