mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-22 04:41:33 -05:00
Update text
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
e81a6cd362
commit
3a9069e298
@ -60,8 +60,9 @@ It is important to note that DRTM technologies can be bypassed via the System Ma
|
||||
|
||||
A very common misinformation among privacy communities is that the Intel Management Engine (ME), its sucessor - Intel Converged Security and Management Engine (CSME), and AMD Platform Security Processor (PSP) are some sort of evil backdoor. Some may go so far as to tell the user to "disable the ME", either out of paranoia or for attack surface reduction:
|
||||
|
||||
![Intel ME Misinformation](/images/intel-me-misinfo.png)
|
||||
![Intel ME Misinformation](/images/intel-me-misinfo-1.png)
|
||||
|
||||
![Intel ME Misinformation](/images/intel-me-misinfo-2.png)
|
||||
|
||||
The problem with these recommendations are as follows:
|
||||
|
||||
@ -75,7 +76,9 @@ AMD PSP provides similar security features:
|
||||
- Firmware TPM
|
||||
- Memory Encryption (on Ryzen Pro and EPYC systems)
|
||||
|
||||
By disabling Intel CSME, you are **increasing the attack surface** by crippling security features. Additionally, if you buy hardware so old that you can run me_cleaner to disable the ME yourself, it means that these hardware do not have Boot Guard and it is impossible to implement any kind of boot security.
|
||||
By disabling Intel CSME, you are **increasing the attack surface** by crippling security features. Additionally, if you buy hardware so old that you can run `me_cleaner` to disable the ME yourself, it means that these hardware do not have Boot Guard and it is impossible to implement any kind of boot security.
|
||||
|
||||
This excercise also achieves nothing to protect against a hypothetical scenario where Intel and AMD are malicious. Intel and AMD do not need the co-processor to implement a backdoor - they can simply introduce CPU vulnerabilities like Spectre and Meltdown if they want to. If you do not trust a CPU vendor, the only mitigation is to not use said vendor.
|
||||
|
||||
### Intel AMT and AMD DASH
|
||||
|
||||
|
Before Width: | Height: | Size: 166 KiB After Width: | Height: | Size: 166 KiB |
BIN
static/images/intel-me-misinfo-2.png
Normal file
BIN
static/images/intel-me-misinfo-2.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 137 KiB |
Loading…
Reference in New Issue
Block a user