Scrolling up they recommend avoiding Purism hardware because<p>> In particular, the Intel Management Engine is a severe threat to privacy and security, not to mention freedom, since it is a remote backdoor that provides Intel remote access to a computer where it is present.<p>However, the Intel ME has been disabled in Purism hardware since 2017.<p><a href="https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/" rel="nofollow">https://puri.sm/posts/purism-librem-laptops-completely-disab...</a>
Since Intel/AMD also design the processor, they can also put in backdoors beyond ME, microcode updates, etc. If you don’t trust proprietary blobs, I respect that. But you can’t trust proprietary silicon either.
Libreboot is making a strong case for using open firmware in systems, yet it supports only a limited set of mostly outdated system boards. Isn't that a sign that it failed? After <i>so</i> many years?<p>Don't get me wrong, I definitely support the idea of open firmware and I would gladly adopt libreboot and replace any BIOS firmware on all of my systems. But, not a single system (Intel ME in all of them) is supported. I could donate some of my systems, and money, but how would that help? 20 years of efforts (including the efforts of coreboot) don't seem to have generated any adoption rate. Or is there some info I didn't get?
After all this time, I'm still trying to work out what is in it for Intel and AMD to force these technologies into their chips with no supported option to disable them and then to be so secretive about what they're doing and exactly who has access to what. I'm not generally one for crazy conspiracy theories, but I have to wonder what is going on behind closed doors that this is still being done by both of the two big PC CPU manufacturers despite all the negative press over the years and why national information security agencies haven't made more of a fuss about it.
Reading this always makes me sad. It's like computing got utterly corrupted post-2008 and there's yet to be a fix.<p>The tragedy of all this is that a 2008 laptop should be more than enough for today's needs if web development wasn't greedy and was resource aware.
This is really sad. I am sure hundreds of hours were spent on this project, which now essentially does nothing.<p>Does this mean all free software advocates are stuck on archaic pre-2010 hardware?
It would be nice if all these Intel engineers that comment on all kinds of social and technological issues also commented on these topics regarding their company. Last time that I asked one of them if there is any plan to let us disable ME or make it FOSS, I got no reply.
<i>> One module is the operating system kernel, which is based on a proprietary real-time operating system (RTOS) kernel called “ThreadX”. The developer, Express Logic, sells licenses and source code for ThreadX. Customers such as Intel are forbidden from disclosing or sublicensing the ThreadX source code.</i><p>Now that Microsoft has acquired Express Project [0], I wonder if those terms will change, especially since they're trying to compete in IoT against Amazon (who acquired FreeRTOS). Of course, this is a relatively small issue compared to the rest highlighted in the post though.<p>[0] <a href="https://blogs.microsoft.com/blog/2019/04/18/microsoft-acquires-express-logic-accelerating-iot-development-for-billions-of-devices-at-scale/" rel="nofollow">https://blogs.microsoft.com/blog/2019/04/18/microsoft-acquir...</a>
Asking someone who took their last (undergraduate) architecture course more than a decade ago: Is it possible to design a motherboard that will shield the user against Intel ME / AMD PSP-induced shadiness? Would it be possible to do this without performance impact?
> What can I use, then?<p>> Libreboot has support for fam15h AMD hardware (~2012 gen) and some older Intel platforms like Napa, Montevina, Eagle Lake, Lakeport (2004-2006). We also have support for some ARM chipsets (rk3288). On the Intel side, we’re also interested in some of the chipsets that use Atom CPUs (rebranded from older chipsets, mostly using ich7-based southbridges).<p>This is why I still run Intel hardware, even with the ME. A truly free computing platform seems to be incompatible with high performance modern chips at the moment.
Hypothetical: The keys are available one way or another, now anyone can sign firmware.<p>... Is this even worse?<p>Sure, we can get our SPI programmers out and be sure what's on there, but what about 99% of all other users who are now exposed not only to Intel's potential abuse of ME, but to all vendors and anyone who intercepts devices? I obviously don't like IME/PSP, but perhaps the only safe option is to push for removal, not opening.
> Traffic is encrypted using SSL/TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities.<p>I'm not sure this is a valid criticism...wouldn't we be more worried if they were using anything else instead?
I'll preface this question with the disclaimer that I'm a true believer in the mission of Coreboot/Libreboot. Playing devil's advocate, if Intel were to release the signing key for the ME, or Intel Boot Guard, wouldn't this increase the likelihood of a malicious vendor preinstalling a rootkit in hardware that uses Intel CPUs?<p>To answer in advance regarding the likelihood of this happening: there have already been enough instances of various hardware vendors using very nefarious means to extend the capabilities of their devices and peripheral device drivers. Also, what reason do we have to assume that Google's own interest in this area is any more trustworthy? I suppose it's a moot point for many whether or not Google can get rootkit-level access to people's devices when so many people are using Android.<p>Of course, I consider the presence of the ME to inherently constitute a rootkit for alphabet-soup US government agencies and the Mossad already.
What about SBCs? AFAIK, they wouldn't be subject to any of this, and since Intel and AMD are doomed, wouldn't something like a Pinebook Pro or RPi make for a secure, yet affordable, solution?
Stupid question I'm mildly wondering:<p>> Another module is the Dynamic Application Loader (DAL), which consists of a Java virtual machine<p>What does that mean in regards to using Intel hardware and Oracle's Java license mentioning nuclear weapons?<p>I thought it mentioned nuclear facilities, but it looks like it changed at some stage.