AMD PSP is basically their equivalent to Intel's ME, so this is not surprising... but then it says
This function is called from TPM2_CreatePrimary with user controlled data - a DER encoded [6] endorsement key (EK) certificate stored in the NV storage.
If I understand correctly, this is related to SecureBoot and to do such operations with the keys and certificates, the user has to have physical access to the BIOS/UEFI setup already, correct?
The PSP is already quite long in the tooth. I think AMD will switch to ARM's recently announced "SecurCore" soon, just like Qualcomm did for the Snapdragon 845:
I think Intel's ME is much more complex than AMD's PSP. Does anyone know if AMD's PSP has a full network stack and the ability to interact with network hardware independent of the main CPU's OS?
TPMs are supposed to be resistant to physical attacks.
With this flaw, someone can just stick a bootable USB stick in your computer to mirror the LUKS/BitLocker disk drive and get access to the keys in the TPM which protect that drive.
For discrete TPMs the specification explicitly says that they are not required to be resistant to physical attacks (probably because that would require specifying what kinds of attacks it is supposed to be resistant to).