FAQ AMD. FAQ THEM

1 files changed, 118 insertions, 13 deletions

diff --git a/site/faq/index.php b/site/faq/index.php
index c70e898..20809d8 100644
--- a/site/faq/index.php
+++ b/site/faq/index.php
@@ -1,7 +1,7 @@
 <?php
 /*
     Frequently asked questions
-    Copyright (C) 2015  Francis Rowe <info@gluglug.org.uk>
+    Copyright (C) 2015, 2016  Francis Rowe <info@gluglug.org.uk>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU Affero General Public License as
@@ -54,13 +54,23 @@
 							<li><a href="#intelbastards">Intel is uncooperative</a></li>
 						</ul>
 					</li>
+					<li>
+						<a href="#amd">Why is the latest AMD hardware unsupported in libreboot?</a>
+						<li>
+							<li><a href="#amdpsp">AMD Platform Security Processor (PSP)</a></li>
+							<li><a href="#amdimc">AMD IMC firmware</a></li>
+							<li><a href="#amdsmu">AMD SMU firmware</a></li>
+							<li><a href="#amdagesa">AMD AGESA firmware</a></li>
+							<li><a href="#amdmicrocode">AMD CPU microcode updates</a></li>
+							<li><a href="#amdbastards">AMD is incompetent (and uncooperative)</a></li>
+						</li>
+					</li>
 					<li><a href="#librem">Will the Purism Librem laptops be supported?</a></li>
 					<li><a href="#t400t500ati">Will libreboot work on a ThinkPad T400 or T500 with an ATI GPU?</a></li>
 					<li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li>
 					<li><a href="#desktops">Will desktop/server hardware be supported?</a></li>
 					<li><a href="#randomhardware">Hi, I have &lt;insert random system here&gt;, is it supported?</a></li>
 					<li><a href="#arm">What about ARM?</a></li>
-					<li><a href="#amd">What about AMD?</a></li>
 				</ul>
 			<h2>General questions</h2>
 				<ul class="c">
@@ -359,6 +369,112 @@
 					<a href="#pagetop">Back to top of page</a>
 				</p>
 
