AMD SMM Callout Privilege Escalation Bug Disclosed For APUs


  • AMD SMM Callout Privilege Escalation Bug Disclosed For APUs

    Phoronix: AMD SMM Callout Privilege Escalation Bug Disclosed For APUs

    AMD has made public "SMM Callout Privilege Escalation" or more formally CVE-2020-12890 as an AGESA vulnerability that could lead to arbitrary code execution on APUs...

    http://www.phoronix.com/scan.php?pag...lout-Privilege

  • #2
    That is not possible I tell you, only Intel CPUs have security vulnerabilities, AMD can do no wrong. I demand that you print a retraction and apology to AMD.



    • #3
      Originally posted by Spooktra
      That is not possible I tell you, only Intel CPUs have security vulnerabilities, AMD can do no wrong. I demand that you print a retraction and apology to AMD.
      When you spend 100s of £s/$s on something and end up having it nerfed every year with patches to mitigate something that isn't really being dealt into next year's lineup, anyone with sense would say that the approach isn't working and it needs a shakeup.
      Put brand loyalty aside - any CPU can have vulnerabilities, it just so happens Intel royally screwed the pooch somewhere in their architecture and we can't go 5 minutes now without discovering flaws with them on a fundamental level. When the same is true for AMD or Zhaoxin CPUs, it should be reported as well - because we want problems to get fixed.





      • #4
        It is not a CPU bug, it is a BIOS bug.



        • #5
          Originally posted by Spooktra
          That is not possible I tell you, only Intel CPUs have security vulnerabilities, AMD can do no wrong. I demand that you print a retraction and apology to AMD.
          Every company can go wrong and will and did ...etc. The same for AMD - but how often? Will they learn from it? Do they play it down? What is their policy? How do they tackle the issues on upcoming devices?

          You can be sure if AMD fails as often as Intel in the recent time - the same will be said about AMD... Do you remember the FX bashing?



          • #6
            Originally posted by Linux_Chemist
            When you spend 100s of £s/$s on something and end up having it nerfed every year with patches to mitigate something that isn't really being dealt into next year's lineup, anyone with sense would say that the approach isn't working and it needs a shakeup.
            Put brand loyalty aside - any CPU can have vulnerabilities, it just so happens Intel royally screwed the pooch somewhere in their architecture and we can't go 5 minutes now without discovering flaws with them on a fundamental level. When the same is true for AMD or Zhaoxin CPUs, it should be reported as well - because we want problems to get fixed.
            This.

            I've been a pretty unashamed AMD fanboy for a while now (15+ years, although I did skip straight from a Phenom II x6 to Ryzen... sorry Bulldozer), but I don't think I've ever said that AMD didn't have undiscovered security issues in their chips. The relative lack of reported issues compared to Intel does seem to point to several possibilities:

            1. Security researchers haven't been looking into AMD nearly as much (either due to relative market size, or because of funding/priorities).
            2. Meltdown/Spectre gave just enough of a lever/insight into Intel's weak spots that they're prying it wide open.
            3. AMD's architecture may have skipped some of the shortcuts that Intel took, leading to a more secure design.

            AMD's chips may be Swiss cheese, and we haven't discovered the holes yet. For now, until Intel straightens their chip design out and improves their pricing/performance/TDP, I'm not even bothering to recommend Intel-based systems to people. The Ryzen series is good enough for pretty much any use case someone would care to ask me for recommendations about.



            • #7
              "The targeted attack described in the research requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors."
              So, yeah, if that's the case, there are bigger problems to worry about.
              Now, I'm not saying that this is not a bug - it is. But it looks to be fixable by updating the AGESA/UEFI/BIOS/FW itself.
              Anyone remember Ryzenfall?



              • #8
                Originally posted by Spooktra
                That is not possible I tell you, only Intel CPUs have security vulnerabilities, AMD can do no wrong. I demand that you print a retraction and apology to AMD.
                As far as straw men go this is a particularly weak one... Ever since the first speculative execution attacks it's been clear that all modern processors with speculative execution are vulnerable to some extent. The only modern processor core that I can recall being confirmed to be totally invulnerable is the ARM Cortex A53, but that's only because it doesn't even have branch prediction in the strictest sense of the word.

                However, the big cross-vendor takeaway has been that Intel has, pardon my French, screwed the pooch way worse than anyone else in the market.



                • #9
                  https://www.reddit.com/r/pics/commen...bug_a_feature/

                  Requisite Reddit link



                  • #10
                    Originally posted by johnp
                    It is not a CPU bug, it is a BIOS bug.
                    This. It's a bug in the AGESA code run by the UEFI board firmware, not a hardware bug.
