back

Uncover, Understand, Own - Regaining Control Over Your AMD CPU

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:56:36
Language
English
Abstract
The AMD Platform Security Processor (PSP) is a dedicated ARM CPU inside your AMD processor and runs undocumented, proprietary firmware provided by AMD.

It is a processor inside your processor that you don't control. It is essential for system startup. In fact, in runs before the main processor is even started and is responsible for bootstrapping all other components.

This talk presents our efforts investigating the PSP internals and functionality and how you can better understand it.

Our talk is divided into three parts:

The first part covers the firmware structure of the PSP and how we analyzed this proprietary firmware. We will demonstrate how to extract and replace individual firmware components of the PSP and how to observe the PSP during boot.

The second part covers the functionality of the PSP and how it interacts with other components of the x86 CPU like the DRAM controller or System Management Unit (SMU). We will present our method to gain access to the, otherwise hidden, debug output.

The talk concludes with a security analysis of the PSP firmware.
We will demonstrate how to provide custom firmare to run on the PSP and introduce our toolchain that helps building custom applications for the PSP.

This talk documents the PSP firmware's proprietary filesystem and provides insights into reverse-engineering such a deeply embedded system. It further sheds light on how we might regain trust in AMD CPUs despite the delicate nature of the PSP.

Talk ID
10942
Event:
36c3
Day
1
Room
Borg
Start
10:10 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Robert Buhren
Alexander Eichner
Christian Werling
Talk Slug & media link
36c3-10942-uncover_understand_own_-_regaining_control_over_your_amd_cpu

Talk & Speaker speed statistics

Very rough underestimation:
145.9 wpm
801.7 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
145.9 wpm
801.7 spm
pspsystemamdcodefirmwarebootmemorydirectorybootloaderrobertaccessentriesx86micdataflashcpufindsecurekeycontrolexamplespimanagemententrysevmodechristianpublicthingprocessoroff-chiptalksizequestionuefihardwarecallloadedbitkernelfileappnetworkcopyromworkreadaddressspace