posted by martyb on Friday June 07 2019, @01:22PM   Printer-friendly
from the whose-computer-is-it-anyway? dept.

AMD Secure Technology PSP Firmware Now Explorable, Thanks to Researcher's Tool

A security researcher this week released PSPTool, a software tool that "aims to lower the entry barrier for looking into the code running" on the AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, and other AMD subsystems. The PSP serves functions similar to those of Intel's Management Engine (ME) processor, and, just like the Intel ME, the secretive and undocumented nature of the chip worries security and privacy advocates.

The researcher going by the online name of cwerling described the PSPTool as a "Swiss Army knife" for dealing with the AMD PSP's firmware. The tool is based on reverse-engineering efforts of AMD's proprietary file system that the company uses to pack firmware blobs into UEFI firmware images.

Usually, firmware blobs can be parsed by another software program called UEFITool. In this case, however, AMD's firmware files are located in padding volumes that UEFITool cannot parse. This is the reason for PSPTool, which can locate the PSP firmware within UEFI images and parse it. Through this tool, more researchers can look into what their local PSP chip is doing to their computers, as its actions are normally hidden from the operating system and the main processor.
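As an added illustration of the task the article describes (finding a PSP directory inside a region of a firmware image that a generic UEFI parser treats as padding, and listing the blobs it points to), here is a small Python scanner. It is example code written for this page, not PSPTool's code; the "$PSP" cookie and the simplified 16-byte header and entry layout are assumptions made for the example, and the image it scans is constructed inline rather than taken from real hardware.

```python
"""Locate and inventory PSP-style directory tables inside a firmware image.

Example code, not PSPTool's own. Assumed layout (simplified for illustration):
  directory header: cookie "$PSP", 32-bit checksum, 32-bit entry count, 32-bit reserved
  directory entry : 8-bit type, 8-bit subprogram, 16-bit reserved, 32-bit size, 64-bit address
Addresses are treated as plain offsets into the image.
"""
import hashlib
import struct
from typing import Dict, Iterator, List, Optional

PSP_COOKIE = b"$PSP"
HEADER_FMT = "<4sIII"      # cookie, checksum, number of entries, reserved
ENTRY_FMT = "<BBHIQ"       # type, subprogram, reserved, size, address
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 16 bytes
MAX_ENTRIES = 64           # sanity bound: a stray cookie match in padding has no plausible count


def blob_digest(data: bytes) -> str:
    """SHA-256 of a blob, used to compare firmware components across images."""
    return hashlib.sha256(data).hexdigest()


def find_directories(image: bytes) -> Iterator[int]:
    """Yield every offset at which the directory cookie occurs (candidates only)."""
    pos = image.find(PSP_COOKIE)
    while pos != -1:
        yield pos
        pos = image.find(PSP_COOKIE, pos + 1)


def parse_directory(image: bytes, dir_off: int) -> Optional[List[Dict]]:
    """Parse one directory; return None when the candidate is not a plausible table."""
    if dir_off + HEADER_LEN > len(image):
        return None
    _cookie, _checksum, count, _reserved = struct.unpack_from(HEADER_FMT, image, dir_off)
    if count == 0 or count > MAX_ENTRIES:
        return None                                   # reject false-positive cookie matches
    if dir_off + HEADER_LEN + count * ENTRY_LEN > len(image):
        return None                                   # table would run past the image
    entries = []
    off = dir_off + HEADER_LEN
    for _ in range(count):
        etype, subprog, _rsvd, size, addr = struct.unpack_from(ENTRY_FMT, image, off)
        off += ENTRY_LEN
        in_bounds = addr + size <= len(image)         # flag entries pointing outside the image
        blob = image[addr:addr + size] if in_bounds else b""
        entries.append({
            "type": etype,
            "subprogram": subprog,
            "offset": addr,
            "size": size,
            "in_bounds": in_bounds,
            "sha256": blob_digest(blob) if in_bounds else None,
        })
    return entries


def inventory(image: bytes) -> Dict[int, List[Dict]]:
    """Map each plausible directory offset to its parsed entries."""
    result = {}
    for dir_off in find_directories(image):
        entries = parse_directory(image, dir_off)
        if entries is not None:
            result[dir_off] = entries
    return result


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: 0xFF padding, one directory, two blobs, one dangling entry."""
    img = bytearray(b"\xff" * 0x1000)
    blob_a = b"A" * 0x80
    blob_b = b"B" * 0x40
    img[0x400:0x400 + len(blob_a)] = blob_a
    img[0x600:0x600 + len(blob_b)] = blob_b
    entries = [
        (0x01, 0, 0, len(blob_a), 0x400),
        (0x08, 0, 0, len(blob_b), 0x600),
        (0x02, 0, 0, 0x100, 0x2000),   # deliberately points past the end of the image
    ]
    table = struct.pack(HEADER_FMT, PSP_COOKIE, 0, len(entries), 0)
    table += b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    img[0x200:0x200 + len(table)] = table
    img[0x900:0x904] = PSP_COOKIE      # stray cookie in padding; its "count" is 0xFFFFFFFF
    return bytes(img)


if __name__ == "__main__":
    for dir_off, entries in inventory(build_sample_image()).items():
        print(f"directory at 0x{dir_off:x}")
        for e in entries:
            print(f"  type 0x{e['type']:02x} offset 0x{e['offset']:x} size 0x{e['size']:x} "
                  f"in_bounds={e['in_bounds']} sha256={e['sha256']}")
```

The hashes in the inventory are the useful output for a defender: recording them for each blob lets you diff a vendor's UEFI update against the previous release, or against the image actually read back from a machine's flash, and notice when a PSP component changed without any mention in the release notes.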

Previously: AMD to Consider Coreboot/Libreboot Support
AMD Confirms its Platform Security Processor Code will Remain Closed-Source

Related: Intel Management Engine Partially Defeated
EFF: Intel's Management Engine is a Security Hazard
Disabling Intel ME 11 Via Undocumented Mode
Intel Management Engine Critical Firmware Update
HP Chip Protects Intel's Management Engine


Original Submission

Related Stories

Intel Management Engine Partially Defeated 39 comments

In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:

Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.

Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.

Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.

Looks like I may not have to go ARM on my next desktop build after all.


AMD to Consider Coreboot/Libreboot Support 16 comments

Reddit reports:

In AMD's AMA here, they say they will seriously consider releasing their Platform Security Processor (PSP) source code. This is their equivalent of the Intel Management Engine and would make AMD processors compatible with coreboot/libreboot.

This would be massive. It would make it possible to have a truly open-source machine, with all the security and privacy benefits that entails. At the moment secure boot relies primarily on aging Intel processors from nearly a decade ago.

In 2011, AMD began supporting coreboot, but stopped in 2013 and introduced the PSP. Why? Because they didn't think it was economically worthwhile.

Don't let that happen again! Let's tell AMD there is demand for this. Get into that thread and comment. And – more importantly – message them! If you're reading this after the AMA has ended, contact them anyway!

AMD's Twitter

AMD's Forums

AMD's contact page (You can find details on AMD in your country)

You can also reach them on Facebook.


EFF: Intel's Management Engine is a Security Hazard 50 comments

Submitted via IRC for TheMightyBuzzard

Since 2008, most of Intel's chipsets have contained a tiny homunculus computer called the "Management Engine" (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

[...] EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

It's a crying shame that what the EFF says doesn't hold a whole lot of weight.

Source: The Electronic Frontier Foundation


AMD Confirms its Platform Security Processor Code will Remain Closed-Source 35 comments

Submitted via IRC for TheMightyBuzzard

Since the launch of AMD Ryzen, a small piece of hardware that handles basic memory initialization as well as many security functions has been the center of some controversy. Called the Platform Security Processor (the "PSP" for short), it is essentially an ARM core with complete access to the entire system. Its actions can be considered "above root" level and are for the most part invisible to the OS. It is similar in this regard to Intel's Management Engine, but is in some ways even more powerful.

Why is this a bad thing? Well, let's play a theoretical. What happens if a bug is discovered in the PSP, and malware takes control of it? How would you remove it? (Answer: you couldn't.) How would you know you needed to remove it? (Answer: unless it made itself obvious, you also wouldn't.) This scenario is obviously not a good one, and is a concern for many who asked AMD to open-source the PSP's code for general community auditing.

Bit late to the reporting but we haven't covered it yet, so here it is. And I was so looking forward to a new desktop too. Guess this one will have to stay alive until ARM becomes a viable replacement.

Source: https://www.techpowerup.com/235313/amd-confirms-its-platform-security-processor-code-will-remain-closed-source

Previous:
The Intel Management Engine, and How it Stops Screenshots
Intel x86 Considered Harmful
Of Intel's Hardware Rootkit
Intel Management Engine Partially Defeated
EFF: Intel's Management Engine is a Security Hazard
Malware uses Intel AMT feature to steal data, avoid firewalls


Disabling Intel ME 11 Via Undocumented Mode 53 comments

Positive Technologies has posted an interesting article about disabling the Intel Management Engine 11 via an undocumented mode.

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

[...] Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.

[...] Unfortunately, analysis of Intel ME 11 was previously impossible because the executable modules are compressed by Huffman codes with unknown tables. Nonetheless, our research team (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) managed to recover these tables and created a utility for unpacking images. The utility is available on our GitHub page.

Hey, the government isn't the only one who wants "high assurance" for their computers. We trolls and average peons would like to think our systems are secure as well.

But it gets better.

Intel Management Engine Critical Firmware Update 57 comments

It's time to update your Management Engine:

Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms are vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.

The company has posted a detection tool on its support website for Windows and Linux to help identify systems that are vulnerable. In the security alert, members of Intel's security team stated that "in response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience."

Intel® Management Engine Critical Firmware Update (Intel SA-00086)

HP Chip Protects Intel's Management Engine 25 comments

HP's Endpoint Security Controller: More Details About A New Chip in HP Notebooks

One of HP's key announcements this spring was its revamped security initiative for PCs that includes hardware, software, and deep learning-based approaches. The software and DL parts of the things were discussed earlier this month, but the hardware-based Endpoint Security Controller remained more or less a mystery. This is why we asked HP to talk about it in more detail.

When it was announced, the company said that the HP Endpoint Security Controller is indeed a separate piece of silicon that sits inside HP's PCs and performs certain security-based tasks. The ESC features a general-purpose processor core, HP's custom hardware IP blocks, and embedded software. What is interesting is that HP has been installing the controller into its laptops since the EliteBook 800 G1 series launched in 2013, but has been very secretive about it until recently.

Initially, HP used the Endpoint Security Controller only for its Sure Start technology that can 'heal'/recover the system BIOS. Fast forward to 2019, and the controller has gained capabilities. HP now uses it to protect Intel's Management Engine, and to enable its Sure Run and Sure Recover capabilities.

Would you rather purchase a Huawei or HP laptop?

[We have covered the Intel Management Engine many times before. --Ed]

  • (Score: 2, Informative) by Anonymous Coward on Friday June 07 2019, @01:27PM (9 children)

    by Anonymous Coward on Friday June 07 2019, @01:27PM (#852669)

    So you're free to peek into AMD's black heart.

    • (Score: 0) by Anonymous Coward on Friday June 07 2019, @02:05PM (2 children)

      by Anonymous Coward on Friday June 07 2019, @02:05PM (#852680)

      kuro kokoro is always free...

      • (Score: 0) by Anonymous Coward on Friday June 07 2019, @02:39PM (1 child)

        by Anonymous Coward on Friday June 07 2019, @02:39PM (#852700)

        黒心 should actually read 'kurogokoro', since Japanese compound words like that almost always tend to soften k's to g's (i.e. ko/こ becomes go/ご). It could alternately be read as 'kokushin' if you used the on-yomi.

        • (Score: 0) by Anonymous Coward on Friday June 07 2019, @04:56PM

          by Anonymous Coward on Friday June 07 2019, @04:56PM (#852762)

          Or kuroi kokoro, using the adjective form.

    • (Score: 3, Insightful) by Anonymous Coward on Friday June 07 2019, @07:06PM (5 children)

      by Anonymous Coward on Friday June 07 2019, @07:06PM (#852801)

      Ah, BSD/MIT style licenses, supposed so much moar free. Very libertarian licenses granting "maximum freedom." With BSD/MIT, somebody can take all your code, modify it slightly to be incompatible, refuse to release their changes, and use market dominance to crush you. Thus, a BSD/MIT licensed software becomes effectively closed-source, because the open source version that nobody uses is incompatible, and your time working on it went totally uncompensated in either a capitalist or socialist sense.

      It should not be too hard to see why a nice, socialist license is better, comrade. Tar up your source code and throw another file into your installer. Sooooo hard! Call the waaaaaaaambulance!

      • (Score: 2, Disagree) by epitaxial on Friday June 07 2019, @07:14PM (4 children)

        by epitaxial (3165) on Friday June 07 2019, @07:14PM (#852806)

        How can you be crushed when you are releasing free code? You aren't pushing a product or anything. You're about as crazy as RMS having webpages emailed to him because no browser was "free enough".

        • (Score: 5, Insightful) by pTamok on Friday June 07 2019, @08:37PM (1 child)

          by pTamok (3042) on Friday June 07 2019, @08:37PM (#852833)

          RMS is not crazy. He is often (but not always) extremely prescient, and as far as software is concerned, lives by his (strong) principles.

          He has a disadvantage of having a negative persona. People who abide by high principles in an area of endeavour often come across as unfeeling, because their refusal to compromise is perceived negatively. RMS's principled stand on software freedom has provided wonderful resources for many people to use and share.

          • (Score: 1, Interesting) by Anonymous Coward on Tuesday June 11 2019, @09:33AM

            by Anonymous Coward on Tuesday June 11 2019, @09:33AM (#854136)

            I've learned this being a strongly principled person about privacy. And how little other people respect yours.

            It's extremely ironic when you start 'invading their privacy', by say telling others what they said to you in confidence, or what activities you saw them doing in public they might not want their current clique knowing about. The arms race to give up privacy needs to stop, because everyone has something they'd rather not have others know, whether for embarrassment reasons or for their health, safety, and wellbeing in an unforgiving world.

        • (Score: 1, Informative) by Anonymous Coward on Friday June 07 2019, @11:06PM

          by Anonymous Coward on Friday June 07 2019, @11:06PM (#852878)

          Quite a few companies release GPL code. Exactly for the reason GP states. Many of them dual license with a proprietary license so they receive revenue / maintain control in case users of the software want to incorporate it into a proprietary product.

        • (Score: 0) by Anonymous Coward on Saturday June 08 2019, @09:03PM

          by Anonymous Coward on Saturday June 08 2019, @09:03PM (#853239)

          Just because it is Free doesn't mean it's free.

  • (Score: 0) by Anonymous Coward on Saturday June 08 2019, @09:06PM

    by Anonymous Coward on Saturday June 08 2019, @09:06PM (#853241)

    maybe initiatives like this will encourage the windows-using suits at AMD to quit being such condescending morons and Free the source code of the PSP (platform slaveware processor).
