AMD IS FUCKED AS WELL

AMD IS FUCKED AS WELL
AMD PSP Affected By Remote Code Execution Vulnerability

While all eyes have been on Intel this week with the Spectre and Meltdown vulnerabilities, a disclosure was publicly made this week surrounding AMD's PSP Secure Processor in an unrelated security bulletin.

AMD's Secure Processor / Platform Security Processor (PSP) that is akin to Intel's Management Engine (ME) is reportedly vulnerable to remote code execution.

A member of Google's Cloud Security Team discovered through static analysis that a function in PSP's firmware TPM code is vulnerable to a stack-based overflow due to missing bounds checks. Submitting a specially-crafted certificate to the fTPM trustlet code can lead to an overflow and then full control on the program counter.

Google reported this issue to the AMD Security Team in September and then in December began rolling out a software fix. Following the 90-day disclosure process, the information was made public here.

phoronix.com/scan.php?page=news_item&px=AMD-PSP-2018-Vulnerability

Other urls found in this thread:

boards.4chan.org/g/thread/64192385
support.amd.com/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf
support.amd.com/en-us/search/tech-docs
phoronix.com/scan.php?page=news_item&px=Linux-4.15-AMD-Mega
twitter.com/NSFWRedditGif

Fucking trustlets when will they learn

>Google reported this issue to the AMD Security Team in September and then in December began rolling out a software fix
itsfuckingnothing.tiff

And I continue regretting my FX purchase less and less every day. All I get hit with is Specter.

It's already taken care of.

does this mean a specially crafted certificate could nuke the PSP all together? maybe it's best not to patch it.

It depends on how botnet the PSP is. If it controls power management and ACPI calls like intel's ME does then no you can't just nuke it and be safe. Another problem with just deleting it would be that a virus could still write to the memory it was located in and hide in that section. So even if it isn't as botnet as the (((ME))) it still is a fucking botnet due to being R/W'able to begin with.

PSP is practically optional. OEMs even have the option to allow the user to disable it in upcoming releases.

Yup. And yes, I'm running Chrome. Sue me.

...

the fact that's it's on there at all and YOU CANT USE IT, is concerning.

Atleast with Intel ME you could use it if you really felt like it. With PSP it's totally locked off. I haven't seen one piece of information on anyone who actually uses it, or how to use it if I wanted to.

Actually purchased it because it was cheap. And Chrome is relatively easy to uninstall when a browser that isn't shit is available.

...

I hope your atleast running chromium and not literally chrome.

Do you even fucking install gentoo? No you don't. Get out pleb.

Like I said, when a non shit browser is available

Nope. 100% pure unadulterated Chrome.

It's just meant to implement the actual security shit that's in the ME, nothing more; you use it, it's just not in a way you can perceive.

Define "non-shit". If you are going for the autistically perfect and bug free browser that is perfectly secure, it could never exist because of how CSS, IPV4/6, SSL, and HTTP are structured. If by non-shit you mean fast, then palemoon is much faster then chrome you faggot, go check the benchmarks out via jewgle. If by non-shit you mean more customizable, then palemoon and icecat have firefox's old repository of addons and plugins like flash and java. Icecat even supports new addons that webkit uses.

In real world terms, at least on my machine, Chrome renders a shit ton faster and less buggy than pale meme. And as far as IceCat, if I wanted faggotfox I'd just run that.

chromium is flat out faster than pozfox or any of it's forks, even with it's (((quantum))) poz injection with rust, it's still 30% slower.

Is this a joke? palemoon was forked before the pozzfest as to save the codebase from the cancerous pajeets. Palemoon forked in like 2009 and icecat has patchsets that do use the current code. But icecat removes a bunch of cancer. Have you even tried palemoon recently? I haven't used mainline firefucks since like 2009 actually. The forks are way better. I remember trying chromium in like 2013 but it was shit on my proccessor using like 13% of it to load a page but with a firefox fork I use like less then 1%. If you don't use windows then the opengl rendering engine is faster then chrome/chromium or mainline firecucks. If you do use windows then go >>>/back/ .

