Intel Management Engine & AMD Secure Technology #844

Closed
opened 2019-04-10 03:55:50 +00:00 by YugiFanGX · 13 comments
YugiFanGX commented 2019-04-10 03:55:50 +00:00 (Migrated from github.com)

Backdoor in computers
https://www.youtube.com/watch?v=Lr-9aCMUXzI

You should also make people aware of Firmware Blobs

YugiFanGX commented 2019-04-10 04:05:51 +00:00 (Migrated from github.com)

Alternative seems to be https://en.wikipedia.org/wiki/RISC-V

Is there anything known for ARM architecture?

beerisgood commented 2019-04-10 11:14:06 +00:00 (Migrated from github.com)

I don't see why this YouTube video is related to AMD.
Also the video description recommends NordVPN as protection.
Seriously?

ghost commented 2019-04-12 13:50:10 +00:00 (Migrated from github.com)

I asked Purism when they started producing Intel-based machines why the hell they were supporting Intel and its M.E. They had an /oh shit/ panic moment because they did a bunch of Intel development without knowing about the ME. They refused to throw away the work they had done. Eventually someone worked out how to "disable" (*) ME and Purism took that idea and ran with it - using marketing that kind of implies that Purism did the work. The big problem is not taking credit for someone else's work, but rather that Purism continued to support Intel. Of all chip makers Intel (founder of ALEC) is the most unethical. So Purism is leading consumers to feed the worst player in the market because they don't want the effort of changing directions to favor ethics.

(*) *disable* is in scare quotes because ME is never fully disabled. It must run to boot the chip, but post-boot it can be disabled to some extent.

## Arm

@yugifangx

> Is there anything known for ARM architecture?

Arm has *Trustzone*, which is the same problem as ME. But Arm has multiple producers which at least means there's a competition of pricing and ethics.

## AMD

AMD also [has](https://libreboot.org/faq.html#amd) a *Platform Security Processor*, which uses Arm's Trustzone. ([diagram](https://freundschafter.com/cybersecurity-amd-trustzone-amd-platform-security-processor-psp-amd-secure-technology/))

## Privacy and freedom comparison

Intel chips have been non-free proprietary closed-source from day 1 of the ME (around 2008). AMD had a moment of enlightenment where their code was open source for a window of time and this benefited libreboot, but ended in 2013. All modern chips (x86, amd, arm) are spy chips, and all have a non-free blob. So strictly in terms of nuts and bolts privacy it makes sense to condemn all post-2008 Intel chips and post-2013 AMD and ARM. If someone must have a modern chip, all chips are equally at risk for privacy abuse AFAIK.

In this situation, ethical consideration needs amplification. Intel is the most insidiously under-handed and bent against individual consumers. So I boycott Intel, which also means I will not buy a Purism laptop. Shame on Purism for discarding ethics in their decision.

IMO PTIO should direct consumers to the [FSF RYF](https://www.fsf.org/resources/hw/endorsement/respects-your-freedom) page. The chips are pre-2008 Intel non-spy chips. Under the circumstances buying old chips does not significantly feed Intel, and these are the most privacy-respecting options. I'm not sure why there are no pre-2013 AMD chips on that site. It's hard to endorse anything modern. I would condemn modern Intel chips and urge consumers not to buy any new chips off the shelf (a 1 or 2 year old used product less directly supports the spy chip maker than a new product).

beerisgood commented 2019-04-12 14:17:52 +00:00 (Migrated from github.com)

So the Purism team use Intel because of better marketing (disable ME shit)?
Ridiculous

ghost commented 2019-04-12 20:05:48 +00:00 (Migrated from github.com)

I'm not sure why Purism chose Intel in the first place, but often people favor Intel if they're performance junkies. I was already boycotting Intel before the ME scandal hit on ethical grounds. Why Purism stuck with Intel is likely because they already invested effort into it, but I can only guess. Maybe it goes back to whatever their original reason for choosing Intel was.

It would be important to Purism to be able to disable ME/PSP/Trustzone. PSP can also be disabled in the BIOS and the latest UEFI, and the AMD approach is better documented. Not sure about Trustzone.

Atavic commented 2019-04-12 21:20:43 +00:00 (Migrated from github.com)

Intel ME is a chip, a piece of hardware with its own OS, Minix, that totally bypasses Windows or any other OS the users install above it. It can communicate with less known protocols such as I2C, and so Purism users do not have "complete visibility into the deeper levels" of their computers.

Removing any Intel related software, service and drivers does nothing to the OS in the ROM of the chip.

The way to go is to flash the ROM, like [this](https://github.com/corna/me_cleaner/issues/201).

blacklight447 commented 2019-04-29 15:01:32 +00:00 (Migrated from github.com)

I agree that Purism should largely be avoided where possible, since it is possible to get an x86 based computer which provides more software freedom, for a lot less money. Cryptogs.de for example. For modern computers, one could take a look at the Talos II and the Talos Lite from Raptor; these computers are based upon the POWER9 architecture and allow you to run a fully libre stack. These are sadly still expensive machines; soon the Blackbird, also from Raptor, will be released and will be about the price of a high end gaming desktop.

Anyway, about hardware freedom on x86: this is impossible going forward. The nasty thing is that even if one were to copy Intel ME bit for bit perfectly, they wouldn't be able to use it because the computer will force shutdown after exactly 30 minutes. This is because the code is not signed by Intel. Sure, Purism could claim they are "actively working with Intel", but this is just false hope. Even Google has tried to open up Intel ME and didn't succeed. If an immensely powerful mega corporation like Google cannot convince Intel, then a tiny laptop OEM like Purism won't stand a chance.

As for now: if you have a lot of money to burn, one could buy a Talos machine and run Debian on it. If this is not the case, one will have to settle with an older x86 machine with libreboot to have full hardware freedom, at least until alternative architectures like RISC-V (look at SiFive) or POWER9 (look at Raptor) are more in the reach of the general population.

FrostKnight commented 2019-05-15 20:13:31 +00:00 (Migrated from github.com)

I have heard something interesting about AMD, their Richland processors:
https://freundschafter.com/cybersecurity-cpu-and-system-alternatives-without-intel-me-iamt-and-amd-psp-secure-technology/

IF this is true, the Richland processors can be used without a non-free BIOS, if people do the work of liberating them completely.

ThatLurker commented 2019-05-15 22:12:08 +00:00 (Migrated from github.com)

You can always partially deblob Intel ME/TXE firmware images with [me-cleaner](https://github.com/corna/me_cleaner) but it does require external flashing

ghost commented 2019-06-11 17:25:48 +00:00 (Migrated from github.com)

I think at this point it's really something we can't give advice about. ME can only be partially cleaned on *some* processors.

It's also a very experimental area, which is subject to permanently damage your device if you don't know what you're doing.

There aren't really any *products* to recommend. The closest would be the Librem laptops or some even older ones that have coreboot.

The interesting thing about ME is in *some* CPUs it can be disabled. For example there were those Dell offerings that accidentally made their way onto the main page. They were HAP configurations not designed for public customers.

* https://pcper.com/2017/12/dell-is-offering-laptops-with-intel-management-engine-ime-disabled/

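Both the me-cleaner step mentioned two comments up and the HAP ("High Assurance Platform") configurations referred to here live in the same place: the SPI flash image, whose flash descriptor maps the ME region and carries the PCH straps, and whose ME region starts with a `$FPT` partition table. The script below is an added example written for this thread; it is not code from me_cleaner, Purism or any other project named above. It parses the descriptor, lists the ME partitions (only FTPR is assumed essential to bring the chip up, which is why a clean is only ever partial), and reads or sets the HAP strap, which is assumed here to be bit 16 of PCHSTRP0 on ME 11+ platforms (the older AltMeDisable strap is not handled). The 32 KiB image it works on is constructed inline, not a dump of real firmware; run it against a real dump only after reading me_cleaner's own documentation, and never write the result back without an external programmer and a backup.

```python
"""Flash-descriptor / $FPT walker for an Intel SPI image (added example).

Offsets follow the public descriptor layout as the author of this example
understands it: signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, FLREGn at
FRBA, PCH straps at FPSBA. HAP bit position is an assumption (ME 11+).
"""
import struct

FD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]
HAP_BIT = 1 << 16            # assumption: PCHSTRP0 bit 16 on Skylake+ (ME 11+)
ESSENTIAL = {"FTPR"}         # assumption: the only partition needed to boot


def parse_descriptor(img):
    """Return ({region: (start, end_inclusive)}, fpsba) from a flash image."""
    sig, = struct.unpack_from("<I", img, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # flash region base address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4     # PCH strap base address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg, = struct.unpack_from("<I", img, frba + 4 * i)
        start = (flreg & 0x7FFF) << 12
        end = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if start <= end:                      # unused regions encode base > limit
            regions[name] = (start, end)
    return regions, fpsba


def parse_fpt(img, me_start):
    """List (name, absolute_offset, length) for each $FPT partition entry."""
    for fpt in (me_start + 0x10, me_start):   # a 16-byte ROM-bypass vector may precede $FPT
        if img[fpt:fpt + 4] == b"$FPT":
            break
    else:
        raise ValueError("no $FPT header in ME region")
    n_entries, = struct.unpack_from("<I", img, fpt + 4)
    hdr_len = img[fpt + 0xA]
    parts = []
    for i in range(n_entries):
        e = fpt + hdr_len + 0x20 * i          # 0x20-byte entries follow the header
        name = img[e:e + 4].rstrip(b"\0").decode("ascii", "replace")
        off, length = struct.unpack_from("<II", img, e + 8)
        parts.append((name, me_start + off, length))
    return parts


def removable_partitions(parts):
    """Names a me_cleaner-style pass would blank: everything but the essentials."""
    return [name for name, _, _ in parts if name not in ESSENTIAL]


def hap_set(img, fpsba):
    pchstrp0, = struct.unpack_from("<I", img, fpsba)
    return bool(pchstrp0 & HAP_BIT)


def set_hap(img, fpsba):
    """Return a copy of the image with the HAP strap set; the input is untouched."""
    out = bytearray(img)
    pchstrp0, = struct.unpack_from("<I", out, fpsba)
    struct.pack_into("<I", out, fpsba, pchstrp0 | HAP_BIT)
    return bytes(out)


def audit(img):
    regions, fpsba = parse_descriptor(img)
    parts = parse_fpt(img, regions["ME"][0])
    return {"regions": regions, "partitions": parts,
            "hap": hap_set(img, fpsba), "fpsba": fpsba}


def build_sample_image():
    """Constructed 32 KiB image: descriptor 0x0-0xFFF, ME 0x1000-0x3FFF, BIOS 0x4000-0x7FFF."""
    img = bytearray(b"\xff" * 0x8000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<II", img, 0x14,
                     (4 << 24) | (0x04 << 16) | 0x03,   # FLMAP0: NR=4, FRBA=0x40, FCBA=0x30
                     (0x10 << 16) | 0x06)               # FLMAP1: FPSBA=0x100, FMBA=0x60
    flregs = [0x00000000,          # descriptor 0x0000-0x0FFF
              (7 << 16) | 4,       # BIOS       0x4000-0x7FFF
              (3 << 16) | 1,       # ME         0x1000-0x3FFF
              0x00007FFF, 0x00007FFF]   # GbE, PDR unused
    for i, r in enumerate(flregs):
        struct.pack_into("<I", img, 0x40 + 4 * i, r)
    struct.pack_into("<I", img, 0x100, 0)   # PCHSTRP0 with HAP clear
    me, fpt = 0x1000, 0x1010
    img[fpt:fpt + 4] = b"$FPT"
    struct.pack_into("<I", img, fpt + 4, 3)  # three partition entries
    img[fpt + 0xA] = 0x20                    # header length
    sample = [(b"FTPR", 0x400, 0x1000), (b"NFTP", 0x1400, 0x800), (b"MFS\0", 0x1C00, 0x400)]
    for i, (name, off, length) in enumerate(sample):
        e = fpt + 0x20 + 0x20 * i
        img[e:e + 4] = name
        struct.pack_into("<II", img, e + 8, off, length)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    a = audit(image)
    for name, (s, e) in a["regions"].items():
        print(f"{name:10s} 0x{s:06x}-0x{e:06x}")
    for name, off, ln in a["partitions"]:
        tag = "keep" if name in ESSENTIAL else "removable"
        print(f"  {name:5s} @0x{off:06x} len 0x{ln:05x}  {tag}")
    print("HAP strap:", "set" if a["hap"] else "clear")
    print("HAP after set_hap:", audit(set_hap(image, a["fpsba"]))["hap"])
```

The ME region boundaries come from the descriptor rather than from a fixed offset because OEMs lay out the flash differently; the same goes for FRBA and FPSBA, which is why a tool that hard-codes 0x40 or 0x100 will corrupt some boards. Setting the HAP strap changes only four bytes in the descriptor, which is exactly why it is the least invasive of the two approaches and why it still leaves the FTPR code in place.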
beerisgood commented 2019-06-11 17:57:18 +00:00 (Migrated from github.com)

@tya99 Librem use Intel too. Even if they can fully circumvent ME, you still have the many Intel security problems.
And old CPUs: same problem with security holes aka side-channel attacks

So I still recommend AMD

ghost commented 2019-06-11 18:07:17 +00:00 (Migrated from github.com)

> @tya99 Librem use Intel too. Even if they can fully circumvent ME, you still have the many Intel security problems.

Yeah I know they use Intel. Part of the reason they're 7th gen and not 8th gen is because the related progress on disabling ME on 8th gen hadn't progressed as far as it needed to put that on the market.

> And old CPUs: same problem with security holes aka side-channel attacks
>
> So I still recommend AMD

Some of the vulnerabilities haven't affected AMD, this is true. However PSP is also not open so there could be something lurking there.

I guess in coming years we will find out, particularly as Ryzen is becoming popular in the desktop market. Unfortunately Intel is still **very** common in the mobile and server markets.

PS: I have both Intel and AMD computers.

atomGit commented 2020-07-04 21:25:35 +00:00 (Migrated from github.com)

[System76](https://system76.com/laptops) is offering several laptops with coreboot and their Pop!_OS - I'm waiting to hear from them about coreboot status regarding their Thelio towers

Reference: privacyguides/privacytools.io#844