User:JM01085758/psp

Platform Security Processor

The AMD Platform Security Processor (PSP) is a 32-bit embedded ARM core running proprietary firmware which forms the basis of the hardware root of trust for AMD processors since 2013.

Since 2017, AGESA updates have made it possible to disable the PSP,^[1] but implementation of this is dependent on motherboard vendors.

A talk (All you ever wanted to know about the AMD Platform Security Processor and were afraid to emulate...) was given at Black Hat 2020 about emulating the PSP:

• Video
• Slides

It gives an overview of its role in the boot process, address spaces, and various approaches to emulation that were tried. Their code is available at the PSPReverse repository.

Vulnerabilities

fTPM remote code execution

In 2018, a stack-based overflow was discovered that could allow remote code execution using a specially-crafted endorsement key. According to the disclosure at the time, "As far as we know, general exploit mitigation technologies (stack cookies, NX stack, ASLR) are not implemented in the PSP environment."^[2]

Voltage glitching attack

Since 2021, a voltage glitching attack^[3][4] against Secure Encrypted Virtualization on Zen 3 and earlier processors enables execution of custom payloads and derivation of valid endorsement keys for any firmware version. This can be used to unlock otherwise paywalled features on Tesla vehicles.^[5] While the initial hardware attack requires physical access, key extraction can later be done remotely.^[6]

See also

• AMD microcode — describes updating the microcode for AMD processors.

External resources

• AMD Platform Security Processor (Wikipedia)
• AMD Platform Security Processor (PSP) Firmware Integration Guide (coreboot)
• Secure Processor (AMD-SP) - AMD (WikiChip)
• AMD processors without AMD PSP / Secure Technology

References