AMD’s Secure Processor Firmware Is Now Explorable Thanks to New Tool

A security researcher named Cwerling has released a new tool, called PSPTool, that researchers can use to analyze the firmware used by AMD’s Secure Platform Processor (PSP).

Note: PSPTool has nothing to do with Sony’s old PSP handheld.

AMD’s PSP is its equivalent of the Intel Management Engine and has been criticized for many of the same issues as that solution. Security researchers have been publicly unhappy with AMD and Intel’s decision to keep details of how these chips operate under wraps because they function in secret, entirely divorced from the operation of the primary CPU or operating system. If you can hack the IME or AMD’s PSP, you can theoretically run code on a computer that’s completely invisible to the end-user. And while it’s not clear that there are practical exploits in the wild that make use of these capabilities, their existence and obfuscation are enough to give security white-hats a severe case of heartburn.

This is scarcely unique to the two x86 manufacturers. Closed-source software developers and many hardware companies have often incorporated the principle of security through obscurity into their security systems, reasoning that limiting the available information about a solution will also limit its addressable attack surface. Proponents of a more open approach have called for Intel and AMD to provide far more information publicly. The PSPTool is intended to allow for a greater examination of AMD firmware than the company has allowed. The author writes:

PSPTool is a Swiss Army knife for dealing with firmware of the AMD Secure Processor (formerly known as Platform Security Processor or PSP). It locates AMD firmware inside UEFI images as part of BIOS updates targeting AMD platforms.

It is based on reverse-engineering efforts of AMD’s proprietary filesystem used to pack firmware blobs into UEFI Firmware Images. These are usually 16MB in size and can be conveniently parsed by UEFITool. However, all binary blobs by AMD are located in padding volumes unparsable by UEFITool. (all emphasis original)

PSPTool favourably works with UEFI images as obtained through BIOS updates.

UEFITool is described in its own repository as a cross-platform application for modifying and extracting firmware images.
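As an added example (not the article's text and not PSPTool's own code), the Python below sketches the kind of scan the quoted README describes: instead of walking UEFI volumes, it searches the raw image for AMD's "$PSP" directory cookie, verifies the table's checksum, and lists and extracts the blobs the table points at, so that firmware sitting in padding that UEFITool skips is still found. The directory layout assumed here (a 16-byte header of cookie, checksum, entry count and info word; 16-byte entries of type, subprogram, size and address; a Fletcher-32 over everything after the checksum field) follows the public descriptions in PSPTool and coreboot's amdfwtool and should be treated as an assumption. Entry addresses are treated as plain offsets into the image, a simplification (real images may carry memory-mapped flash addresses), and the 256KB sample image is constructed inline rather than taken from any real BIOS update.

```python
"""Locate and sanity-check AMD "$PSP" directory tables in a raw flash image.

Added example; the structure layout is an assumption based on public
descriptions of the format (PSPTool, coreboot amdfwtool), not verified here.
"""
import struct
from dataclasses import dataclass

PSP_COOKIE = b"$PSP"          # level-1 PSP directory magic
HEADER_FMT = "<4sIII"         # cookie, checksum, entry count, additional info
ENTRY_FMT = "<BBHIQ"          # type, subprogram, reserved, size, address
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 16 bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 16 bytes
MAX_ENTRIES = 64              # plausibility bound for a directory (assumption)


def fletcher32(data: bytes) -> int:
    """Fletcher-32 over little-endian 16-bit words with ones-complement folding,
    mirroring the amdfwtool variant (assumption). Odd trailing byte is ignored."""
    c0 = c1 = 0xFFFF
    for (w,) in struct.iter_unpack("<H", data[: len(data) & ~1]):
        c0 += w
        c1 += c0
        c0 = (c0 & 0xFFFF) + (c0 >> 16)
        c1 = (c1 & 0xFFFF) + (c1 >> 16)
    c0 = (c0 & 0xFFFF) + (c0 >> 16)
    c1 = (c1 & 0xFFFF) + (c1 >> 16)
    return (c1 << 16) | c0


@dataclass
class PspEntry:
    type: int
    subprog: int
    size: int
    address: int


@dataclass
class PspDirectory:
    offset: int
    checksum_ok: bool
    entries: list


def parse_directory(image: bytes, offset: int):
    """Parse one "$PSP" table at `offset`; return None if it is not plausible."""
    if offset + HEADER_SIZE > len(image):
        return None
    cookie, checksum, count, _info = struct.unpack_from(HEADER_FMT, image, offset)
    if cookie != PSP_COOKIE or count == 0 or count > MAX_ENTRIES:
        return None
    end = offset + HEADER_SIZE + count * ENTRY_SIZE
    if end > len(image):
        return None
    # The checksum covers everything after the checksum field: count, info, entries.
    checksum_ok = fletcher32(image[offset + 8 : end]) == checksum
    entries = []
    for i in range(count):
        typ, subprog, _rsvd, size, addr = struct.unpack_from(
            ENTRY_FMT, image, offset + HEADER_SIZE + i * ENTRY_SIZE)
        entries.append(PspEntry(typ, subprog, size, addr))
    return PspDirectory(offset, checksum_ok, entries)


def find_directories(image: bytes):
    """Scan the whole image for cookies, ignoring UEFI volume boundaries."""
    found, pos = [], image.find(PSP_COOKIE)
    while pos != -1:
        d = parse_directory(image, pos)
        if d is not None:
            found.append(d)
        pos = image.find(PSP_COOKIE, pos + 1)
    return found


def entry_in_bounds(entry: PspEntry, image_size: int, flash_base: int = 0) -> bool:
    """True if the referenced blob lies inside the image. Addresses are taken as
    offsets from `flash_base` (assumption; real tables may need address masking)."""
    start = entry.address - flash_base
    return 0 <= start and start + entry.size <= image_size


def extract_blobs(image: bytes, directory: PspDirectory, flash_base: int = 0) -> dict:
    """Return {(type, subprog): bytes} for every in-bounds entry of a directory."""
    out = {}
    for e in directory.entries:
        if entry_in_bounds(e, len(image), flash_base):
            start = e.address - flash_base
            out[(e.type, e.subprog)] = image[start : start + e.size]
    return out


def build_sample_image(image_size: int = 0x40000, dir_offset: int = 0x20000) -> bytes:
    """Constructed sample (not a real BIOS): blank 0xFF padding, one "$PSP"
    directory and two blobs. Type codes are treated as opaque labels here."""
    blobs = [(0x01, b"\x7fPSPBOOT" + b"\x00" * 56), (0x08, b"SMUFW" + b"\x11" * 27)]
    image = bytearray(b"\xff" * image_size)
    entries, blob_addr = b"", dir_offset + 0x1000
    for typ, data in blobs:
        image[blob_addr : blob_addr + len(data)] = data
        entries += struct.pack(ENTRY_FMT, typ, 0, 0, len(data), blob_addr)
        blob_addr += 0x1000
    body = struct.pack("<II", len(blobs), 0) + entries
    header = struct.pack("<4sI", PSP_COOKIE, fletcher32(body))
    image[dir_offset : dir_offset + len(header) + len(body)] = header + body
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for d in find_directories(img):
        print(f"$PSP directory at 0x{d.offset:x}, checksum {'ok' if d.checksum_ok else 'BAD'}")
        for e in d.entries:
            print(f"  type=0x{e.type:02x} size=0x{e.size:x} addr=0x{e.address:x} "
                  f"in_bounds={entry_in_bounds(e, len(img))}")
```

The two checks worth keeping when adapting this to real images are the checksum verification and the bounds check on each entry: a table whose checksum fails, or whose entries point outside the flash image, is either mis-parsed (wrong address base) or has been tampered with, and either case deserves a closer look before any blob is trusted or analyzed further.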

Hardware DRM support can be implemented through the PSP (and likely has been, as far as Windows 10’s 4K playback scheme is concerned). The ability to analyze the PSP’s firmware could lead to DRM cracks or the discovery of further security flaws.

(Image: ARM’s TrustZone architecture)

Some of the security issues at play here are related to those raised last year by CTS-Labs. Those flaws were made public under highly suspicious circumstances and with the involvement of a short-seller firm, Viceroy Research. Viceroy Research is known for issuing damaging reports in an attempt to tank company stock prices. But while the security disclosure process was incredibly suspect in this case, the actual issues themselves were confirmed to exist by independent researchers. There is, in other words, reason to be dubious of the security-through-obscurity approach that both AMD and Intel have practiced.

This is not to imply that researchers automatically will find flaws in AMD’s PSP implementation. Even if flaws are found, it’s possible they would ultimately be ARM’s responsibility, depending on exactly what the issue is and where it’s located.

There’s an argument to be made that fixing these problems now would ultimately be to AMD’s benefit, not its harm. Currently, AMD’s practical exposure to sophisticated side-channel attacks or high-level corporate / state espionage is minimal, because Intel commands ~97 percent of the x86 server market and between 80-87 percent of the mobile and desktop markets. Businesses are far more likely to have Intel systems deployed, not AMD.

Fixing any PSP security issues before its hardware is widely deployed in mission-critical environments is far better than being forced to fix them afterward, particularly if customers were to start turning to AMD as an alternative to Intel due to the perceived superiority of AMD’s security situation relative to the ongoing disclosure of Spectre-class flaws.
