After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip (bleepingcomputer.com)

Posted by EditorDavid on Sunday January 7, 2018 @08:34AM from the in-the-chips dept.

An anonymous reader writes: AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor. This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME). Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

The security bug is a buffer overflow that allows code execution inside the AMD SPS TPM, the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores. Intel fixed a similar flaw last year in the Intel ME.

76 comments

Min score:

Reason:

Sort:

Misdirection. by Anonymous Coward · 2018-01-07 08:40 · Score: 0

... the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores.
Oh, heh. EXACTLY the same thing as Intel's ME.
Not the same? Not an actual backdoor? by Futurepower(R) · 2018-01-07 08:44 · Score: 5, Informative

Quote from a complaining comment about the Bleeping Computer story: "Garbage FUD probably hired by Intel, and it wouldn't be surprising. In order to exploit AMD's TPM (which is an easy BIOS fix) the hacker needs physical access to the motherboard... at that point the hacker may as well have armed forces hijack the data center."
1. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 09:01 · Score: 1
  
  It’s because AMD fangirls can’t handle bad news about the company. It’s like their whole identity is tied up in some corporation who couldn’t get two shits about them. It’s really sad...
  That's not actually addressing the comment above. Does this require physical access? Does Meltdown/spectre? Did the Intel ME exploit require it? That is a huge difference if so.
2. Re:Not the same? Not an actual backdoor? by TheMiddleRoad · 2018-01-07 09:05 · Score: 1, Flamebait
  
  Because buffer overflows are only usable with physical access? AMD fanboys are the best.
3. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 09:12 · Score: 4, Informative
  
  This AMD PSP vuln requires prerequisite physical access.
4. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 09:13 · Score: 0
  
  So then I gather the TPM is not accessible by the OS then to be exploited by malicious code? if so what use is the TPM? At least that is what I am assuming you are saying because otherwise it is nothing but bullshit.
5. Re:Not the same? Not an actual backdoor? by DontBeAMoran · 2018-01-07 09:18 · Score: 1
  
  There wouldn't BE buffer overflows if companies would use my simple idea: only sell computers with infinite RAM and infinite memory address registers.
  
  --
  #DeleteFacebook
6. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 09:27 · Score: 0, Flamebait
  
  Sadly you're defending the indefensible. But that is how it goes with AMD fans.
7. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 09:37 · Score: 0
  
  This. And you can sell it for infinite dollars. I don't see the downside here.
8. Re:Not the same? Not an actual backdoor? by guruevi · 2018-01-07 09:42 · Score: 2
  
  Both Intel ME and AMD's SPS require access to the system to enable in the first place, so yes, you need at the very least an account on the computer. It doesn't require physical access (as in, you don't need to attach wires to the bus or push buttons).
  Given that AMD's SPS flaw sits in a certificate validation routine, it may actually be possible to trick the computer into the exploit by using some DRM shenanigans (eg. an evil Netflix site) whereas from what I could compile from a cursory look on the Intel link, you actually already need to have the Intel ME enabled and have some privileges into Intel ME's in order to elevate your permissions.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
9. Re:Not the same? Not an actual backdoor? by BlueCoder · 2018-01-07 09:51 · Score: 3, Interesting
  
  No it isn't the same. Until you show me that it can be used through a network attack. While it is a security bug it's relevant to a TPM boot chain.
  Who is using TPM? I've considered getting one at home just to play around with it.
  To me TPM has been in perpetual development because of bugs. And honestly until there are BIOS setting which enable ME to manage all of it's keys then I will never trust it.
10. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 09:54 · Score: 0
  
  Oh the irony coming from an Intel bootlicking sycophant.
  Tell us, are you on their regular payroll, "contractor" that's paid by the post, or are you stupid enough to be defending them for free because they've brainwashed you?
11. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 10:03 · Score: 0, Funny
  
