Uncover, Understand, Own – Regaining Control over Your AMD CPU [video]

consp · on Dec 29, 2019

Quite interesting. As usual with these 'secure' processors they have the same flaws all code have.

Still good to hear the PSP is quite lean which means less to fix and less to go wrong.

stevefan1999 · on Dec 29, 2019

I mean, this had also happened to Apple with the recent checkm8 exploit that abused a UaF situation in the bootrom by USB communication reset. Not even Apple is secure; nothing is secure. The only secure is design by open, that's why Linux/FreeBSD had marginally less CVEs than Windows or Macs

EncryptEntropy · on Dec 29, 2019

Apples to oranges. This is about processor security. Free operating systems or proprietary, they run on the same processors.

peter_d_sherman · on Dec 29, 2019

Excerpt:

"The AMD Platform Security Processor (PSP) is a dedicated ARM CPU inside your AMD processor and runs undocumented, proprietary firmware provided by AMD.

It is a processor inside your processor that you don't control. It is essential for system startup. In fact, in runs before the main processor is even started and is responsible for bootstrapping all other components.

This talk presents our efforts investigating the PSP internals and functionality and how you can better understand it.

Our talk is divided into three parts:

The first part covers the firmware structure of the PSP and how we analyzed this proprietary firmware. We will demonstrate how to extract and replace individual firmware components of the PSP and how to observe the PSP during boot.

The second part covers the functionality of the PSP and how it interacts with other components of the x86 CPU like the DRAM controller or System Management Unit (SMU). We will present our method to gain access to the, otherwise hidden, debug output.

The talk concludes with a security analysis of the PSP firmware. We will demonstrate how to provide custom firmare to run on the PSP and introduce our toolchain that helps building custom applications for the PSP.

This talk documents the PSP firmware's proprietary filesystem and provides insights into reverse-engineering such a deeply embedded system. It further sheds light on how we might regain trust in AMD CPUs despite the delicate nature of the PSP."

Researchers: Robert Buhren, Alexander Eichner and Christian Werling

Video is also available here:

https://www.youtube.com/watch?v=bKH5nGLgi08

and here:

https://www.youtube.com/watch?v=IejO5HxqMwo

Also:

PSPTool - Display, extract, and manipulate PSP firmware inside UEFI images

https://github.com/PSPReverse/PSPTool

Also, new (to me): (AMD) SMN "System Management Network" (description starts at 22:47)

trulyrandom · on Dec 29, 2019

This is a great talk. I'm excited to see what else they can learn about the PSP as they continue working on their tools. So far, it seems that it's much easier to explore than the Intel ME.

rurban · on Dec 29, 2019

This was my highlight of the 36c3 so far. Initially I thought the two Daniel Gruss talks would be better, but they turned it into a cheap TV show.

im3w1l · on Dec 30, 2019

Why are people suspicious of the firmware but willing to trust the hardware? Is it a case of looking where the light is brightest?

benchaney · on Dec 30, 2019

Hardware operates under much different constraints than firmware. Carrying out an attack from hardware would be a lot more difficult.

brian_herman__ · on Dec 30, 2019

https://www.intel.com/content/www/us/en/support/articles/000...