The AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, is a
trusted execution environment
A trusted execution environment (TEE) is a secure area of a main processor. It guarantees code and data loaded inside to be protected with respect to confidentiality and integrity. Data integrity prevents unauthorized entities from outside the ...
subsystem incorporated since about 2013 into
AMD
Advanced Micro Devices, Inc. (AMD) is an American multinational semiconductor company based in Santa Clara, California, that develops computer processors and related technologies for business and consumer markets. While it initially manufactur ...
microprocessors.
According to an AMD developer's guide, the subsystem is "responsible for creating, monitoring and maintaining the security environment" and "its functions include managing the boot process, initializing various security related mechanisms, and monitoring the system for any suspicious activity or events and implementing an appropriate response".
Critics worry it can be used as a backdoor and is a security concern.
AMD has denied requests to open source the code that runs on the PSP.
Details
The PSP itself represents an
ARM core
This is a list of central processing units based on the ARM
In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) an ...
with the
TrustZone
ARM (stylised in lowercase as arm, formerly an acronym for Advanced RISC Machines and originally Acorn RISC Machine) is a family of reduced instruction set computer (RISC) instruction set architectures for computer processors, configure ...
extension which is inserted into the main CPU die as a
coprocessor
A coprocessor is a computer processor used to supplement the functions of the primary processor (the CPU). Operations performed by the coprocessor may be floating-point arithmetic, graphics, signal processing, string processing, cryptography o ...
.
The PSP contains on-chip firmware which is responsible for verifying the SPI ROM and loading off-chip firmware from it. In 2019, a Berlin-based security group discovered the off-chip firmware in ordinary
UEFI
UEFI (Unified Extensible Firmware Interface) is a set of specifications written by the UEFI Forum. They define the architecture of the platform firmware used for booting and its interface for interaction with the operating system. Examples of ...
image files (the code that boots up the operating system), which meant that it could be easily analyzed. By using a few hand-written
Python
Python may refer to:
Snakes
* Pythonidae, a family of nonvenomous snakes found in Africa, Asia, and Australia
** ''Python'' (genus), a genus of Pythonidae found in Africa and Asia
* Python (mythology), a mythical serpent
Computing
* Python (pro ...
-based tools, they found that the off-chip firmware from the SPI ROM contained an application resembling an entire micro operating system.
Investigation of a Lenovo ThinkPad A285 notebook's motherboard flash chip (stores UEFI firmware) revealed that the PSP core itself (as a device) is run before the main CPU and that its firmware
bootstrapping
In general, bootstrapping usually refers to a self-starting process that is supposed to continue or grow without external input.
Etymology
Tall boots may have a tab, loop or handle at the top known as a bootstrap, allowing one to use fingers ...
process starts just before basic UEFI gets loaded. They discovered that the firmware is run inside in the same system's memory space that user's applications do with unrestricted access to it (including
MMIO
Memory-mapped I/O (MMIO) and port-mapped I/O (PMIO) are two complementary methods of performing input/output (I/O) between the central processing unit (CPU) and peripheral devices in a computer. An alternative approach is using dedicated I/O pr ...
) raising concerns over data safety.
Because PSP is the chip that decides whenever the x86 cores will run or not, it is used to implement hardware downcoring, specific cores on the system can be made permanently inaccessible during manufacturing. The PSP also provides a random number generator for the RDRAND instruction
and provides TPM services.
The PSP also provides security for the entirety of the Data Fabric: regions of system memory, Data Fabric registers, PCI/PCIe devices can be protected by the PSP. It also ensures inter-CPU security and maintains a security hierarchy. Because it's the root of all security, it can access everything; the neighboring IP SMU (System Management Unit) has second most access, due to it needing in depth control over the whole ASIC, microcode has the third most access and X86 supervisor code (OS/firmware) has the least access.
Boot process
The PSP is an integral part of the boot process, without which the x86 cores would never be activated.
; On-chip phase: Firmware located directly on the PSP chip sets up the ARM CPU, verifies the integrity of the SPI ROM and using various data structures locates the off-chip firmware and copies it over to internal PSP memory.
; Off-chip phase: The loaded off-chip modules will initialize DRAM and perform platform initialization. Using the previous data structures the off-chip firmware finds UEFI firmware within the SPI ROM and copies it over to DRAM, it may perform additional verification steps and if the system is deemed secure, it will release the x86 cores from their reset state, thus starting UEFI firmware.
Reported vulnerabilities
In September 2017, Google security researcher Cfir Cohen reported a vulnerability to AMD of a PSP subsystem that could allow an attacker access to passwords, certificates, and other sensitive information; a patch was rumored to become available to vendors in December 2017.
In March 2018, an Israeli
IT security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
company reported a handful of allegedly serious flaws related to the PSP in AMD's
Zen
Zen ( zh, t=禪, p=Chán; ja, text= 禅, translit=zen; ko, text=선, translit=Seon; vi, text=Thiền) is a school of Mahayana Buddhism that originated in China during the Tang dynasty, known as the Chan School (''Chánzong'' 禪宗), and ...
architecture CPUs (
EPYC
Epyc is a brand of multi-core x86-64 microprocessors designed and sold by AMD, based on the company's Zen microarchitecture. Introduced in June 2017, they are specifically targeted for the server and embedded system markets. Epyc processors share ...
,
Ryzen
Ryzen ( ) is a brand of multi-core x86-64 microprocessors designed and marketed by AMD for desktop, mobile, server, and embedded platforms based on the Zen microarchitecture. It consists of central processing units (CPUs) marketed for mainst ...
