AMD IS FUCKED AS WELL AMD PSP Affected By Remote Code Execution Vulnerability
While all eyes have been on Intel this week with the Spectre and Meltdown vulnerabilities, a disclosure was publicly made this week surrounding AMD's PSP Secure Processor in an unrelated security bulletin.
AMD's Secure Processor / Platform Security Processor (PSP) that is akin to Intel's Management Engine (ME) is reportedly vulnerable to remote code execution.
A member of Google's Cloud Security Team discovered through static analysis that a function in PSP's firmware TPM code is vulnerable to a stack-based overflow due to missing bounds checks. Submitting a specially-crafted certificate to the fTPM trustlet code can lead to an overflow and then full control on the program counter.
Google reported this issue to the AMD Security Team in September and then in December began rolling out a software fix. Following the 90-day disclosure process, the information was made public here.
>Google reported this issue to the AMD Security Team in September and then in December began rolling out a software fix itsfuckingnothing.tiff
Grayson Lee
And I continue regretting my FX purchase less and less every day. All I get hit with is Specter.
Caleb Mitchell
It's already taken care of.
Joseph Ward
does this mean a specially crafted certificate could nuke the PSP all together? maybe it's best not to patch it.
Isaac Wood
It depends on how botnet the PSP is. If it controls power management and ACPI calls like intel's ME does then no you can't just nuke it and be safe. Another problem with just deleting it would be that a virus could still write to the memory it was located in and hide in that section. So even if it isn't as botnet as the (((ME))) it still is a fucking botnet due to being R/W'able to begin with.
Gavin Gutierrez
PSP is practically optional. OEMs even have the option to allow the user to disable it in upcoming releases.
Nolan Cooper
Yup. And yes, I'm running Chrome. Sue me.
Josiah Clark
...
Tyler Fisher
the fact that's it's on there at all and YOU CANT USE IT, is concerning.
Atleast with Intel ME you could use it if you really felt like it. With PSP it's totally locked off. I haven't seen one piece of information on anyone who actually uses it, or how to use it if I wanted to.
Charles Perry
Actually purchased it because it was cheap. And Chrome is relatively easy to uninstall when a browser that isn't shit is available.
Jack Sanders
...
Camden Jackson
I hope your atleast running chromium and not literally chrome.
Ayden Campbell
Do you even fucking install gentoo? No you don't. Get out pleb.
Josiah Brown
Like I said, when a non shit browser is available
Nope. 100% pure unadulterated Chrome.
Jayden Brooks
It's just meant to implement the actual security shit that's in the ME, nothing more; you use it, it's just not in a way you can perceive.
David Howard
Define "non-shit". If you are going for the autistically perfect and bug free browser that is perfectly secure, it could never exist because of how CSS, IPV4/6, SSL, and HTTP are structured. If by non-shit you mean fast, then palemoon is much faster then chrome you faggot, go check the benchmarks out via jewgle. If by non-shit you mean more customizable, then palemoon and icecat have firefox's old repository of addons and plugins like flash and java. Icecat even supports new addons that webkit uses.
Luis King
In real world terms, at least on my machine, Chrome renders a shit ton faster and less buggy than pale meme. And as far as IceCat, if I wanted faggotfox I'd just run that.
William Lopez
chromium is flat out faster than pozfox or any of it's forks, even with it's (((quantum))) poz injection with rust, it's still 30% slower.
Julian Brown
Is this a joke? palemoon was forked before the pozzfest as to save the codebase from the cancerous pajeets. Palemoon forked in like 2009 and icecat has patchsets that do use the current code. But icecat removes a bunch of cancer. Have you even tried palemoon recently? I haven't used mainline firefucks since like 2009 actually. The forks are way better. I remember trying chromium in like 2013 but it was shit on my proccessor using like 13% of it to load a page but with a firefox fork I use like less then 1%. If you don't use windows then the opengl rendering engine is faster then chrome/chromium or mainline firecucks. If you do use windows then go >>>/back/ .
Colton Campbell
Math Libbie is a NIGGER!
Luis Scott
AMD's PSP is similar to IME. That's the key word: similar. They're not the same thing. One of the key differences is that PSP does not have Internet connectivity and, in fact, relies on software installed on the OS for such things. In other words, vulnerabilities like these are not as bad or important as the ones in Intel CPUs.
