
Purism Librem Laptops Completely Disable Intel’s Management Engine - mike-cardwell
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
======
nerdponx
There's a blog post on their site that goes into detail on how this is done:
[https://puri.sm/posts/deep-dive-into-intel-me-
disablement/](https://puri.sm/posts/deep-dive-into-intel-me-disablement/)

~~~
dmix
That's a fun article. Thanks. The best part was the wifi breaking randomly.
This is why I could never be a hardware guy:

> Therefore, I started progressively whitelisting more modules so me_cleaner
> wouldn’t remove them, and testing if it affected the wifi module. This was
> annoying to test because I’d have to change me_cleaner, neutralize the ME
> firmware, then copy the image from my main PC to the Librem then flash the
> new image, poweroff, then restart the machine, and if the Wifi wasn’t
> working, which was 99% of the time, I had to copy the files through a USB
> drive.

Sounds painful. We've all had debugging experiences like that once in our
lives.

I appreciate their effort and public documentation!

------
jonathanstrange
Call me cynic, but it wouldn't surprise me if the NSA intercepted those in
their hardware interception program[1] and install spyware on them whenever
they are delivered to an address outside the US.

[1] [https://www.extremetech.com/computing/173721-the-nsa-
regular...](https://www.extremetech.com/computing/173721-the-nsa-regularly-
intercepts-laptop-shipments-to-implant-malware-report-says)

~~~
dmix
That's why the OS should check to make sure the ME is still disabled and not
boot otherwise, or signature check it somehow, create a hardware indicator,
etc. But then there's still the harddrive firmware and who knows what else.

Still, this is upping the bar quite a bit if you're security conscious. In
security all you can do is make the attackers lives harder, you can't fool
proof it.

Plus they mentioned two different open source tools to disable it yourself
(via software, not hardware as they do here). So you can buy a laptop with
cash off craigslist and do it yourself if you're super paranoid.

~~~
squarefoot
"But then there's still the harddrive firmware and who knows what else."

Graphics card blobs, wifi cards blobs, etc. Just about every vital subsystem
on a modern PC/phone/tablet etc. has been compromised by design through closed
device drivers so that someone with enough skills and access to those
information (such as some 3 letter agencies) can create a sort of covert
channel where data can be computed, read or stored and transmitted without any
means of intercepting that by any applications, because every part it's going
to pass through contains some closed code that can be instructed to encrypt
and tunnel the data from one place to another.

This came to mind years ago when I was struggling with a network card
requiring a firmware blob that refused to load. I started wondering why were
they making things so complicated for users and admins by keeping drivers
closed; that blob could have contained just about every possible malware in
existence and I would never have noticed it. Then I had a flash: disk drives
also contain closed firmware, and video cards too. I recall having thought
"heh, if they had a blob into the CPU as well they could close the circle and
build a system where they can move information inside the machine or
receive/transmit them from/to the external world completely unbeknown to the
user. Then years later I read about Intel ME and got a thousand flashes
because I almost saw that coming.

To me there is no such thing as a trustworthy system anywhere in the world, at
least not until every single line of its software, firmware and hardware has
been opened for public scrutiny. There is too much at stake, and surveillance
is a damn rich business both for companies and people in power.

~~~
fghtr
I think you may be interested in a development of a stateless laptop [1] by
Joanna Rutkowska. They are trying to prevent any data storage outside of the
user knowledge and control.

[1]
[https://blog.invisiblethings.org/papers/2015/state_harmful.p...](https://blog.invisiblethings.org/papers/2015/state_harmful.pdf)

------
hedora
I really want one of these, but the ergonomics look awful.

Is there a technical reason they only come with low resolution (1080p)
screens? (“Linux” is not a valid reason...)

Also, as much as I would like a 15” screen, the off center keyboard is a deal-
breaker. It’s just asking for RSI.

Does anyone own one? How is the trackpad / keyboard / battery life / fan
noise? Maybe I can deal with 1080p in exchange for a reasonable OS and
security.

~~~
broodbucket
1080p is considered low res! Crazy the times we live in. There are still
laptop manufacturers making 1366x768 displays, the worst resolution ever
invented.

I understand pixel density is nice, but for the vast majority of workflows you
do _not_ need anything better than 1080p on a 15" display.

