A decade ago, AMD added a protection to its high-end CPUs to protect them against cold boot attacks and other types of physical exploits that siphon sensitive data out of the connected memory chips. Short for Transparent Secure Memory Encryption, TSME encrypts the entire contents stored in memory, making the data useless to physical attackers.
I’m getting the sense that the mobile device stack is the only way forward for secure and private computing.
Mobile is far worse.
Mobile is waaay worse. On PC you at least have ability to install any operating system…
IMHO, even without this protection, you should keep your devices away from people. For example: locked.
A cold-boot attack for a regular person is mostly theoretical.
I live, for example, without even Secure Boot (because I hate that everything is signed with microslop keys + I am on Linux).
Physical security is the consumer's responsibility. You lock doors at home, right? Why not lock the laptop in a safe if you have this threat model?
And the main point: never store anything sensitive inside any machine (even with FDE). Use an encrypted external drive, so you can hide it if needed.
Another great way (less secure than a fully external drive): get a RAM disk. Yes, it is expensive now, but… you can afford to mount at least 100 MB of your RAM as tmpfs in fstab, right?
So if you need something sensitive (most sensitive files are tiny, like .kdbx, various docs, etc.), edit it there! Beware of sudden power loss, though.
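As an added example (my own, not the commenter's, and not from the article), here is what the tmpfs suggestion above looks like when written down with the mount options a defender would actually want: a size cap, an owner-only mode, and noexec/nosuid/nodev so the scratch area cannot be used to stage binaries. The mount point `/mnt/sensitive`, the 100M size and uid/gid 1000 are assumptions for illustration. The script also checks one thing the comment does not mention: tmpfs pages can be paged out to swap, so an active unencrypted swap device quietly puts the "RAM-only" files back on disk.

```shell
#!/bin/sh
# Added example: a hardened tmpfs scratch area for small sensitive files.
# SENSITIVE_MNT, SENSITIVE_SIZE and the uid/gid are assumed values.

SENSITIVE_MNT="/mnt/sensitive"   # assumed mount point
SENSITIVE_SIZE="100M"            # assumed size cap, as in the comment
SENSITIVE_UID=1000               # assumed owner uid
SENSITIVE_GID=1000               # assumed owner gid

# Emit the /etc/fstab line: size caps RAM use, mode=0700 keeps other local
# users out, noexec/nosuid/nodev stop the area being used to stage executables
# or device nodes. Args: mountpoint size uid gid
tmpfs_fstab_line() {
  printf 'tmpfs %s tmpfs size=%s,mode=0700,uid=%s,gid=%s,noexec,nosuid,nodev 0 0\n' \
    "$1" "$2" "$3" "$4"
}

# True if the given path is currently mounted as tmpfs (reads /proc/mounts,
# so this only works on Linux). Arg: mountpoint
is_tmpfs_mounted() {
  awk -v m="$1" '$2 == m && $3 == "tmpfs" { found = 1 } END { exit !found }' \
    /proc/mounts 2>/dev/null
}

# True if any swap device is active. /proc/swaps has one header line; any
# further line is an active swap area where tmpfs pages may end up on disk.
swap_is_active() {
  n=$(wc -l < /proc/swaps 2>/dev/null || echo 0)
  [ "$n" -gt 1 ]
}

# Apply the mount when run as root, otherwise just print the fstab line.
apply_sensitive_tmpfs() {
  tmpfs_fstab_line "$SENSITIVE_MNT" "$SENSITIVE_SIZE" "$SENSITIVE_UID" "$SENSITIVE_GID"
  if is_tmpfs_mounted "$SENSITIVE_MNT"; then
    echo "tmpfs already mounted at $SENSITIVE_MNT"
  elif [ "$(id -u)" -eq 0 ]; then
    mkdir -p "$SENSITIVE_MNT"
    mount -t tmpfs \
      -o "size=$SENSITIVE_SIZE,mode=0700,uid=$SENSITIVE_UID,gid=$SENSITIVE_GID,noexec,nosuid,nodev" \
      tmpfs "$SENSITIVE_MNT"
  else
    echo "not root: add the line above to /etc/fstab, then run: mount $SENSITIVE_MNT"
  fi
  if swap_is_active; then
    echo "warning: swap is active; tmpfs contents may be written to disk unless swap is encrypted or disabled"
  fi
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "$#" -gt 0 ] && [ "$1" = "--apply" ]; then
  apply_sensitive_tmpfs
fi
```

Run it with `--apply` as root to mount the area immediately, or without arguments to just get the fstab line and the swap check. The power-loss caveat in the comment cuts both ways: losing the files is the failure mode, but it is also why nothing should be left there that has not been copied to the encrypted external drive.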
How so? I feel that GrapheneOS is the best operating system for privsec.
GrapheneOS: The desktop Linux software stack has horrible privacy and security compared to AOSP.
GrapheneOS: Desktop OSes don’t have anything close to the security model or hardware-based security features of AOSP or iOS.
We can see proof of this in practice. All of these exploits were possible on mainstream desktop Linux:
GrapheneOS isn’t vulnerable to the 3 recently disclosed Linux kernel vulnerabilities named Copy Fail, Copy Fail 2 and Dirty Frag. Current Android Open Source Project SELinux policies block exploiting all 3 bugs. Standard AOSP GKI kernel configuration also has 2/3 of the vulnerable features disabled.
Android has a robust app sandbox, while desktop Linux lets apps have full file access.
I referred to privsec, not user freedom.
OK? And I wouldn’t have to lock my phone in a safe if I had this threat model, because of its outstanding hardware security.
Agreed, but maybe in the cloud instead of locally at all.
Blackbox cellular baseband, for starters.
You don’t have to use cellular on a phone; you can use it like a computer.
https://xcancel.com/GrapheneOS/search?f=tweets&q=cellular&since=&until=&min_faves=
The cellular radio for every smartphone supported by GrapheneOS is an isolated and unprivileged peripheral component. GrapheneOS doesn’t sit on top of the cellular radio and it doesn’t control the SoC either. It’s very similar to how the Wi-Fi/Bluetooth radio is integrated.
The CPU in every modern computer is a massively complex closed-source component. The reason people are talking about the AMD PSP or cellular radios is that they’ve been misled by companies scamming people, who claim they’ve changed things while actually making devices less secure.
The idea that cellular radios are unique in being closed source is wrong itself. Every mainstream CPU, GPU and many other components used in computers are closed source. Open-source firmware, and especially hardware, hasn’t been nearly as successful as higher-level software has been.
Here’s a good post with the ethos and logos of the GrapheneOS project.
Users have no meaningful choice in the matter; the cellular baseband is more privileged than the user’s preferences.
How so?
They already answered a nearly identical question three comments below…
Do laptops have that?
If I were to buy a desktop CPU, what’s the cheapest processor with TSME?
Does anyone here know what the Intel equivalent is?
Does the AMD Ryzen Pro 4650GE support TSME?
No.
TME(-MK).
Do all Intel consumer CPUs have it?
No.
Probably the Ryzen 3 Pros
Or older Zen CPUs from around Ryzen 1000-7000, if not Ryzen 1000-5000.
AMD’s PSP is an implementation of ARM’s TrustZone. Mobile and desktop both have “black boxes”, and in AMD’s case it is the same one as in most Androids.