
AMD Launches Ryzen PRO CPUs - robin_reala
http://www.anandtech.com/show/11591/amd-launches-ryzen-pro-cpus-enhanced-security-longer-warranty-better-quality
======
daxorid
It's absolutely astounding to me that anyone could claim, with a straight
face, that the PSP "enhances security".

The fact that one is not even offered the option of disabling the PSP (or the
ME for that matter) tells us everything we need to know about the true
purposes of these features.

~~~
illumin8
Isn't it somewhat like a fuse in an electric circuit?

Let's say, for example, that you had perfect overvoltage protection
implemented in firmware, and could disconnect the mains quickly enough to
prevent damage or a fire. But, the feature is implemented in firmware, which
can be modified, so a malicious individual could disable this protection and
expose you to risk of damage or fire.

By implementing an unmodifiable security feature (like a physical fuse), you
minimize the risk of a malicious individual bypassing the protection or
security control.

~~~
takeda
No, it doesn't work this way.

The CPU has various modes that are typically switched when booting. It could
allow control over it before the system boots without forgoing security.

Unless... that "security" is from the users that own it.

~~~
euyyn
From someone that doesn't know anything about this: Is it impossible for
malware to modify that boot code?

~~~
takeda
Yes, that's why things like UEFI were invented to secure the hardware.

Those things are not necessarily bad, the problem is with having control over
what your computer runs. It's about whether you decide that or a 3rd party
that you might not necessarily trust.

If things are modifiable before the machine boots, and can't be modified once
the system has booted, then malware should not be able to modify it.

------
thejosh
Still waiting for the Threadrippers, excited to see the benchmarks and if it
will be worth buying. Will be using it for mainly developing Elixir
applications, which use all cores.

------
sliken
Anyone heard performance numbers on the encrypted memory? Any change in
latency/bandwidth?

Would this help protect against malicious thumbdrives stealing keys out of
memory? Seems like encryption would disable all DMA.

~~~
laydn
Anyone know where the AES key is stored for the encrypted memory? Is it a
fixed, hardcoded key inside the processor, or does the user set it by some
means?

~~~
daxorid
Speculation here. Since the PSP is effectively leveraging TrustZone, I'm
guessing it's generated and stored inside the TrustZone itself. This article
states it's generated by a hardware RNG, so user control is unlikely.

One important factor missing from this article is the AES cipher mode being
used. Not sure how you'd be able to use an authenticated mode and maintain
random access, so maybe XTS or even ECB?

~~~
amluto
SGX does it, but it's quite complicated. SME is unauthenticated AFAIK.
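
The cipher-mode question raised above, and the note that SME is unauthenticated, as an added sketch that is not part of the thread. It assumes a Feistel stand-in cipher (not AES), an XEX-style address tweak, and constructed keys and data; it makes no claim about which mode AMD's hardware uses.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block, the same size as an AES block

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher below.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a stand-in 128-bit block cipher, NOT AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def _tweak(key: bytes, addr: int) -> bytes:
    # Per-block tweak derived from the block's physical address (XEX-style).
    return encrypt_block(key, addr.to_bytes(BLOCK, "little"))

def tweaked_encrypt(k1: bytes, k2: bytes, addr: int, pt: bytes) -> bytes:
    t = _tweak(k2, addr)
    return _xor(encrypt_block(k1, _xor(pt, t)), t)

def tweaked_decrypt(k1: bytes, k2: bytes, addr: int, ct: bytes) -> bytes:
    t = _tweak(k2, addr)
    return _xor(decrypt_block(k1, _xor(ct, t)), t)

def demo() -> dict:
    k1, k2 = b"constructed key1", b"constructed key2"  # constructed sample keys
    old = b"balance=00000100"                          # constructed 16-byte block
    a, b = 0x1000, 0x2000                              # two block addresses
    stale = tweaked_encrypt(k1, k2, a, old)            # ciphertext captured earlier
    return {
        # ECB: the address plays no part, so equal plaintext is visible as equal ciphertext.
        "ecb_leaks_equality": encrypt_block(k1, old) == encrypt_block(k1, old),
        "tweak_hides_equality": stale != tweaked_encrypt(k1, k2, b, old),
        # No integrity tag: stale ciphertext restored at its address decrypts cleanly.
        "replay_accepted": tweaked_decrypt(k1, k2, a, stale) == old,
        # Moved to a different address, the same ciphertext decrypts to garbage.
        "relocation_garbled": tweaked_decrypt(k1, k2, b, stale) != old,
    }
```

Random access is preserved because each 16-byte block is processed independently; detecting the replay case requires integrity metadata stored alongside memory.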

------
trengrj
I wonder how Ryzen CPUs will fare in laptops especially around Linux
compatibility.

~~~
d33
Could you elaborate? TBH I don't know much about incompatibilities CPUs can
cause in Linux world.

~~~
nailer
> TBH I don't know much about incompatibilities CPUs can cause in Linux world.

I remember one, a long time ago. This is from memory so it might not be 100%
correct but the main details are true, and it's an interesting story:

CPUs have identifiers on them. GenuineIntel, AuthenticAMD, etc, models, plus a
number to indicate what generation.

Pentiums were P1, P2, P3, etc.

Intel released the Pentium 4 (one of their worst chip designs - the next one,
Core, was based on Pentium 3 rather than Pentium 4).

Which Linux saw as a P... FIFTEEN?

Some jackass at Intel thought 'IV' - i.e. roman numbers for four - was a cool
thing to put as the CPU ID. So Linux saw 'Pentium 15' and freaked the fuck out
while people confirmed that yes, Intel were actually stamping Pentium 4s as
'15'.

~~~
TazeTSchnitzel
This confused me because I couldn't see how that ASCII would relate to the
number.

Turns out they chose 0xF for a different reason:
http://linux.omnipotent.net/article.php?article_id=11457

It was to work around Windows NT!

~~~
nailer
Thanks for the correction!

------
0xbear
Intel CPUs had the various "management" features for over a decade. Does
anyone actually use them though?

~~~
sambe
So did AMD CPUs:

"For years AMD’s processors for business PCs supported additional security
technologies (collectively known as AMD Secure Processor and Platform Security
Processor before that) enabled by the ARM TrustZone platform with the ARM
Cortex-A5 core. AMD’s previous-gen PRO-series APUs included Secure Boot,
Content Protection, per-Application security, fTPM 2.0, and support for
Microsoft Device Guard, Windows Hello, fingerprint security, data protection
and so on."

I honestly don't know who uses them. I've not seen it in finance or health.
Government?

~~~
tremon
TrustZone is not a "management" feature in the sense that Intel AMT is; it is
a security feature that can prevent/obscure certain hardware access (basically
Ring 0 for peripherals), but does not allow for out-of-band machine access
like AMT (although in-band machine access, with the firmware circumventing the
user OS is a possibility).

~~~
julian_1
TrustZone is ARM's hardware access control. But I suspect AMD's PSP, which
incorporates an on-die ARM core rather than just implementing the TrustZone IP,
is doing a lot more. Reportedly it can manage DMA actions itself independently
of the amd64 core.

------
jackmott
I have to chuckle that the features here are

1. We promise it will work now
2. We will reduce the user's power over their machine

------
GoodAdmiral
Do you guys think these are worth the price premium for home server use? Are
they really "better quality" (more margin/tighter silicon screening, etc) or
is that part mostly a marketing gimmick?

