Slashdot Mirror


After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip (bleepingcomputer.com)

An anonymous reader writes: AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor. This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME). Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

The security bug is a buffer overflow that allows code execution inside the AMD SPS TPM, the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores. Intel fixed a similar flaw last year in the Intel ME.

3 of 76 comments

  1. Not the same? Not an actual backdoor? by Futurepower(R) · Score: 5, Informative

    Quote from a complaining comment about the Bleeping Computer story: "Garbage FUD probably hired by Intel, and it wouldn't be surprising. In order to exploit AMD's TPM (which is an easy BIOS fix) the hacker needs physical access to the motherboard... at that point the hacker may as well have armed forces hijack the data center."

    1. Re:Not the same? Not an actual backdoor? by Anonymous Coward · Score: 4, Informative

      This AMD PSP vuln requires prerequisite physical access.

  2. Luckily it can be officially disabled... by HalAtWork · Score: 4, Informative

    ...at least when mainboard makers support the option in UEFI.

    https://www.phoronix.com/scan....