AMD's Ryzen CPUs (Ryzen/TR/Epyc) & Vega/Polaris/Navi GPUs

Peter Chambers On The 2018 AMD Ryzen Mobile Laptops

The 2018 Acer Ryzen Mobile Laptops Revealed!

The 2018 AMD Ryzen Mobile Laptops First Look!

 

https://overclock3d.net/news/cpu_ma...potted_-_how_much_faster_is_it_than_a_1700x/1
https://www.techporn.ph/amd-celebrates-ryzens-one-year-anniversary/
http://thenokiablog.com/2018/03/02/...ews-and-features-everything-you-need-to-know/

Get out your salt shakers for this next one. Spells doom and glom for Intel and nothing but sunshine for AMD. My primary complaints are claiming a 40% performance hit from Meltdown and 12nm possibly eliminating Intel IPC advantage. With the later it may help some but I highly doubt eliminate it.

https://www.bitcoinisle.com/2018/03/01/amds-growing-cpu-advantage-over-intel/

 

Sapphire Nitro+ Radeon RX VEGA 64 -- how good is it?

 

Here's the extremetech article on the subject:
https://www.extremetech.com/computi...n-significant-clock-boost-upcoming-ryzen-cpus

So, we see a supposed 300 MhZ update over 1700x on the baseline.
If those numbers are accurate, the 2800x in comparison might be clocked at 3.9/4.0 GhZ and boost to about 4.4-4.6 GhZ - and if the manuf. process is indeed more suited for higher clocks as the technical info from Glofo says... then people will probably have bigger overclocking headroom allowing them to reach Intel's frequencies.

Though, I suspect that if we want AMD to match Intel in overclocked frequencies (which isn't exactly a fair comparison)... I suspect that 2600x will be the needed CPU to accomplish that due to its smaller core count (which should allow it to clock higher).

The IPC differential between Intel and AMD is only 5%. Its possible AMD might have addressed this issue in addition to optimizing latencies with Infinity Fabric with the refresh... though, historically, we didn't get IPC increases with refreshes... only clock speed increases.

As I said before, we'll need to wait and see.

 

Steam Hardware Survey shows AMD CPU and GPU progress
by Mark Tyson on 5 March 2018, 12:01
http://www.hexus.net/gaming/news/hardware/115886-steam-hardware-survey-shows-amd-cpu-gpu-progress/

"...AMD's fortunes are on the up at the moment. It can't make its GPUs fast enough (neither can Nvidia) - but this isn't wholly due to PC gaming demand. AMD CPUs, meanwhile, have gained enthusiast and gamer attention with the improved performance of Ryzen-cores, platform longevity, and the recent launch of some attractive new generation APUs.

In chart terms, the upside changes for AMD are small but these definitely aren't dead-cat-bounce occurrences, one senses new trends are being formed. In GPUs AMD managed to increase its Steam user share from 8.2 to 8.9 per cent in Feb. In CPUs AMD did better, with a full percentage gain, from 8.1 to 9.1 per cent."...

 

While still at the rumored stage it seems by at least cutting into current overclock headroom that AMD with the new XFR will easily deliver the 10% added performance over stock to the new 2nd generation of Zen chips. We have yet to see where, if anywhere else, we can get with these new chips. Hopefully the wait is almost over.

http://elexonic.com/2018/03/05/leak...sts-significant-clock-boost-for-new-amd-cpus/
https://janyobytes.wordpress.com/20...s-and-features-everything-you-need-to-know-3/

 

Dell is playing dirty (again) :
https://www.extremetech.com/computi...-laptops-crippled-compared-intel-counterparts

This is either Intel bribing in the works, DELL might have become anti-AMD and 'prefers' Intel products (or specifically wants Intel brand because it counts on people's lack of information)... or possibly a combination of the two.

Thankfully, this was an article that caught this practically immediately upon DELL releasing these APU's.

Also, note the distinct LACK of 2700u (makes me wonder just how far up into the sky would they price that one) and how some reviewers for example compare 2500 to comparable Intel SKU's that are actually faster and then say 'oh well, it looks like AMD is trailing Intel in IPC again' (which of course is stupidly ignorant and only valid if they use outdated software which was optimized to specifically make use of Intel's uArch - why can't they provide proper software that's not biased one way or the other?).

