
Reversing the AMD Secure Processor (PSP) – Part 2: Cryptographic Co-Processor

112 points| vngzs | 1 year ago |dayzerosec.com

30 comments


dtx1|1 year ago

I never understood why AMD is not at least making the source of these available. I would actually really like a secure cryptographic processor that's been extensively vetted and trustworthy.

DaSHacka|1 year ago

The common assumption is that their hands are tied on that matter.

shrubble|1 year ago

Many believe it was not added as a result of customer requirements, but that the government leaned on them to add it as a tool of surveillance.

mrweasel|1 year ago

How popular is AMD's PSP, or Intel's IME for that matter, in the real world? I've never seen either used at all.

bri3d|1 year ago

There are several functionalities provided by these systems:

* System Control Processing. This means that the PSP / ME handle early boot (bringup) and peripheral management, especially in low-power and sleep modes. So from a "popularity" standpoint, 100% of systems with these processors are using them for this reason alone.

* Firmware TPM (AMD fTPM / Intel PTT). This provides the Trusted Platform Module API using a Trusted Application running in the management engine, rather than a dedicated TPM chip. It's commonly used with Windows for BitLocker, especially on AMD platforms, and Linux users who like keeping their disks secure will use it as well. It's less vulnerable to bus snooping attacks, since on AMD it's embedded in the CPU package and on Intel nobody's reverse engineered the bus interface between the PCH and the CPU to see if key extraction is possible like it is for unencrypted standalone TPM. TPM also has other uses, like Secure Boot measurement attestation (hashes) and arbitrary key enrollment, which are of course also provided by fTPM when available. From a popularity standpoint this is used on 100% of modern AMD systems running Windows 11.

* Virtual Machine encryption/isolation (AMD SEV for example).

* Widevine L1 video DRM support on Chromebooks. I think it might also be used for PlayReady on Windows, but I'm less familiar with this system.

* Custom TrustApps. AMD PSP provides a standard GlobalPlatform / ARM TEE (Trusted Application Environment). I'm not aware of anyone besides Google (Chromebooks use it for trusted boot, SecureDebug validation, Widevine, etc.) actively using it in widespread deployment yet, but I'm sure someone is working on it. It has application basically anywhere Intel SGX was used, for example, for secure / segregated key management, data processing, etc. (Signal use SGX extensively for this).

* Remote management (Intel vPro). This is the thing that causes people to freak out about Intel ME. It's somewhat popular in enterprise beige-laptop deployments, although it's limited to network interfaces with driver support in the ME firmware (Intel Ethernet and WiFi). Arguably more bug-ridden and horrible external third-party management engines like iDRAC are still more popular in the datacenter.
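As an added example (not code from the linked article or from the commenter above), a small Python check for the fTPM-versus-discrete distinction raised in the firmware TPM bullet: it parses the manufacturer property printed by `tpm2_getcap properties-fixed` and reports whether the TPM is firmware-backed (AMD fTPM or Intel PTT) or a separate chip whose bus could be snooped. The sample outputs are constructed; "AMD " and "INTC" are the TCG-registered vendor IDs for AMD and Intel, and "IFX" stands in for a discrete Infineon part.

```python
"""Classify a TPM as firmware-backed or discrete from its fixed properties."""
import re

# TCG vendor IDs that identify a TPM implemented in platform firmware rather than
# on a separate chip. Keys never leave the CPU package / PCH on these.
FIRMWARE_TPM_VENDORS = {
    "AMD": "AMD fTPM (trusted application running on the PSP)",
    "INTC": "Intel PTT (runs inside the Management Engine)",
}

# Constructed samples in the YAML-style layout of `tpm2_getcap properties-fixed`.
SAMPLE_AMD_FTPM = """\
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_MANUFACTURER:
  raw: 0x414D4420
  value: "AMD"
"""

SAMPLE_DISCRETE = """\
TPM2_PT_MANUFACTURER:
  raw: 0x49465800
  value: "IFX"
"""


def manufacturer_id(getcap_output: str) -> str:
    """Return TPM_PT_MANUFACTURER as a stripped ASCII vendor string.

    The raw field is a 32-bit big-endian value holding four ASCII bytes,
    padded with spaces or NULs; both "TPM_PT_" and "TPM2_PT_" prefixes are accepted.
    """
    m = re.search(r"TPM2?_PT_MANUFACTURER:\s+raw:\s*0x([0-9A-Fa-f]{1,8})", getcap_output)
    if not m:
        raise ValueError("TPM_PT_MANUFACTURER not present in tpm2_getcap output")
    raw = int(m.group(1), 16).to_bytes(4, "big")
    return raw.decode("ascii", errors="replace").strip(" \x00")


def classify_tpm(getcap_output: str) -> tuple[str, str]:
    """Return ("firmware", description) or ("discrete", description)."""
    vendor = manufacturer_id(getcap_output)
    if vendor in FIRMWARE_TPM_VENDORS:
        return "firmware", FIRMWARE_TPM_VENDORS[vendor]
    return "discrete", f"vendor {vendor}: keys cross a physical bus to the CPU"


if __name__ == "__main__":
    for sample in (SAMPLE_AMD_FTPM, SAMPLE_DISCRETE):
        print(classify_tpm(sample))
```

On a real machine, pipe `tpm2_getcap properties-fixed` into `classify_tpm` instead of the constructed samples.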

cesarb|1 year ago

It's mentioned in part 1 of this post that the PSP is what actually boots the processor (among other things, it sets up the memory controller), so it's used in the real world every time you turn on your AMD-based computer.

transpute|1 year ago

In addition to system launch integrity, they are likely used by streaming video DRM, e.g. Netflix.

almostgotcaught|1 year ago

The PSP is on every single AMD SoC (probably going back 10 years now).

eqvinox|1 year ago

(genuine question, sorry -) is it just me or does anyone else have problems reading the text with the font the webpage uses? It kinda blurs away from "text" into kind of a grey block. I think it might be the very small vertical line to line spacing?

zote|1 year ago

It's the contrast! All the code blocks do not meet the WCAG standards for accessible text, especially the second one, which was the hardest one for me to read.

kdbg|1 year ago

Author of the site here (though not this specific post).

Any chance you could take a screenshot of what you're seeing? The other commenter mentioned the contrast of comments in code blocks, which I've already noted to fix.