From 7c38c5f5c0808a94d508dc758df71fb2530d56d8 Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 11 Jun 2024 20:41:21 -0700 Subject: [PATCH] Update content/posts/hardware/Misinformation on x86 Hardware/index.md Co-authored-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com> Signed-off-by: Tommy --- content/posts/hardware/Misinformation on x86 Hardware/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/hardware/Misinformation on x86 Hardware/index.md b/content/posts/hardware/Misinformation on x86 Hardware/index.md index aa2403e..5bb45e2 100644 --- a/content/posts/hardware/Misinformation on x86 Hardware/index.md +++ b/content/posts/hardware/Misinformation on x86 Hardware/index.md @@ -20,7 +20,7 @@ Intel CSME provides critical security features, including: AMD PSP provides its own set of security features: - Firmware TPM - serving the same role as Intel's Platform Trust Technology. -- [Secure Encryption Virtualization](https://www.amd.com/en/developer/sev.html) (on Ryzen Pro and EPYC CPUs). SEV protects both the hypervisor from cold boot attacks and making VM break outs much more difficult. +- [Secure Encryption Virtualization](https://www.amd.com/en/developer/sev.html) (on Ryzen Pro and EPYC CPUs). SEV both protects the hypervisor from cold boot attacks and makes VM break outs much more difficult. By buying hardware with Intel CSME disabled, you are **increasing the attack surface** by not having Boot Guard to protect your firmware. Additionally, if you buy hardware so old that you can run `me_cleaner` to disable the ME yourself, it means that these hardware do not have Boot Guard to begin with. In both cases, you will end up with a piece of hardware with no root of trust, and any attempt to implement firmware security will be futile.