~~~
andy_ppp
No _you_ don’t need better than 1080p but most developers need crisp text and
I would like to go further and 4k 15inch displays would be perfect for me as
it would allow me to have smaller text without a loss of quality.

~~~
jchw
It's a bit absurd to argue that you _need_ a high pixel density to code. It's
no longer an insane luxury, but even being a relatively younger programmer I
remember 640x480 being the highest resolution my first personal computer could
display. What fundamentally changed about programming that now we can't even
do it without 200 PPI displays?

Obviously, nothing. High resolution for most people is still just a 'nice to
have.' But even 1080p@15" will produce relatively crisp text. I'd argue East
Asian languages are the only ones to significantly improve in legibility, as
sub-pixel rendering pretty much does what it needs to do for English nowadays.

That being said, I absolutely will always go for high DPI and everything, I
just don't think it's sane to argue it's an absolute must for what amounts to
typing and reading text.

~~~
mrec
> _I remember 640x480 being the highest resolution my first personal computer
> could display_

<FourYorkshiremen> Eeee, you were lucky. My first personal computer maxed out
at 320x256, or 160x256 if you wanted more than 4 colours. </FourYorkshiremen>

~~~
zimpenfish
> 320x256

LUXURY. We had 32x24 b&w characters and we were glad of them.

(ZX81, nominally 256x192 pixels but only accessible as 8x8 character cells.)

~~~
clort
I seem to recall that there were characters made up of all the options of
quarter squares, so you could have a pixellated display of 64x48 at least

edit: seems like HN doesn't support these characters but see
[https://en.wikipedia.org/wiki/Block_Elements](https://en.wikipedia.org/wiki/Block_Elements)

I made a 'zooming through a tunnel' program in assembler once, using them

~~~
zimpenfish
You are, indeed, correct -
[https://en.wikipedia.org/wiki/ZX81_character_set](https://en.wikipedia.org/wiki/ZX81_character_set)

Although in the context of developing on small screens, they're not very
helpful.

(And if you redefined the character set on the fly, you could make things like
Forty-Niner.
[https://www.youtube.com/watch?v=OTTWMIQVznM](https://www.youtube.com/watch?v=OTTWMIQVznM)
)

------
guaka
For website of a purist software freedom company I was surprised to see
Privacy Badger show up with a red 5:

ajax.googleapis.com fonts.googleapis.com secure.gravatar.com fonts.gstatic.com
code.jquery.com

~~~
belorn
Can someone explain why you would want to link to fonts/js libraries rather
than have a copy on the server and server that yourself?

~~~
askvictor
One reason would be that the browser will cache them if they are used in
multiple sites, so loading will be much faster on subsequent sites using the
same resources. Another might be that such resources load faster off a CDN
than your own server.

~~~
nilved
In practice, this never happens. The value is certainly less than the data
you're selling about your users to Google.

~~~
askvictor
What data are you giving to Google (or another CDN) by loading jQuery or a
font from them? What does the ToS say? Genuine question.

Edit: here's the ToS:
[https://developers.google.com/speed/libraries/terms](https://developers.google.com/speed/libraries/terms)
If you believe Google, they're not collecting anything.

~~~
nilved
Don't be naive.

------
ploggingdev
What do the security experts think about Librem products? Does it live up to
what's promised? Any gotchas users need to be aware of? I have not come across
their comments on this topic, so links to the same would be appreciated if I
missed them.

~~~
whamlastxmas
They have a track record of lying about their product, though disabling IME is
a big step towards living up to their marketing.

~~~
bo1024
Examples?

------
hawski
Is there any other new hardware other than Purism and Chromebooks that uses
Coreboot/Libreboot?

EDIT: A list from coreboot site [1] does not look comprehensive as it is not
mentioning Chromebooks or Purism.

