AMD Secure Technology PSP Firmware Now Explorable, Thanks to Researcher's Tool

Credit: Andreas Merchel/ShutterstockCredit: Andreas Merchel/Shutterstock

A security researcher this week released the PSPtool, a software tool that “aims to lower the entry barrier for looking into the code running" on the AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, and other AMD subsystems. The PSP serves similar functions to those of Intel’s Management Engine (ME) processor. However, just like the Intel ME, the secretive and undocumented nature of the chip worries security and privacy advocates.

PSPTool for AMD Computers

The researcher going by the online name of cwerling described the PSPTool as a “Swiss Army knife” for dealing with the AMD PSP’s firmware. The tool is based on reverse-engineering efforts of AMD’s proprietary file system that the company uses to pack firmware blobs into UEFI firmware images.

Usually, all firmware blobs can be parsed by another software program called the UEFITool. However, in this case AMD’s firmware files are located in padding volumes that can’t be parsed by the UEFITool. This is the reason for the PSPTool, which can locate the PSP firmware within UEFI images and parse it. Through this tool, more researchers can look into what their local PSP chip is doing to their computers, as its actions are normally hidden from the operating system or the main processor.

What Is the Purpose of a PSP?

AMD Secure Technology is a trusted execution environment that has been integrated into AMD’s processors since 2013. It uses an Arm processor, as well as Arm’s TrustZone software solution, which separates some security-sensitive operations from the main processor and operating system.

There are some clear security benefits to this security technology, including being able to store biometric information or encryption private keys in that secure domain. However, perhaps an even more important role from AMD’s perspective was the enabling of Digital Rights Management (DRM). If DRM solutions are implemented in this separated subsystem, it's more difficult for users to disable them.

Others also believe that the PSP could enable NSA backdoors. The suspicion may not be completely without merit, as Intel’s similar technology, the Management Engine was found to have an undocumented mode that was specifically developed for the NSA. As these subsystems are kept mostly undocumented and their operations secret from the user, we may still not know the full extent of these chip’s operations.

The good news is that security researchers are starting to investigate much more thoroughly everything that goes inside modern chips and their firmware. This is how we learned about Meltdown, Spectre, Foreshadow and the latest MDS flaws, too.

Previous Intel ME and AMD PSP vulnerabilities were also discovered by such researchers, and similar discoveries are likely to come in the future. If Intel or AMD had ever built any tools or left any security holes that could allow intelligence agencies to hack into any computer they want, now may be a good time to remove or close them. Because we’re likely not going back to a world of obscurity in regards to how microprocessors work and what they do to our PCs in the background.

3 comments
    Your comment
  • bit_user
    Quote:
    we’re likely not going back to a world of obscurity in regards to how microprocessors work and what they do to our PCs in the background.

    Only by virtue of customers demanding it.

    There's really nothing preventing AMD (or anyone else) from using hardware encryption to encrypt the image and have the PSP decrypt it on-the-fly. All that happened here is that AMD just didn't do a very good job of hiding it.

    Of course, there's a risk that someone (probably government-backed) with an electron microscope and a bit of patience could somehow extract the hardware encryption key. So, we really come back to the point that the real problem with obscurity by security is that there's no such thing as complete obscurity.
  • JamesSneed
    Quote:
    Only by virtue of customers demanding it. There's really nothing preventing AMD (or anyone else) from using hardware encryption to encrypt the image and have the PSP decrypt it on-the-fly. All that happened here is that AMD just didn't do a very good job of hiding it. Of course, there's a risk that someone (probably government-backed) with an electron microscope and a bit of patience could somehow extract the hardware encryption key. So, we really come back to the point that the real problem with obscurity by security is that there's no such thing as complete obscurity.



    Agree all obscurity does is allow for those with a lot of resources to figure a way around the security and they certainly are not inclined to share this with the vendor. However both Intel and AMD will not release the code for the PSP / IME which is sad. They should release the code because a secure system must be secure even if every detail is known by untrusted individuals or organizations.
  • bit_user
    Quote:
    However both Intel and AMD will not release the code for the PSP / IME which is sad. They should release the code because a secure system must be secure even if every detail is known by untrusted individuals or organizations.

    Well, it looks like the cat is out of the bag. The article implies that researchers (and hackers) now have access to the PSP machine code, on AMD's current gen processors.

    I wonder to what extent AMD is actually prevented from sharing it, given that it's based on ARM's TrustZone (IIRC). So, unless they re-implement the firmware from scratch, they might not have the option to share it.