Europe built sovereign clouds to escape US control. Forgot about the processors
- #hardware security
- #digital sovereignty
- #cloud computing
- Europe invests over €2 billion in sovereign cloud initiatives to reduce US legal exposure, with frameworks like France's SecNumCloud providing 'immunity from extraterritorial laws.'
- However, most cloud infrastructure relies on Intel or AMD processors, which contain management engines (Intel ME/CSME, AMD PSP) operating at Ring -3, below the OS and outside host control.
- These management engines are persistent, have their own network access, and, once compromised, act as backdoors that permit data exfiltration and remote control invisible to the host OS, as seen in past attacks such as PLATINUM.
- US laws like RISAA 2024 classify hardware manufacturers as 'electronic communications service providers,' subjecting them to secret orders, potentially compromising silicon-level sovereignty.
- SecNumCloud certification does not assess silicon vulnerabilities; it focuses on operational controls, threat modeling, and legal protections, leaving hardware-layer risks unaddressed.
- Experts disagree on how practical these risks are: some argue that operational controls (network isolation, monitoring) leave the engines reachable only by nation-state actors, while others stress that the vulnerabilities are inherent to the design.
- The gap between sovereignty rhetoric and silicon reality is often overlooked in policy debates, with no immediate solution; alternatives like RISC-V are decades away from competitiveness.
- European digital sovereignty thus faces a fundamental question: whether reliance on non-sovereign silicon is an acceptable risk or a critical vulnerability needing mitigation.