 

Here's another article on leaked 2000 Ryzen series:
https://hothardware.com/news/amd-ry...r-benchmarks-leak-435ghz-turbo-clock-achieved

This one shows a supposed boost that's 150 MhZ higher than the article from extremetech I posted before... and them claiming that Ryzen is still weaker in single threaded is not that surprising because Intel boosts to at least 4.5-4.7GhZ on single core.

 

And here's another article on upcoming HP laptops with Ryzen 2700u:
https://www.neowin.net/news/new-hp-laptops-with-ryzen--vega-internals-leaked

 

It's worse than that, Dell is blowing it again, seems to be in their culture. They took Intel's "Marketing Benefits" payments for so long Dell missed the boat with AMD servers, until they finally felt they couldn't any longer, "Dell is looking silly not having the better performing AMD server CPU's".

It's a big thing, still going on to some extent, as this recent article points out:

Dell: Intel will continue to dominate the PC market despite AMD Ryzen
by Benjamin Herzig, 2018/03/01
https://www.notebookcheck.net/Dell-...the-PC-market-despite-AMD-Ryzen.287162.0.html

"Thanks to the powerful Ryzen processors, AMD has experienced a renaissance. Despite this positive trend, most PCs continue to be based on Intel-CPUs. In an interview, a manager of the big PC manufacturer Dell has now explained why he believes that Intel will continue to dominate the PC sector."

"One of the biggest stories of the technology business in 2017 was no doubt AMD's revitalization. After years of slow AMD CPUs and Intel having almost no competition, AMD finally became competitive again, thanks to the Ryzen processors. Based on the new Zen architecture, these new CPUs have truly been a breath of fresh air for the PC market.

One very interesting question remained: Will AMD be able to break Intel's stranglehold on the PC? For this question, another factor comes into play: The PC manufacturers. The PC manufacturers are the ones who decide which CPUs are used in most systems, especially in the lucrative Enterprise market and when it comes to laptops – most of these PCs are equipped with Intel processors.

In an interview with the British website Channel Pro, Dell's CTO John Roese had some interesting things to say about this topic. According to Roese, AMD's products do have some interesting qualities for the PC manufacturers and there will also be Dell-PCs with AMD CPUs, but even Ryzen can't break Intel's dominance. The main reason for this is the portfolio that Intel has, which is much wider than AMD's product portfolio.

Indeed, Intel doesn't have any competition in some parts of the market. In the laptop market for example: AMD does have some mobile processors, but Ryzen Mobile CPUs are all 15-W-CPUs for mainstream Ultrabooks. Intel offers the manufacturers more choice, as they also have even lower-voltage CPUs for fanless designs and very thin ultrabooks or tablets, as well as higher-voltage 45-W-CPUs for mobile workstations and gaming-machines – AMD currently does not offer anything in those areas.

Thats why AMD will remain the second player, while Intel will continue to be the dominating force, according to Roese.

Dell hasn't announced any laptop with Ryzen Mobile so far, though there are rumors about an upcoming Dell Latitude 5495 with Ryzen Mobile CPUs."

Don't expect many AMD chips in our products, says Dell
News Adam Shepherd
Feb 27, 2018
http://www.channelpro.co.uk/news/10754/dont-expect-many-amd-chips-in-our-products-says-dell

 

I wouldn't buy Dell anyway... overpriced for what they offer most of the time.

I got the GL702ZC and I'm glad for it.
Asus seems to have made at least half-decent attempt at all AMD hardware laptop.
The Acer Swift 3 which has 2500u for example has soldered RAM... that's a bad choice right off the bat... and let's not forget how OEM's have a tendency of not letting these new Ryzen APU's reaching their full 25W TDP to 'stretch their legs'... resulting in 2700u performing on par with 2500u.
The Raven Ridge TDP is maxed out at 25W... but its also configurable and OEM's usually opt to restrict the TDP artificially themselves down to 15W... and then they never explain which versions of SKU's are limited and which ones aren't.

AMD is at least seeing better market penetration this time around, but half-rear ended attempts at execution and overpricing on the part of OEM's is not making for a good impression/comeback.
Less informed people who never do any research (and re-sellers at large) will get the mistaken impression that AMD is a bad investment...

 

Still no info about Clevo with Ryzen... I'd like to get P870 with Threadripper or P750 with Ryzen 2700X/2800X/1800X... and some GTX 1070/2060 with 4K G-Sync... Dream workstation!

But I'll probably buy cheaper model with 2700U for my woman. This anyway seems to be very good investment (GPU enough to carry LOL and lighter multimedia).

