> So, if I remember correctly, AMD PSP started out as a response to Intel ME, whose main selling point at the time was that businesses could remote into a compromised system and wipe malware without the malware being able to fight back.

Do you have a source for this?

> SGX is an interesting case since Intel actually axed the feature a year ago. The only thing it did was enable more DRM for 4K Blu-Rays, and Hollywood's response to that feature going away has been to just refuse to let you play 4K Blu-Rays on PCs.

Signal used Intel SGX for remote attestation of their servers and is also using it for their upcoming username/password features to generate keys without Signal's knowledge (since it's a private enclave).

> Furthermore, there IS a very large customer that has wanted to remove these kinds of secure enclaves from their systems: the US government, specifically the National Security Administration[1]. There's a special configuration option in Intel ME to turn off everything but basic system bring-up. Why would the NSA want to turn off "privacy and security software" on their own machines? Well, again, the whole "wipe a compromised system without the malware being able to resist" thing implies that this isn't merely a security enclave, but a backdoor that could be compromised by a third-party. If you aren't specifically using that remote management stuff, you want the ME to be as brain-dead as possible.

I need a source saying PSP has remote management capability.

> Oh, and Apple doesn't actually give the Secure Enclave the ability to mess with the main application processor. It's more akin to a TPM, where it can withhold encryption keys from the regular OS but it can't actively snoop on it. So they also understand why PSP/ME were bad ideas.

What does "snoop" mean here? How can PSP "snoop" without remote management capability?