[1] [https://www.coreboot.org/Products](https://www.coreboot.org/Products)

~~~
ac29
PC Engines uses coreboot for their APU boards (usually used as routers or
firewalls).

The price/performance & energy efficiency isn't too compelling in my opinion,
but if you like the idea of running your router, firewall or other network
appliance on x86 with an open source BIOS and OS, its worth looking into.

------
forapurpose
> The Management Engine (ME), part of Intel AMT

Not hugely consequential, but Intel's product line is confusing enough without
any help. AMT for years has been an application that runs on ME (unless
something has changed). From the authoritative book, _Platform Embedded
Security Technology Revealed: Safeguarding the Future of Computing with Intel
Embedded Security and Management Engine_ by Xiaoyu Ruan, a security researcher
with the Platform Engineering Group at Intel (2014)

 _The list of old inventions finding new applications in new domains goes on.
The new applications benefit a much wider population and improve more people’s
quality of life.

When Intel’s Active Management Technology (AMT) first appeared in 2005, it was
marketed as an advanced system management feature for Intel 82573E series
gigabit Ethernet controllers. In 2007, a new embedded coprocessor, namely the
management engine, was introduced. Originally, the management engine was
designed primarily for implementing the AMT rather than running security
applications. At that time, the main problem that was supposed to be resolved
by the embedded engine and AMT was the high expense and difficulty of system
management by network administrators. The management engine was a component of
Intel chipsets with vPro technology. The Intel AMT implementation was moved
from gigabit Ethernet controllers to the management engine and became a
feature of vPro.

Intel AMT is not the only application on the management engine. The first
security application on the engine was the integrated TPM ..._

------
sspiff
You can also order Dell machines with ME disabled. Additionally, most current
Dell systems can disable Intel ME in the BIOS settings as well. This is a trap
door setting - once disabled, there is no way to turn it back on.

From what I've heard, this disabling is done through the Intel HAM (high
assurance mode), but I have no idea what the differences between the Dell and
Purism approaches are.

~~~
n1000
Could you provide sources for this? I have never heard of such a Dell
machine... My understanding was that there are currently no real options to
run an Intel CPU laptop without ME.

~~~
nickpsecurity
Probably Optiplex given its use in high-security defense sector which,
combined with Separation Kernel Protection Profile, would have all kinds of
security/hardening requirements:

[https://gdmissionsystems.com/cyber/products/trusted-
computin...](https://gdmissionsystems.com/cyber/products/trusted-computing-
cross-domain/trusted-multilevel-computing-solution)

[http://www.integrityglobalsecurity.com/pages/solutions.html](http://www.integrityglobalsecurity.com/pages/solutions.html)

[https://www.ghs.com/products/safety_critical/integrity-
do-17...](https://www.ghs.com/products/safety_critical/integrity-do-178b.html)

Warning: These companies' marketing folks like to go overboard. Sharing for
the technical data and Dell references but not endorsing every claim you see.
;)

~~~
sspiff
It was indeed an Optiplex system. You can find reference to it in this KB
article[1] about replacement system boards.

[1]
[http://www.dell.com/support/article/be/nl/bebsdt1/sln145409/...](http://www.dell.com/support/article/be/nl/bebsdt1/sln145409/manageability-
mode-options-on-replacement-system-boards-for-the-dell--optiplex--755---kb-
article---327359?lang=en)

------
jxramos
On a side note I liked reading about a phone campaign by the same group. This
post introduced me to it.

Librem 5 – A Security and Privacy Focused Phone
[https://puri.sm/shop/librem-5/](https://puri.sm/shop/librem-5/)

------
brobinson
Great news!

Does anyone know of any efforts to remove the ME equivalent from AMD's
processors?

------
scoopr
I've been looking at librem laptops, as I'd kinda like a dedicated linux
laptop. But as with many of these kinds of projects, i18n concerns are
secondary, and in this case, there is no scandinavian/nordic keyboard options
:/ (And I do appreciate that it might not be quite simple to have all kinds of
keyboard configurations available)

~~~
zsoltgyongyosi
It's surprisingly easy to switch to the English layout. As a programmer, it
was refreshing to leave behind the convoluted key combinations while coding.
(I'm looking at you, `tilde`, on a Hungarian keyboard)

On Linux, writing accents using a compose key isn't much slower than typing
the letters directly either.

~~~
oelmekki
I've considered a few times switching to a qwerty (from french azerty), but
there are two things that made me pull back:

1\. french people I know who use qwerty tend to not write any accentuated
characters anymore. I'm ready to accept compose keys are usable, but it
clearly seems to encourage incorrect spelling when you use a language with a
lot of accentuated characters in a sentence

2\. vim. I really don't see myself fighting to remap my habits and workflows,
given what I perceive as very few benefits switching layout would provide

~~~
reirob
Hello, I'm living in France and I made the switch to qwerty and it was one of
my best work-hacks in my live (after learning touch typing). It took around 3
weeks to get used. The advantage is soo huge! Just to take your fears - I'm a
heavy VI user and I have to say after switching to qwerty you will get to love
VI even more. Not even talking about programming.

Regarding your concern with accents: Under Linux I am using English
(International with AltGr dead keys) which allows me to compose accents by
pressing AltGr then the key(s) that represent the accent and then the base
character. So for à I press AltGr+Backtick and then 'a'. The advantage is that
it gives me all of the accents that I need in Europe - there is no problem in
writing German äÄöÖüÜß, and even for French you can easily have a œ in cœur -
I would not even know how to get this one on an azerty keyboard.

For Windows there is as well a possibility to install this layout.

The other advantage is, that if you work a lot with different countries - I am
remotely often on customer's computers via different remote sessions - then no
matter what country, you always have qwerty - on Windows it's normally just
one Alt+Shift away.

Definitely good investment and I will not go back (by the way I had to learn 3
layouts in my life - German, then French and now I am so happy with qwerty.

