Is ASP/PSP really worse than ME? To me, it looks more like we just don’t know enough about it, and other parts of the AMD platform. Has anyone even tried to make a ASP/PSP_cleaner?
AMD Secure Processor vs Intel Management Engine
The AMD Secure Processor (previously called the Platform Security Processor) and Intel’s Management Engine, are separate cores running signed code from AMD or Intel that have Direct Memory Access to the rest of your machine.
| ASP | ME | |
|---|---|---|
| Location | on processor chip1 | in package/module; earlier versions were in northbridge2 |
| Architecture | ARM | x86; earlier versions were ARC |
| OS | TrustZone | Minix; earlier versions ran ThreadX |
| Disable completely | No | No |
| Disable after startup | Unknown | using the HAP bit; earlier versions have AltMeDisable bit |
| Modify signed code | No4 | No4 |
| Prevent code being loaded | Unknown | Corrupt/remove certain ME partitions3 |
| Operation without ROM? | Unknown | 30 minute recovery mode before forced shutdown |
| Network Access | Unknown | Yes (with Intel NIC) |
- You can see it in the die shot in AnandTech’s Mullins architecture article.
- From HardenedLinux article about ME.
- This is what me_cleaner does.
- Might be possible at runtime with exploits.
This table is pretty much all I know about the two. Some things I couldn’t fit into a table row are:
-
Purism has mentioned that ME controls the ICC, and can cause problems with shutdown if misconfigured. This suggests some kind of deeper involvement with system initialisation that might not be replaceable even if ME could be completely removed.
-
In the Q&A portion of a talk on AMD x86 SMU firmware analysis at 31C3 (the response to the question at 47:58 about firmware verification) an AMD guy says this:
The statement about verifying the BIOS code which loads the firmware is a statement with regard to newer products starting with the Mullins product that include a Platform Security Processor where the Platform Security Processor is the first micro-controller that comes up out of reset; for the older parts that do not have that, what Rudolf just said is correct.
So on AMD chips, ASP starts executing first and verifies the x86 firmware.
-
Some people noticed that some AGESA (AMD’s version of FSP IIRC) updates added options to UEFI to stop it from talking to the ASP/PSP, but there is no indication this stops ASP/PSP (like HAP or AltMEDisable on ME) or affects it in any way.
The UEFI screenshot from the original reddit thread says this specifically:
BIOS PSP Support
Description
Enable/Disable BIOS PSP driver execution (including all C2P/P2C mailbox, Secure S3, fTPM Support)and the QR code is the URL:
http://www.asrock.com/manual.asp?Model=AB350%20Pro4