+			<h2 id="amd">Why is the latest AMD hardware unsupported in libreboot? <span class="r"><a href="#amd">#amd</a></span></h2>
+				<p>
+					It is extremely unlikely that any post-2013 AMD hardware will ever be supported in libreboot, due to
+					severe security and freedom issues; so severe, that <em>the libreboot project recommends avoiding all modern AMD hardware.
+					If you have an AMD based system affected by the problems described below, then you should get rid of it as soon as possible</em>. The main issues are as follows:
+				</p>
+				<h3 id="amdpsp">AMD Platform Security Processor (PSP) <span class="r"><a href="#amd">#amdpsp</a></span></h3>
+					<p>
+						This is basically AMD's own version of the <a href="#intelme">Intel Management Engine</a>. It has
+						all of the same basic security and freedom issues, although the implementation is wildly different.
+					</p>
+					<p>
+						The Platform Security Processor (PSP) is built in on all Family 16h +
+						systems (basically anything post-2013), and controls the main x86 core startup.  PSP firmware is
+						cryptographically signed with a strong key similar to the Intel ME.  If
+						the PSP firmware is not present, or if the AMD signing key is not
+						present, the x86 cores will not be released from reset, rendering the
+						system inoperable.
+					</p>
+					<p>
+						The PSP is an ARM core with TrustZone technology, built onto the main
+						CPU die.  As such, it has the ability to hide its own program code,
+						scratch RAM, and any data it may have taken and stored from the
+						lesser-privileged x86 system RAM (kernel encryption keys, login data,
+						browsing history, keystrokes, who knows!).  To make matters worse, the
+						PSP theoretically has access to the entire system memory space (AMD
+						either will not or cannot deny this, and it would seem to be required to
+						allow the DRM "features" to work as intended), which means that it has
+						at minimum MMIO-based access to the network controllers and any other
+						PCI/PCIe peripherals installed on the system.
+					</p>
+					<p>
+						In theory any malicious entity with access to the AMD signing key would
+						be able to install persistent malware that could not be eradicated
+						without an external flasher and a known good PSP image.  Furthermore,
+						multiple security vulnerabilities have been demonstrated in AMD firmware
+						in the past, and there is every reason to assume one or more zero day
+						vulnerabilities are lurking in the PSP firmware.  Given the extreme
+						privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities
+						would have the ability to remotely monitor and control any PSP enabled
+						machine. completely outside of the user's knowledge.
+					</p>
+				<h3 id="amdimc">AMD IMC firmware <span class="r"><a href="#amd">#amdimc</a></span></h3>
+					<p>
+						Read <a href="https://www.coreboot.org/AMD_IMC">https://www.coreboot.org/AMD_IMC</a>.
+					</p>
+				<h3 id="amdsmu">AMD SMU firmware <span class="r"><a href="#amd">#amdsmu</a></span></h3>
+					<p>
+						Read <a href="https://www.coreboot.org/AMD_IMC">https://www.coreboot.org/AMD_IMC</a>.
+					</p>
+					<p>
+						Handles some power management for PCIe devices (without this, your laptop
+						will not work properly) and several other power management related features.
+					</p>
+					<p>
+						The firmware is signed, although on older AMD hardware it is a symmetric key, which means
+						that with access to the key (if leaked) you could sign your own modified version and run it.
+						Rudolf Marek (coreboot hacker) found out how to extract this key <a href=https://media.ccc.de/v/31c3_-_6103_-_en_-_saal_2_-_201412272145_-_amd_x86_smu_firmware_analysis_-_rudolf_marek">in this video demonstration</a>, and
+						based on this work, Damien Zammit (another coreboot hacker) <a href="https://github.com/zamaudio/smutool/">partially replaced it</a> with
+						free firmware, but on the relevant system (ASUS F2A85-M) there were still other blobs present (Video BIOS, and others) preventing
+						the hardware from being supported in libreboot.
+					</p>
+				<h3 id="amdagesa">AMD AGESA firmware <span class="r"><a href="#amd">#amdagesa</a></span></h3>
+					<p>
+						This is responsible for virtually all core hardware initialization on modern AMD systems. In 2011,
+						AMD started cooperating with the coreboot project, releasing this as source code under a
+						free license. In 2014, they stopped releasing source code and started releasing AGESA
+						as binary blobs instead. This makes AGESA now equivalent to <a href="#intelfsp">Intel FSP</a>.
+					</p>
+				<h3 id="amdmicrocode">AMD CPU microcode updates <span class="r"><a href="#amd">#amdmicrocode</a></span></h3>
+					<p>
+						Read the Intel section <a href="#microcode">#microcode</a>. AMD's updates are practically the same, though
+						it was found with much later hardware in AMD that you could run without microcode updates. It's unknown
+						whether the updates are needed on all AMD boards (depends on CPU).
+					</p>
+				<h3 id="amdbastards">AMD is incompetent (and uncooperative) <span class="r"><a href="#amd">#amdbastards</a></span></h3>
+					<p>
+						AMD seemed like it was on the right track in 2011 when it started cooperating with
+						and releasing source code for several critical components to the coreboot project.
+						It was not to be. For so-called economic reasons, they decided that it was not
+						worth the time to invest in the coreboot project anymore.
+					</p>
+					<p>
+						For a company to go from being so good, to so bad, in just 3 years, shows
+						that something is seriously wrong with AMD. Like Intel, they do not deserve your
+						money.
+					</p>
+					<p>
+						Given the current state of Intel hardware with the Management Engine, it
+						is our opinion that all performant x86 hardware newer
+						than the AMD Family 15h CPUs (on AMD's side) on anything post-2009 on Intel's
+						side is defective by design and cannot safely be
+						used to store, transmit, or process sensitive data.  "Sensitive data" is
+						any data in which a data breach would cause significant economic harm to
+						the entity which created or was responsible for storing said data, so
+						this would include banks, credit card companies, or retailers (customer
+						account records), in addition to the "usual" engineering and software
+						development firms.
+					</p>
+					<p>
+						
+					</p>
+				<p>
+					<a href="#pagetop">Back to top of page</a>
+				</p>
+
 			<h2 id="librem">Will the Purism Librem laptops be supported? <span class="r"><a href="#librem">#librem</a></span></h2>
 				<p>
 					Probably not. There are several privacy, security and freedom issues with these laptops, due to the Intel chipsets
@@ -464,17 +580,6 @@
 				<p>
 					<a href="#pagetop">Back to top of page</a>
 				</p>
-			<h2 id="amd">What about AMD? <span class="r"><a href="#amd">#amd</a></span></h2>
-				<p>
-					Libreboot has support for some AMD platforms, with more on the horizon.
-					See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
-				</p>
-				<p>
-					More AMD-related information will be added to this page at a later date.
-				</p>
-				<p>
-					<a href="#pagetop">Back to top of page</a>
-				</p>
 	</div>
 
 	<div>