  Snowflake spotted. Do you need some analgesic cream for all that butthurt?
12. Re:Not the same? Not an actual backdoor? by Lunix+Nutcase · 2018-01-07 10:05 · Score: 1
  
  Tons of people use TPM.
13. Re:Not the same? Not an actual backdoor? by serviscope_minor · 2018-01-07 10:06 · Score: 3, Insightful
  
  Because buffer overflows are only usable with physical access?
  doesn't that depend on what the buffer overflow exploit is in?
  I have not RTFA because this is slashdot, but buffer overflows are not de-facto remote exploits. If the buffer is accessible via the network, you're in the crap. If it's only available locally then it's only a local exploit.
  Of course local priviledge elevation is bad because that's only one remote unpriviliged exploitation away from being a remote root access. No idea what this one is.
  Either way though, that obnoxious bastard Stallman was fucking right again[*].
  Can't see the source, can't fix it, can't trust it.
  [*]Part of his obnoxiousness is consistently being right about paranoid, inconvenient things.
  
  --
  SJW n. One who posts facts.
14. Re: Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 10:07 · Score: 0
  
  While this is a serious issue, an attack requiring physical (internal) access to the hardware is not catastrophic. Although high profile targets may not want to use the TPM anymore for storing long term secrets.
15. Re: Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 10:09 · Score: 0
  
  The buffer overflow is in the bios. When the OS is booted this code is not used. The OS can interact directly with the TPM, but the exploitable code path is not there. This issue can be fixed with a simple bios update.
16. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 11:14 · Score: 0
  
  WRONG, you don't need physical to access the IME by default.
17. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 11:15 · Score: 0
  
  Wait, so months/years of complaining about Intel ME is OK, but the moment AMD PSP has an issue it's just some FUD?
18. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 11:44 · Score: 0
  
  http://www.infinitecoin.com/
19. Re: Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 12:48 · Score: 0
  
  Maybe..maybe not. I'm sure now that this has hit slashdot it will spread and AMD will release an update.
  At the very least it does require physical access and really by that point if a hacker has physical access you can probably assume you're system is fucked regardless of whether there was security vulnerabilities with the CPU. Chances are they got in anyway.
  Ahh well at least I don't have to worry about this one. If someone breaks into my house to have my AMD PC they will be very upset to discover I'm running a 5820k and they showed up too early. After I shoot them I'll tellem to come back after Ryzen 2 launches and they can try again =P
  I better go buy a gun. Don't want people to think they can just break in at any old time. If they get physical access should I shoot them 1st or the PC?
  If they broke in just to hack my gaming rig should I shoot them at all or should we just play some couch coop and call it a night?
  So many questions...
20. Re: Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 15:07 · Score: 0
  
  It's a nightmare when you are shipping computer systems from one location to another.
21. Re:Not the same? Not an actual backdoor? by AmiMoJo · 2018-01-07 15:17 · Score: 1
  
  TPM is very useful for storing secrets like encryption keys. For example, you can use it to store the encryption keys for your hard drive, in order to support waking from sleep modes, without needing the key to be in RAM where it is vulnerable.
  You can also use TPM to secure your OS against rootkit attacks. The TPM can verify the boot code is unmodified, independent of the CPU and any other code that could be compromised.
  Hardware TPMs have proven reliable. AMD uses a software TPM, which has this issue.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
22. Re:Not the same? Not an actual backdoor? by BronsCon · 2018-01-07 15:41 · Score: 1
  
  One company's flaw requires physical access to reboot the system into BIOS/UEFI and install a certificate in order to enable remote access, the other company's is remotely exploitable from day 0. That might explain why they're being received differently.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
23. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 19:08 · Score: 0
  
  Ironically, TPM is a massive security hole in itself.
24. Re:Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 19:11 · Score: 0
  
