diff options
author | Francis Rowe <info@gluglug.org.uk> | 2016-01-12 22:26:04 (EST) |
---|---|---|
committer | Francis Rowe <info@gluglug.org.uk> | 2016-01-12 22:26:20 (EST) |
commit | 8f69c663b94a882f16e57e76a9584a5423ad8918 (patch) | |
tree | 3b93390a53fda934e271670c9632c1dc89854e3f /site/faq/index.php | |
parent | 74a8197cd9c1787c5f24309f137ede8e7f4fa237 (diff) | |
download | libreboot.org-8f69c663b94a882f16e57e76a9584a5423ad8918.zip libreboot.org-8f69c663b94a882f16e57e76a9584a5423ad8918.tar.gz libreboot.org-8f69c663b94a882f16e57e76a9584a5423ad8918.tar.bz2 |
FAQ AMD. FAQ THEM
Diffstat (limited to 'site/faq/index.php')
-rw-r--r-- | site/faq/index.php | 131 |
1 files changed, 118 insertions, 13 deletions
diff --git a/site/faq/index.php b/site/faq/index.php index c70e898..20809d8 100644 --- a/site/faq/index.php +++ b/site/faq/index.php @@ -1,7 +1,7 @@ <?php /* Frequently asked questions - Copyright (C) 2015 Francis Rowe <info@gluglug.org.uk> + Copyright (C) 2015, 2016 Francis Rowe <info@gluglug.org.uk> This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as @@ -54,13 +54,23 @@ <li><a href="#intelbastards">Intel is uncooperative</a></li> </ul> </li> + <li> + <a href="#amd">Why is the latest AMD hardware unsupported in libreboot?</a> + <li> + <li><a href="#amdpsp">AMD Platform Security Processor (PSP)</a></li> + <li><a href="#amdimc">AMD IMC firmware</a></li> + <li><a href="#amdsmu">AMD SMU firmware</a></li> + <li><a href="#amdagesa">AMD AGESA firmware</a></li> + <li><a href="#amdmicrocode">AMD CPU microcode updates</a></li> + <li><a href="#amdbastards">AMD is incompetent (and uncooperative)</a></li> + </li> + </li> <li><a href="#librem">Will the Purism Librem laptops be supported?</a></li> <li><a href="#t400t500ati">Will libreboot work on a ThinkPad T400 or T500 with an ATI GPU?</a></li> <li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li> <li><a href="#desktops">Will desktop/server hardware be supported?</a></li> <li><a href="#randomhardware">Hi, I have <insert random system here>, is it supported?</a></li> <li><a href="#arm">What about ARM?</a></li> - <li><a href="#amd">What about AMD?</a></li> </ul> <h2>General questions</h2> <ul class="c"> @@ -359,6 +369,112 @@ <a href="#pagetop">Back to top of page</a> </p> + <h2 id="amd">Why is the latest AMD hardware unsupported in libreboot? <span class="r"><a href="#amd">#amd</a></span></h2> + <p> + It is extremely unlikely that any post-2013 AMD hardware will ever be supported in libreboot, due to + severe security and freedom issues; so severe, that <em>the libreboot project recommends avoiding all modern AMD hardware. + If you have an AMD based system affected by the problems described below, then you should get rid of it as soon as possible</em>. The main issues are as follows: + </p> + <h3 id="amdpsp">AMD Platform Security Processor (PSP) <span class="r"><a href="#amd">#amdpsp</a></span></h3> + <p> + This is basically AMD's own version of the <a href="#intelme">Intel Management Engine</a>. It has + all of the same basic security and freedom issues, although the implementation is wildly different. + </p> + <p> + The Platform Security Processor (PSP) is built in on all Family 16h + + systems (basically anything post-2013), and controls the main x86 core startup. PSP firmware is + cryptographically signed with a strong key similar to the Intel ME. If + the PSP firmware is not present, or if the AMD signing key is not + present, the x86 cores will not be released from reset, rendering the + system inoperable. + </p> + <p> + The PSP is an ARM core with TrustZone technology, built onto the main + CPU die. As such, it has the ability to hide its own program code, + scratch RAM, and any data it may have taken and stored from the + lesser-privileged x86 system RAM (kernel encryption keys, login data, + browsing history, keystrokes, who knows!). To make matters worse, the + PSP theoretically has access to the entire system memory space (AMD + either will not or cannot deny this, and it would seem to be required to + allow the DRM "features" to work as intended), which means that it has + at minimum MMIO-based access to the network controllers and any other + PCI/PCIe peripherals installed on the system. + </p> + <p> + In theory any malicious entity with access to the AMD signing key would + be able to install persistent malware that could not be eradicated + without an external flasher and a known good PSP image. Furthermore, + multiple security vulnerabilities have been demonstrated in AMD firmware + in the past, and there is