1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-01-18 10:01:34 -05:00

Update content/posts/hardware/Misinformation on x86 Hardware/index.md

Co-authored-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-06-11 20:41:21 -07:00 committed by GitHub
parent 363796aa8a
commit 7c38c5f5c0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -20,7 +20,7 @@ Intel CSME provides critical security features, including:
AMD PSP provides its own set of security features: AMD PSP provides its own set of security features:
- Firmware TPM - serving the same role as Intel's Platform Trust Technology. - Firmware TPM - serving the same role as Intel's Platform Trust Technology.
- [Secure Encryption Virtualization](https://www.amd.com/en/developer/sev.html) (on Ryzen Pro and EPYC CPUs). SEV protects both the hypervisor from cold boot attacks and making VM break outs much more difficult. - [Secure Encryption Virtualization](https://www.amd.com/en/developer/sev.html) (on Ryzen Pro and EPYC CPUs). SEV both protects the hypervisor from cold boot attacks and makes VM break outs much more difficult.
By buying hardware with Intel CSME disabled, you are **increasing the attack surface** by not having Boot Guard to protect your firmware. Additionally, if you buy hardware so old that you can run `me_cleaner` to disable the ME yourself, it means that these hardware do not have Boot Guard to begin with. In both cases, you will end up with a piece of hardware with no root of trust, and any attempt to implement firmware security will be futile. By buying hardware with Intel CSME disabled, you are **increasing the attack surface** by not having Boot Guard to protect your firmware. Additionally, if you buy hardware so old that you can run `me_cleaner` to disable the ME yourself, it means that these hardware do not have Boot Guard to begin with. In both cases, you will end up with a piece of hardware with no root of trust, and any attempt to implement firmware security will be futile.