Intel and AMD chips used in European sovereign cloud infrastructure include Ring-3 management subsystems that function as complete computers with deep access to host systems. These subsystems are largely opaque to the organizations that own and administer the cloud. The subsystems are designed to be controlled over the same networks used for server operations, creating potential vectors for remote attackers. French and EU sovereign cloud specifications include many technical details but do not mention these management subsystems. Because Intel and AMD are subject to American laws that can compel secret state action, the effort to build an impenetrable European cloud fortress is portrayed as flawed. Sovereignty depends on controlling supply chains that protect systems from malign influence or attack, as shown by wartime resource and component constraints.
"Both companies' chips have so-called Ring -3 management subsystems, complete computers with deep access to the host system, while remaining largely opaque to the people who own and administer it. The management subsystems are designed to be controlled over the same networks that servers use for servery stuff, which makes them in theory and in practice vectors for remote attackers."
"The story is more that the French specification derived from the EU's IPCEI-CIS specification and for sovereign clouds, while having thousands of technical details, doesn't mention this at all. The management subsystems are designed to be controlled over the same networks that servers use for servery stuff, which makes them in theory and in practice vectors for remote attackers."
"As Intel and AMD are governed by American laws that can force them to act in secret for the state, the billion-Euro effort to fly the European flag over an impenetrable cloud fortress seems badly flawed. A good old supply chain attack, not so much secret as too boring to think about. Fixing it will mean fixing that supply chain, and the others that live in the same blind spot."
"Sovereignty is supply chains. If you don't control the components that keep your state safe from malign influence or outright attack, you don't have sovereignty. This is most starkly on show during wartime, not just in military logistics in theatre but also the industrial base that keeps the machinery going."
#digital-sovereignty #supply-chain-security #trusted-computing #cloud-infrastructure #hardware-security
Read at theregister
Unable to calculate read time
Collection
[
|
...
]