by redleader55 811 days ago
TrustZone allows you to boot an OS that keeps separate memory from the main OS. It is used to do cryptography and other secure computation while keeping its secure parts hidden from the OS. There are open source OSes that run in TrustZone - eg. Trusty, Optee.

ME is firmware that you don't have any control over (it comes from the CPU maker, packaged with the BIOS) and is used to manage the machine for remote access (not specifically nefarious).

They are quite different in their purpose and more importantly implementation.


ME is a bit more than that. To enable remote access functionality, the ME has:

  * Access to all memory of the host device.
  * Ability to make and receive network requests, transparent (invisible) to the host device.
  * Access to all other communications, buses, and devices of the host device.
  * Can execute CPU commands at the highest privilege level.
  * Accepts updates that are signed by Intel's signing key.

This means that it's quite possible for a web page to deliver a series of "magic bytes" that a backdoored ME listens to, and then immediately executes instructions.

Various countries, like the UK and Australia, have laws in force that can compel companies like Intel to sign using its signing key.

Before you think this doesn't affect someone in the US, it is widely known that Five Eyes members use each other's capabilities and privileges and act collectively.

"The PSP itself represents an ARM core (ARM Cortex A5) with the TrustZone extension which is inserted into the main CPU die as a coprocessor."

https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...