Platform Security Processor
The AMD Platform Security Processor (PSP) is a 32-bit embedded ARM core running proprietary firmware which forms the basis of the hardware root of trust for AMD processors since 2013.
Since 2017, AGESA updates have made it possible to disable the PSP, but whether that option is actually exposed depends on the motherboard vendor.
A talk, "All you ever wanted to know about the AMD Platform Security Processor and were afraid to emulate...", was given at Black Hat 2020 about emulating the PSP. It gives an overview of the PSP's role in the boot process, its address spaces, and the various emulation approaches the speakers tried. Their code is available in the PSPReverse repository.
fTPM remote code execution
In 2018, a stack-based overflow was disclosed that could allow remote code execution via a specially crafted endorsement key. According to the disclosure at the time, "As far as we know, general exploit mitigation technologies (stack cookies, NX stack, ASLR) are not implemented in the PSP environment."
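An added C illustration of the bug class the disclosure describes, not PSP, fTPM or AMD code: the blob format, the 64-byte buffer and the function names are hypothetical. A length-prefixed field is copied into a fixed stack buffer without a bounds check, and the hardened form beside it rejects anything that does not fit. It makes concrete why the missing stack cookies, NX and ASLR matter: the parser's own validation is the only thing between a crafted length field and code execution.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not fTPM or PSP code. A "certificate" blob here
 * is a 2-byte big-endian length followed by that many bytes of key material,
 * which the parser copies into a fixed-size stack buffer. */
#define KEY_BUF_SIZE 64

/* Returns the number of key bytes copied, or -1 on a malformed header. */
static int vulnerable_parse_key(const uint8_t *blob, size_t blob_len)
{
    uint8_t key[KEY_BUF_SIZE];
    if (blob_len < 2)
        return -1;
    size_t key_len = ((size_t)blob[0] << 8) | blob[1];
    if (blob_len < 2 + key_len)
        return -1;
    /* BUG: key_len is attacker-controlled and is never compared with
     * KEY_BUF_SIZE, so a length above 64 overruns the stack buffer. Without
     * stack cookies, NX or ASLR, that overrun is enough for code execution. */
    memcpy(key, blob + 2, key_len);
    return (int)key_len;
}

/* Hardened version: fail closed on oversized or truncated input. */
static int safe_parse_key(const uint8_t *blob, size_t blob_len)
{
    uint8_t key[KEY_BUF_SIZE];
    if (blob_len < 2)
        return -1;
    size_t key_len = ((size_t)blob[0] << 8) | blob[1];
    if (key_len > KEY_BUF_SIZE || blob_len < 2 + key_len)
        return -1;
    memcpy(key, blob + 2, key_len);
    return (int)key_len;
}

/* Constructed sample input: a 32-byte key that fits. Both parsers accept it;
 * returns the copied length only when they agree. */
static int demo_valid(void)
{
    uint8_t blob[2 + 32] = { 0x00, 0x20 };
    memset(blob + 2, 0xAB, 32);
    int a = vulnerable_parse_key(blob, sizeof blob);
    int b = safe_parse_key(blob, sizeof blob);
    return (a == b) ? a : -2;
}

/* Constructed sample input: header claims 256 bytes. The hardened parser
 * refuses it; the vulnerable one would overrun key[] by 192 bytes, so it is
 * deliberately never called on this input. */
static int demo_oversized(void)
{
    uint8_t blob[2 + 256] = { 0x01, 0x00 };
    memset(blob + 2, 0xAB, 256);
    return safe_parse_key(blob, sizeof blob);
}

int main(void)
{
    printf("valid blob: %d bytes copied\n", demo_valid());
    printf("oversized blob: safe parser returned %d\n", demo_oversized());
    return 0;
}
```

The single added comparison `key_len > KEY_BUF_SIZE` is the whole fix; everything else in the two functions is identical, which is what makes this class of bug easy to miss in review and why compile-time mitigations exist as a second line of defense.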
Voltage glitching attack
A voltage glitching attack published in 2021 against Secure Encrypted Virtualization on Zen 3 and earlier processors enables execution of custom payloads and derivation of valid endorsement keys for any firmware version. This can be used to unlock otherwise paywalled features on Tesla vehicles. While the initial hardware attack requires physical access, key extraction can then be done remotely.
- AMD Platform Security Processor (Wikipedia)
- AMD Platform Security Processor (PSP) Firmware Integration Guide (coreboot)
- Secure Processor (AMD-SP) - AMD (WikiChip)
- AMD processors without AMD PSP / Secure Technology