Math Libbie is a NIGGER!

AMD's PSP is similar to IME. That's the key word: similar. They're not the same thing.
One of the key differences is that PSP does not have Internet connectivity and, in fact, relies on software installed on the OS for such things. In other words, vulnerabilities like these are not as bad or important as the ones in Intel CPUs.

boards.4chan.org/g/thread/64192385

I hope we'll see coreboot for Ryzen chipsets one day, and have more insight into the PSP.
If that's true I'd still be more content if you could strip it from the flash like with me_cleaner

You won't, newer UEFIs are tivoized. And the PSP is on the actual processor and not on the BIOS chip like the ME so you can't just dump and write to it with your meme pi.

Nouveau is shit, and you can actually play games with proprietary drivers.

You can play even more of them and with less bugs and better performance on Windows. I will never understand you retards, it's like *NIX is a fashion statement to your ilk.

Nouveau is shit with new cards*

My 780 doesn't perform as well as the blob, granted, but it is quite usable.

Suddenly I have the world's most secure computer.

Belongs in the news cyclical fam.

based GTX780 brother, i'll ride this rig until it dies

Trustlets, manlets, niglets.

They are all a liability.

That's horrifying. I don't even know what to hope for to escape the botnet from now on.

Rust could have prevented that.

Either for VIA to make x86 CPUs again that are not botnet or switch to a more free architecture. POWER and RISCV, especially the specific implementations TALOS II (will probably ship this month) and EOMA68 (in planning) respectively, are the most promising.

This is why I like C(++) more, it keeps the botnet vulnerable.

Tech beginner and student here.
I have no clew of why these are bad because of how they are structured, could you please care to educated me ?

OP is a fag.

It's the TPM. You'd use it for Bitlocker, or for DRM routines in Windows. Needless to say this makes it effectively dead silicon for Holla Forumsies.

support.amd.com/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf

Did you RTFM?

FX-8770 HD-6950 combo, reporting. Who poorfag here?

i wouldn't upgrade from that even if i had the money

you can just disable PSP in the BIOS and in the Device Manager

Well fuck me lads, this user figured it all out, looks like the NSA is foiled again!

:^)

latest BIOS updates with AGESA upgrade(1.0.0.6b? i think) should allow it

should be "BIOS PSP Support - Disabled" in the bios after the update

it's only "disabled" until someone discovers it doesn't actually disable it.

...

it probably disables it for the user, but not entirely

at least AMD gives you a choice even if partial

You are genius, this will change world! Will you be doing talk at CCC?

...

just compile it fag

They may be gay leftist, but they still don't want aids even while taking the poz from the big systemd.

Feeling pretty vindicated upgrading to an FX-8320e last year.

Convenient timing, set to release just as Meltdown was being disclosed. Google probably had the vuln for months and were paid off by Intel to release it to take the heat off in the wake of Meltdown.

How could this be true? It's literally Google for crying outloud.
inb4 it's because everyone has macbooks :^)

what about laptop FX-9800p? i'm considering a dell 5576 with rx460?

Newer than 2012, so it has UEFI + PSP.

Gaymd lmao

...

what the fuck? where did you find this? what page links to this?

Have you never used a website before?

support.amd.com/en-us/search/tech-docs

apparently not this website. i didn't know this section was even there. this still doesn't say a damn thing about the PSP though. It just describes some interrupts.

FX 8350, R9 390 reportan in for duty.
>mfw it got faster over time due to excellent driver support on Windows

...

My R9 390 has never, I mean never, worked under Linux.

Install 4.15

Really? I get to rip out my GTX 770? I might break the 390 if it doesn't work tbh

Michael "FAS" Larabel has covered this event in more detail that anybody sane cares to read. This is the jist, go further at your own peril.

phoronix.com/scan.php?page=news_item&px=Linux-4.15-AMD-Mega

This isn't remotely surprising. They probably have all kinds of side channel issues just like Intel as well because of meme prediction and caching. The only sane reason to buy AMD was because you need a machine to run shitware such as Windows inside a Faraday cage and you don't want to give money to the bigger company (Intel).