I hope we'll see coreboot for Ryzen chipsets one day, and have more insight into the PSP. If that's true I'd still be more content if you could strip it from the flash like with me_cleaner
Joseph Smith
You won't, newer UEFIs are tivoized. And the PSP is on the actual processor and not on the BIOS chip like the ME so you can't just dump and write to it with your meme pi.
Christopher Jenkins
Nouveau is shit, and you can actually play games with proprietary drivers.
Logan Mitchell
You can play even more of them and with less bugs and better performance on Windows. I will never understand you retards, it's like *NIX is a fashion statement to your ilk.
Christian Lee
Nouveau is shit with new cards*
My 780 doesn't perform as well as the blob, granted, but it is quite usable.
Matthew Moore
Suddenly I have the world's most secure computer.
Christopher Lee
Belongs in the news cyclical fam.
Bentley Nelson
based GTX780 brother, i'll ride this rig until it dies
Angel Fisher
Trustlets, manlets, niglets.
They are all a liability.
Luke Morgan
That's horrifying. I don't even know what to hope for to escape the botnet from now on.
Carter Sanders
Rust could have prevented that.
Brayden Powell
Either for VIA to make x86 CPUs again that are not botnet or switch to a more free architecture. POWER and RISCV, especially the specific implementations TALOS II (will probably ship this month) and EOMA68 (in planning) respectively, are the most promising.
Jacob Myers
This is why I like C(++) more, it keeps the botnet vulnerable.
Juan Bell
Tech beginner and student here. I have no clew of why these are bad because of how they are structured, could you please care to educated me ?
Ryder Stewart
OP is a fag.
It's the TPM. You'd use it for Bitlocker, or for DRM routines in Windows. Needless to say this makes it effectively dead silicon for Holla Forumsies.
FX-8770 HD-6950 combo, reporting. Who poorfag here?
Jonathan Young
i wouldn't upgrade from that even if i had the money
Brayden Hill
you can just disable PSP in the BIOS and in the Device Manager
Bentley Clark
Well fuck me lads, this user figured it all out, looks like the NSA is foiled again!
:^)
Jack Cooper
latest BIOS updates with AGESA upgrade(1.0.0.6b? i think) should allow it
Oliver Johnson
should be "BIOS PSP Support - Disabled" in the bios after the update
Thomas Powell
it's only "disabled" until someone discovers it doesn't actually disable it.
Sebastian Jones
...
Leo Thomas
it probably disables it for the user, but not entirely
Christopher Evans
at least AMD gives you a choice even if partial
Jonathan Wright
You are genius, this will change world! Will you be doing talk at CCC?
Isaiah Cook
...
Justin Butler
just compile it fag
Ayden Scott
They may be gay leftist, but they still don't want aids even while taking the poz from the big systemd.
Noah Cooper
Feeling pretty vindicated upgrading to an FX-8320e last year.
Lucas Thomas
Convenient timing, set to release just as Meltdown was being disclosed. Google probably had the vuln for months and were paid off by Intel to release it to take the heat off in the wake of Meltdown.
Kevin Ortiz
How could this be true? It's literally Google for crying outloud. inb4 it's because everyone has macbooks :^)
Gabriel Phillips
what about laptop FX-9800p? i'm considering a dell 5576 with rx460?
Hunter Cox
Newer than 2012, so it has UEFI + PSP.
Luke Diaz
Gaymd lmao
Eli Reyes
...
Samuel Cruz
what the fuck? where did you find this? what page links to this?
apparently not this website. i didn't know this section was even there. this still doesn't say a damn thing about the PSP though. It just describes some interrupts.
Alexander Sullivan
FX 8350, R9 390 reportan in for duty. >mfw it got faster over time due to excellent driver support on Windows
Austin Rogers
...
Christopher Russell
My R9 390 has never, I mean never, worked under Linux.
Alexander Turner
Install 4.15
Gavin Lewis
Really? I get to rip out my GTX 770? I might break the 390 if it doesn't work tbh
Jacob Davis
Michael "FAS" Larabel has covered this event in more detail that anybody sane cares to read. This is the jist, go further at your own peril.
This isn't remotely surprising. They probably have all kinds of side channel issues just like Intel as well because of meme prediction and caching. The only sane reason to buy AMD was because you need a machine to run shitware such as Windows inside a Faraday cage and you don't want to give money to the bigger company (Intel).
Kayden Jenkins
did you enable the required kernel parameters for radeon/amdgpu sea islands support?