 

Could you point out their typo to writers? I can't log in to disqus due to my browser settings now.
fixed it myself

It's 8+4 with single channel to the last 4GB.

 

I somewhat fault AMD here. TBH anything mobile, other than a new Ryzen chip, is extremely lack luster. Amd just needs to get a full mobile line out of the new Zen cores and be done with it.

Also make the TDP options users selectable, at least on the mobile chips, do not leave it up to the OEM's!

 

Yes and it doesn't do the 2200u or 2500u any favors to run in single channel mode.

Not to mention their atrocious pricing for 2200u and 2500u on offer while Dell didn't even bother to include 2700u, and pairing them with generally bad hardware whereas the Intel counterpart is better specced and an overall better value for money (comes even with a dGpu for a same or slightly higher price).

Dell is basically sucking up to Intel and seems to be making AMD look bad (like a more expensive alternative that's not viable at all).

 

Indeed, until 2700U and 2500U will be powered by 2666MHz Dual-Channel configuration... it will be crippled (quite heavily).

2700U + little of active cooling + Dual Channel 2400-2666MHz could give us great performance per value. Including small-size and low TDP.

 

It go wrong direction. The OEM’s run the game now.

———————————-

Official AMD Ryzen 2000 CPUs Specs, Prices and Performance Leaks Out - 2700X Flagship With 4.35 GHz Clocks, 105W TDP

 

The fact of going to 105w TDP shows they are somewhat eating into overclocking headroom. Hopefully there is still more leftover. I can see not going with the 2800X as the 1700X and 1800X skews almost everyone agrees the 1700X was the better deal for about the same overclocking headroom.

I am hoping with silicon maturity we can the 2950x @ 4.5 GHz. That would give a default of about 3,400 for CB R15. I would not run out for an upgrade but it would be a nice boost. As it stands for another upgrade it looks like I will be waiting on Zen2 and that is no guaranty as of yet either.

I hear everyone speculating a big game but with the lack luster silicon as of late form AMD I am not holding my breath, that is for sure.

 

The Boost numbers for the X models looks more like AMD has stretched they as long they can. Every MHz counts

 

We have yet too see the silicon so I can't say it is stretched as far as it can but it seems they are closer to the bleeding edge if a reduced nomenclature has that 10w increase in TDP from 95w to 105w.

 

Yeah. And 50MHz on top instead of roundup with 1 bin is probably to max out performance for default specs.

Intel has to increase TDP for coming 8 core i7 as well. And 4.35GHz has to be minimum boost clocks.

 

Wow, this would be impressive! Higher clock speed, and increasing transistor density by a factor of 2.7 - allowing for much larger cores (in terms of number of transistors).
http://www.guru3d.com/news-story/am...undries-expects-5-ghz-in-the-7nm-process.html

 

Well, let's not forget that the upcoming 7nm process that GLOFO will be using is IBM's design... and according to the technical specs, they said the process will allow 5GhZ on the baseline at much lower power draw.

 

Now this makes me much happier. We now know what to expect from 12nm and are not trying to just guess. About all that is left is to find out what type of headroom is left for overclocking and eventual TR info. There may be some other tweaks as well but I doubt they are awe inspiring.

If you are just doing a core for core upgrade then 7nm is the thing to wait for.

 

Ryzen 5 2400G: Best Value Build of 1H 2018?

AMD Ryzen 3 2200g + Vega: Budget Oriented? (vs GT 1030 - AC Origins, Nier Automata & Wolfenstein 2)

I Made My Own Xbox With A Ryzen 2400g

Xbox 2400g APU Update, Benchmarks vs 750ti and more...

 

ryzen 3 at 5+ ghz? count me in! (also gives me more time to save up for a sick desktop build and wait for gpu prices to normalize again)

Sent from my Xiaomi Mi Max 2 (Oxygen) using Tapatalk

 

Roadmap looks great;
http://displayport.com/2018/03/10/a...for-ryzen-threadripper-processors-until-2020/

 

http://digiworthy.com/2018/03/10/amd-7nm-zen-2-matisse-cpus-5ghz/

 

Holy sh*t, this is not good for AMD - 13 security vulnerabilities found with Ryzen, Threadripper & Epyc...13(!), not the 3 of Intel (Spectre & Meltdown)!
http://www.guru3d.com/news-story/13...doors-discovered-in-amd-ryzen-processors.html

 

And here's something else someone else posted in the replies which is an extract from the report:

They did post a disclaimer stating it is their opinion not fact.

