
Freedom and security issues on x86 platforms - stargrave
http://mail.fsfeurope.org/pipermail/discussion/2016-April/010912.html
======
nickpsecurity
Unbelievable. Yet again, we have a post on finding an x86 alternative that's most
FOSS friendly. Yet again, the author is unaware of or ignores the _only
architecture_ that's open, has GPL cores, and an ecosystem. That's SPARC.
Oracle's T1 and T2 cores are open-source to study. More appropriately, Cobham
Gaisler's Leon3 HW is dual-licensed under GPL and commercial. The Leon4 is
4-cores. SPARC ISA is open. Open Firmware exists.

So, why is SPARC left off in all these analyses? It's right there ready to
pick up and deploy. More open, easy to acquire, and trustworthy (far as
licensing) than a POWER chip although slower for sure.

~~~
mordocai
I'd imagine people don't bother looking at an Oracle technology and just
assume it is closed or unsupported due to the ways they generally operate.

That doesn't make it right to do this, but that'd be my guess.

I certainly didn't know SPARC was open until your comment.

~~~
jclulow
As far as I know, Oracle has not made any SPARC intellectual property
available since the acquisition of Sun. The T1 and T2 lines were emphatically
Sun-era products.

~~~
valarauca1
So if APIs are copyright-able.

And SPARC T1/T2 are GPL CopyLeft.

Shouldn't Oracle have to open source T3/T4/T5/M7 processors also?

(No I don't have the money required to sue Oracle and keep this suit open for
the 2 decades settlement will take).

~~~
nkurz
No, that's not how open-source licensing usually works.

Assuming Oracle own all the IP rights (having purchased them from Sun), they
aren't bound by the terms of the GPL. The GPL grants certain permissions to
others if they comply with its terms, but the person who offers the license
doesn't lose any rights they already have. They have no obligation to keep
successive generations of derivative products open source.

~~~
moefh
True, that's even spelled out in the GPL itself (that's from GPL 2, but GPL 3
has similar content in section 9):

> 5. You are not required to accept this License, since you have not signed
> it. However, nothing else grants you permission to modify or distribute the
> Program or its derivative works. These actions are prohibited by law if you
> do not accept this License. Therefore, by modifying or distributing the
> Program (or any work based on the Program), you indicate your acceptance of
> this License [...]

The copyright owner obviously doesn't need the license to have permission to
modify the code, so they're not bound by it.

------
speeder
I've been looking into this recently.

Basically, the things mentioned in the text made free software BIOS and
firmware impossible; some of the free software projects that exist now are
mostly "binary blob loaders", having more binary blob than free software code
running.

There is some good analysis on why even Intel can't fix this if they wanted
to, unless they stopped shipping some features entirely: their Intel ME system
relies on a couple of pieces of proprietary third-party code, whose contracts
with Intel explicitly prohibit Intel from ever letting anyone see their source,
or the keys needed to sign them.

Also, Intel ME can't be really trusted, the code is not really
"reverse-engineerable", and it works as a full second OS of sorts, it even has
its own JVM running, if someone somehow decides to inject spy software into it,
you will never know, also I assume that the first destructive virus to latch
into that stuff will take the world truly by surprise depending on when it
triggers (for example if it spreads silently but triggers the destructive
payload on a specific date).

Also, these features can be abused to abuse the market itself, for example by
intentionally making the hardware underperform, and then selling "superior"
hardware whose only difference is some software.

~~~
ashitlerferad
People have certainly done ME reverse engineering:

[http://me.bios.io/](http://me.bios.io/)

~~~
jjaredsimpson
> there is a little man inside your pc... and his thing is bigger than yours.
> Your wife knows this.

I'm supposed to believe this technology is dangerous. But the advocates are
children.

~~~
kbenson
I think you're supposed to be able to distinguish the message from the medium.
Certain styles can definitely make that harder, but ultimately if you can't
examine an issue by the facts presented, the failure falls on you, as do the
consequences.

To be clear, I also think the referenced bit is childish and detracts from the
message. I just don't think that should affect your belief in whether it's
important.

~~~
oldmanjay
If a piece is written with a confusingly inappropriate tone for the subject
matter, you can't solely blame the reader for being confused since it was the
expressed intent of the author to instill that state.

~~~
kbenson
Well, it's a wiki, so "author" is very loose (and when I checked at the time
of my original comment, the change to add some of that verbiage was the most
recent change, if still quite old). Ultimately, much of the information on the
internet is presented without reference, so tone is the least of our problems.
We need to be able to read what is being presented, and decide whether it's
important enough to use that we should verify it. In this case, the tone
shifts, but the message is along the same lines (the ME is your adversary), if
very crudely done.

I do think you have a point though. It's not entirely up to the reader, there
is a minimum threshold of clearly communicating facts that needs to be met by
the author. But I don't think it's safe to say something that's unclear in
tone means it was the expressed intent of the author to cause confusion. Humor
can add quite a bit to an argument if done right, as humor often has the
ability to cut through some of our preconceptions. Humor done wrong might be
confusing, but that could very well be unintentional.

------
darpa_escapee
ARM architectures also suffer from this. You'll be hard pressed to find a
board that doesn't require a proprietary board support package somewhere in the
stack.

Ironically, it is usually the bootloader that is/requires a blob or it is the
DTB.

I remember being in middle school and reading Stallman's articles on the
dangers of a TPM-oriented push by manufacturers. As cliche as it is, Stallman
was right.

The push for platform security is also a push for platform ownership.
Tinkering/hacking/your ability as a hardware owner is at odds with corporate
security needs and that is a shame.

~~~
em3rgent0rdr
I'm using ASUS C201 which uses ARM. It was a Chromebook, now running libreboot
and parabola linux.

~~~
andrey_utkin
How is it regarding GPU driver (or what Mali is)? Are you running binary mali
driver or FOSS lima?

~~~
em3rgent0rdr
I don't really do GPU-intensive stuff on it. It renders webpages & youtube
fine, which is probably the most graphical intensive stuff. I'm currently
using it mostly for porting MuseScore to arm, mainly using qtcreator for
development.

The external hdmi doesn't really work properly...I remember not being able to
run external monitor in full screen, or at the same time as the lcd screen.

I just installed and ran glxgears. It gets 250 FPS at the default window size.
But I do get a command-line error, libGL error: unable to load driver:
rockchip_dri.so, so I don't think I'm getting GPU.

------
zmanian
Intel ME checks to see if a certain portion of the BIOS flash memory is
writable before it allows the main OS to boot.

What x86 Chromebooks do is they allow that region to be writeable but then
zero that region on every boot. If your ME was backdoored, it was shipped that
way from the factory.

It's so disappointing that Intel undermined the entire trusted computing stack
for some unproven ideas around ME revenue-generating opportunities.

------
zmanian
Joanna has proposed a model where we minimize the trust we put in x86 with a
peripheral. Seems like a plausible path forward to me.

[http://blog.invisiblethings.org/2015/12/23/state_harmful.htm...](http://blog.invisiblethings.org/2015/12/23/state_harmful.html)

~~~
dnc
There was an excellent talk related to this that Joanna Rutkowska gave at the
32c3 conference (she talked quite a bit about Intel's ME too, I was completely
unaware of its existence up to that point):
[https://media.ccc.de/v/32c3-7352-towards_reasonably_trustwor...](https://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops)

------
mmastrac
Given that chip development has been hitting diminishing returns for a few
years it might be time for Open Source to eat the world of processors as well.

It feels like the sort of opportune market that server operating systems,
databases and web servers occupied: less of a visual aesthetic and more of a
better-design-wins market.

It's not going to be easy - I'd guess that it would take at least 10 years for
a project to get any sort of traction outside of a very small niche group.

~~~
maaku
People are working on that, and it might take less time than you think:

[http://riscv.org/](http://riscv.org/)

~~~
mmastrac
Yep. But I stick to my guess that it'll take a decade for real change to
happen. Obviously the goalposts are a bit fuzzy, but I feel like you have to
give the hardware a chance to make it through three generations (assuming
three-year lifespan on devices) before someone launches something that is
within the ballpark of devices shipping at the same time.

------
Luker88
Check libreboot.org

On their FAQ page: [https://libreboot.org/faq](https://libreboot.org/faq) ,
you can see the question "Why is the latest{Intel,AMD} hw unsupported?"

They go into more detail than the provided link. Also, dropped support starts
in 2008 for Intel, 2013 for AMD.

The truth is: we need something like this to protect the whole boot process.
But unless we can put our keys/sw in there, we will never be sure.

~~~
Galanwe
I was at FOSDEM this year (2016) and there was a talk from the leader of
LibreBoot.

Honestly, his talk on the state of the project was very bitter. He literally
said that there is absolutely no hope that LibreBoot will ever be able to cope
with ME, and that the fight is over since 2008.

As much as I would absolutely love to be able to run a free firmware, unless
there is a major change/outsider in the hardware manufacturer world, it seems
very unlikely that it will be possible on current x86 architectures.

~~~
mmebane
I've been using a Raspberry Pi 3 for the past week, and have been pleasantly
surprised by the performance. It's no speed demon, to be sure, but it's good
enough for all my basic tasks. I wish there were a general "open computing"
branch of the Raspberry Pi Foundation that would produce a $50-$100 "pro"
version with more RAM and faster bus+peripherals.

~~~
makomk
The Raspberry Pi still relies on a closed-source blob running on a CPU core
whose instruction set isn't publicly documented to even boot, but I suppose at
least it's possible to reverse-engineer that unlike Intel ME.

~~~
Sanddancer
Broadcom released a considerable amount regarding the Videocore IV a couple
years ago. Nobody's finished writing an RTOS for it quite yet, but the ISA is
now documented.

[https://www.broadcom.com/docs/support/videocore/VideoCoreIV-AG100-R.pdf](https://www.broadcom.com/docs/support/videocore/VideoCoreIV-AG100-R.pdf)

------
jMyles
Hmm. OK, I have two questions - maybe somebody here has answers:

1) "...these proprietary blobs could easily contain code to exfiltrate
encryption keys, remotely activate microphones and cameras..."

This seems basically impossible to actually achieve in reality though, because
there will still be associated network traffic that can be sniffed, and will
have been by now, right? I mean, is it plausible that somehow we all just
failed to notice that our computers are sending video traffic to the NSA
without our noticing it?

I can imagine this happening on phones, where the baseband chip is much harder
to actually sniff. But through my LAN? I doubt that.

2) Let's imagine that this post is entirely true. Why do Intel and AMD do
this? If it's not part of a grand conspiracy, then why? Clearly there are far
easier and cheaper ways to achieve what they view as security that don't
require such a crippling approach. What's the upside to them?

~~~
salem
It's called covert channels. It could be done by flipping some unused/ignored
bits in ip4/tcp headers in a stream of traffic that goes past a collection
point.

~~~
jMyles
But this is still easily visible with wireshark, right? Don't you think we'd
have discovered this by now?

~~~
teraflop
How would Wireshark reveal this kind of attack? If the management chip has
direct hardware access, it can hide data in innocuous-looking packets that the
host machine never sees. You would have to monitor both the packets that the
OS _thinks_ it's sending, and the packets actually received by the switch, and
constantly compare them for mismatches. Given the performance cost, I find it
hard to believe that anyone except the most paranoid organizations would
actually do this.

And of course, if you block the obvious exfiltration methods, all you do is
force the attacker to do something more creative. Like modulating inter-packet
timings, or even sending data to a nearby radio receiver by using the system
bus as an antenna.

~~~
nucleardog
> How would Wireshark reveal this kind of attack? If the management chip has
> direct hardware access, it can hide data in innocuous-looking packets that
> the host machine never sees.

Lots of organizations use various forms of intrusion detection. A network
intrusion detection system (NIDS) would be an off-device system which monitors
network traffic for suspicious or obviously malicious packets.

It's certainly no guarantee, but somewhere along the line someone probably
would have noticed _something_ if these systems were exfiltrating data via the
network using something like IPv4 headers. Specifically, a quick look makes it
look like Snort (an open source NIDS) may actually be distributed with rules
to alert on IPv4 reserved bits being set.
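Added example, not from the thread or from any NIDS product: the two-view comparison teraflop describes (what the OS thinks it sent versus what an external tap or switch mirror port actually saw) and the reserved-bit rule nucleardog mentions, in Python. All packets are constructed in-line as raw IPv4 headers, so nothing is captured from a real interface; the function names, the sample addresses and the choice of (src, dst, proto, IP-ID) as the pairing key are my assumptions.

```python
"""Added example: compare what the host OS believes it sent with what an
external tap saw, and flag the IPv4 reserved flag bit (RFC 791: "must be
zero"). All packets below are constructed in-line, not captured."""
from __future__ import annotations

import struct
from dataclasses import dataclass

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte fixed IPv4 header, network byte order


@dataclass(frozen=True)
class IPv4Header:
    ident: int
    reserved_bit: int
    dont_fragment: int
    ttl: int
    proto: int
    src: str
    dst: str


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when the header's own checksum is right."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(raw: bytes) -> IPv4Header:
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    (_, _tos, _tlen, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    return IPv4Header(
        ident=ident, reserved_bit=(flags_frag >> 15) & 1,  # the bit a Snort rule watches
        dont_fragment=(flags_frag >> 14) & 1, ttl=ttl, proto=proto,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)))


def build_ipv4(src: str, dst: str, ident: int, payload_len: int, *,
               reserved_bit: int = 0, dont_fragment: int = 1, ttl: int = 64, proto: int = 6) -> bytes:
    """Build a 20-byte option-less header with a valid checksum."""
    flags_frag = (reserved_bit << 15) | (dont_fragment << 14)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_ok(raw: bytes) -> bool:
    return ipv4_checksum(raw[:20]) == 0


def reserved_bit_alerts(packets: list[bytes]) -> list[str]:
    """What a rule of the form 'ip ... flags:R' would alert on."""
    return [f"IPv4 reserved bit set: {h.src}->{h.dst} id=0x{h.ident:04x}"
            for h in map(parse_ipv4, packets) if h.reserved_bit]


def _flow_key(raw: bytes) -> tuple:
    h = parse_ipv4(raw)
    return (h.src, h.dst, h.proto, h.ident)


def wire_vs_host_mismatches(host_view: list[bytes], wire_view: list[bytes]) -> list[str]:
    """Pair packets by (src, dst, proto, IP-ID) and report what the wire
    carried that the host never emitted, or emitted with a different header."""
    host = {_flow_key(p): p for p in host_view}
    findings = []
    for raw in wire_view:
        key = _flow_key(raw)
        if key not in host:
            findings.append(f"on wire but never seen by host: {key}")
        elif host[key][:20] != raw[:20]:
            findings.append(f"header altered between host and wire: {key}")
    return findings


# Constructed sample traffic: two packets the OS sent, three the tap saw.
HOST_VIEW = [
    build_ipv4("10.0.0.5", "203.0.113.7", ident=0x1001, payload_len=40),
    build_ipv4("10.0.0.5", "203.0.113.7", ident=0x1002, payload_len=40),
]
WIRE_VIEW = [
    HOST_VIEW[0],
    # the second packet as it left the NIC: reserved bit flipped on the way out
    build_ipv4("10.0.0.5", "203.0.113.7", ident=0x1002, payload_len=40, reserved_bit=1),
    # a packet the host OS never produced at all
    build_ipv4("10.0.0.5", "198.51.100.9", ident=0x7777, payload_len=8, proto=17),
]

if __name__ == "__main__":
    for line in reserved_bit_alerts(WIRE_VIEW) + wire_vs_host_mismatches(HOST_VIEW, WIRE_VIEW):
        print(line)
```

Pairing on IP-ID is a deliberate simplification. On a real tap the comparison also has to tolerate checksum and segmentation offload, which legitimately rewrite headers between the OS and the wire, and that noise is part of why teraflop expects few organisations to run such a comparison continuously.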

~~~
na85
You keep saying that "someone should have noticed something" but as the old
adage goes, _absence of evidence is not evidence of absence_

What you seem to keep missing is that we know from the Snowden leaks that the
capability already exists, and NSA has successfully used implants to do data
exfil in the past.

~~~
Qwertious
_"absence of evidence is not evidence of absence"_

This isn't true. Absence of evidence is _weak_ evidence of absence, and
_suggests_ that it's not the case.

Not disagreeing with anything else in your comment, but that quote completely
defies Bayes 101.

------
the8472
And it's getting worse, SGX[1] allows 3rd party encrypted binary blobs to run
on your CPU without being inspectable.

It's sold as way to protect your secrets from malware. But it more likely will
be used to run DRM code on the user's computer while treating the user as a
hostile entity.

[1] [https://software.intel.com/en-us/sgx](https://software.intel.com/en-us/sgx)

~~~
MichaelGG
SGX has the potential to be amazing though. With it you can build "trusted"
applications. For example, a Bitcoin mixer that's provably secure. (Well as
secure as trusting Intel and users not to be able to break the chip.)

~~~
the8472
As it is right now you're giving up your liberty
(debugging/inspecting/tinkering) in exchange for security.

That's generally a bad trade. Sadly one that many people are willing to make
until it bites them.

It would be a lot better if secure mode had its own supervisor mode that
worked through a master key that could be installed at boot time.

~~~
Kadin
It's really a question of who you trust. There are lots of scenarios where you
might trust the developer of a particular piece of software more than you
trust the entire software stack running on your PC. This is especially true
for a nontechnical / casual / grandma user, who has no hope of ever auditing
_or even having more than a vague idea of what's running_ on their computer
at a given time, and probably is running (or at least needs to be assumed to
be running) six different kinds of malware all the time. To someone like that,
the PC itself is a hostile environment which they don't want to share certain
information (e.g. their banking details, crypto keys, etc.) with. SGX allows
you to ensure that.

If you take on the premise that the PC is not safe and under your control, but is
instead hostile and compromised, basically an outpost of the Internet in your
house, then SGX and similar start to make sense. For many people, their
computer is always going to be hostile; it was never "theirs" to begin with,
so SGX doesn't really cost them anything, and the ability to let a single
application basically force its way down to the hardware and elbow everything
else in the stack out of the way is an improvement over having to trust the
OS, browser, etc.

In a way it represents an abject failure on the part of the dominant OS
developer (Microsoft) to produce a consumer computing platform that the
average user can trust, as well as the failure of most other alternatives
(e.g. DoD-style smartcards) to take off in the consumer market.

~~~
the8472
None of that justifies the absence of an ultimate user override.

There is no need to give up freedoms for that security.

Only when DRM comes into play you can really explain why the user is not in
control here.

------
Animats
The way to blow this wide open is to catch Intel's "management engine" doing
something really bad and publicize it. It could do for Intel what John German
did for Volkswagen AG.[1]

One approach would be to build some honeypots likely to attract attention.
Give them a job that's not too traffic intensive but is suspicious, such as
encrypted IRC. Record all traffic in and out of the box using external
hardware. Get them fake encrypted traffic from suspicious sources (Tor,
strange sites in suspicious countries, etc.) Wait for strange packets to show
up that are not meaningful to the host software but cause something to happen
on the target.

[1]
[http://www.bbc.com/news/business-34519184](http://www.bbc.com/news/business-34519184)

------
holri
There is also an additional possibility: recycle old computers. An Intel 2008
laptop performs OK with a modern GNU/Linux with an efficient desktop (for
example XFCE4). This also helps avoid CO2 emissions and saves rare earths and
energy. And it is a statement against an unsustainable throwaway society.

~~~
krylon
The problem with such old devices is that, while some of them can be
impressively reliable, at an age of ~8 years one has to worry about the device
starting to fail. If you want to keep the device going once something breaks,
getting replacement parts can become interesting. Not impossible per se, but
depending on how popular a particular device was in its day, finding spare
parts can be very time-consuming.

Still, I agree. I have a 2008 netbook at home I still use regularly, and I
hardly throw away a computer that still basically works.

------
616c
The fight is increasingly political, so advocate and donate where you can.

We lose when we give up, I suppose. I know what the Libreboot guy said before
on his blog, alluded to here, but this is why, as crusty as some might find
him, we most generally support Stallman's politics.

~~~
jensen123
I wish the FSF was a bit more nuanced. For example, if DRM causes ordinary
computers to come with proprietary code that is impossible to remove, then
that is bad indeed. Then you no longer control your own computer. The same
computer that you might use for political activities, for example.

On the other hand, if entertainment computers, such as blu-ray players or
gaming consoles are locked-down and full of DRM, then I don't see a big
problem. Sure, the government could potentially ban some movies in the future,
and require the manufacturers to update the firmware on your machine so that
it will no longer play those movies. But movies and games are expensive to
produce, and without DRM most of them probably wouldn't get produced in the
first place. In any case, movies and games aren't really that important,
compared to say books and articles.

The FSF seems to be against DRM EVERYWHERE! They don't seem to realize that
DRM might actually be a good thing for some things. Are there any
organizations out there that I could donate to, that fight/work for open
hardware for general purpose computers, without trying to prevent locked-down
entertainment computers?

~~~
616c
Disclosure: I became a member days ago, and did not want to mention it.
Reading this article made me super proud to have chosen to fork the cash over
before reading this crap as it gets worse all the time.

At the end of the day, I want a hardliner in this space pushing that line
because I know, practically, he cannot win. But if consensus is drawn between
him and the other extremes I find distasteful, I want him to pull the
resolutions and positions as far left as possible, even if that is slightly
left of center.

I worry, as current events show, anything less means that counter-forces to
the free software movement will wear you down with abject greed by slowly
going right of center and taking as much time as it takes to restore the
balance back to their proprietary interests after the initial battle has gone
to free software advocates. And that is how I see it. Very few of my friends
understand the value of highly technical manuals, and that is what open source
is about. My brother recently saw my side with automotive hacking and
experimentation countermeasures on the rise, as reported today on HN. But when
I tell non-technical people these manufacturers hide secrets in their faulty
designs and let you pay for their ineptitude, even if you want to fix it for
yourself on your individual unit without harm or influence on them, they do
not get the argument and ask why I think I know better than the company. They
only get the argument when they are locked out of a system they need for their
very personal context.

Oh well. This is a very personal choice. I love GPL, I love MIT, and I smile
when I think how all these hippies made a world for me in the 60s and 70s I
could not live without today.

~~~
jensen123
I totally agree with you that many corporations seem rather greedy. I wish
those corporations were more nuanced, too. For example, I don't mind if Intel
and AMD make locked down CPU and GPUs for entertainment computers, but it
would have been nice if they also made some open CPUs and GPUs.

I wonder if this greed will be profitable for them in the long run? Obviously,
most people don't care whether their hardware is open or not. However, a tiny
minority of (very) computer literate users do care (a lot). Will it have any
impact if this tiny minority abandons the x86 platform?

------
forty
What about VIA x86 CPUs?
[http://www.viatech.com/en/silicon/processors/](http://www.viatech.com/en/silicon/processors/)
Do they implement some "secure boot"-like features?

~~~
PeCaN
To the best of my knowledge, VIA CPUs have no secure boot, management engine,
or any other proprietary secondary hardware.

Coreboot supports many VIA CPUs and motherboards[1], though it's unclear if it
uses any binary blobs. The FSF seems alright with VIA Technologies and
apparently they're cooperative with open-source BIOS[2].

1. [https://www.coreboot.org/Supported_Motherboards](https://www.coreboot.org/Supported_Motherboards)

2. [https://www.fsf.org/campaigns/supportlinuxbios.html](https://www.fsf.org/campaigns/supportlinuxbios.html)

~~~
puzzlingcaptcha
VIA CPUs do have a crypto engine called Padlock (with all the usual goodies
plus a randomness generator) which is not 'open' so be careful with that.

I recall that some independent company was contracted to audit the entropy
generator in VIA C7 but I can't find it now.

------
mpnordland
It's great that these guys pushing POWER8 at least have a workable situation,
but at least for me, throwing $3,700 at a motherboard (Alone!) just isn't
feasible. I would love to be free of proprietary firmware, but it would seem
that's only for people better off than myself.

~~~
chadzawistowski
You have to start with a single step. Costs could go down over time.

~~~
korethr
While I agree with you, the average buyer of computer components is used to
spending an order of magnitude less on a motherboard. A person can go to their
usual source of computer parts and pick up a motherboard for a couple hundred
USD at the high end. A few thousand USD for motherboard that does not offer an
order of magnitude improvement in raw speed or expandability is going to be a
very hard sell.

~~~
wolfgke
The question is rather: Is there a large overlap between the people who can
afford to spend thousands of dollars for a free (as freedom) POWER8
workstation and the open source idealists who would love to buy such a free
device?

------
riscy
I'd personally like to see the FOSS community try to embrace the POWER
architecture: Ubuntu/Canonical are major members of the OpenPOWER foundation
[1], so at least an entity sympathetic with our philosophy has an influence on
the architecture.

[1] [http://openpowerfoundation.org](http://openpowerfoundation.org)

~~~
nickpsecurity
Red Hat has supported POWER for a long time. Debian does. Even Mint had a PPC
release. The big BSDs do. Amigas are still on PPC haha. I think it's not a
question of FOSS support by OS developers. It's the users and apps that don't
commit to x86 alternatives.

~~~
makomk
One issue with PPC and POWER is that they're generally big-endian and
everything assumes little-endian these days thanks to x86. Even JavaScript is
little-endian now.

~~~
nickpsecurity
That's one of those sad realities of Worse is Better in action. Definitely a
disadvantage. Far as why big-endian was The Right Thing, drfuchs had this to
say:

"Because big-endian matches how most humans have done it for most of history
("five hundred twenty one" is written "521" or "DXXI", not "125" or "IXXD").
Because the left-most bit in a byte is the high-order bit, so the left-most
byte in a word should be the high-order byte. Because ordering two 8-character
ascii strings can be done with a single 8-byte integer compare instruction
(with the obvious generalizations). Because looking for 0x12345678 in a hex
dump (visually or with an automatic tool) isn't a maddening task. Because
manipulating 1-bit-per-pixel image data and frame buffers (shifting left and
right, particularly) doesn't lead to despair. Because that's how any right-
thinking person's brain works."
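Added example (not from the thread): two of the concrete claims in the quote above, that a big-endian 8-byte integer compare orders ASCII strings the same way a bytewise strcmp does, and that a big-endian constant reads left to right in a hex dump, checked with real bytes in Python. Function names and the sample strings are mine.

```python
"""Added example: checks the 'single 8-byte integer compare' and 'hex dump'
claims about big-endian ordering against real bytes. Not from the thread."""
from __future__ import annotations

import random


def order(a, b) -> int:
    """-1, 0 or 1, like a C comparator."""
    return (a > b) - (a < b)


def compare_as_u64(s: bytes, t: bytes, byteorder: str) -> int:
    """Order two 8-byte strings by loading each as one 64-bit integer,
    the single integer compare the quote describes."""
    assert len(s) == 8 and len(t) == 8
    return order(int.from_bytes(s, byteorder), int.from_bytes(t, byteorder))


def matches_lexicographic(byteorder: str, trials: int = 5000, seed: int = 7) -> bool:
    """True if the integer compare agrees with bytewise (strcmp-style)
    ordering on every random pair tried."""
    rng = random.Random(seed)
    alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ "
    for _ in range(trials):
        s = bytes(rng.choice(alphabet) for _ in range(8))
        t = bytes(rng.choice(alphabet) for _ in range(8))
        if compare_as_u64(s, t, byteorder) != order(s, t):
            return False
    return True


def little_endian_counterexample() -> tuple[bytes, bytes]:
    """A pair strcmp orders one way and a little-endian u64 compare the other:
    the little-endian load makes the *last* byte the most significant."""
    return b"BAAAAAAA", b"AAAAAAAB"


def hexdump_word(value: int, byteorder: str) -> str:
    """How a 32-bit constant appears in a bytewise hex dump of memory."""
    return value.to_bytes(4, byteorder).hex()


if __name__ == "__main__":
    print("big-endian compare matches strcmp:", matches_lexicographic("big"))
    print("little-endian compare matches strcmp:", matches_lexicographic("little"))
    print("0x12345678 in a big-endian dump:", hexdump_word(0x12345678, "big"))
    print("0x12345678 in a little-endian dump:", hexdump_word(0x12345678, "little"))
```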

~~~
wolfgke
It is not obvious whether big or little endian is better. For a nice overview
read [https://fgiesen.wordpress.com/2014/10/25/little-endian-vs-big-endian/](https://fgiesen.wordpress.com/2014/10/25/little-endian-vs-big-endian/)

~~~
nickpsecurity
Thanks for the feedback. I'll add it to my collection for this subject and
think on it in the future.

------
hackuser
This sounds similar to basebands on cellular devices: Subsystems controlled by
the vendor, not accessible from the 'user' system, remotely updatable and with
access to everything.

~~~
vox_mollis
Except modern baseband processors usually don't have direct access to main
memory or peripherals - they are usually linked to the rest of the phone via a
serial bus.

ME is very, very different - it transparently has access to everything.

~~~
hackuser
> Except modern baseband processors usually don't have direct access to main
> memory or peripherals - they are usually linked to the rest of the phone via
> a serial bus.

Do you know where I can read more about that? A good, technical, authoritative
resource? In my little bit of research, details are sparse and authoritative
technical details even more sparse.

~~~
5ilv3r
Paranoid android used to have a nice breakdown on which phones had isolated
memory for the baseband and which used shared memory. I cannot find it now,
and their site seems to have taken a very wrong turn in the design department.

~~~
hackuser
fyi: As far as I know, Paranoid Android development stopped last summer, after
OnePlus hired away key developers in February 2015. Here's an article with
much more detail, including its prospects going forward:

[http://www.androidauthority.com/paranoid-android-calling-it-quits-648429/](http://www.androidauthority.com/paranoid-android-calling-it-quits-648429/)

------
ashitlerferad
Earlier posts around the same topic:

[http://blog.invisiblethings.org/2015/10/27/x86_harmful.html](http://blog.invisiblethings.org/2015/10/27/x86_harmful.html)
[http://blog.invisiblethings.org/2015/12/23/state_harmful.htm...](http://blog.invisiblethings.org/2015/12/23/state_harmful.html)

------
0xbadf00d
There's a related YouTube video from Igor Skochinsky's REcon 2014 talk that I
watched this week & found interesting:

[https://www.youtube.com/watch?v=4kCICUPc9_8](https://www.youtube.com/watch?v=4kCICUPc9_8)

May also be interesting to others wanting further information.

------
TazeTSchnitzel
I wonder if Apple might do something about this. They don't care so much for
the FOSS side of things, obviously, but I wonder if they might demand chips
from Intel without the management engine, because it's a potential attack
vector they can't control.

~~~
tinco
I suspect at some point they will simply drop Intel for their own (ARM)
platform. I think moving will be easy once all app store submissions are in
bitcode.

~~~
JustSomeNobody
I strongly believe you are correct. They have been mentioning that their ARM
processors are desktop worthy. I also believe Apple are displeased with
Intel's current inability to consistently get their new chips to market. All
of this has to make one think Apple will take matters into their own hands
soon. Likely within the next 2 years.

~~~
sspiff
Important bit to note here: the two year timeline is probably only feasible
for low end devices, like the MacBook and MBA.

Towards the higher end, ARM can't hope to field anything in that timeline to
compete with even today's i5 or i7s (or corresponding Xeons). Some people do
use this kind of CPU power.

~~~
twoodfin
I don't have a guess at what Apple is actually going to do, but the Retina
rollout is a plausible model. Even 5+ years after the first Retina product,
it's still not available across the lineup.

I don't think the switch would present a significant problem in marketing or
for developers, so it would purely be a question of having the chips that fit
the products. The Macbook, as you point out, is basically already there.

------
conductor
This is the main reason that I'm reluctant to upgrade my 5-year-old AMD Phenom
II processor.

> _MIPS is often overlooked. However, China has revived this architecture for
> general purpose computing with the Loongson core..._

Baikal-T1 [0] is another interesting MIPS processor that I'd like to play with
(or maybe even use).

[0] - [https://www.linux-mips.org/wiki/Baikal](https://www.linux-mips.org/wiki/Baikal)

------
kabdib
Even if the ME was opened, the chips themselves are complex enough that nearly
anything could be hidden. State machines that enable backdoors from
instruction sequences can be pretty small (triggering these from a preferred
vector, such as a web browser, seems hard-ish though).

~~~
yuhong
I dislike how libreboot skips microcode updates.

------
cdkersey
It seems superficial to concentrate on a few kilobytes of binary blobs as a
security issue when millions of logic gates are also hidden from user scrutiny
by design in most computers. That the number of people you have to trust now
includes firmware developers in addition to hardware designers is a small
movement in the scheme of things, though it may be a movement in an
undesirable direction.

------
lasermike026
Dependence on a few companies to design and make processors will not work in
the long term. Open source processor design that can be manufactured by anyone
is the way out of this problem. Even if this never happens the attempt to go
there is enough to make the large companies involved with cpus beg and serve.

------
javajosh
Theoretically one way to correct it is to have an external device that blocks
network activity going in or out.

Yes, I realize you could get around this. The superblob could be a) looking
for patterns in JPGs for input, and b) steganographically encoding output
into...anything the user is doing.

Sigh. Nevermind.

------
Thoreandan
I think that, given a large enough group of people willing to make a mass-
purchase of CPUs, Intel would be likely to listen to requests for a batch with
an open-sourced Management Engine component, or some shim akin to the one RHEL
uses to boot UEFI in Secure-Boot mode (mentioned it on /r/ReverseEngineering
a few months back).

I don't know who to reach out to at Intel on that suggestion though.

[https://www.reddit.com/r/ReverseEngineering/comments/3pwxjn/...](https://www.reddit.com/r/ReverseEngineering/comments/3pwxjn/rreverseengineerings_weekly_questions_thread/cwdpspb)

~~~
nickpsecurity
The possibility I see is their semi-custom business. A cloud provider or
someone else with the money can have them make one that strips out all the
spyware or DRM stuff. Leaves everything else. Optionally, strips out some
other baggage from backward compatibility that FOSS OS's don't even need.
Preferably, though, smallest possible changes to the chip like straight up
removing the wires connecting ME.

------
profeta
They tested the waters with GPUs. After nobody complained at all, they just
moved to CPUs.

------
ctstover
While I would love a contemporary performance computer that can be trusted, no
such device is even remotely possible in the manufacturing and fabrication
ecosystems of today. Consider for just a moment ALL the chips inside the box.
All the microcode, all the ROM, all the places something could be
intentionally hidden. The idea that you could buy some parts on the internet
at retail price that could satisfy the truly paranoid (i.e. defense &
espionage communities) is ridiculous.

On the other hand, it still is probably possible to prevent a computer's
unrestricted access to the internet. For now at least.

------
rcarmo
When I saw RISC-V mentioned as an alternative, I had to check the date twice to
make sure it wasn't an April Fools'. I understand the concerns and all, but
wish the alternatives were a little better picked out.

Most people already mentioned SPARC and ARM as alternatives, so I won't delve
into those arguments other than point out that there will _always_ be
commercial interests at stake here - hardware, unlike software, requires
considerable material resources to create* and distribute (and is still harder
- and therefore rarer - to create for its own sake), so there won't be a wide
variety of viable options out there, and new CPU architectures don't grow on
trees.

Better to lobby for open specs on the "offending" bits of hardware, really.

* - yes, software creation can also require material resources (and a whole lot of time, which can be expensive). Let's not belabor that point...

------
rdtsc
> POWER is the only architecture currently competitive with Intel in terms of
> raw performance, and boots using a fully FOSS firmware with no DRM
> antifeatures embedded.

That's pretty cool. This combined with some benchmarks I saw for server
workload on POWER8 will hopefully revive some interest in the platform.

------
lazyjones
Opterons from 2011-2012 are still available and seem to be the best option to
me for this purpose. They're reasonably performant (16 cores...), affordable
and there are plenty of mainboard options. Software support is excellent of
course. I'm just not sure how valid the "pre-2013 AMD is safe" claim is, since
vendors have been known to include some remote management technology like
Intel's ME in earlier versions before making it a standard feature.

------
sievebrain
Wait until he finds out about microcode!

~~~
em3rgent0rdr
umm...he already knows about microcode obviously. Libreboot does not allow
microcode updates.

------
hackuser
1) _requires FOSS users to purchase a license from Microsoft to boot FOSS on
affected machines that lack an appropriate Secure Boot override._

What "appropriate" Secure Boot overrides are available?

2) _the end user is unable to modify the signed software without a license
from Microsoft, even though they have the source code available to them under
the GPL._

Other parts of the posting imply that we have no idea what the software does,
but the statement above says we have the source code. What am I
misunderstanding?

~~~
tremon
1a) switch it off (iff the vendor lets you)

1b) nuke the platform signing key and replace it with your own (iff the vendor
lets you)

2) You're mixing things up. "We have no idea what the software does" refers to
the hardware management code, which can run a full OS stack. But that quote
refers to the tivoization "feature" of Secure Boot: you can recompile your
software, but not run it on the hardware, because you lack the signing keys to
make the machine trust your code. But, see 1)

------
zvrba
This is a one-sided view. It can, and also is, used to implement theft
protection, thanks to which the police tracked the guy, he got convicted and I
got my expensive laptop back. Yes, the guy reinstalled the OS, but the
tracking SW survived precisely thanks to these technologies.

~~~
brokenmachine
Can you give more details on what OS and tracking SW you were using?

~~~
zvrba
Absolute LoJack, with Windows. It installs itself as a Windows driver
before/during the boot. It sends location once a day, or more often if you
flag the device as stolen/missing. It can also remotely "brick" the device
(yes, it can be undone by the owner) if the data is of concern.

I deliberately did not set BIOS password so that the laptop remained usable to
whomever got their hands on it.

------
daveheq
Despite all my rage I am still just a rat in a cage.

------
odinduty
> Secure Boot [...] requires FOSS users to purchase a license from Microsoft

Nope.

~~~
ashitlerferad
Requires purchase of a certificate from one of the authorities Microsoft
recognises (Verisign/Digicert/...) and then the signature of Microsoft on
compiled bootloader code. Either way, you have to pay and you have to get
Microsoft's permission.

~~~
snuxoll
IFF you want to support the default set of keys installed on computers that
ship with Windows. Secure Boot does not prevent you from installing your own
keys, in fact most linux distributions do this already and just use a shim
loader signed by Microsoft, the rest of the chain is signed by custom keys
(the keys are silently and automatically installed for you).

~~~
vetinari
> IFF you want to support the default set of keys installed on computers

Which happens to be the case if you want to use an extension card with its own
BIOS. If it is signed, what key is used? Can you resign with your own?

~~~
drdaeman
IIRC, Secure Boot spec said there must be multiple trust anchors, i.e. it's
not like "user's own or Microsoft", but there can be any combination of
trusted CAs (and I bet there's NSAKEY somewhere, huh).

I'm not sure about the implementations and real-world situation, but as far as
I get it, with the X.509 certificates Secure Boot generally uses, one should be
able to put the exact card vendor's certificate (not the MS CA root one) in to
trust the extension card. (Sadly, I think there's no way to trust one specific
signature.) I guess that's probably very non-trivial in practice.

At worst, one should be able to put their own CA (to sign their own software)
and be forced to add MS CA to trust the third-party software as well. But - if
UEFI implementation allows user-defined CAs - it should be possible to run
your own code without asking Microsoft's permission.
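
The "any combination of trusted CAs" point above, and snuxoll's note that
distributions enroll their own keys beside Microsoft's, both come down to what
the Secure Boot `db` variable actually holds: a concatenation of
`EFI_SIGNATURE_LIST` structures, each carrying either X.509 certificates
(`EFI_CERT_X509_GUID`) or SHA-256 image hashes (`EFI_CERT_SHA256_GUID`), each
entry tagged with a `SignatureOwner` GUID saying who enrolled it. The Python
below is an added example, not code from this thread or from any firmware or
distribution project: it encodes and parses that structure using the GUIDs and
layout from the UEFI specification, and then performs the firmware-style
"is this image's hash enrolled?" check. The certificate bytes, the owner GUID
and the image contents are constructed placeholders, not real DER or real
binaries.

```python
"""Build, parse and query a UEFI Secure Boot db-style variable.

Added example; the certificate bytes, owner GUID and images are constructed
placeholders. Only the GUIDs and the EFI_SIGNATURE_LIST layout are from the
UEFI specification.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner identifies who enrolled an entry. Constructed value here.
OWNER_USER = uuid.UUID("11111111-2222-3333-4444-555555555555")

# EFI_SIGNATURE_LIST header: SignatureType GUID (little-endian form),
# SignatureListSize, SignatureHeaderSize, SignatureSize.
SIGLIST_HDR = struct.Struct("<16sIII")


def build_siglist(sig_type, owner, datas):
    """Encode one EFI_SIGNATURE_LIST. The spec requires every entry in a
    list to have the same SignatureSize, so X.509 certs of different
    lengths each need their own list; hashes of one algorithm can share."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal size")
    sig_size = 16 + sizes.pop()  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + d for d in datas)
    hdr = SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def parse_db(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return a list of
    (signature_type, owner, signature_data) tuples. Length fields are
    validated against the buffer so a truncated or corrupt variable raises
    instead of being silently mis-read."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds variable contents")
        sig_type = uuid.UUID(bytes_le=type_le)
        pos = off + SIGLIST_HDR.size + hdr_size
        end = off + list_size
        if sig_size <= 16 or (end - pos) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def trusted_x509_certs(db_blob):
    """All certificate trust anchors in db (DER bytes), whoever enrolled them."""
    return [d for t, _, d in parse_db(db_blob) if t == EFI_CERT_X509_GUID]


def sha256_allowlisted(db_blob, image):
    """Firmware-style hash check: an image whose SHA-256 is in db may boot
    even if it carries no signature at all."""
    digest = hashlib.sha256(image).digest()
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in parse_db(db_blob))


# Constructed sample data: two fake "DER certs" of different length (so they
# land in separate lists) and two fake images allow-listed by hash.
FAKE_VENDOR_CERT = b"\x30\x82" + b"V" * 60
FAKE_OWN_CA_CERT = b"\x30\x82" + b"O" * 80
MY_IMAGE = b"constructed EFI image A"
OTHER_IMAGE = b"constructed EFI image B"

SAMPLE_DB = (
    build_siglist(EFI_CERT_X509_GUID, OWNER_USER, [FAKE_VENDOR_CERT])
    + build_siglist(EFI_CERT_X509_GUID, OWNER_USER, [FAKE_OWN_CA_CERT])
    + build_siglist(EFI_CERT_SHA256_GUID, OWNER_USER,
                    [hashlib.sha256(MY_IMAGE).digest(),
                     hashlib.sha256(OTHER_IMAGE).digest()])
)

if __name__ == "__main__":
    for t, owner, data in parse_db(SAMPLE_DB):
        kind = "X509" if t == EFI_CERT_X509_GUID else "SHA256"
        print(f"{kind:6} owner={owner} {len(data)} bytes")
    print("MY_IMAGE allow-listed:", sha256_allowlisted(SAMPLE_DB, MY_IMAGE))
    print("tampered allow-listed:", sha256_allowlisted(SAMPLE_DB, b"tampered"))
```

On a Linux machine the real contents can be fed to `parse_db` by reading the
`db-d719b2cb-3d16-4422-afd-...`-style file under `/sys/firmware/efi/efivars/`
(exact name taken from the directory listing) and dropping its first four
bytes, which efivarfs prepends as the variable attributes. Whether the
firmware lets you replace the PK and enroll your own lists, as tremon's 1b)
describes, is vendor-specific; the format you would be writing is the one
above.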

------
excalibur
SHA1

------
cwyers
Okay, so we get a pile of FUD (Secure Boot and Intel ME are DRM features now?
'kay), no acknowledgement of the actual security threats that compel Intel,
AMD, Microsoft and the OEMs to adopt these measures, and an appeal to dump x86
for ARM (um), MIPS (uhhhhhhh), POWER8 (wat), and RISC-V (how?). What is the
point of this, exactly?

~~~
5ilv3r
If a secure boot chain makes you feel nice and fuzzy inside, then perhaps you
might be interested in setting up your own. Without the ability to do so, you
are boned if the trusted entity becomes untrustworthy (such as if the mfg was
to be acquired).

If you alone are the trustworthy entity, things work better.

~~~
cwyers
> If you alone are the trustworthy entity, things work better.

That really, really depends on how trustworthy you are, doesn't it? I would
argue that most computer users don't and shouldn't trust themselves to secure
against low-level threats, and some of the people who do trust themselves
really shouldn't.

~~~
geofft
Yup. I run Debian instead of Gentoo because, for various reasons, I trust the
Debian project to be better at things (like triaging, backporting, compiling,
and testing security updates promptly and correctly) than I trust myself. I
think this is a common decision.

I later extended this logic and bought a Chromebook—a decision I don't take
lightly, as a free-software advocate, but I was not convinced that there was
an alternative that effectively let me retain more control over my computing.
One of the things the Chromebook does that basically nobody else does (systemd
vaguely wants to do this, my previous employer wanted to do this for our
customers, etc., but I don't think anyone actually does) is it enforces a
secure-boot-style thing for the entire OS, and makes it hard for anyone who
doesn't have the signing key to take control of my computing away from me. In
an ideal world, someone other than Google would have the signing key. But per
the logic above, I definitely _don't_ want it to be me.

