Rethink Technology business briefs for March 16, 2018.

Questionable motives surround the CTS “Security Advisory on AMD”

Ryzen processor and chipset vulnerabilities. Source: CTS.

The recent hasty release of a “Security Advisory” concerning purported flaws in Advanced Micro Devices' (AMD) Ryzen architecture processors could be passed off as youthful rashness by a heretofore unknown security research firm, CTS, based in Israel. That is, if it weren't for the simultaneous release to the media of the report as well as the highly inflammatory take by Viceroy Research called “AMD-The Obituary” on March 13.

Viceroy verges on the hysterical:

Viceroy, in consultation with experts, have evaluated CTS’ report. We believe the issues identified by CTS are fatal to AMD on a commercial level, and outright dangerous at an international level. In light of CTS’ discoveries, the meteoric rise of AMD’s stock price now appears to be totally unjustified and entirely unsustainable. We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (bankruptcy) in order to effectively deal with the repercussions of recent discoveries.

In an interview with Anandtech, CTS could offer only the flimsiest of excuses for jumping the gun and not giving AMD the usual 90 days notice before making the disclosure. CTS claimed that waiting the 90 days gives chip vendors “a lot of control” in PR spin and minimizing the issues. CTS added:

The second problem is that if mitigations are not available in the relevant timespan, this paradigm does not make much sense.

In fact, CTS could offer no substantiation for the opinion that AMD might not be able to address the vulnerabilities within the 90-day period. It simply didn't know.

People who follow me know that I'm no great friend to AMD, but I think the conduct of CTS in this matter is absolutely reprehensible. CTS should have been willing to afford AMD the 90 days to review CTS' findings and come up with mitigations. That would have been the responsible way to proceed.

The U.S. Securities and Exchange Commission offers this definition of stock manipulation:

Manipulation is intentional conduct designed to deceive investors by controlling or artificially affecting the market for a security. Manipulation can involve a number of techniques to affect the supply of, or demand for, a stock. They include: spreading false or misleading information about a company; improperly limiting the number of publicly-available shares; or rigging quotes, prices or trades to create a false or deceptive picture of the demand for a security. Those who engage in manipulation are subject to various civil and criminal sanctions.

CTS and Viceroy have probably stopped just short of the SEC definition of manipulation by virtue of the CTS report being factually correct.

Understanding the Ryzen vulnerabilities and their impact

An independent research firm, Trail of Bits (TofB), has confirmed the CTS findings and was paid for their services, but I don't think that means TofB would have misrepresented their own findings in the matter.

The TofB blog tried to play down the risk:

There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. . . These types of vulnerabilities should not surprise any security researchers; similar flaws have been found in other embedded systems that have attempted to implement security features. They are the result of simple programming flaws, unclear security boundaries, and insufficient security testing. In contrast, the recent Meltdown and Spectre flaws required previously unknown techniques and novel research advances to discover and exploit.

One can appreciate the desire to lower the hysteria level, but the reasoning here seems a little flawed. On the one hand, it's claimed that the AMD vulnerabilities pose little risk because it would take time for attacks to be developed, yet the statement implies that Meltdown and Spectre are more serious risks, even though developing attacks based on them would certainly be even more difficult. In short, there was no immediate risk due to Meltdown or Spectre, either.

There continues to be much downplaying of the AMD vulnerabilities, but they are serious. One argument is that the vulnerabilities require administrator credentials to exploit. This is true, but stealing administrator credentials (the login password and username) is not difficult.

When an operating system such as Windows or macOS is first installed, the first user account that's created is administrator level by default. This is to provide necessary administrator privileges following installation. Most home PC users receive administrator privileges by default.

A 2016 report by Verizon found that 63% of data breaches stemmed from “weak, stolen or default passwords.” Human nature has ever been the greatest threat to computer security.

Once administrative credentials have been acquired, the harm that can be done to the assumed security protections of AMD processors is considerable. Within modern AMD processors is an ARM-based AMD Secure Processor (ASP) that's supposed to ensure secure boot, as well as handle various encryption tasks. The vulnerabilities allow malware to invade the ASP and commandeer it in order to compromise other parts of the processor and operating system, and potentially spread to other computers.

Source: Hexus.net

Perhaps the most disturbing finding of CTS was the discovery of backdoors (the Chimera vulnerabilities) in the chipset used by Ryzen processors, the Promontory X370 chipset. AMD contracted with ASMedia to design the chipset in 2014. According to CTS, the X370 contains a microcontroller with backdoors left in place by ASMedia that can be exploited by code with administrator privileges.

The Anandtech interview makes the point that the Ryzen vulnerabilities are less of a threat to datacenters because processors run in virtualized mode in which there's no direct access by virtualized machines to the hardware. I tend to agree, and consider that the major risk is to individual consumers rather than professional users, whether datacenters or corporate networks. But the threat to consumers is real (pending further verification) and should not be minimized by AMD's supporters.