Legal Disclaimer BACK TO SITE CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. **The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.

It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.

The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.

Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate.

 

Plus, as it was also mentioned, they gave AMD less than 24 hrs to respond when industry standard is about 90 days. that's a tad odd, is it not?

 

Well I've not read the detail of the report, just the Guru3d article that I quoted - but what will be the acid test will be how AMD responds to this, and if they release patches to plug the holes then you for sure can believe that the vulnerabilities are real. I imagine AMD will respond very quickly either way, either to discredit the findings or to patch as soon as possible. For now AMD is just saying this: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,".

 

Some I won’t name names... Said go for AMD. Intel has only flaws. Oh’well

I have said this before. It’s tech. Next time it will be the other manufacturer who run into problems.

 

Something funky, the first link to the white paper does not exist, the homepage for safefirmware does not come up and the whois is lets say funky

https://www.godaddy.com/whois/resul...dJBSHQPynYenpHzgDnpFJ0JSxeh0ErRM&isc=gofdb026

Same registrant on 2/22/2018 takes a 2 year registar with godaddy for amdflaws.com

https://www.godaddy.com/whois/resul...fQbo9LFbMqDCFdyobvd5NG1jyf5EuMLM&isc=gofdb026

 

amdflaws_whitepaper.pdf

https://amdflaws.com/


AMD's Ryzen, Epyc security co-processor and chipset have major flaws, researchers claim-Pcworld.com
"CTS-Labs is not the only security organization to discover an issue with AMD’s Secure Processor. Last September, Google researchers found and reported a stack overflow vulnerability, which AMD said it patched. AMD’s BIOS now allows users to disable PSP support. PSP, or the Platform Security Processor, is the former name of AMD’s Secure Processor."

 

https://www.reddit.com/r/Amd/comments/844q1f/anybody_heard_of_these_people_before_they_are/

Also at their website nothing about this;

http://www.cts-labs.com/detailed-analysis

Youtube channel just created for this. 3/12/2018, this reeks.

https://www.youtube.com/channel/UCJ_lbUAqBgM54eEdIsv3llg

 

From the guru3d article:

" What now?
It's not known how long it will take to address and fix these issues if some of them can be fixed at all. CTS-Labs said it hasn't heard back from AMD, but considering they gave AMD 24 hours to digest this all, that makes sense. The researchers said it could take several months to fix. Some of the exploits in hardware can't be fixed, they add.

We say testing & verification is required. Should you be worried? Well, from what we've read, all four levels of vulnerabilities require actual administrative access towards your PC. This means you'd need to hand out full access to your PC, that would read as alleviated privileges. And yeah, anything and anyone you hand out admin rights would be at risk or compromized anyway.

At the time of writing, I (Hilbert) am looking at the vulnerability announcements with a healthy amount of skepticism, and so should you. I'd advise we all await what AMD has to say about this, once they have had a chance to digest all information and accusations.

There are many things that bother me:

• The 24-hour disclosure opposed to the industry standard 90/180 day is just wrong
• Domain records for "amdflaws.com" has been created on Feb, 22, 2018.
• Company is listed only since 2017, linked-in shows very poor company info.
• Domain registered not directly but through "domainsbyproxy.com".
• Domain is registered at GoDaddy, privately. No contact information of the domain is public.
• Their official Youtube Channel with that video, was created March this year. That would be the official company YT channel.
• Video looks marketed, too well produced.
• Names like Ryzenfall sounds like somebody from marketing made that up?
• Precisely 13 flaws? An unlucky number?
• Whitepaper shows no specific technical detail.
• Earlier today when the news broke and info was released I did some Google searches on CTS-Labs, it revealed very little, for a proclaimed established security agency.
• Parts of www.cts-labs.com website are copied from public PDF documents
• As a security firm, cts-labs website does not even have an SSL certificate active? Thus no https available as an option?
• cts-labs does not disclose address on website.

All things combined raise so many red flags, now we can also add this:

Currently, there is speculation that this information release is an attempt to manipulate the stock price of AMD. The short seller Viceroy Research would possibly play a role in this. That company published relatively quickly after CTS the claim that the 'revelations' would be the death blow for AMD.

In the end, this all could be a hoax or plot to damage AMD or for self-benefit (manipulating stock exchange), and as more time passes it seems to be the case that all this is just that, a hoax to create some sort of effect. We'll have to wait and see what AMD makes of this and what their actions will be.

