AMD PSP Affected By Vulnerability


  • #51
    Originally posted by Spazturtle View Post
    "Without access to a real AMD hardware, we used an ARM emulator"

    "As far as we know, general exploit mitigation technologies (stack cookies, NX stack, ASLR) are not implemented in the PSP environment."

    So they tested this exploit on a generic ARM core and assumed it works on the PSP too, but they couldn't test it on the PSP because they couldn't get access to the PSP.
    So this is a hypothetical exploit which cannot be tested to see if it exists because you can't get access to the ARM core due to security systems stopping you.
    With their method, they presumably still found something real as there's this line here at the end:
    Code:
    12-07-17 - Fix is ready. Vendor works on a rollout to affected partners.

    Comment


    • #52
      Originally posted by artivision View Post
      Also, AMD said years before that they will have an enthusiast platform without all this stuff; there is no point in deactivating them if some day half the web pressures you to reactivate it (in order to have access).
      You DO in fact have the option to boycott websites that demand you turn on DRM support such as PSP or ME to have access. Pressure can and should be resisted, just like the groping hand of Roy Moore should be slapped away.

      Same as my years long practice of closing browser windows that open to a blank page when initial load is with JS disabled. I presume such sites to be malicious and don't load them. There is not and never can be any site that I value so much I will compromise my computers to see. Keep in mind, I am someone who blocks facebook and google in /etc/hosts to keep them from getting my surfing history off other websites, and aggressively block trackers. Well over half of all websites are broken on my setup, I consider that a cheap price to pay for privacy and control. I could care less about Hulu and Netflix not working, in fact I have never even seen the front page of either site and probably would not recognize them on sight.

      I would no more take a security critical machine to a random website that demands low level hardware access to load than I would follow a link from Signal to a Facebook page on a phone.

      Comment


      • #53
        This is better news than this hypothetical false remote, tested on emulator, blah, blah

        Intel faces class action lawsuits regarding Meltdown and Spectre

        Class action lawsuits have been filed in California, Indiana, and Oregon... and to be continued

        Last edited by dungeon; 06 January 2018, 12:55 AM.

        Comment


        • #54
          Originally posted by debianxfce View Post
          http://www.amd.com/en-us/innovations...ogies/security


          "AMD gives you a dedicated AMD Secure Processor built into select AMD Accelerated Processing Units (APUs). ARM® TrustZone®, a system-wide approach to security, runs on top of the hardware creating a secure environment by partitioning the CPU into two virtual “worlds.”"

          Not a Ryzen, Threadripper or Epyc problem.
          Wrong!



          That old AMD page keeps getting dredged up. Zen, EPYC, ThreadRipper, etc. are Family 17h and most definitely have a non-removable PSP that is integral to platform startup.

          Comment


          • #55
            Originally posted by wizard69 View Post

            The problem is we as individuals have little influence here. The big corporations are the drivers for this technology. It is no surprise at all that a Google researcher found this issue as they have some of the most massive server farms out there. Remote management is very important to them and many other similar technology firms.

            So how does one create influence when you might have one or a couple of servers deployed and Google (and many others) have tens of thousands of servers deployed. You would have to get a 100,000 IT professionals to band together to demand a removal of this tech. Even if you could get a 100,000 to agree to the need you would still have to overcome the massive influence of the corporate world that does give a damn about your server rack with 3 machines in it.
            Customers vote with money. Buy stuff, which you want to support. The wolf, which you feed, wins.

            But, there are millions of people out there. Influence made by an individual is close to none. But, society is composed of individuals,...

            Comment


            • #56
              Just goes to show that adding all these "cryptographic processors" to improve security just makes stuff worse by adding extra vectors of attack. The CPUs themselves are already vulnerable enough as it is, we don't need an extra weakness that is supposedly designed for security.

              Comment


              • #57
                I wish these companies would stop implementing nonsense features. Just please, put a little more effort in engineering a secure CPU. PLEASE.

                Comment


                • #58
                  Originally posted by WolfpackN64 View Post
                  Just goes to show that adding all these "cryptographic processors" to improve security just makes stuff worse by adding extra vectors of attack. The CPUs themselves are already vulnerable enough as it is, we don't need an extra weakness that is supposedly designed for security.
                  Platform Security Processor, Intel Management Engine..
                  Absolute power corrupts absolutely.

                  Comment


                  • #59
                    Originally posted by debianxfce View Post

                    Sue AMD for false marketing information then. I trust AMD more than coreboot hippies.
                    AMD themselves said many times, that there is PSP in Ryzen - it's integral part and enables things like memory encryption, TPM and so on.

                    Look here for direct confirmation: http://amd-dev.wpengine.netdna-cdn.c..._v7-Public.pdf

                    "The encryption key used by the AES engine with SME is randomly generated on each system reset and is not visible to any software running on the CPU cores. This key is managed entirely by the AMD Secure Processor (AMD-SP), a 32-bit microcontroller (ARM® Cortex®-A5) that functions as a dedicated security subsystem integrated within the AMD SOC."

                    Or have a look at reddit, AMD AMA concerning Ryzen - it was requested by people there that AMD open sources PSP found in Ryzen.. Engineer responded that he'd be positive but have to take it to management. Sadly, they cannot really open source it, since it's partially licensed but yeah.. another confirmation

                    Comment


                    • #60
                      Originally posted by arakan94 View Post
                      "The encryption key used by the AES engine with SME is randomly generated on each system reset and is not visible to any software running on the CPU cores. This key is managed entirely by the AMD Secure Processor (AMD-SP), a 32-bit microcontroller (ARM® Cortex®-A5) that functions as a dedicated security subsystem integrated within the AMD SOC."
                      Thank you for digging that up. I was wondering if that was possible, looks like it is.

                      Comment