The departure of Global Foundries' Sanjay Jha

With the uproar over the conduct of CTS and Viceroy, the most significant news impacting AMD has been overshadowed. This was the sudden departure of Sanjay Jha and his replacement by Dr. Thomas Caulfield as CEO of Global Foundries.

Naturally, Global Foundries tried to put this in the best possible light. Jha was “passing the baton” to his successor:

“GF is a strategic asset for the global semiconductor industry and our shareholder. We will continue to invest to differentiate and grow the business and further consolidate the industry through partnerships, in a way that allows us to better serve our customers,” said Ahmed Yahia Al Idrissi, Chairman of the GF Board of Directors. “Sanjay delivered on strategic milestones which set the company on the right path and we would like to thank him for his significant contributions. Tom, with his 25-year track-record of operational excellence and delivering for customers, will take the company to the next level of success.”

But the lack of anything like succession planning, which would normally accompany a planned transition, suggests that this was not planned at all, at least not by Jha. And I'm inclined to think that if things were going along swimmingly, Jha would still be CEO.

The quote above contains an important clue: “Operational excellence.” The fact that Caulfield is seen as supplying this key ingredient suggests that the GF Board considers it to have been insufficient under Jha.

This in turn suggests that all is not well with 7 nm. But we kind of already knew that. As late as June of 2017, GloFo was still assuring the world that 7 nm would be in high volume production in the second half of 2018. Then, in an interview with Anandtech, GloFo CTO Gary Patton backed off from that, indicating that 7 nm would be in high volume production:

By the end of the year or most likely in early 2019, with a couple of key partners. Our ASIC customers, of which there are quite a few, are also lead users of our 7nm process.

Skipping 10 nm and going directly to 7 nm was always a risky gamble, especially for a foundry without a good track record of bringing leading processes into production on time.

There seems to be a lot of good feeling in the tech media about the fact that GloFo's leadership, the CEO and CTO, both came from IBM (IBM). I think this may be misplaced. IBM's semiconductor manufacturing business had been falling behind the leading edge in semiconductor processes for years before it was finally sloughed off to GloFo.

IBM had never managed to get into high volume production in FinFETs. IBM had never advanced to a mass production 14 nm scale process, let alone gone further. How are the remnants of IBM's semiconductor manufacturing business supposed to save the day for GloFo?

Investor takeaways

AMD supporters have been quick to call the CTS report “much ado about nothing,” and in fact I doubt that security vulnerabilities in general will ever be sufficient to affect the price of a processor company, whether Intel or AMD. Certainly, the Meltdown and Spectre vulnerabilities have not caused Intel's stock to collapse. Just the opposite. Since January 5, Intel is up over 14%. In general, processor vulnerabilities appear to be a poor pretext to short a processor manufacturer.

But I wanted to take a moment to recapitulate where I stand on AMD, since it was recently pointed out to me that Tipranks has claimed that I rate AMD a buy. I don't.

AMD has two main problems right now. The biggest is the loss of Raja Koduri to Intel (INTC), and what that says about the competitiveness of AMD's GPUs. I'm sure Koduri didn't leave because he wasn't making enough money at AMD. He left because he didn't see a future there, having to compete with Nvidia (NVDA).

Before too many years, AMD will have two competitors in GPUs rather than one. AMD was struggling just to compete with Nvidia. AMD having to fight off both Nvidia and Intel is a complete non-starter.

Vega will receive no refresh this year. But Nvidia will probably launch a new GPU architecture this year. There's uncertainty about when it will be announced and when it will launch, and even what it will be called (Turing? Ampere?). But there's really no doubt that it is on its way, and it will leave Vega even further behind.

AMD's other main problem is GloFo. Much has been made of a statement to Anandtech by CEO Su that AMD would use both TSMC (TSM) and Global Foundries for 7 nm. Since the last renegotiation of the Wafer Supply Agreement (WSA) with GloFo, AMD already was using TSMC to build the semi-custom processors for its game console business. Presumably that will continue as TSMC's 7 nm process becomes available.

The renegotiated WSA hasn't let AMD out of its obligation to use GloFo for processors and GPUs, and won't unless there's yet another renegotiation. The idea that AMD will be allowed to split its business at will between TSMC and GloFo is wishful thinking on the part of AMD fans. GloFo simply needs AMD's business too much for that to happen.

AMD's dependence on GloFo for its core processor businesses is its main problem. Intel will have its 10 nm process in mass production this year. The first parts that come out will be for ultrathin notebooks and tablets, a key area for Ryzen Mobile APUs. With these being fabricated on the GloFo 14 nm process, the collision with Intel is likely to be bloody and painful for AMD.

So, once again, AMD's fate is tied very closely to Global Foundries, which just had a change of leadership, and has probably delayed its leading edge 7 nm process into next year. AMD is looking like a very poor turnaround bet. I continue to rate AMD a sell.

Nvidia is part of the Rethink Technology Portfolio and is rated a buy.

Disclosure: I am/we are long NVDA, TSM.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.