Initial AMD Statement
We've reached out to AMD for a statement, here is the latest updated reaction:

"We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops,"."

This is apparently a well funded and coordinated attempt to torpedo AMD set up to appear to be orchestrated from Israel - Intel is the #1 technology employer in Israel.

How Intel came to be Israel’s best tech friend
A newly found cache of photographs shows the development of one of the country's most important ongoing business relationships
By DAVID SHAMAH, 23 April 2015, 12:09 pm
https://www.timesofisrael.com/how-intel-came-to-be-israels-best-tech-friend/

https://www.google.com/search?q=intel+israel

This is a sad day both for Intel and Israel, they are both being smeared by whoever is perpetrating this effort, and both need to get on top of the perpetrators, stop it, and disclose the cleanup.

AMD is on the right path, and more attacks are likely forthcoming.

 

One issue could be a short seller betting a lot on AMD having a crash and burn. While Zen 12 nm may not be the companies save grace making the CPU's highly competitive Zen2 at 7nm most likely will. This is exactly the opposite of what a short seller wants to see. As it stands the stocks look to at least be holding their own somewhat, again a short sellers nightmare.

 

OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws
Holes useful for malware on completely pwned PCs, servers
By Thomas Claburn in San Francisco 13 Mar 2018 at 22:47
https://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/

" Analysis
CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors."

Tuesday's glitzy advisory disclosed no technical details – but described 13 "critical" security vulnerabilities that span four bug classes in AMD chips. The biz apparently gave AMD only one day of advance notice it was going public, an amount of time that precludes addressing the flaws prior to publication and deviates from security industry norms of responsible disclosure. Typically, organizations are given up to 30 to 90 days to fix their products.

The report describes the four classes of vulnerability, each of which has several variations. They all require local administrator access – or in one case, physical access – to exploit, which limits them as vulnerabilities useful for miscreants.

Essentially, the security holes can be exploited by malware already present in a computer to bury deep into its machinations to ensure it can't be easily detected and removed – not even by wiping hard drives and reinstalling everything from scratch. The malware can inject itself into motherboard firmware to stay out of sight, all while meddling with or siphoning off files and other personal information, and interfering with system hardware.

But it's important to note that a software nasty has to have superuser powers to abuse the programming cockups found by CTS-Labs. At which point, the malware already can spy on its victim, steal their data, hold their files to ransom, and so on.

The flaws do not open AMD-powered PCs and servers to remote hijacking over the internet, nor allow malicious apps to commandeer systems. Instead, they can be leveraged to ensure that once malware is present, it's more difficult to find and remove.

Also, no code exploiting the security shortcomings has been made public, nor is any circulating right now in malware. The holes are also not necessarily unfixable.

Spoiler

What are the bug classes?
RYZENFALL allows malicious code to take over the AMD Secure Processor in Ryzen, Ryzen Pro, and Ryzen Mobile chips. Exploitation requires being able to run a program locally with administrator privileges. CTS-Labs claims there's no mitigation, despite AMD's recent released BIOS update that is supposed to disable the Secure Processor, thus killing off the whole thing.

The Secure Processor – aka the Platform Security Processor or PSP – is a coprocessor that ships with modern AMD chips that ensures a valid, untampered operating system is booted, among other tasks.

The RYZENFALL vulnerability may be related to a security issue in AMD's Secure Processor reported by Google security researcher Cfir Cohen in January. RYZENFALL requires root-level access to attack. It can be used to commandeer the Secure Processor, boot backdoored operating systems, and extract, say, protected Bitlocker crypto-keys from the firmware to decrypt drives in seized Windows 10 machines.

Re: today's AMD flaw hype.
There was a very similar AMD PSP firmware hole uncovered (and patched) in January, but I guess it just didn't have a fancy bug name nor a website https://t.co/GBtGTf22zn
— Chris Williams (@diodesign) March 13, 2018

FALLOUT, a flaw in the boot loader component of Epyc's Secure Processor, allows attackers to read and write sensitive and protected memory areas, such as SMRAM and Windows Credential Guard isolated memory (VTL-1). As with RYZENFALL, local administrative access is necessary to exploit the issue.

CHIMERA is described as a pair of manufacturer backdoors, one in firmware and one in hardware (specifically in an ASIC), that allow code to be injected into AMD Ryzen chipsets. Again, you need root privileges to do this. This means the underlying motherboard firmware can be programmed to become a keylogger, send keypresses for passwords over the network, and so on.