  Yeah, seems pretty much like FUD from the disclosure: "Without access to a real AMD hardware, we used an ARM emulator " http://seclists.org/fulldisclosure/2018/Jan/12 .
  AFACIT this has not been demonstrated to be exploited on real hardware in any way shape or form and AMD is issuing a patch anyway in case it turns out this attack can somehow be used.
25. Re:Not the same? Not an actual backdoor? by thegarbz · 2018-01-07 20:18 · Score: 1
  
  Who is using TPM?
  Lots of people. TPM has found its niche in corporate computers, as well as laptops and modern devices with advanced security features. It is also a required component for Windows 10 certification for system builders. Of the 5 computers in my house (excluding embedded ones) the only one which doesn't have a TPM chip is my server.
  Not only will many modern devices ship with TPM hardware installed but many will default to using it for things like Bitlocker and other encryption keys.
26. Re: Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-07 22:34 · Score: 0
  
  Yay! 4 of the 5 computers in your houseate easily pwnd through TPM exploits! Bully for you cool guy!!
27. Re: Not the same? Not an actual backdoor? by Anonymous Coward · 2018-01-08 08:50 · Score: 0
  
  up until recently there was no way of properly disabling intel ME and came enabled by default. soo, what you said seems wrong
It's ... by Anonymous Coward · 2018-01-07 08:45 · Score: 0

buggy (operating) systems all the way down.
Passwordless login on Intel by Anonymous Coward · 2018-01-07 08:46 · Score: 0

Hardly a "similar flaw", plain incompetence. Never trust Intel.
Make up your damn mind. by Anonymous Coward · 2018-01-07 08:52 · Score: 0

Is it SPS or is it PSP?
1. Re:Make up your damn mind. by Lunix+Nutcase · 2018-01-07 08:54 · Score: 2
  
  It’s both and neither depending on if the cat is dead in the box or not.
Info: Intel CPU backdoors by Futurepower(R) · 2018-01-07 08:55 · Score: 2

What we know about Intel CPU backdoors so far (June 2017)
hmmm.... by Tsolias · 2018-01-07 09:06 · Score: 2, Interesting

the real AMD64 x86 CPU cores"
softpedia yesterday was telling us about AMD Radeon Processors
now we get real AMD64 x86 CPU cores
you know that intel doesn't have money to buy at least an educated shill, when they shop from junior CS classes... and I even doubt that, I believe that they just hire SJWs for everything nowadays.

0.02 shekels have been deposited to your account
iRONY by Anonymous Coward · 2018-01-07 09:11 · Score: 0

After millions of "entry-level-nerds" suggested everyone shall buy AMD instead of Intel... "The iRONY is strong in that one!"
1. Re:iRONY by DontBeAMoran · 2018-01-07 09:17 · Score: 3, Interesting
  
  It seems that particular AMD bug can by disabled/bypassed by a BIOS/UEFI update, so the suggestion is still valid.
  
  --
  #DeleteFacebook
Luckily it can be officially disabled... by HalAtWork · 2018-01-07 09:12 · Score: 4, Informative

...at least when mainboard makers support the option in UEFI.
https://www.phoronix.com/scan....

--
Twinstiq, game news
1. Re:Luckily it can be officially disabled... by Anonymous Coward · 2018-01-07 09:32 · Score: 1
  
  Unfortunately, none of my Ryzen motherboards have seen vendor BIOS updates since September, so not yet able to confirm this feature on any of my motherboards.
  So basically next to no one can do this.
2. Re:Luckily it can be officially disabled... by UperPoti · 2018-01-07 10:10 · Score: 2
  
