I don't know what y'all were expecting anyway. This is low-level closed hardware. They likely have licensed crap from someone else, because that's how it works in the real world.

There was also another AMD driver that installed a web service accessible from outside, the PSP drivers https://www.reddit.com/r/Amd/comment...y_pc_publicly/

Anyway, AMD still has a huge lead on this, as they aren't integrating this broken webserver bs in the chipset itself like some other unnamed company does. They are cutting on development of non-critical stuff, which is unfortunate but can be understandable for now, and PSP is still much less dangerous than ME.

This is just plain crappy utility software developed by some random intern in half the time needed to make a decent job, that can be easily reconfigured or locked down or firewalled from inside the OS, and on Linux does not work and isn't even remotely necessary.

The fact that the software stack shipped with the RAID utilities contains known vulnerabilities, is remotely accessible by default, and runs with system privileges says all. This clearly shows that nobody with knowledge in security has oversight over what software AMD ships.

And while AMD not open sourcing PSP is deplorable, the reasoning "we show it to 3rd party auditors instead" is much worse than if they had simply said "no". This also shows a total lack of understanding about security.

yeah, because all AMD software, from drivers to random crap like this utility uses the same QA, and is under the same pressure.

Just look at Intel. Their Raid configuration utility is done decently, it is stable and isn't comically unsafe. But their ME runs a server that allows you to login without a password (more or less). And in december there is another ME vulnerability being discussed, and the more white hats dig into the hole the more crap they will find.

If they used the same QA that vetted their Raid utility they might have catched some of that bugs, but they didn't.

Oh man, how bad they are. They could have:
-not answered at all, not even an acknowledge (Intel)
-not given their code to 3rd party auditors at all (Intel)

That's totally better and safer.

They can't opensource licensed stuff so having third party auditors is the best they can realistically do.

They could, like Intel does with their "High-Assurance Program", provide a way to disable the PSP. And if they wanted to be good citizens, they could have had that option available to everyone and not just 3-letter agencies like Intel does. But no, instead we get BS about 3rd party auditors. Sheesh..

Then allow us to turn it off. Is AMD going to pay for data loss, loss of use, loss of revenue, etc. when the PSP is inevitably hacked, or are they just providing lip service here with no real financial skin in the game?

The only way the current closed source, non-replaceable, non-disableable PSP might be possibly acceptable is if AMD permanently indemnifies all machine owners against all forms of loss and/or financial harm traceable in any way to the presence of the PSP. No "your system is no longer supported" or "you can't prove the PSP did that", but actual, real indemnification including for all time lost.

So, what do you say AMD? Are you confident enough in the PSP to offer this?

Having that option available to everyone seems to not be what whoever asked for these feature wants.

Is this even a real question? They won't unless sued by someone that can stand their ground against them, same story as with Intel (that is also much bigger).

Oh spare me the whataboutism.

Plus Intel ME is vulnerable in this case not because of the poor design. Software bugs happen and sometimes lead to vulnerabilities. The AMD RAID utility issue is not a simple software bug, but instead displays a shocking amount of ignorance (and lack of oversight) when it comes to security.

Often it is better to remain silent than to say things that trigger bullshit detectors in a major way. And it is obviously something which AMD said to placate their customers.

SMM is not for _CPU_ firmware at all, it is for board control logic, fans and such. Which is much more scary that "CPU" firmware, as board / BIOS vendors are not particularly known for writing the most awesome code, ... :-/