The advisory claims the backdoors were introduced, accidentally or otherwise, by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK, which used its own insecure integrated circuits in AMD's Promontory chip, found in AMD's Ryzen and Ryzen Pro lines.

MASTERKEY, allows the installation of persistent malware inside the Secure Processor, running in kernel-mode with administrative permissions. It requires the ability re-flash the motherboard BIOS with a malicious software update. This typically requires admin-level or physical access to a box, but CTS-Labs contends this could be done remotely through a command-line utility, again with the appropriate permissions.

The key thing with, er, MASTERKEY is that the system accepts modified BIOS images – when really, it ought to reject them, regardless of who is flashing them.

Eypc server chipsets are, we're told, affected by FALLOUT and MASTERKEY. Ryzen workstation has CHIMERA, MASTERKEY and RYZENFALL. Ryzen Pro has CHIMERA and RYZENFALL. Ryzen mobile has RYZENFALL.

Questions of motivation
Some members of the online security community are characterizing the research as a hit piece designed to manipulate AMD's stock price, presumably to benefit those intending to short company stock.

Dan Guido, CEO of security firm Trail of Bits, meanwhile contends the findings are valid. He said he was contacted by CTS-Labs ahead of today's disclosures to check over the vulnerability discoveries to evaluate their impact, and said the blunders can be exploited.

"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public AFAIK), and their exploit code works," he said via Twitter.

In a video published in conjunction with the research, Ido Li On, CEO of CTS-Labs, claimed many of Taiwanese chipmaker ASMedia's products contain backdoors that could be used by hackers to inject malicious code. Fined by the FTC in 2016 for ignoring security flaws, ASMedia has helped build some AMD chipsets.

"When we looked at Ryzen computers, we saw that the very same backdoors that have existed on ASMedia chips for over six years are now on every Ryzen PC in the market," Li On said. "This was deeply concerning to use and it got us to look at AMD security as a whole."

Response
AMD in a statement issued a few hours ago said it was looking into the claims:

We have just received a report from a company called CTS-Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.

In keeping with the practice cemented by the Spectre and Meltdown vulnerabilities in January, CTS-Labs is promoting the disclosure on a dedicated website, amdflaws.com – complete with logos, codenames, claims of public safety risks, and media briefings to create a big splash.

The website, and the white paper that accompanies it, includes a lengthy disclaimer advising not to use the research as investment advice. "The report and all statements contained herein are opinions of CTS and are not statements of fact," the dot-com declared. "Organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents."

It also, curiously, acknowledges the possibility that those involved may have a financial interest in AMD stock:

Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

A separate website published under the name Viceroy Research meanwhile has cited CTS-Labs' work to claim, rather sensationally, "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries." Viceroy's blog post and CTS' findings went live today within a couple of hours of each other.

Reached by phone, John Fraser Perring, founder of Viceroy Research, which describes itself as "a group of individuals that see the world differently," confirmed to The Register that his firm has a short position in AMD stock and that he intends to increase that position in light of support for CTS-Labs' findings.

He said that technical experts he corresponded with who have verified the findings, specifically Dan Guido, have left him convinced that these flaws pose a serious risk to AMD customers.

Perring said he received a copy of report from an anonymous source and found the findings credible after consultation with internal and external technical experts.

Not everyone believes the flaws are quite so dire – certainly not enough to warrant a media blitz with claims of doom and death.

If you're already that pwned...
Jake Williams, founder and president of Rendition Infosec, commented on the above quoted disclaimer via Twitter, saying, "I'm pretty well convinced that this is designed to manipulate stock prices. That doesn't make the vulnerabilities fake or any less dangerous (though you need admin access to exploit most)."

Arrigo Triulzi, a security consultant based in Switzerland, described the paper as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an insult."

Google security researcher Tavis Ormandy, responding to Triulzi wrote, "Nothing in this paper matters until the attacker has already won so hard it's game over. Not something I'm too interested in, but maybe DFIR [Digital Forensics and Incident Response] people are?"

Ormandy is referring to the fact that exploiting these supposed flaws require local administrative access, making them significantly less dangerous than vulnerabilities that can be exploited by a remote, unprivileged user.