  AGESA is proprietary again since 2014. Even if AGESA was open source, or AMD released the BKDG and someone paid the $$$ for a coreboot port, the simple fact is the signed PSP is still needed for the platform to boot. Therefore, libreboot can never happen, and you don't really have full control over the machine. And that's assuming this isn't just an option to limit the UEFI firmware from talking to the PSP during boot. Best case is that the PSP still runs during boot but is somehow shut off after the BIOS loads. Worst case: AMD is simply making the BIOS not talk to the still active and still dangerous PSP. Even in the best case scenario, the PSP is still active and still has control of your machine for at least a limited time window as AGESA has to bootstrap the ARM TrustZone. If it's disabled, it hopefully simply isn't booted. Or, perhaps, the CPU would prevent PSP from accessing memory, effectively disabling it (and all of ring 0 code, in fact). But, there would be no way to know that it was truly deactivated short of AMD releasing the source code showing that it does in fact shut down. If it shuts down then theoretically there should be no AMD / third party IP required, so AMD should be able to release stripped-down source code and binaries sans the third party IP. If they aren't willing to do that, don't just blindly take a nebulous BIOS option as evidence of security. Disabling could be fully accomplished by preventing address translation, though the end user has no such capability. With Ryzen, PSP is likely a client of the IMC directly, attached via the infinity fabric. A single flag should be able to disable that link - or, more exactly, prevent it from being initialized. This would be the easiest way to disable the PSP, but isn't necessarily how this BIOS option works. Disabling the link is an option. However, only AMD can do that and AMD is on record as stating the PSP is mandatory and that they will not support it being disabled or allow anyone else to disable it. Given ASRock's description, this particular [BIOS] option appears to disable the driver as a debug option intended to fix / work around boot problems related to the UEFI firmware's PSP driver, and has no bearing on the PSP core operation.
This one requires keyboard / BIOS access by raymorris · 2018-01-07 09:25 · Score: 1

Yes, installing an EK cert requires pre-boot access.
You don't know what a buffer overflow, TPM, or attestation certificate are, do you?
1. Re:This one requires keyboard / BIOS access by TheMiddleRoad · 2018-01-07 10:50 · Score: 0
  
  "The researcher claims that an attacker could use specially-crafted EK certificates to get remote code execution rights on the AMD Secure Processor, allowing him to compromise its security."
  Is the TPM protected from writing? If not, I assume the certificate can be modified/replaced via software. I know that motherboards I've owned over the years typically don't write-protect the BIOS by default. Not sure if that includes TPM. Dell certainly makes TPM firmware updates easy via Windows software.
  Either way, an agent could grab hardware mid-shipment, alter the EK cert, and then resume shipment. A very subtle hack.
Researchers... by Hall · 2018-01-07 09:32 · Score: 0, Troll

Researchers = Intel engineers ;-)
1. Re:Researchers... by Anonymous Coward · 2018-01-07 09:35 · Score: 0
  
  Probably since AMD fired so many of their drivers and kernel developers in the last few years. Most probably went to Intel.
we need to stop accepting these as accidents by Anonymous Coward · 2018-01-07 09:34 · Score: 2, Interesting

the fact that over, and over, and over, systems prove to have obscure vulnerabilities that allow an attacker to spy on everything the user is doing.... seems like it might be deliberate. i.e. the government gave up on the clipper chip, and cracking down on encryption.... why?
The era of "oh the government doesnt care" or "it would never spy" is gone. they do spy. they feel like its their job, their purpose in life, the necessity of a stable government, they believe they have a god given right to all of your information. Because 9/11. Because Hitler. Because China. Because because because.
Look at these situations. These are the leading US tech companies, all of which have huge relationships with many secret govt agencies, all have revolving doors between themselves and the congress and the bureaucracy that regulates and profits from these tools... for example Cray wouldnt exist without NSA secretly bailing them out. You dont need to be a conspiracy theorist, just read a few history books about the actual NSA and CIA by people who worked there. They dont even apologize because they dont think they did anything wrong.
Look at the Russian or Chinese or Turkish or UK or any other government and how they exploit Info tech to spy on people. Realize the US is not really that different. These are all deliberate backdoors built by governments to spy on their people. These are not security bugs. These are security features.
Maybe.
1. Re:we need to stop accepting these as accidents by Anonymous Coward · 2018-01-07 10:53 · Score: 0
  
  the necessity of a stable government
  And you know what ? They're right.
2. Re:we need to stop accepting these as accidents by Anonymous Coward · 2018-01-07 15:58 · Score: 0
  
  privacy is a human right, and the US is depriving us of that right. That's not right.
3. Re: we need to stop accepting these as accidents by Anonymous Coward · 2018-01-07 22:39 · Score: 0
  
  youll always be a slave
Not A Problem by StormReaver · 2018-01-07 09:46 · Score: 1

