AMD Posts Linux Patches For "Automatic IBRS" Feature New To Zen 4

  • AMD Posts Linux Patches For "Automatic IBRS" Feature New To Zen 4

    Phoronix: AMD Posts Linux Patches For "Automatic IBRS" Feature New To Zen 4

    A Friday patch series reveals a new security feature with Zen 4 previously not documented: Automatic IBRS...

    https://www.phoronix.com/news/AMD-Zen4-Automatic-IBRS

  • #2
    Well, this is all nice and shiny, when they do have (working and) performant spectre-style mitigations. But we do have all sorts of hardware improvements that are also targeted towards secure and safe computing, however, we still have the elephant in the room and that is a black box hidden deeply inside the CPU/APU/chipset which has complete control over your system, runs all the time (not just at early boot), that runs its own OS (TEE or that Minix derivative) ... however, it runs at ring -x and thus entirely transparent to the OS, the user... and nobody knows what this little black box with GOD-mode rights is doing all the time.

    So hello AMD, hello Lisa Su, remember that reddit AMA? Time to get back to this pesky PSP and kick it out or open it up.

    And for the record: No, I don't need digital restriction management for any so called "premium" netflix content. Thus I also do not require any of these components. I want to have _trustable_ computing, CPUs that _I_ can still trust. And not have the feeling that I am not being trusted.
    Stop TCPA, stupid software patents and corrupt politicians!



    • #3
      Originally posted by Adarion
      Well, this is all nice and shiny, when they do have (working and) performant spectre-style mitigations. But we do have all sorts of hardware improvements that are also targeted towards secure and safe computing, however, we still have the elephant in the room and that is a black box hidden deeply inside the CPU/APU/chipset which has complete control over your system, runs all the time (not just at early boot), that runs its own OS (TEE or that Minix derivative) ... however, it runs at ring -x and thus entirely transparent to the OS, the user... and nobody knows what this little black box with GOD-mode rights is doing all the time.

      So hello AMD, hello Lisa Su, remember that reddit AMA? Time to get back to this pesky PSP and kick it out or open it up.

      And for the record: No, I don't need digital restriction management for any so called "premium" netflix content. Thus I also do not require any of these components. I want to have _trustable_ computing, CPUs that _I_ can still trust. And not have the feeling that I am not being trusted.
      This goes well beyond IME/PSP. ANY part of the CPU and ANY part of the chipset could be made to have "secret" backdoor functions if the maker was so inclined. The danger of doing so would likely be complete loss of the vendor's (or the fab's) business if it was ever discovered and proven. Also, anything on the board that has read access to RAM would be a potential spot to hide, say, a search program to look for encryption keys. If it runs inside the CPU or any other chip's processor and in firmware (say the SATA or NVMe controller) it could be just as OS-transparent as if it were in the PSP. If it can be bus master it can even talk to the network any way the CPU could do so. This has been discussed before, on the subject of network cards/chips on the PCIe bus that could be vulnerable to outside attackers installing malicious firmware.

      Since I have never seen a court case against folks working at my level involving FBI or Secret Service use of an IME/PSP exploit against any faction, no matter how violent US politics has gotten, I figured over the years they either didn't have any IME/PSP backdoors or they were so valuable as to be reserved for things that could never be discussed in open court. Also, if this was so easy, why did those computers at the Chinese Embassy have to be diverted to an NSA custom shop for special firmware instead of being allowed to ship and dealt with over the network?

      That said, when something new and untrustable comes along, I wait years before using it, just in case something ever DOES turn out to be a game-changer. The original worry about Intel's IME came from its use to run out-of-band management firmware for corporate networks, with the risk of vPro being exploited. At that time anyway, that only worked with always-on, hard-wired networking through the onboard Ethernet port. It was and remains a great place to hide spyware, but nowhere near the only one.



      • #4
        Meanwhile, it's nice to see hardware vulnerabilities being fixed in hardware, where the maximum ability to preserve performance while corking the holes exists.
