Zen 4 (Raphael) desktop CPUs will have it. Right now, Zen 3 (Chagall) and Zen 4 Threadripper (Storm Peak) don't currently have plans for integrating it, but that may be subject to change. I cannot provide proof, but I sure as hell am never buying Zen 4 or later AMD Desktop CPUs ever again for a system that will be connected to the internet.
Maybe I'm interpreting this comment incorrectly but I'm begging people to realize if they're a normal person and they have the NSA at the top of their threat model they're bad at internalizing relative risk.
You do appear to be interpreting it incorrectly. This is about Pluton, for which the threat actor is Microsoft. People concerned about the NSA would need to be worried going all the way back to the introduction of AMD PSP back in 2011.
Now, with regards to the important part of your message, I'm begging people to realize that if they're blindly trusting all code running on all firmware in their personal machine, they are even worse at accurately internalizing risk than those who are proactively paranoid.
I would argue not trusting MS is even sillier. Like it or not, they run most desktops around the world. Even if you only run the purest NetBSD at home, nearly everything someone knows about you will touch Windows at some point. In terms of secureboot et al, MS hasn't done any of the shenanigans people were worried about. You can still turn off SB on every x86 desktop. What is the actual risk here? At the end of the day, MS isn't the government.
Raptor Systems is right there for the truly paranoid.
You're right that MS isn't the government - they have fewer restrictions on behavior than government does, and a financial incentive to snoop on people the government doesn't care about.
If you're aware of the risks, you do you, just don't kid yourself into thinking the third most valuable company on the planet is diligently concerned with protecting your privacy and putting your interests above their own.
I would not go that far saying I won't buy AMD ever again, but if Microsoft has a foot in the door inside my systems in form of creepware like Pluton it is there for keeping the door open.
I am also paranoiac about such things, but the part with avoiding the connection to the Internet is easy for a desktop computer, if it also does not run Windows, where you never know what services might be active and with which external servers they might try to communicate.
I have a small computer that is used as the router for the Internet connection and on which I have complete control over the firewall and over the proxies used for connecting to the Internet, so there are no chances for an unwanted connection to the Internet.
For additional protection, one could run the Internet browsers in a Virtual Machine, to be absolutely certain that there is no way for a script run by the browser to access the physical hardware, assuming that you do not trust the sandboxing capabilities of the browser.
VMs are an imperfect solution to preventing programs running in the guest OS from affecting the host OS (imperfect, as VM escapes are a thing).
VMs do not provide protection to the guest OS (or it's processes) from inspection and snooping by the host OS, or from inspection / snooping by the hardware the host OS is running on.
If using a bare metal hypervisor, sed 's/host OS/hypervisor/g'
FWIW it's already present on Zen 3+ (Rembrandt) CPUs. However, at least on lenovo you can disable it (there's an option in the BIOS that allows you to toggle between TPM 2.0 and pluton).
No, Intel's 13th generation (Raptor Lake) chips are slated to have it too.
I suspect that like with Threadrippers, some Xeons will not ship with it, but I am not as confident about this as I am for Threadrippers, for reasons I cannot divulge.
I don't know but for what it's worth my main machine is a 6000 series laptop (with Pluton) running Linux and I did not have any compatibility issues. Sure, it sucks to have some Microsoft designed hardware in my CPU but at least it not causing issues (for now).
You have two ring -3 coprocessors with unrestricted DMA, unrestricted disk I/O, and unrestricted access to your network interface. One belongs to the NSA, the other to Microsoft.
Do some traffic analysis on the upstream end of an ethernet cable plugged into that computer while it is hibernating or sleeping some time, you might not like what you what you find.
>Do some traffic analysis on the upstream end of an ethernet cable plugged into that computer while it is hibernating or sleeping some time, you might not like what you what you find.
Is this something you know for a fact, or are you extrapolating from intel ME?
It's behavior I've witnessed on my own system w/ AMD PSP. I can't definitively attribute it to PSP, but I can't attribute it definitively to anything else either.
What method did you use to do the traffic analysis? I mean, under assumption that this kind of traffic can only be sniffed at the wire level, what exactly did you do to accomplish this? I am genuinely interested.
Are you willing to give up the reason for your secrecy? I'm not sure what you stand to lose if you just say "I saw some traffic to NSA headquarters every 10 minutes that coincide with access entries on my SSD"
Yes. Divulging the destination on a public platform is providing more identifying information than I am comfortable sharing.
It's funny that you'd think real-world espionage by intelligence agencies would be sending that data to headquarters rather than some random commercial VPS set up as collection infrastructure that is deliberately unattributable to the organization behind the espionage.
Allowlisting, yes. Keep in mind that even fairly unsophisticated malware has been observed using channels like pastebin and Twitter for exfil/c2.
Blocklisting, that's a cat and mouse game. Go look at how many different URLs and IPs are utilized for commercial telemetry in the likes of Adobe and Microsoft software if you aren't familiar.
