author: Francis Rowe <info@gluglug.org.uk> 2016-01-12 22:26:04 (EST)
committer: Francis Rowe <info@gluglug.org.uk> 2016-01-12 22:26:20 (EST)
commit: 8f69c663b94a882f16e57e76a9584a5423ad8918
tree: 3b93390a53fda934e271670c9632c1dc89854e3f /site/faq
parent: 74a8197cd9c1787c5f24309f137ede8e7f4fa237
FAQ AMD. FAQ THEM
Diffstat (limited to 'site/faq')
-rw-r--r-- site/faq/index.php | 131
1 files changed, 118 insertions, 13 deletions
diff --git a/site/faq/index.php b/site/faq/index.php
index c70e898..20809d8 100644
--- a/site/faq/index.php
+++ b/site/faq/index.php
@@ -1,7 +1,7 @@
<?php
/*
Frequently asked questions
- Copyright (C) 2015 Francis Rowe <info@gluglug.org.uk>
+ Copyright (C) 2015, 2016 Francis Rowe <info@gluglug.org.uk>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
@@ -54,13 +54,23 @@
<li><a href="#intelbastards">Intel is uncooperative</a></li>
</ul>
</li>
+ <li>
+ <a href="#amd">Why is the latest AMD hardware unsupported in libreboot?</a>
+ <li>
+ <li><a href="#amdpsp">AMD Platform Security Processor (PSP)</a></li>
+ <li><a href="#amdimc">AMD IMC firmware</a></li>
+ <li><a href="#amdsmu">AMD SMU firmware</a></li>
+ <li><a href="#amdagesa">AMD AGESA firmware</a></li>
+ <li><a href="#amdmicrocode">AMD CPU microcode updates</a></li>
+ <li><a href="#amdbastards">AMD is incompetent (and uncooperative)</a></li>
+ </li>
+ </li>
<li><a href="#librem">Will the Purism Librem laptops be supported?</a></li>
<li><a href="#t400t500ati">Will libreboot work on a ThinkPad T400 or T500 with an ATI GPU?</a></li>
<li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li>
<li><a href="#desktops">Will desktop/server hardware be supported?</a></li>
<li><a href="#randomhardware">Hi, I have &lt;insert random system here&gt;, is it supported?</a></li>
<li><a href="#arm">What about ARM?</a></li>
- <li><a href="#amd">What about AMD?</a></li>
</ul>
<h2>General questions</h2>
<ul class="c">
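Review bot: the nested list under the new `#amd` entry is malformed: the line after `<a href="#amd">Why is the latest AMD hardware unsupported in libreboot?</a>` opens a second `<li>` where a `<ul>` is needed, and the block is then closed with two `</li>` instead of `</ul></li>`. The Intel entry just above this hunk uses `<ul>...</ul></li>` for its sub-items; mirror that so the six `#amd*` links render as a sub-list and the markup stays well-formed.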
@@ -359,6 +369,112 @@
<a href="#pagetop">Back to top of page</a>
</p>
+ <h2 id="amd">Why is the latest AMD hardware unsupported in libreboot? <span class="r"><a href="#amd">#amd</a></span></h2>
+ <p>
+ It is extremely unlikely that any post-2013 AMD hardware will ever be supported in libreboot, due to
+ severe security and freedom issues; so severe, that <em>the libreboot project recommends avoiding all modern AMD hardware.
+ If you have an AMD based system affected by the problems described below, then you should get rid of it as soon as possible</em>. The main issues are as follows:
+ </p>
+ <h3 id="amdpsp">AMD Platform Security Processor (PSP) <span class="r"><a href="#amd">#amdpsp</a></span></h3>
+ <p>
+ This is basically AMD's own version of the <a href="#intelme">Intel Management Engine</a>. It has
+ all of the same basic security and freedom issues, although the implementation is wildly different.
+ </p>
+ <p>
+ The Platform Security Processor (PSP) is built in on all Family 16h +
+ systems (basically anything post-2013), and controls the main x86 core startup. PSP firmware is
+ cryptographically signed with a strong key similar to the Intel ME. If
+ the PSP firmware is not present, or if the AMD signing key is not
+ present, the x86 cores will not be released from reset, rendering the
+ system inoperable.
+ </p>
+ <p>
+ The PSP is an ARM core with TrustZone technology, built onto the main
+ CPU die. As such, it has the ability to hide its own program code,
+ scratch RAM, and any data it may have taken and stored from the
+ lesser-privileged x86 system RAM (kernel encryption keys, login data,
+ browsing history, keystrokes, who knows!). To make matters worse, the
+ PSP theoretically has access to the entire system memory space (AMD
+ either will not or cannot deny this, and it would seem to be required to
+ allow the DRM "features" to work as intended), which means that it has
+ at minimum MMIO-based access to the network controllers and any other
+ PCI/PCIe peripherals installed on the system.
+ </p>
+ <p>
+ In theory any malicious entity with access to the AMD signing key would
+ be able to install persistent malware that could not be eradicated
+ without an external flasher and a known good PSP image. Furthermore,
+ multiple security vulnerabilities have been demonstrated in AMD firmware
+ in the past, and there is every reason to assume one or more zero day
+ vulnerabilities are lurking in the PSP firmware. Given the extreme
+ privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities
+ would have the ability to remotely monitor and control any PSP enabled
+ machine. completely outside of the user's knowledge.
+ </p>
+ <h3 id="amdimc">AMD IMC firmware <span class="r"><a href="#amd">#amdimc</a></span></h3>
+ <p>
+ Read <a href="https://www.coreboot.org/AMD_IMC">https://www.coreboot.org/AMD_IMC</a>.
+ </p>
+ <h3 id="amdsmu">AMD SMU firmware <span class="r"><a href="#amd">#amdsmu</a></span></h3>
+ <p>
+ Read <a href="https://www.coreboot.org/AMD_IMC">https://www.coreboot.org/AMD_IMC</a>.
+ </p>
+ <p>
+ Handles some power management for PCIe devices (without this, your laptop
+ will not work properly) and several other power management related features.
+ </p>
+ <p>
+ The firmware is signed, although on older AMD hardware it is a symmetric key, which means
+ that with access to the key (if leaked) you could sign your own modified version and run it.
+ Rudolf Marek (coreboot hacker) found out how to extract this key <a href=https://media.ccc.de/v/31c3_-_6103_-_en_-_saal_2_-_201412272145_-_amd_x86_smu_firmware_analysis_-_rudolf_marek">in this video demonstration</a>, and
+ based on this work, Damien Zammit (another coreboot hacker) <a href="https://github.com/zamaudio/smutool/">partially replaced it</a> with
+ free firmware, but on the relevant system (ASUS F2A85-M) there were still other blobs present (Video BIOS, and others) preventing
+ the hardware from being supported in libreboot.
+ </p>
+ <h3 id="amdagesa">AMD AGESA firmware <span class="r"><a href="#amd">#amdagesa</a></span></h3>
+ <p>
+ This is responsible for virtually all core hardware initialization on modern AMD systems. In 2011,
+ AMD started cooperating with the coreboot project, releasing this as source code under a
+ free license. In 2014, they stopped releasing source code and started releasing AGESA
+ as binary blobs instead. This makes AGESA now equivalent to <a href="#intelfsp">Intel FSP</a>.
+ </p>
+ <h3 id="amdmicrocode">AMD CPU microcode updates <span class="r"><a href="#amd">#amdmicrocode</a></span></h3>
+ <p>
+ Read the Intel section <a href="#microcode">#microcode</a>. AMD's updates are practically the same, though
+ it was found with much later hardware in AMD that you could run without microcode updates. It's unknown
+ whether the updates are needed on all AMD boards (depends on CPU).
+ </p>
+ <h3 id="amdbastards">AMD is incompetent (and uncooperative) <span class="r"><a href="#amd">#amdbastards</a></span></h3>
+ <p>
+ AMD seemed like it was on the right track in 2011 when it started cooperating with
+ and releasing source code for several critical components to the coreboot project.
+ It was not to be. For so-called economic reasons, they decided that it was not
+ worth the time to invest in the coreboot project anymore.
+ </p>
+ <p>
+ For a company to go from being so good, to so bad, in just 3 years, shows
+ that something is seriously wrong with AMD. Like Intel, they do not deserve your
+ money.
+ </p>
+ <p>
+ Given the current state of Intel hardware with the Management Engine, it
+ is our opinion that all performant x86 hardware newer
+ than the AMD Family 15h CPUs (on AMD's side) on anything post-2009 on Intel's
+ side is defective by design and cannot safely be
+ used to store, transmit, or process sensitive data. "Sensitive data" is
+ any data in which a data breach would cause significant economic harm to
+ the entity which created or was responsible for storing said data, so
+ this would include banks, credit card companies, or retailers (customer
+ account records), in addition to the "usual" engineering and software
+ development firms.
+ </p>
+ <p>
+
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
<h2 id="librem">Will the Purism Librem laptops be supported? <span class="r"><a href="#librem">#librem</a></span></h2>
<p>
Probably not. There are several privacy, security and freedom issues with these laptops, due to the Intel chipsets
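Review bot: the SMU paragraph's link `<a href=https://media.ccc.de/v/31c3_-_6103_-_en_-_saal_2_-_201412272145_-_amd_x86_smu_firmware_analysis_-_rudolf_marek">` is missing the opening quote on `href`, which will break the anchor (and likely the rest of the paragraph) when rendered. Also in this hunk: the permalink span on every new `<h3>` points at `href="#amd"` while its text says `#amdpsp`, `#amdimc`, `#amdsmu`, `#amdagesa`, `#amdmicrocode` or `#amdbastards`, so each should link to its own `id` the way the `<h2>` permalinks do; the SMU section repeats the `https://www.coreboot.org/AMD_IMC` link from the IMC section rather than an SMU-specific reference; "machine. completely outside of the user's knowledge." has a stray period; "on anything post-2009 on Intel's side" reads as if it should be "or anything post-2009"; and the empty `<p>` before the "Back to top of page" link should be dropped.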
@@ -464,17 +580,6 @@
<p>
<a href="#pagetop">Back to top of page</a>
</p>
- <h2 id="amd">What about AMD? <span class="r"><a href="#amd">#amd</a></span></h2>
- <p>
- Libreboot has support for some AMD platforms, with more on the horizon.
- See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
- </p>
- <p>
- More AMD-related information will be added to this page at a later date.
- </p>
- <p>
- <a href="#pagetop">Back to top of page</a>
- </p>
</div>
<div>
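Review bot: removing the old `#amd` section also drops the only pointer to `../docs/hcl/index.html` for the AMD boards libreboot does support, while the replacement section earlier in this patch only says hardware up to Family 15h is acceptable without saying which boards those are. Consider keeping a one-line link to the HCL in the new `#amd` section so FAQ readers can still find the supported AMD platforms.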