So to all of those saying this is no big deal because it needs admin access...how's your supply chain? Do you buy straight from the mainboard manufacturer and guard the systems in transit? Or do you just trust that everyone that might have had local admin access BEFORE you got the system didn't put anything interesting in your firmware?
Basically, this turns a simple zero day (standard recovery: nuke from orbit, reload new OS) into a "buy new hardware" event *. Not good. And this doesn't even go into how it breaks AMD's vaunted secure VM isolation, basically meaning shady (or legally forced) cloud providers can hack you without you even knowing, despite AMD saying their technology would prevent this.
Remember, this was the exact scenario the PSP was supposed to prevent, but it used a permanently flawed central signing scheme, meaning that even if you wanted to rip out / replace any possibly compromised code, you can't, because the code containing the vulnerabilities is AMD signed and that signature is checked by the hardware. Dumb, dumb design. Intel's no better here with their ME, BTW, and in fact only small ARM chips really don't have this stupid centralized "security" design that keeps getting broken. 🙁
* Yes, technically IF you can get a known good complete ROM image (not just the UEFI update, but a full "golden" ROM for that specific board and CPU), and IF your mainboard allows the Flash to be externally programmed without power applied to the mainboard itself, or IF you can solder / desolder the Flash chip, you can eliminate the threat. That's a lot of ifs though, and in a normal organization there is no way management is going to say "have at our production servers with a soldering iron".
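The "golden ROM" recovery the footnote describes only helps if you can actually tell whether the flash chip on a given board still matches that known-good image. The following is an added example, not code from the commenter or from AMD: it takes two full SPI flash dumps of the same size (a vendor golden image and an image read back from the board with an external programmer, both assumed to be plain byte-for-byte dumps), hashes both, and reports every byte range where they differ, merging nearby differences so one patched block shows up as a single region. The flash contents here are constructed sample data, and the 4 KiB size is an assumption chosen to keep the example small; a real image would be a few megabytes but the logic is identical.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "golden" image: 4 KiB of a repeating byte pattern.
# A real golden image would be the full ROM dump for the exact board/CPU.
GOLDEN: bytes = bytes(range(256)) * 16

# Constructed "dumped" image: same as golden, except a 16-byte block at
# 0x100 and a single byte at 0x800 have been altered (simulating tampering).
_dumped = bytearray(GOLDEN)
_dumped[0x100:0x110] = b"\xff" * 16
_dumped[0x800] = 0xAA
DUMPED: bytes = bytes(_dumped)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image, for logging/attestation records."""
    return hashlib.sha256(data).hexdigest()


def find_diff_regions(golden: bytes, dumped: bytes,
                      merge_gap: int = 16) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where dumped != golden.

    Differences separated by at most merge_gap identical bytes are merged
    into one region, so a modified block is reported once rather than as
    dozens of one-byte hits.
    """
    if len(golden) != len(dumped):
        raise ValueError(
            f"size mismatch: golden={len(golden)} dumped={len(dumped)}; "
            "compare only full dumps of the same part")
    regions: List[Tuple[int, int]] = []
    start = end = None
    for i in range(len(golden)):
        if golden[i] == dumped[i]:
            continue
        if start is None:
            start, end = i, i + 1
        elif i - end <= merge_gap:
            end = i + 1            # close enough: extend the current region
        else:
            regions.append((start, end))
            start, end = i, i + 1
    if start is not None:
        regions.append((start, end))
    return regions


def verify_flash_image(golden: bytes, dumped: bytes) -> Dict[str, object]:
    """Compare a board dump against the golden image and build a report."""
    regions = find_diff_regions(golden, dumped)
    return {
        "golden_sha256": sha256_hex(golden),
        "dumped_sha256": sha256_hex(dumped),
        "match": not regions,
        "regions": regions,
        "modified_bytes": sum(e - s for s, e in regions),
    }


if __name__ == "__main__":
    report = verify_flash_image(GOLDEN, DUMPED)
    print("match:", report["match"])
    for s, e in report["regions"]:
        print(f"  modified: 0x{s:06x}-0x{e:06x} ({e - s} bytes)")
```

The size check matters: an image read back from a different chip size, or a UEFI capsule rather than a full ROM dump, will never line up with the golden image, and a silent offset shift would make every byte look modified. A report with `match` false points at which ranges to inspect against the board's flash layout; a matching report is only as trustworthy as the provenance of the golden image and the fact that the dump was taken with the board unpowered, as the footnote notes.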