Announcement

Collapse
No announcement yet.

AMD To Issue PSP/BIOS Firmware Updates For Recent Vulnerabilities

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • AMD To Issue PSP/BIOS Firmware Updates For Recent Vulnerabilities

    Phoronix: AMD To Issue PSP/BIOS Firmware Updates For Recent Vulnerabilities

    Last week was the controversial publishing of the "AMD Flaws" CPU vulnerabilities for Ryzen and EPYC processors. AMD has now issued their first public update on the matter and have said they will be issuing PSP firmware and BIOS updates for mitigation...

    http://www.phoronix.com/scan.php?pag...rmware-Updates

  • #2
    What is the point? According to this scummy "amdflaws" site, most of the exploits need modifying the firmware anyway... LOL.

    Comment


    • #3
      Did the hardware vulnerabilities turned out to be false ? Or will even Ryzen 2 users be stuck with an insecure cpu ?

      Comment


      • #4
        Hardware flaws are only limited to the Promntory chip-set. AMD is already working with ASMedia which are the designers of the chip-set to find proper solution to close these security holes with BIOS/firmware update.

        I suppose later versions of chip-set for the next generation of Ryzen CPU's will have the proper hardware fixes.

        Comment


        • #5
          Someone wanted to buy AMD stocks for cheap here. That's all this was.

          Comment


          • #6
            Originally posted by GunpowaderGuy View Post
            Did the hardware vulnerabilities turned out to be false ?
            It's only a "hardware" vulnerability if you consider the fact that the security-related function of AMD PSP run in a separate ARM core.
            (Not dissimilar to the IntelME's ARC core running their management functions).

            The attack is about flaws in the firmware running on these extra core
            (and requiring root access on a the machine in order to be able to access and communicate with these core or even upload a new firmwar. - i.e.: at that point an attacker has tons of options to hose your system. The fact that now a few of these options happens to rely on AMD PSP core is merely a footnote compared to the fact that by that point the attacker is already root).

            The fix is simply about fixing the firmware that runs on these cores.

            There's no fundamental hardware design problem that needs to be redesigned (beyond the fact that there are extra administrative cores such as AMD PSP / Intel ME in our CPUs) and it's not going to be changed
            (though it would be great if cpu manufacturers conceded to let a way for end users to upload their own opensource firmware instead, like Secure UEFI can be allowed to boot Linux. Or end users could replace the firmware with a gutted down version "bare strict minimum in order to bring the hardware up during boot and won't to anything afterward" like the replacement IntelME that got popular last autumn).

            Ryzen2 will still feature AMD PSP. Wether it will be insecure will depend on the quality of the firmware running there. By then the current bugs in the firmware will be definitely sorted out. But there's no guarantee that there aren't other bugs not yet discovered in the firmware. Nor that future version of the firmware won't introduce new exploitable bugs. Nonetheless, if that were to happens, newer fixed firmware will be all that's needed.

            This whole thing is nothing much impressive.

            CTSlab have blown it way out of proportion, probably to profit of it, betting on AMD stock diving a bit.

            Comment


            • #7
              FUD everywhere

              Comment


              • #8
                Can they actually provide open firmware for PSP, or at least a way to completely disable it?

                Comment


                • #9
                  Originally posted by TemplarGR View Post
                  What is the point? According to this scummy "amdflaws" site, most of the exploits need modifying the firmware anyway... LOL.
                  Well, you can either insist on there not being any flaws and then endlessly fight against the bad press for denying any flaws, or say that you "fixed some issues/vulnerabilities" (even if there were none) and put everyone's mind at ease.

                  Comment


                  • #10
                    This is like a "no duh" moment. Isn't the whole point of root to have the highest tier of access? Isn't it literally the job of hardware and software designers to make certain that root in fact does have that highest tier of access? In that sense doesn't this mean that the hardware and the software is doing exactly what it's supposed to do?

                    EDIT: In other words, wouldn't the fix necessarily mean root would no longer have that highest tier of access? If that's true then their is no doubt at all that whatever "fix" is involved most definitely introduces an even higher tier of vulnerability. That would be retarded and anti-consumer.
                    Last edited by duby229; 21 March 2018, 09:28 AM.

                    Comment

                    Working...
                    X