
Uncover, Understand, Own – Regaining Control over Your AMD CPU [video] - DyslexicAtheist
https://media.ccc.de/v/36c3-10942-uncover_understand_own_-_regaining_control_over_your_amd_cpu
======
consp
Quite interesting. As usual with these 'secure' processors they have the same
flaws all code have.

Still good to hear the PSP is quite lean which means less to fix and less to
go wrong.

~~~
stevefan1999
I mean, this had also happened to Apple with the recent checkm8 exploit that
abused a UaF situation in the bootrom by USB communication reset. Not even
Apple is secure; nothing is secure. The only secure is design by open, that's
why Linux/FreeBSD had marginally less CVEs than Windows or Macs

~~~
EncryptEntropy
Apples to oranges. This is about processor security. Free operating systems or
proprietary, they run on the same processors.

------
peter_d_sherman
Excerpt:

"The AMD Platform Security Processor (PSP) is a dedicated ARM CPU inside your
AMD processor and runs undocumented, proprietary firmware provided by AMD.

It is a processor inside your processor that you don't control. It is
essential for system startup. In fact, in runs before the main processor is
even started and is responsible for bootstrapping all other components.

This talk presents our efforts investigating the PSP internals and
functionality and how you can better understand it.

Our talk is divided into three parts:

The first part covers the firmware structure of the PSP and how we analyzed
this proprietary firmware. We will demonstrate how to extract and replace
individual firmware components of the PSP and how to observe the PSP during
boot.

The second part covers the functionality of the PSP and how it interacts with
other components of the x86 CPU like the DRAM controller or System Management
Unit (SMU). We will present our method to gain access to the, otherwise
hidden, debug output.

The talk concludes with a security analysis of the PSP firmware. We will
demonstrate how to provide custom firmare to run on the PSP and introduce our
toolchain that helps building custom applications for the PSP.

This talk documents the PSP firmware's proprietary filesystem and provides
insights into reverse-engineering such a deeply embedded system. It further
sheds light on how we might regain trust in AMD CPUs despite the delicate
nature of the PSP."

Researchers: Robert Buhren, Alexander Eichner and Christian Werling

Video is also available here:

[https://www.youtube.com/watch?v=bKH5nGLgi08](https://www.youtube.com/watch?v=bKH5nGLgi08)

and here:

[https://www.youtube.com/watch?v=IejO5HxqMwo](https://www.youtube.com/watch?v=IejO5HxqMwo)

Also:

PSPTool - Display, extract, and manipulate PSP firmware inside UEFI images

[https://github.com/PSPReverse/PSPTool](https://github.com/PSPReverse/PSPTool)

Also, new (to me): (AMD) SMN "System Management Network" (description starts
at 22:47)

------
trulyrandom
This is a great talk. I'm excited to see what else they can learn about the
PSP as they continue working on their tools. So far, it seems that it's much
easier to explore than the Intel ME.

------
rurban
This was my highlight of the 36c3 so far. Initially I thought the two Daniel
Gruss talks would be better, but they turned it into a cheap TV show.

------
im3w1l
Why are people suspicious of the firmware but willing to trust the hardware?
Is it a case of looking where the light is brightest?

~~~
benchaney
Hardware operates under much different constraints than firmware. Carrying out
an attack from hardware would be a lot more difficult.

~~~
brian_herman__
[https://www.intel.com/content/www/us/en/support/articles/000...](https://www.intel.com/content/www/us/en/support/articles/000025619/software.html)