every reason to assume one or more zero day + vulnerabilities are lurking in the PSP firmware. Given the extreme + privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities + would have the ability to remotely monitor and control any PSP enabled + machine. completely outside of the user's knowledge. + </p> + <h3 id="amdimc">AMD IMC firmware <span class="r"><a href="#amd">#amdimc</a></span></h3> + <p> + Read <a href="https://www.coreboot.org/AMD_IMC">https://www.coreboot.org/AMD_IMC</a>. + </p> + <h3 id="amdsmu">AMD SMU firmware <span class="r"><a href="#amd">#amdsmu</a></span></h3> + <p> + Read <a href="https://www.coreboot.org/AMD_IMC">https://www.coreboot.org/AMD_IMC</a>. + </p> + <p> + Handles some power management for PCIe devices (without this, your laptop + will not work properly) and several other power management related features. + </p> + <p> + The firmware is signed, although on older AMD hardware it is a symmetric key, which means + that with access to the key (if leaked) you could sign your own modified version and run it. + Rudolf Marek (coreboot hacker) found out how to extract this key <a href=https://media.ccc.de/v/31c3_-_6103_-_en_-_saal_2_-_201412272145_-_amd_x86_smu_firmware_analysis_-_rudolf_marek">in this video demonstration</a>, and + based on this work, Damien Zammit (another coreboot hacker) <a href="https://github.com/zamaudio/smutool/">partially replaced it</a> with + free firmware, but on the relevant system (ASUS F2A85-M) there were still other blobs present (Video BIOS, and others) preventing + the hardware from being supported in libreboot. + </p> + <h3 id="amdagesa">AMD AGESA firmware <span class="r"><a href="#amd">#amdagesa</a></span></h3> + <p> + This is responsible for virtually all core hardware initialization on modern AMD systems. In 2011, + AMD started cooperating with the coreboot project, releasing this as source code under a + free license. In 2014, they stopped releasing source code and started releasing AGESA + as binary blobs instead. This makes AGESA now equivalent to <a href="#intelfsp">Intel FSP</a>. + </p> + <h3 id="amdmicrocode">AMD CPU microcode updates <span class="r"><a href="#amd">#amdmicrocode</a></span></h3> + <p> + Read the Intel section <a href="#microcode">#microcode</a>. AMD's updates are practically the same, though + it was found with much later hardware in AMD that you could run without microcode updates. It's unknown + whether the updates are needed on all AMD boards (depends on CPU). + </p> + <h3 id="amdbastards">AMD is incompetent (and uncooperative) <span class="r"><a href="#amd">#amdbastards</a></span></h3> + <p> + AMD seemed like it was on the right track in 2011 when it started cooperating with + and releasing source code for several critical components to the coreboot project. + It was not to be. For so-called economic reasons, they decided that it was not + worth the time to invest in the coreboot project anymore. + </p> + <p> + For a company to go from being so good, to so bad, in just 3 years, shows + that something is seriously wrong with AMD. Like Intel, they do not deserve your + money. + </p> + <p> + Given the current state of Intel hardware with the Management Engine, it + is our opinion that all performant x86 hardware newer + than the AMD Family 15h CPUs (on AMD's side) on anything post-2009 on Intel's + side is defective by design and cannot safely be + used to store, transmit, or process sensitive data. "Sensitive data" is + any data in which a data breach would cause significant economic harm to + the entity which created or was responsible for storing said data, so + this would include banks, credit card companies, or retailers (customer + account records), in addition to the "usual" engineering and software + development firms. + </p> + <p> + + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + <h2 id="librem">Will the Purism Librem laptops be supported? <span class="r"><a href="#librem">#librem</a></span></h2> <p> Probably not. There are several privacy, security and freedom issues with these laptops, due to the Intel chipsets @@ -464,17 +580,6 @@ <p> <a href="#pagetop">Back to top of page</a> </p> - <h2 id="amd">What about AMD? <span class="r"><a href="#amd">#amd</a></span></h2> - <p> - Libreboot has support for some AMD platforms, with more on the horizon. - See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>. - </p> - <p> - More AMD-related information will be added to this page at a later date. - </p> - <p> - <a href="#pagetop">Back to top of page</a> - </p> </div> <div> |