
Why is the latest Intel hardware unsupported in libreboot? (2017) - kostko
https://libreboot.org/faq.html#intel
======
callekabo
Scrolling up they recommend avoiding Purism hardware because

> In particular, the Intel Management Engine is a severe threat to privacy and
> security, not to mention freedom, since it is a remote backdoor that
> provides Intel remote access to a computer where it is present.

However, the Intel ME has been disabled in Purism hardware since 2017.

[https://puri.sm/posts/purism-librem-laptops-completely-disab...](https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/)

~~~
Deukhoofd
Pretty sure that write-up was done around 2009

~~~
29083011397778
Just to clarify and save anyone else from the ambiguity - it looks like TFA
should be tagged [2009], while the parent's link from Purism is more recent (2017).

------
osy
Since Intel/AMD also designs the processor they can also put in backdoors
beyond ME, microcode updates, etc. If you don’t trust proprietary blobs, I
respect that. But you can’t trust proprietary silicon either.

~~~
fsflover
[https://en.wikipedia.org/wiki/Defence_in_depth](https://en.wikipedia.org/wiki/Defence_in_depth)

~~~
burnte
Defense in depth fails when the attacker has unrestricted access to the core
of your defense infrastructure.

------
Animats
By now, it's probably reasonable to assume that NSA, GCHQ, the FSB, the Third
Department, and Mossad can all use that backdoor.

~~~
thebruce87m
I wonder if they have to take turns on my PC. Maybe they kick each other off
for a laugh.

~~~
lexicality
mom says it's my turn on the RAT

------
dschuetz
Libreboot is making a strong case for using open firmware in systems, yet it
supports only a limited set of mostly outdated system boards. Isn't that a
sign that it failed? After _so_ many years?

Don't get me wrong, I definitely support the idea of open firmware and I would
gladly adopt libreboot and replace any BIOS firmware on all of my systems.
But, not a single system (Intel ME in all of them) is supported. I could
donate some of my systems, and money, but how would that help? 20 years of
efforts (including the efforts of coreboot) don't seem to have generated any
adoption rate. Or is there some info I didn't get?

~~~
stonogo
In order for libreboot or coreboot to support a system, that system must be
almost entirely reverse engineered. As Intel shoved more and more
functionality into ME, they also ramped up how aggressively they protected
those parts of the system. There is significant crypto involved at this point,
and Intel considers almost every component a trade secret to be fiercely
protected. It's almost impossible to get access to this information, even
under NDA, even as a hardware manufacturer (i.e. system OEMs).

It's not for lack of trying; the lack of adoption is because Intel is actively
hostile to efforts like these and they hold all the cards.

------
Silhouette
After all this time, I'm still trying to work out what is in it for Intel and
AMD to force these technologies into their chips with no supported option to
disable them and then to be so secretive about what they're doing and exactly
who has access to what. I'm not generally one for crazy conspiracy theories,
but I have to wonder what is going on behind closed doors that this is still
being done by both of the two big PC CPU manufacturers despite all the
negative press over the years and why national information security agencies
haven't made more of a fuss about it.

~~~
state_throw_2
It’s not a “crazy conspiracy theory” to suggest that intelligence agencies
pressure private industry to help them out. Just look at PRISM or Crypto AG.
If Intel or AMD tried to refuse they’d be blacklisted for government contracts
like Quest, or worse: think about the CIA spying on Congress scandal.

Maybe once the Chinese or some other adversary get caught using this backdoor
to steal secrets, or decide to brick a few million systems remotely, just
maybe then security will be considered over spyability.

------
reanimus
AMD's in a similar boat, if you scroll a bit further down too :(

~~~
winter_blue
Yea, that was disappointing indeed. After reading the first several
paragraphs, I was hoping that the answer would be get an AMD processor instead
of Intel, but nope.

I hope that in the future some manufacturer(s) start making fully open source
verifiably secure RISC-V (or ARM) processors, and that we have a migration
over to that.

~~~
numpad0
Feel free to call it a conspiracy theory, but I firmly believe the IME/PSP is
an operation by one of those three letters.

Intel Management Engine is abbreviated as IME, and AMD Platform Security
Processor is abbreviated as PSP. Those are each the same abbreviation as Input
Method Editor, a mandatory keyboard input layer for East Asian languages, and
PlayStation Portable, Sony’s game console whose cryptographic security was
famously hacked, by the way.

That can’t be coincidence. Those are names intentionally chosen to make
technical information hard to search for.

So a “clean” CPU can only be built outside of the sphere of influence of
whichever agency manages IME/PSP, and of course has to be free from its Red
counterparts as well. I don’t think that will happen naturally.

~~~
majewsky
Show me any three-letter acronym that doesn't have multiple meanings already
attached to it.

~~~
numpad0
[https://en.wikipedia.org/wiki/Wikipedia:List_of_TLA_disambig...](https://en.wikipedia.org/wiki/Wikipedia:List_of_TLA_disambiguation_pages)
BEZ, CJK, DXF, IEQ, IXH, JGZ, QFP, QTH, SJX, SXA, XPX, XVF and some more.

------
pmlnr
Reading this always makes me sad. It's like computing got utterly corrupted
post-2008 and there's yet to be a fix.

The tragedy of all this is that a 2008 laptop should be more than enough for
today's needs if web development wasn't greedy and was resource aware.

~~~
davidovitch
There are modern alternative systems with an open firmware stack, for example
the Talos II running Power9. Granted, it is not available as a cheap, slick
and slim power efficient laptop, but it is real, only twice as expensive and
very capable.
[https://en.m.wikipedia.org/wiki/POWER9](https://en.m.wikipedia.org/wiki/POWER9)

See performance benchmarks in comparison with AMD/Intel at:
[https://www.phoronix.com/scan.php?page=article&item=power9-t...](https://www.phoronix.com/scan.php?page=article&item=power9-threadripper-core9&num=1)
[https://www.phoronix.com/scan.php?page=article&item=power9-t...](https://www.phoronix.com/scan.php?page=article&item=power9-talos-2&num=1)

~~~
smcl
There's also the Blackbird which is even more affordable -
[https://raptorcs.com/content/BK1B01/intro.html](https://raptorcs.com/content/BK1B01/intro.html).
It's still sadly more than I could justify spending - for my non-portable
needs I use a ~5 year old Intel NUC which was cheap as chips and still going
strong. But if that ever changes a Talos POWER-based system is at top of my
list.

The Talos guys pop up in the comments on HN now and then and they're very
pleasant.

~~~
znpy
>
> [https://raptorcs.com/content/BK1B01/intro.html](https://raptorcs.com/content/BK1B01/intro.html)

That motherboard + cpu bundle costs $1732 (plus shipping, I guess).

I mean... Okay, it's super cool, but... I doubt that most people can afford
that.

~~~
smcl
What I was saying was it’s more affordable than the Talos II mentioned earlier
in this thread. I agree that it’s not exactly cheap, but I don’t think it’s
for everyone.

------
rdslw
Can we please change the title: s/latest Intel/post-2008 Intel/

otherwise it's clickbaity.

------
zwaps
This is really sad. I am sure hundreds of hours were spent on this project
which now essentially does nothing.

Does this mean all free software advocates are stuck on archaic pre-2010
hardware?

~~~
vbezhenar
Pre-2010 hardware is not archaic. I would argue that there was very little
progress since 2010.

~~~
zwaps
Really? Which laptops from 2010 have 13-15 hours of battery life?

Which consumer/workstation computer from 2010 feature 32-64 cores?

How much RAM could you put into such machines? etc.

~~~
detaro
I wouldn't necessarily agree with "very little progress", but:

Thinkpad X220 is from 2011, but was far from alone in reaching such battery
life (it's just the one I have first-hand experience with). Workstation
laptops from the time (e.g. Thinkpad W510) can take 32 GB, just as most
laptops today, and thus remained viable machines for a long time. Many-core
systems are more possible today, but also far from the standard. 4-8 cores is
still the default.

~~~
zwaps
We'd also want to compare apples with apples. The X200 (libreboot certified)
has a maximum battery life (idle test) of 8.15 hours, while the past
generation X1 has a battery life of over 24h in the same test. When it comes
to normal (wifi) usage, the current X1 has about 10h, while the X200 has a bit
more than 3.5h of battery life. Keep in mind that the X1 is faster, less
bulky, weighs less and probably has a much, much better screen.

Today, you get the power of a W510 in a much smaller package (compare a
current Gigabyte Aero 15 to a W510, say). Even a P1 (X1 chassis) outperforms
the W510 by every metric, and is downright tiny in comparison. Now, a current
P53 features 16GB of RAM... on its GPU! It can take 128GB of faster RAM total.

But considering Intel itself - yes, more progress could have been had (and
it'll come via AMD). Nevertheless, the P53 processor is more than three times
faster in benchmarks compared to the W510. It's bound to be more extreme in
desktops.

Most importantly, however, is the fact that the libreboot certified laptops
are largely sold out (except the X200's) according to the certification
website. In any case, they eventually will be.

So I feel that my point still stands. With all due respect to the FS people,
the critique of all alternatives (Purism, System76) may be valid. But their
approach amounts to simply not using a performant and portable machine, or
eventually no laptop at all.

------
ganzuul
I wonder if Right to Repair legislation would help us with this.

~~~
majewsky
This has nothing to do with repair because the product is not broken by any
meaningful definition of the word "broken". It's just ill-designed from a
certain POV.

~~~
ganzuul
In the context of the proposed laws, does it have to be already broken for it
to be considered repairable?

Personally I'd rather not see the law as a bludgeon aimed at Intel's head but
rather as a protocol or platform for communication about this issue. For
example, if they released their overclockable CPUs with an individual
encryption key for the ME, putting the end-users' interests first, I might be
interested in being their customer once again. Right now I have a 2500k
Sandy Bridge and no reason at all to upgrade, and certainly not with an Intel
device.

------
dependenttypes
It would be nice if all these Intel engineers that comment on all kinds of
social and technological issues also commented on these topics regarding their
company. Last time that I asked one of them if there is any plan to let us
disable ME or make it foss I got no reply.

------
na85
Did I misunderstand or didn't someone find a way to neuter and/or disable
Intel ME by setting the NSA High Assurance bit?

~~~
ornornor
I think it only works for older versions of IME.
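
Added example, not code from the libreboot FAQ or from anyone in this thread:
the "NSA High Assurance" (HAP) bit referred to above is a PCH soft strap stored
in the SPI flash descriptor, not in the ME firmware itself. The sketch below
parses a descriptor the way me_cleaner documents it (descriptor signature at
offset 0x10, FLMAP1 at 0x18 with the PCH strap base in bits 23:16, HAP as bit
16 of PCHSTRP0 on ME 11+ platforms), reports whether the bit is set, and sets
it on a copy of the image. The sample image is constructed inline; the
offsets, the me_cleaner-derived layout and the ME 11+ applicability are
assumptions to verify against your own dump and platform before flashing.

```python
"""Read and set the HAP strap in an Intel SPI flash descriptor.

Added example; layout constants follow the publicly documented me_cleaner
approach and are assumptions to check against a real dump.
"""
import struct

DESC_SIGNATURE = 0x0FF0A55A   # bytes 5A A5 F0 0F, little-endian, at offset 0x10
SIG_OFFSET = 0x10
FLMAP0_OFFSET = 0x14          # region/component map (not needed for HAP)
FLMAP1_OFFSET = 0x18          # bits 23:16 = PCH strap base, in 16-byte units
HAP_BIT = 1 << 16             # bit 16 of PCHSTRP0 (ME 11+), per me_cleaner


def pch_strap_base(image: bytes) -> int:
    """Return the byte offset of PCHSTRP0, or raise if no descriptor is present."""
    if len(image) < 0x20:
        raise ValueError("image too small for a flash descriptor")
    sig = struct.unpack_from("<I", image, SIG_OFFSET)[0]
    if sig != DESC_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at 0x10")
    flmap1 = struct.unpack_from("<I", image, FLMAP1_OFFSET)[0]
    fpsba = ((flmap1 >> 16) & 0xFF) * 0x10
    if fpsba + 4 > len(image):
        raise ValueError("PCH strap base points outside the image")
    return fpsba


def hap_bit_set(image: bytes) -> bool:
    """True if PCHSTRP0 already has the HAP strap set."""
    base = pch_strap_base(image)
    pchstrp0 = struct.unpack_from("<I", image, base)[0]
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with HAP set; nothing else is modified."""
    base = pch_strap_base(image)
    out = bytearray(image)
    pchstrp0 = struct.unpack_from("<I", out, base)[0]
    struct.pack_into("<I", out, base, pchstrp0 | HAP_BIT)
    return bytes(out)


def build_sample_descriptor() -> bytes:
    """Constructed 4 KiB descriptor region for demonstration only (not a real dump)."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, SIG_OFFSET, DESC_SIGNATURE)
    # FLMAP0: FRBA (bits 23:16) = 0x04 -> region table at 0x40; FCBA = 0x03
    struct.pack_into("<I", img, FLMAP0_OFFSET, (0x04 << 16) | 0x03)
    # FLMAP1: FPSBA (bits 23:16) = 0x10 -> PCH straps at 0x100; ISL = 0x12
    struct.pack_into("<I", img, FLMAP1_OFFSET, (0x12 << 24) | (0x10 << 16) | 0x06)
    # PCHSTRP0 with HAP clear; a real strap word carries many other bits too
    struct.pack_into("<I", img, 0x100, 0)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_descriptor()
    print("PCH strap base: 0x%x" % pch_strap_base(sample))
    print("HAP before:", hap_bit_set(sample))
    patched = set_hap_bit(sample)
    print("HAP after:", hap_bit_set(patched))
```

On a real dump you would read the whole SPI image, run set_hap_bit on it, diff
the two files (only the four bytes of PCHSTRP0 should change) and only then
write it back with an external programmer. The strap asks the ME to halt early
in boot but leaves its firmware in flash, and per me_cleaner's documentation
older ME generations use a different strap (AltMeDisable), which this sketch
does not handle.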

------
karlding
_> One module is the operating system kernel, which is based on a proprietary
real-time operating system (RTOS) kernel called “ThreadX”. The developer,
Express Logic, sells licenses and source code for ThreadX. Customers such as
Intel are forbidden from disclosing or sublicensing the ThreadX source code._

Now that Microsoft has acquired Express Project [0], I wonder if those terms
will change, especially since they're trying to compete in IoT against Amazon
(who acquired FreeRTOS). Of course, this is a relatively small issue compared
to the rest highlighted in the post though.

[0] [https://blogs.microsoft.com/blog/2019/04/18/microsoft-acquir...](https://blogs.microsoft.com/blog/2019/04/18/microsoft-acquires-express-logic-accelerating-iot-development-for-billions-of-devices-at-scale/)

------
puzzledobserver
Asking someone who took their last (undergraduate) architecture course more
than a decade ago: Is it possible to design a motherboard that will shield the
user against Intel ME / AMD PSP-induced shadiness? Would it be possible to do
this without performance impact?

~~~
fsflover
Probably something like this should help:
[https://blog.invisiblethings.org/papers/2015/state_harmful.p...](https://blog.invisiblethings.org/papers/2015/state_harmful.pdf)

------
xyz-x
Are these side-channel based management technologies turned on even on MacBook
laptops?

~~~
mmphosis
That is a great question. I would assume that they are because the Intel
management technology is currently built in to ALL Intel chips for the past 10
years. It may be a good thing that Apple is looking at building their own ARM
based Macs.

------
aftbit
> What can I use, then?

> Libreboot has support for fam15h AMD hardware (~2012 gen) and some older
> Intel platforms like Napa, Montevina, Eagle Lake, Lakeport (2004-2006). We
> also have support for some ARM chipsets (rk3288). On the Intel side, we’re
> also interested in some of the chipsets that use Atom CPUs (rebranded from
> older chipsets, mostly using ich7-based southbridges).

This is why I still run Intel hardware, even with the ME. A truly free
computing platform seems to be incompatible with high performance modern chips
at the moment.

------
tomxor
Hypothetical: The keys are available one way or another, now anyone can sign
firmware.

... Is this even worse?

Sure we can get our SPI programmers out and be sure what's on there, but what
about the 99% of all other users who are now exposed not only to Intel's
potential abuse of ME, but to all vendors and anyone who intercepts devices. I
obviously don't like IME/PSP but perhaps the only safe option is to push for
removal not opening.

~~~
vbezhenar
The best option is UI for users to add their own keys.

------
novok
So what are system76 & purism computers missing with their coreboot systems
compared to the list of problems in this page?

~~~
papermachete
Libreboot is blob-free.

------
unixhero
This is why I have an Apple Powermac G5 or two stored in my basement. These
run entirely free of that backdoor.

~~~
rrdharan
How does it help that they're in your basement? Are you using them for
anything? If not, when will you know to switch to them?

What's the threat model and what would be your signal to go start using them
and abandoning your presumably more modern system, and how would you keep the
software on them secure? Will you use Gentoo, given that Debian has dropped
PPC?

~~~
mmphosis
[https://voidlinux-ppc.org/](https://voidlinux-ppc.org/)

~~~
unixhero
[https://t2sde.org/](https://t2sde.org/)

~~~
potiuper
missing a linux-libre package

------
rckoepke
> Traffic is encrypted using SSL/TLS libraries, but recall that all of the
> major SSL/TLS implementations have had highly publicized vulnerabilities.

I'm not sure this is a valid criticism...wouldn't we be more worried if they
were using anything else instead?

~~~
moonchild
No SSL => MITMer can definitely read your traffic trivially.

Broken SSL => MITMer can possibly negotiate insecure and read your traffic
anyway. MITMer can also possibly cause a denial-of-service, or _get arbitrary
code execution on that one chip that controls your entire CPU_.

If I had to choose, I would take the first option.

(This precludes options like removing the IME entirely, or updating it to a
version with non-broken SSL.)

~~~
rckoepke
I'm coming from a place of good faith here so bear with me. My understanding
is that any vulnerability here would also exist in accessing any HTTPS
website. I'm assuming you wouldn't choose to browse the web without SSL/TLS,
so I'm assuming the difference here is that it's the CPU management chip
instead of your browser?

I suppose that if you broke SSL/TLS you could commandeer arbitrary
AWS/GCP/Azure instances.

For that matter, do you trust SSL/TLS significantly less than SSH?

I guess I'm still having trouble wrapping my head around the idea of not using
SSL/TLS.

~~~
wizzwizz4
My browser is sandboxed. The worst it can do is ransomware my files – and the
Tor Browser can't even do that thanks to the AppArmor rules. (If I set my
machine up properly, it wouldn't even be able to ransomware my files.)

The CPU management chip can ransomware my files _while the computer is "off"_,
corrupt my backups as I load them, steal my passwords, steal my bank details,
_dynamically modify the traffic to make it look like my bank balance hasn't
gone down_…

------
ajxs
I'll preface this question with the disclaimer that I'm a true believer in the
mission of Coreboot/Libreboot. Playing devil's advocate, if Intel were to
release the signing key for the ME, or Intel Boot Guard, wouldn't this
increase the likelihood of a malicious vendor preinstalling a rootkit in
hardware that uses Intel CPUs?

To answer in advance regarding the likelihood of this happening. There's
already been enough instances of various hardware vendors using very nefarious
means to extend the capabilities of their devices and peripheral device
drivers. Also, what reason do we have to assume that Google's own interest in
this area is any more trustworthy? I suppose it's a moot point for many
whether or not google can get rootkit level access to people's devices when so
many people are using Android.

Of course, I consider the presence of the ME to inherently constitute a
rootkit for alphabet-soup US government agencies and the Mossad already.

~~~
jchw
Any big corporation with security competence is going to seriously care about
the security of their corporate and production fleet; the stakes for securing
systems only ever increase over time, and threats are only getting more
sophisticated. So you don’t necessarily need to believe in the altruism of a
corporation to see why their interest in secure computing at lower levels of
the stack may actually line up with users’ interests more or less.

But honestly, the best argument here is don’t trust anyone; in theory anyone
can inspect the source code and binaries for Corebooted devices. It’s not
perfect and there are obviously cases where you can never be 100% sure there
are no tricks, but IMO it’s still a lot better than the alternative of having
roughly the same drawbacks but no visibility.

I’m not sure where this fits in in the grand scheme of things though, because
in all honesty trust in computing seems like it’s an unending rabbit hole ripe
for abuse. Intel ME may even have been born with genuinely good intentions,
but I do think its secretive, blackbox nature is the absolute worst part of
it all.

(Obligatory disclaimer, I work for Google, all of these opinions are just my
personal opinions.)

~~~
ganzuul
Is Google at risk because of this? I have consolidated all my private stuff to
only Google instead of spreading it all over FB, MS, Apple, and other vendors.

~~~
jchw
At risk because of Intel ME/integrity based attacks? I simply don’t know. I
assume the risk is managed some way or another, probably a lot with network
security. I personally was more bothered by CPU vulnerabilities, and there’s
also the looming threat of DRAM vulnerabilities, but for now it seems like
almost anything can be effectively mitigated at some cost.

------
imissmymind
What about SBCs? afaik, they wouldn't be subject to any of this and since
Intel and AMD are doomed, wouldn't something like a Pinebook Pro or RPi make
for a secure, yet affordable, solution?

~~~
notwedtm
Perhaps I need more coffee, but I can't tell if there is sarcasm in this or
not.

~~~
imissmymind
Wasn't being sarcastic. Assuming your workload can support the hardware, why
isn't this a viable alternative? I could do ~99% of my job with one. People
below are asking about affordable ways around this and it made me think of
this.

------
tutfbhuf
What is the most modern laptop that I can use with libreboot, as of today?

~~~
fsflover
[https://ryf.fsf.org/categories/laptops](https://ryf.fsf.org/categories/laptops)

~~~
tutfbhuf
12 year old Thinkpad with Intel Core 2 Duo

------
crashbunny
stupid question I'm mildly wondering

> Another module is the Dynamic Application Loader (DAL), which consists of a
> Java virtual machine

What does that mean in regards to using Intel hardware and Oracle's Java
license mentioning nuclear weapons?

I thought it mentioned nuclear facilities but it looks like it changed at some
stage.

------
tinus_hn
Realistically if some party made use of these backdoors regularly someone
would probably have noticed the traffic already.

~~~
speedgoose
You have smartphones uploading location data and browser history every day for
years and it almost goes unnoticed.

~~~
tinus_hn
That’s not a secret, it’s pretty well known. It only takes one person to
notice.

