mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-09-19 17:24:43 -04:00

Update content/posts/hardware/Misinformation on x86 Hardware/index.md

Co-authored-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>
Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2024-06-11 20:41:21 -07:00 committed by GitHub
parent 363796aa8a
commit 7c38c5f5c0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -20,7 +20,7 @@ Intel CSME provides critical security features, including:
AMD PSP provides its own set of security features: AMD PSP provides its own set of security features:
- Firmware TPM - serving the same role as Intel's Platform Trust Technology. - Firmware TPM - serving the same role as Intel's Platform Trust Technology.
- [Secure Encryption Virtualization](https://www.amd.com/en/developer/sev.html) (on Ryzen Pro and EPYC CPUs). SEV protects both the hypervisor from cold boot attacks and making VM break outs much more difficult. - [Secure Encryption Virtualization](https://www.amd.com/en/developer/sev.html) (on Ryzen Pro and EPYC CPUs). SEV both protects the hypervisor from cold boot attacks and makes VM break outs much more difficult.
By buying hardware with Intel CSME disabled, you are **increasing the attack surface** by not having Boot Guard to protect your firmware. Additionally, if you buy hardware so old that you can run `me_cleaner` to disable the ME yourself, it means that these hardware do not have Boot Guard to begin with. In both cases, you will end up with a piece of hardware with no root of trust, and any attempt to implement firmware security will be futile. By buying hardware with Intel CSME disabled, you are **increasing the attack surface** by not having Boot Guard to protect your firmware. Additionally, if you buy hardware so old that you can run `me_cleaner` to disable the ME yourself, it means that these hardware do not have Boot Guard to begin with. In both cases, you will end up with a piece of hardware with no root of trust, and any attempt to implement firmware security will be futile.
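Review bot: The link text on the changed SEV bullet still reads "Secure Encryption Virtualization", but AMD's name for the feature is Secure Encrypted Virtualization; since this commit already rewrites that line, correct the name in the same change. The same bullet says SEV protects "the hypervisor" from cold boot attacks, while SEV encrypts guest VM memory, so consider wording it as protecting VM memory. Two smaller style points: "VM break outs" is normally written "VM breakouts", and the unchanged paragraph below has "these hardware do not have", which should read "this hardware does not have".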