AMD To Issue PSP/BIOS Firmware Updates For Recent Vulnerabilities


  • #11
    If I have local access to a computer and a hammer I can also smash it. I don't even need root rights for that.
    That whole campaign was so flimsy in making, so obviously wrong. Make some fancy logos, some catchy names and tell utter bullshit and hope people without technical knowledge won't grasp what's actually going on.
    And have some greenscreen video takes, omfg!

    Holy crap. And then this strange Viceroy stock market enterprise in the background...

    Later, after tech folks are really upset, publish some lame excuses and "explain" why you informed the hardware (!) vendor just 20 h before you went disclosure with your bullshit.


    Nonetheless I'd rather have no PSP at all.
    I also guess that it will take fairly long for these updates to actually arrive in firmware. If at all. A lot of mainboard makers are "shy" to roll out firmware updates, probably because they have to invest (probably little) money. The boards are already sold, that's it. Unless it explodes in your face in more than 10% of boards some rarely issue updates.
    And this is nothing the kernel can do; like ucode.

    This is another reason why we need Libre/Coreboot!
    Stop TCPA, stupid software patents and corrupt politicians!



    • #12
      maybe all CPU vendors should simply stop putting remote access functionality in their CPU enablement stack?



      • #13
        Originally posted by duby229
        This is like a "no duh" moment. Isn't the whole point of root to have the highest tier of access? Isn't it literally the job of hardware and software designers to make certain that root in fact does have that highest tier of access? In that sense doesn't this mean that the hardware and the software is doing exactly what it's supposed to do?

        EDIT: In other words, wouldn't the fix necessarily mean root would no longer have that highest tier of access? If that's true then there is no doubt at all that whatever "fix" is involved most definitely introduces an even higher tier of vulnerability. That would be retarded and anti-consumer.
        So let's say I'm your computer distributor (not even manufacturer). Let's say some 3 letter agency, or some less-than-savoury friends come and tell me to put this in your Ryzens. I just boot a USB to "root" because BIOS is unlocked and all that and put my own PSP firmware in. Then proceed to do whatever else as usual and give you the machine (possibly without an OS).

        You're now hosed without a way to know it whatsoever. I can't understand why all the AMD fanboys refuse to see this gaping hole for what it is.

        The "root required" is completely irrelevant.



        • #14
          Originally posted by Almindor
          You're now hosed without a way to know it whatsoever. I can't understand why all the AMD fanboys refuse to see this gaping hole for what it is.
          I don't think the issue is that there is a vulnerability that has to be patched, but instead with the way this whole thing was reported, and the fact that it seems to want to paint AMD in the worst possible light. IOW, it was a hit-job.

          Also, I can understand why all the Intel fanboys want to blow this out of proportion; so that everyone will stop looking at the gaping holes in current Intel CPUs (Spectre and Meltdown). See, I can turn this into an AMD vs. Intel fanboy argument too.



          • #15
            Originally posted by Almindor

            So let's say I'm your computer distributor (not even manufacturer). Let's say some 3 letter agency, or some less-than-savoury friends come and tell me to put this in your Ryzens. I just boot a USB to "root" because BIOS is unlocked and all that and put my own PSP firmware in. Then proceed to do whatever else as usual and give you the machine (possibly without an OS).

            You're now hosed without a way to know it whatsoever. I can't understand why all the AMD fanboys refuse to see this gaping hole for what it is.

            The "root required" is completely irrelevant.
            Your scenario can happen with or without these "vulnerabilities", and no matter what the CPU vendor is. If one of the three-letter agencies wants to bug a machine, they'll bug a machine, plain and simple.



            • #16
              Originally posted by Almindor

              So let's say I'm your computer distributor (not even manufacturer). Let's say some 3 letter agency, or some less-than-savoury friends come and tell me to put this in your Ryzens. I just boot a USB to "root" because BIOS is unlocked and all that and put my own PSP firmware in. Then proceed to do whatever else as usual and give you the machine (possibly without an OS).

              You're now hosed without a way to know it whatsoever. I can't understand why all the AMD fanboys refuse to see this gaping hole for what it is.

              The "root required" is completely irrelevant.
              It's absolutely relevant. The fact is -anyone- can boot -any- LiveUSB to -any- computer -anyway-. Period. That's kinda the whole point of LiveUSBs, so that users -can- get that highest tier of access. It's not a security hole if it's a root user. Now if that root user wants to rip off his customers then he can, but it's his own damn fault and he can do it with or without this.
              Last edited by duby229; 21 March 2018, 12:42 PM.



              • #17
                Originally posted by rene
                maybe all CPU vendors should simply stop putting remote access functionality in their CPU enablement stack?
                Then they will lose market share to the other CPU vendor who still puts in remote access functionality. This is not added by Intel and AMD in order to be evil, they put it there because it's a wanted feature by big corporate IT departments so that they can more easily administrate the entire company's computers.

                Originally posted by shmerl
                Can they actually provide open firmware for PSP, or at least a way to completely disable it?
                I don't think that we will see these features disabled in the near future. For one it's a highly sought after feature by a large portion of Intel's and AMD's large customers. And secondly these subsystems handle various things that are needed (boot, setup of various motherboard and CPU systems and so on) so they cannot be selectively disabled either, i.e. they are built in so hard that they are needed in order to use the CPU at all.
                Last edited by F.Ultra; 21 March 2018, 01:00 PM.



                • #18
                  Enterprises don’t give a crap about security related firmware updates. They only care about “drama queen” cases like Adobe, Windows, Java. They don’t even update their network edge devices, VPNs, which is pretty dangerous. D-Link even got sued by the FTC for their devil-may-care attitude towards updates.



                  • #19
                    Originally posted by F.Ultra
                    Then they will lose market share to the other CPU vendor who still puts in remote access functionality. This is not added by Intel and AMD in order to be evil, they put it there because it's a wanted feature by big corporate IT departments so that they can more easily administrate the entire company's computers.
                    Easy solution: sell these big corporate IT departments something different from what you sell to the regular public.



                    • #20
                      Originally posted by TemplarGR
                      What is the point? According to this scummy "amdflaws" site, most of the exploits need modifying the firmware anyway... LOL.
                      There were some legit vulnerabilities though, not anywhere near as bad as they made it look like, but it makes sense to publish updated firmwares for that.