, Ryzen Pro, and Ryzen Mobile) that could allow malware to run and gain access to sensitive information.
AMD announced firmware updates to handle these flaws.
Their validity from a technical standpoint was upheld by independent security experts who reviewed the disclosures, although the high risks claimed by CTS Labs were dismissed,
leading to claims that the flaws were published for the purpose of
stock manipulation
In economics and finance, market manipulation is a type of market abuse where there is a deliberate attempt to interfere with the free and fair operation of the market; the most blatant of cases involve creating false or misleading appearances ...
.
See also
*
Intel Management Engine
The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of mod ...
References
{{Reflist, refs=
[{{cite web , author-last=Williams , author-first=Rob , date=2017-07-19 , title=AMD Confirms It Won't Opensource EPYC's Platform Security Processor Code , quote=This chip is found on most AMD platforms from 2013 on, and behaves much like Intel's Management Engine does ..The rather blunt realization that PSP wasn't being open sourced came out during a discussion with AMD top brass about EPYC. , url=https://hothardware.com/news/amd-confirms-it-will-not-be-opensourcing-epycs-platform-security-processor-code]
[{{cite web , date=2016 , title=BIOS and Kernel Developer's Guide (BKDG) for AMD Family 16h Models 30h-3Fh Processors , publisher=]AMD
Advanced Micro Devices, Inc. (AMD) is an American multinational semiconductor company based in Santa Clara, California, that develops computer processors and related technologies for business and consumer markets. While it initially manufactur ...
, page=156 , url=http://support.amd.com/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf
[{{cite web , author-last=Martin , author-first=Ryan , date=July 2013 , title=Expert Says NSA Have Backdoors Built Into Intel And AMD Processors , publisher=eteknix.com , url=https://www.eteknix.com/expert-says-nsa-have-backdoors-built-into-intel-and-amd-processors/ , access-date=2018-01-19]
[{{citation , author-last=Claburn , author-first=Thomas , date=2018-01-06 , title=Security hole in AMD CPUs' hidden secure processor code revealed ahead of patches , publisher=]The Register
''The Register'' is a British technology news website co-founded in 1994 by Mike Magee, John Lettice and Ross Alderson. The online newspaper's masthead sublogo is "''Biting the hand that feeds IT''." Their primary focus is information tec ...
, url=https://www.theregister.co.uk/2018/01/06/amd_cpu_psp_flaw/
[{{cite web , author-last=Larabel , author-first=Michael , author-link=Michael Larabel , date=2017-12-07 , title=AMD Reportedly Allows Disabling PSP Secure Processor With Latest AGESA , quote=This built-in AMD Secure Processor has been criticized by some as another possible attack vector... , url=https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option]
[{{cite web , title=Libreboot FAQ , url=https://libreboot.org/faq.html , quote=The PSP is an ARM core with TrustZone technology, built onto the main CPU die.]
[{{cite web , author-last=Millman , author-first=Rene , date=2018-01-08 , title=Security issue found in AMD's Platform Security Processor , url=https://www.scmagazineuk.com/security-issue-found-in-amds-platform-security-processor/article/735414/]
[{{cite web , author-last=Cimpanu , author-first=Catalin , date=2018-01-06 , title=Security Flaw in AMD's Secure Chip-On-Chip Processor Disclosed Online , url=https://www.bleepingcomputer.com/news/security/security-flaw-in-amds-secure-chip-on-chip-processor-disclosed-online/]
[{{cite web , author-last=Goodin , author-first=Dan , date=2018-03-13 , title=A raft of flaws in AMD chips makes bad hacks much, much worse , publisher=]Ars Technica
''Ars Technica'' is a website covering news and opinions in technology, science, politics, and society, created by Ken Fisher and Jon Stokes in 1998. It publishes news, reviews, and guides on issues such as computer hardware and software, sci ...
, url=https://arstechnica.com/information-technology/2018/03/a-raft-of-flaws-in-amd-chips-make-bad-hacks-much-much-worse/
[{{cite web , author-last=Bright , author-first=Peter , author-link=Peter Bright , date=2018-03-20 , title=AMD promises firmware fixes for security processor bugs All bugs require administrative access to exploit , publisher=]Ars Technica
''Ars Technica'' is a website covering news and opinions in technology, science, politics, and society, created by Ken Fisher and Jon Stokes in 1998. It publishes news, reviews, and guides on issues such as computer hardware and software, sci ...
, url=https://arstechnica.com/gadgets/2018/03/amd-promises-firmware-fixes-for-security-processor-bugs/
[{{cite web , author-last=Papermaster , author-first=Mark , author-link=Mark Papermaster , date=2018-03-21 , title=Initial AMD Technical Assessment of CTS Labs Research , publisher=AMD Community , url=https://community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research]
[{{cite web , author-last=Guido , author-first=Dan , title="AMD Flaws" Technical Summary , date=15 March 2018 , url=https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary]
[{{cite web , date=2017-06-27 , title=AMD Random Number Generator , publisher=]AMD
Advanced Micro Devices, Inc. (AMD) is an American multinational semiconductor company based in Santa Clara, California, that develops computer processors and related technologies for business and consumer markets. While it initially manufactur ...
, url=https://www.amd.com/system/files/TechDocs/amd-random-number-generator.pdf
External links
AMD Pro Securityat AMD
Remote administration software
Firmware
AMD
BIOS
Unified Extensible Firmware Interface