Linux kernel contributor and expert Matthew Garrett also broke down the four bug classes thus:

The argument is that if you can replace the firmware then of course you win, except the whole point of having the CPU validate the firmware is that replacing the firmware means the machine doesn't boot. It's not a real threat for most people, but it still matters.

— Matthew Garrett (@mjg59) March 13, 2018
RYZENFALL: OS-level admin can gain access to the Secure Processor. This means root can extract any secrets stored in the fTPM. Use Bitlocker? Attacker can boot their own OS image, break into the fTPM, extract the key, decrypt your drive.

— Matthew Garrett (@mjg59) March 13, 2018
FALLOUT: Different attack path to Ryzenfall, looks like it gives the same kind of outcomes - any protections mediated by the Secure Processor are broken

— Matthew Garrett (@mjg59) March 13, 2018
CHIMERA: Someone with root can potentially turn your motherboard chipset into a hardware keylogger that sends anything that looks like a password over the network and you can never fix it look this is kind of a big deal

— Matthew Garrett (@mjg59) March 13, 2018
But there are many other people who don't want to make that assumption - root shouldn't be able to replace your system firmware with malware, root shouldn't be able to extract secrets from your credential VM, root shouldn't be able to trojan your chipset

— Matthew Garrett (@mjg59) March 13, 2018
In an email to The Register, Yuriy Bulygin, CEO and cofounder of firmware security firm Eclypsium, said that while the white paper offered little in the way of technical details, it nonetheless describes what look to be an important set of vulnerabilities affecting the Platform Security Processor, a critical security component on AMD systems.

"Assuming these vulnerabilities are confirmed, they would seem to lead to a bypass of fundamental platform protections like hardware based secure boot, Windows 10 Virtualization Based Security (with Credential and Device Guard), firmware based Trusted Platform Module, secure encrypted virtualization," said Bulygin.

"This would also allow malicious code to persist in PSP’s firmware and other firmware like UEFI and runtime SMM. If we navigate beyond marketing language and disclosure discussions, this is important research into the platform security of AMD-based systems. The next step is to evaluate technical details when they are released to confirm the issues."

Impact
Jake Williams told The Register that the lack of details in the report made gauging the impact of the vulnerabilities difficult, but the flaws could be a major issue - depending on who you think is likely to go after your networks.

"If nation state attackers top your threat model, then yeah this is bad. The vulnerabilities will allow attackers to bypass Trusted Boot (allowing them to bypass device driver signing and other rootkit mitigations) and Credential Guard (allowing them to bypass Windows 10 credential hardening mitigations)," he explained.

"The most concerning are the two chipset vulnerabilities. These have the potential to more widely exploited. The hardware vulnerability that involves direct memory access (DMA) is particularly concerning since it will difficult to impossible to patch through software."

AMD stock closed up about one per cent on Tuesday. If the plan was to short the stock, well, that backfired somewhat.

El Reg asked the US Department of Homeland Security whether it was aware of the CTS-Labs report, and whether it had any comment on the findings. A spokesperson in an email said: “DHS is aware of the report” but has nothing further to add at this time.

The Register also asked an Intel spokesperson whether the company had any financial or logistical ties to CTS-Labs. We have yet to hear back. ®

Bootnote
Linux kernel chief Linus Torvalds is not amused. "It looks like the IT security world has hit a new low," he stormed.

"At what point will security people admit they have an attention-whoring problem?""

 

If you have admin level access there is al kinds of things that can be done to any system. This includes software/malware/bios hacks that can be devastating. I would be willing to bet if you gave the same access to an Intel system quite a bit of devastation can be done there as well.

My bet is the reason for no allowed response time is exactly this. AMD not just coming back and saying beware who you give admin access too. what a bad malicious joke.

 

On AMD Flaws from CTS Labs
Kevin Beaumont, InfoSec, from the trenches of reality. Email [email protected] | Twitter: @gossithedog on Twitter. Mar 13
https://doublepulsar.com/on-amd-flaws-from-cts-labs-f167ea00e4e8

"You may have seen media reports about flaws in AMD chipsets. AMD are currently reviewing the report, as they were given less than a day notice of vulnerabilities that CTS Labs claim put lives at risk (via their website, AMDflaws.com). This is a highly unusual and reckless disclosure of security flaws.

Some initial technical analysis from me.

• All of the bugs require administrator (or root) access to exploit. This is a significant mitigation.
• All of the bugs require the ability to execute code. This is a significant mitigation.
• No proof of concept code has been provided.
• No technical information has been published.
• Nothing is in the wild for this.
• It could not lead to a global cyber attack like WannaCry, as it does not provide code execution.

