Slashdot Mirror

← Back to Stories (view on slashdot.org)

After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip (bleepingcomputer.com)

Posted by EditorDavid on from the in-the-chips dept.

An anonymous reader writes: AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor. This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME). Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

The security bug is a buffer overflow that allows code execution inside the AMD SPS TPM, the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores. Intel fixed a similar flaw last year in the Intel ME.

4 of 76 comments (clear)

  1. hmmm.... by Tsolias · · Score: 2, Interesting

    the real AMD64 x86 CPU cores"

    softpedia yesterday was telling us about AMD Radeon Processors
    now we get real AMD64 x86 CPU cores
    you know that intel doesn't have money to buy at least an educated shill, when they shop from junior CS classes... and I even doubt that, I believe that they just hire SJWs for everything nowadays.

    0.02 shekels have been deposited to your account

  2. Re:iRONY by DontBeAMoran · · Score: 3, Interesting

    It seems that particular AMD bug can by disabled/bypassed by a BIOS/UEFI update, so the suggestion is still valid.

    --
    #DeleteFacebook
  3. we need to stop accepting these as accidents by Anonymous Coward · · Score: 2, Interesting

    the fact that over, and over, and over, systems prove to have obscure vulnerabilities that allow an attacker to spy on everything the user is doing.... seems like it might be deliberate. i.e. the government gave up on the clipper chip, and cracking down on encryption.... why?

    The era of "oh the government doesnt care" or "it would never spy" is gone. they do spy. they feel like its their job, their purpose in life, the necessity of a stable government, they believe they have a god given right to all of your information. Because 9/11. Because Hitler. Because China. Because because because.

    Look at these situations. These are the leading US tech companies, all of which have huge relationships with many secret govt agencies, all have revolving doors between themselves and the congress and the bureaucracy that regulates and profits from these tools... for example Cray wouldnt exist without NSA secretly bailing them out. You dont need to be a conspiracy theorist, just read a few history books about the actual NSA and CIA by people who worked there. They dont even apologize because they dont think they did anything wrong.

    Look at the Russian or Chinese or Turkish or UK or any other government and how they exploit Info tech to spy on people. Realize the US is not really that different. These are all deliberate backdoors built by governments to spy on their people. These are not security bugs. These are security features.

    Maybe.

  4. Re:Not the same? Not an actual backdoor? by BlueCoder · · Score: 3, Interesting

    No it isn't the same. Until you show me that it can be used through a network attack. While it is a security bug it's relevant to a TPM boot chain.

    Who is using TPM? I've considered getting one at home just to play around with it.
    To me TPM has been in perpetual development because of bugs. And honestly until there are BIOS setting which enable ME to manage all of it's keys then I will never trust it.