Anything that disables IME or PSP is a net positive for the world.
Javascript!!! by Tim12s · 2018-01-07 10:06 · Score: 0

The intel team must have worked long and hard to find some fud for that one.
SPECTRE can be exploited through javascript!
AsRock's shockingly badly designed web page. by Futurepower(R) · 2018-01-07 10:28 · Score: 1

"Given ASRock's description..."

AsRock mentions fixes for AsRock Intel processor motherboards in one of the most badly designed web pages I've seen: Intel Firmware vulnerability INTEL-SA-00086.
We need to stop accepting these as accidents. by Anonymous Coward · 2018-01-07 10:34 · Score: 0

"These are the leading US tech companies, all of which have huge relationships with many secret govt agencies, ..."
"These are all deliberate backdoors built by governments to spy on their people."
Backdoors in everything by Anonymous Coward · 2018-01-07 11:00 · Score: 0

Its just too lucrative for these companies too not put a backdoor in for sale to deep intel or bad state actors. Get used to it, nothing digital is safe.
Wow, "Anonymous"?!? Really?!?! by cpurdy · 2018-01-07 11:08 · Score: 1

"An anonymous reader writes" ... to tell us about an unrelated security bug in an AMD product. Funny how anonymous people seem to post so many stories of concern ....
Obligatory:Intel CPU Backdoor Report (Jan 1 2018) by Anonymous Coward · 2018-01-07 11:22 · Score: 1

Change log:
2018/01/01 - Added 14 Useful Links, Intel CPU CVE links (CVE-2017-5689 CVSS Score 10.0), how to disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode.
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP bit.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EEF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware
Disappointed with AMD over Meltdown and more by simpz · 2018-01-07 11:26 · Score: 1

Sadly AMD has completely failed to counter the Intel PR that Meltdown/Spectre affects all CPUs when in reality Intel is massively more impacted. The press it parroting Intel PR unchallenged.
AMD doesn't have an easy way to remove their inbuilt PSP when Intel has made lots of people worry about their ME. An obvious thing for AMD to offer.
And why oh why don't AMD support ECC memory on their desktop chips. I know why Intel don't as they want to sell Xeons but AMD has no real server market share. The silicon to do this is pretty minimal. I don't get it, an easy win over Intel.
1. Re:Disappointed with AMD over Meltdown and more by Anonymous Coward · 2018-01-07 12:06 · Score: 0
  
  Sadly AMD has completely failed to counter the Intel PR that Meltdown/Spectre affects all CPUs when in reality Intel is massively more impacted. The press it parroting Intel PR unchallenged.
  AMD doesn't have an easy way to remove their inbuilt PSP when Intel has made lots of people worry about their ME. An obvious thing for AMD to offer.
  And why oh why don't AMD support ECC memory on their desktop chips. I know why Intel don't as they want to sell Xeons but AMD has no real server market share. The silicon to do this is pretty minimal. I don't get it, an easy win over Intel.
  http://www.hardwarecanucks.com/forum/hardware-canucks-reviews/75030-ecc-memory-amds-ryzen-deep-dive.html
  AMD does not officially support ECC on the consumer Ryzen platform, but a user could turn it on with a supported motherboard
  AMD officially supported ECC on the FX line (Bulldozer/piledriver) CPUs (my old system I was a FX-8350 + 16GB ECC ram)
Obligatory:Intel CPU Backdoor Report (Jan 1 2018) by Anonymous Coward · 2018-01-07 11:58 · Score: 0

Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode, Intel CPU CVE links (CVE-2017-5689 CVSS Score 10.0)
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented mode (NSA High Assurance Platform mode)
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
CVE-2017-5705: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware
CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware
Donâ(TM)t assume anything is secure by Midnight+Thunder · 2018-01-07 12:08 · Score: 1

While it is worrying there are these security issues, I am not sure how worried we should be? We didnâ(TM)t have these security features in the past and this shouldnâ(TM)t be the only line of defense. It is good to have these security elements in place, but I wonder if too much focus is being put on a single security point?

--
Jumpstart the tartan drive.
1. Re:Donâ(TM)t assume anything is secure by Anonymous Coward · 2018-01-08 03:01 · Score: 0
  
  I am not sure how worried we should be?
  you need to turn off your computer right now and never turn it back on again until all the security bugs are fixed
  please! for your own sake!
Need to connect wires to microscopic TPM traces by raymorris · 2018-01-07 12:50 · Score: 2

> Is the TPM protected from writing? If not, I assume the certificate can be modified/replaced via software.
No, you cannot write directly to TPM nvram from the OS. The spec says the endorsement key is supposed to be permanently burned in at the factory, but some manufacturers instead support CreateEndorsementKeyPair, which asks the TPM to create a key for itself, if it doesn't already have one. If it already has a key, as it should, CreateEndorsementKeyPair does nothing but return an error code.
To put your own malicious endorsement key in the TPM, you'd need to directly access its NVRAM. The most direct way to do that would be to pull out your scanning electron microscope and connect to the nvram traces on the chip. If some *other* vulnerability allowed full write access to TPM NVRAM, that would be a game changer.
1. Re:Need to connect wires to microscopic TPM traces by TheMiddleRoad · 2018-01-07 13:35 · Score: 0
  
  AMD still feels the need to patch this.
Thank God! by Anonymous Coward · 2018-01-07 14:23 · Score: 0

But why not let anyone disable it including the 99% of the planet not running UEFI?
Enterprises which want to peer into the butt cracks and behind the eyeballs of their employees need ME. No one else does.
At least AMD agree people should be allowed to disable it. Intel's arrogance on their ME has been amazing. What a company of cunts. My next PC won't be Intel.
1. Re:Thank God! by Anonymous Coward · 2018-01-07 15:38 · Score: 0
  
  BIOS no longer exists and is emulated in UEFI so no issue there
cc Easterggs? by harvey+the+nerd · 2018-01-07 20:27 · Score: 1

I'm waiting to hear if there is a copyright mark or NSA Easter eggs in the silicon...
Re: Need to connect wires to microscopic TPM trace by Anonymous Coward · 2018-01-08 08:46 · Score: 0

Admittedly I did not read tfa, but where does it say that amd feels they need to patch this? if they do feel they have to patch it, it's probably a cautionary measure to address a non-issue blown out of proportion by people on /.
It bothers me that the CAN by raymorris · 2018-01-08 16:13 · Score: 1

Or are least they figured they may as well patch it. Easy patch.
What bothers me the more than the overflow in parsing a malicious EK cert is that they CAN patch it, that a BIOS / UEFI update touches this code. Presumably if a BIOS update can fix it, a malicious bios update can *create* at least a similar problem, and probably a significantly worse variation. Of course we already knew a malicious BIOS would be bad, but I wouldn't expect it to touch that code.
1. Re:It bothers me that the CAN by TheMiddleRoad · 2018-01-08 17:55 · Score: 1
  
  Wait, what? Of course the PSP is updatable, even in this way. To do otherwise would be terrible security. Once a flaw is found, there'd be no fixing it at all. Hence Intel has had updatable microcode since the P6. It beats a recall.