How Can AMD EPYC "Rome" 7002 Series Be Even Better? Open-Source BIOS / Coreboot


  • #21
    Originally posted by agd5f
    As I've said before, there's no fundamental issues, it was more of a cost/benefit review. It's a huge amount of work to do the coreboot enablement and back when we did it consistently, we didn't get much return on investment.
    This is an interesting comment but why the lack of return? Is it the result of a lack of design ins, often due to the lack of competitive products? Or was it a lack of interest from manufacturers?

    By the way I really believe that AMD would do well to offer up standard boards and systems with coreboot built in. Effectively similar to Intel's NUC platforms but with open source firmware.



    • #22
      I think for most people the goal is to get PSP dropped from the processor. Frankly I think the obsession with PSP and similar devices is way overblown. Sure it is a potential back door into a processor but any modern operating system is full of such back doors. I run Linux and frankly wouldn't trust it on an open network with anything I thought was critical to survival. It could take decades before anybody could seriously say there are no security risks with Linux, the same with Mac OS. Windows I really doubt will ever become really secure.

      Originally posted by madscientist159
      Several points of caution / red flags here...

      1.) The PSP checks an AMD signature. The PSP is required to even release the x86 cores from reset. Even if AMD released PSP source tomorrow, you still wouldn't be able to modify it or remove any parts you didn't like.

      2.) More and more platform init is being pulled into the PSP. It's already doing large chunks of the coreboot romstage per my current understanding. Open source ramstage isn't really going to fix the security loss versus just using one of the already fully open products on the market -- remember AMD doesn't financially or legally guarantee your data confidentiality, data integrity, or even system availability against bugs or malware in the PSP.

      3.) AMD has made this type of statement before, presumably to stoke interest and help sell chips. They have then quietly backed away from it at a later date. Example:

      March 2, 2017 AMD AMA: "efforts to have source code released having "CEO level attention""
      July 19, 2017: No open source possible: https://hothardware.com/news/amd-con...processor-code

      I wonder how many CPUs were sold in the interim to people that actually thought they might be getting PSP source or control of the PSP...

      As has been the trend for nearly a decade, AMD has a great core that is rendered insecure by design. In the modern age of "data as the new oil", not to mention the recent push for strong encryption to be made illegal, "performance for security" may or may not be a tradeoff you or your company can make.



      • #23
        Originally posted by wizard69
        I think for most people the goal is to get PSP dropped from the processor. Frankly I think the obsession with PSP and similar devices is way overblown. Sure it is a potential back door into a processor but any modern operating system is full of such back doors. I run Linux and frankly wouldn't trust it on an open network with anything I thought was critical to survival. It could take decades before anybody could seriously say there are no security risks with Linux, the same with Mac OS. Windows I really doubt will ever become really secure.
        I know some people don't consider it a concern. Just like there are a lot of people that choose to think Office 365 and Windows 10 aren't a concern -- of course now if you try using the former in parts of the EU on private data you're going to get slapped with a massive GDPR fine, but hey, it's convenient right?

        I also know a lot of organizations and individuals that recognize it for the threat it is -- not so much for it being a binary, but for the fact that you can't modify or replace it yourself. Full stop. Yet the vendor can change it in any way desired, including creating tailored malware. That kind of imbalance in power is a significant concern for a lot of people for good reason -- fundamentally it's the exact same problem seen in the backdoored encryption proposals, but because AMD is currently dethroning Intel they're seen as the "good guy" here and these obvious design defects are being purposefully overlooked.

        I get it, Intel having competition is a Very Good Thing. However, let's not turn a blind eye to the fact that with the PSP and its associated NDA-restricted documentation / top secret source code, AMD is currently just as bad as Intel in terms of data sovereignty for users of their machines. If data sovereignty isn't a concern, AMD does look like the better buy nowadays. If it is a concern, you need to look elsewhere than either AMD or Intel. Period.
        Last edited by madscientist159; 08 August 2019, 09:10 PM.



        • #24
          Originally posted by wizard69
          I think for most people the goal is to get PSP dropped from the processor. Frankly I think the obsession with PSP and similar devices is way overblown. Sure it is a potential back door into a processor but any modern operating system is full of such back doors. I run Linux and frankly wouldn't trust it on an open network with anything I thought was critical to survival. It could take decades before anybody could seriously say there are no security risks with Linux, the same with Mac OS. Windows I really doubt will ever become really secure.


          The problem with PSP and the like is that, unlike a Linux installation which you can always wipe and replace, those hidden systems are basically invisible.
          If you buy a used CPU, someone could have compromised the PSP, and you have no way to detect this. Even if you buy new, this could be a CPU another customer had compromised and returned (once got some mobo with bent pins from Amazon), or someone in the delivery chain did that.

          Also I'm not sure you are aware how much those modules can do. With a fitting Intel NIC for example the Intel ME can filter (or modify) all network traffic.



          • #25
            Coreboot is totally useless if your CPU is compromised with the AMD PSP. So far only 2 people in the comments stated the obvious and that is actually the thing which is mind-boggling. Almost nobody seems to notice and nobody seems to care. I'm just baffled by this article and most of the responses.



            • #26
              Originally posted by Fanboy80
              Coreboot is totally useless if your CPU is compromised with the AMD PSP. So far only 2 people in the comments stated the obvious and that is actually the thing which is mind-boggling. Almost nobody seems to notice and nobody seems to care. I'm just baffled by this article and most of the responses.
              It's not useless as it would free you from crap the mobo manufacturer unloads on you.
              In my case I would like to add NVMe support to a Haswell-era mobo (can't really afford the downtime to doctor on my main PC).

              So Coreboot does not bring us world peace, but it's still a step forward to properly being able to mess with your hardware



              • #27
                Originally posted by wizard69
                This is an interesting comment but why the lack of return? Is it the result of a lack of design ins, often due to the lack of competitive products? Or was it a lack of interest from manufacturers?
                I guess the market for PCs with coreboot is relatively limited? There weren't many companies that needed it.



                • #28
                  Originally posted by wizard69

                  Well possibly, but we all know what happened to AMD in the recent past! Passing off the lack of staff as a legal issue sounds a lot better to many. Frankly it takes considerable staff just to review software from the legal standpoint so it could be the lack of lawyers too.

                  In any event I'm very optimistic with regards to AMD and the cash influx a successful Ryzen 2 launch could give them. This should lead to better GPU drivers across the board, more money put into low power tech and other things that have been holding them back. Plus I have to express confidence in the new management staff, tech companies really need somebody at the top that really understands technology.

                  I'm not a big fan of the professional manager, some can do wonders but man when they screw up companies fold and people lose good jobs. Often it is in fact the lack of technical insight that causes the bad decision making.
                  Professional managers are often professional scammers that steal the money of a corporation and make them bankrupt, IMHO. Please see the Nokia case with an "ex"-Microsoftie, for example.



                  • #29
                    Originally posted by agd5f
                    I guess the market for PCs with coreboot is relatively limited? There weren't many companies that needed it.
                    That is because corporate buyers are easily placated with security snake oil and placebo audits. AMD of course also plays this game.

                    Plus, much like OpenWrt for Wifi routers, you realize that you need it often only after you bought the product. This is when you get hit by the firmware bugs, basic unimplemented functions, security vulnerabilities, etc. that the vendor refuses to address because there is no business case.

                    With AMD for whatever reason having a much harder time ensuring the quality of firmware that OEMs inflict on users, that should be a concern to them. When someone buys an AMD product with bug-ridden firmware with no way to help themselves, then next time they are not going to ask for Coreboot. They are going to ask for an Intel product.