In terms of disclosure this happened with full press releases to major media organisations and no independent analysis of facts, or demonstrations of the vulnerabilities. The website makes extreme claims about the vulnerabilities – the FAQ section is worse than Buffy fanfic. No mitigation advice was provided to organisations.

The only independent voice provided to press who reviewed the work is Dan Guido – who was paid as a contractor of CTS, per his own tweet.

Somehow this has not yet be mentioned in articles.

Fancy videos were provided – with fake office backgrounds.

I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations.
The only real public exploit here at the moment is a press exploit. This situation should not be happening.

~kevin"

 

wow, just check their own website:

"The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
and even more fishy:
"...CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."


- report declared as OPINIONS

- they MAY have economic interest in the performance of company securities they report on

- refrain from updating website as it becomes outdated/inaccurate


seriously??? this is as SHADY as it gets! this sounds to me like theyre already protecting their behinds from potential lawsuits and are planning to milk this thing via stock market manipulation. just unbelieveable...

Sent from my Xiaomi Mi Max 2 (Oxygen) using Tapatalk

 

AMD Aggressively Taking CPU Share From Intel

 

Leasing An AMD RX 580 For $60 A Month? WTF?

 

At 600 MSRP I would say a lease at 15 USD would be reasonable, 60 per month, no way

 

I haven't look at the site or the terms, but I would assume the duration has an impact on the monthly, so paying it off in 12 months might be worth $57 / month. IDK what the balloon payment or terms are.

It's interesting, a first step or two toward mitigating the difficulty in finding hardware for current times, and for even higher cost GPU's, it might be the only way for some people to stretch out the payments, and maybe not get "stuck" with old tech.

Right now IDK if I'd buy an Nvidia GPU, expecting the next gen to be released at any time, it would be nice to be able to turn it in and walk away without getting stuck for the full cost commitment of buying and then trying to sell it.

 

Although I do not see them on Amazon or Newegg;

https://segmentnext.com/2018/03/16/amd-ryzen-2000-pre-orders/

 

I would think pre-orders would start when announced shortly, at or just before GDC(?), by AMD directly.

 

Thought it was probably too early.

 

7 nm "Castle Peak" Threadripper desktop CPU coming next year as reavealed in leaked AMD roadmap

"Castle Peak" will be based on the upcoming Zen 2 core, while this year's Threadripper gen 2 will feature a slightly improved 12 nm Zen+ core. The first Zen 3 cores are expected to arrive with the 2020 APUs.

AMD is known to be holding special events for retailers and distributors at least twice a year. According to Informatica Cero, the company presented a new roadmap slide at the latest special event, revealing more information about the upcoming CPU architectures and release schedules.

The slide is not supposed to be public, but the guys over at Informatica Cero leaked it anyway. It presents an overview for each year up until 2020 and also introduces the idea of an “Inflection-Optimization” release schedule approach, with inflection years introducing new technologies and CPU cores, while optimization years are meant to further improve the architectures released the year before. It now makes sense to see that 2018 is considered an optimization year, as AMD is enhancing the original Zen architecture launched in 2017, which was an inflection year. The “Raven Ridge” APUs and “Pinnacle Ridge” desktops CPUs were already revealed to be launched this year, however, the leaked slide also mentions a “Threadripper” gen 2 for 2018, as part of the Zen+ improved architecture. This should be the 12 nm version of the Threadripper models launched last year.

2019 will be a new inflection year when AMD is to introduce the anticipated 7 nm Zen 2 core. From here onwards the desktop CPUs and APUs get codenames of well-known painters. There is the “Matisse” desktop series, the “Picasso” APU series, and the “Castle Peak” series which will include the Zen 2 variants of today’s Threadrippers. AMD is also expected to launch its EPYC server CPUs codenamed “Rome” and “Starship” in 2019.

As an optimization year, 2020 will only enhance the previous Zen 2 architecture. The desktop CPUs for 2020 are codenamed “Vermeer, while the Threadripper successors are just known as next gen HEDT (high-end desktop). However, according to Videocardz, the APUs codenamed “Renoir” are said to be featuring the Zen 3 core that will be introduced in 2021 for desktops and HEDT. It is not clear what manufacturing process all these models will feature, but previous slides indicate that AMD will stick to 7 nm through 2021 as well.

@Vasudev