~~~
abecedarius
Has nobody made a kind of autocorrect that just adds accents and such? Of
course you’d sometimes have to fix them yourself, but my experience so far
learning French on an iPad (coming from English and not wanting to learn a new
keyboard too) has been that this ought to be a reasonable approach.

~~~
oelmekki
I like the idea, actually. But I can guarantee that given how
teachers/parents/old people always complain that young french people can't
write french properly, they would brutally yell at this idea :)

------
G8WyaX
What about the
[https://en.wikipedia.org/wiki/Baseband_processor#Security_co...](https://en.wikipedia.org/wiki/Baseband_processor#Security_concerns)
in Purism 5 phone?

~~~
flashdance
The Purism 5 is going to be using a baseband processor that's similar to ones
used in car infotainment systems. It won't share RAM with the CPU and will be
isolated from the rest of the phone. It'll even have a hardware kill switch,
where you can physically sever the circuit, if you're that paranoid!

The CEO of purism did an interview where he went to a moderate degree of depth
on the technical side, you can watch it here if you're curious. He mentions
all of the above features in it, and more!

[https://www.youtube.com/watch?v=4SwE9W8JasA](https://www.youtube.com/watch?v=4SwE9W8JasA)

~~~
flashdance
Just noticed I said Purism 5. It's called the Librem 5--and of course I see
this after it's too late to edit! :'(

------
em3rgent0rdr
I'm still waiting for them to ship a Librem 15 I ordered exactly 2 weeks ago.
The product page still says "Available to ship from inventory (1-2 weeks ETA),
while quantities last" so I don't know why that hasn't shipped or why they
haven't responded to my email about an update of status.

------
kevin_thibedeau
Intel is going to screw them over soon with a hardware revision.

------
dredmorbius
Question: how would one ensure that such systems aren't interdicted, presuming
that concern falls within your threat model?

[http://www.spiegel.de/international/world/the-nsa-uses-
power...](http://www.spiegel.de/international/world/the-nsa-uses-powerful-
toolbox-in-effort-to-spy-on-global-networks-a-940969.html)

------
skocznymroczny
How do you verify it's disabled? It's like saying "it's open source, it has no
backdoors!"

------
driverdan
I love the concept but not the prices. In comparing their 13" to the Macbook
Pro 13" I found the prices are about the same. The Macbook has a much better
screen, a better touchpad, and the resale value will be much higher so its
lifetime cost will be lower.

~~~
cat199
Except for the long run you're pretty much guaranteed a brick when apple drops
hardware support if you plan on running MacOS..

Not sure if these have replaceable battery which is another gotcha, so it
might be a moot point in the 'disposable hardware' era..

That said, lack of replaceable battery on macs will change the resale value
picture.. don't think that's really hit things yet..

------
nerdponx
Does disabling the IME have implications for performance or energy
consumption?

~~~
bradfa
Probably no implications on performance or energy consumption. Disabling it
will prevent many remote management capabilities which are desirable in
corporate environments.

Some details: [https://www.kernel.org/doc/Documentation/misc-
devices/mei/me...](https://www.kernel.org/doc/Documentation/misc-
devices/mei/mei.txt)

------
pmoriarty
How much do they cost and where can I buy them?

~~~
flukus
The products page of the linked article:
[https://puri.sm/products/](https://puri.sm/products/) . That Librem 11 looks
tempting...

~~~
em3rgent0rdr
Librem 11 looks tempting, but important to note that "To be announced
(prototyping and supplier negotiations phase)" which probably means several
more months...

~~~
broodbucket
and now they have a phone to build.

------
louithethrid
I want to see the layout in that chip, i want to see the dissasembly that ran
on it. Playing dead with a clock signal still going into it- thats not enough.

------
tekjenitalor
If in doubt act correctly and in due accordance with all applicable law and
regulation: all will then be fine.

If you can't follow our rules then you deserve to be persecuted, surveilled
and imprisoned at our whim but always know that you are being watched and your
past will be used against you.

Luddite time?

