
How Purism avoids Intel’s Active Management Technology - jermier
https://puri.sm/learn/avoiding-intel-amt/
======
Cieplak
Clearly there’s demand for an Intel product with these features absent from
the platform controller hub.

I acknowledge that hardware products take years to develop, and they already
have a lot on their plate.

Perhaps Intel doesn’t care about consumer whims, but clearly there’s demand
from companies like Google.

I’m just generally surprised at the lack of public-facing responses from
Intel’s leadership around this and other security issues facing their
platform. It all reads like lawyers trying to minimize their liability.

They’re one of the most important technology platforms today. Everything
besides cellphones runs on Intel.

Despite actually being a monopoly or duopoly, they don’t have to be so stodgy.
I want to love them for their profound impact these past few decades, but it’s
hard when it feels like they don’t listen to their customers.

~~~
yvdriess
The remote access features are probably removed or disabled via microcode
changes. As Purism referred to sourcing recent CPUs without vPro, they are
either directly or indirectly getting those kind of vPro-disabled variants.

------
cantrevealname
I've been hearing about Intel’s Active Management Technology for years, but
I'd like to see a demonstration of how an attack would work. I have an unused
laptop with:

1. an Intel CPU that supports the vPro feature set

2. an Intel networking card

3. the corporate version of the Intel Management Engine (Intel ME) binary
(well, definitely, a corporate laptop that used to get updates, but how do I
check for ME?)

Is there a website I can visit that can initiate a remote takeover (I'm
consenting to it)? Why isn't this possible? What other step is required on my
side to make it possible? Is it possible only through the physical ethernet
connection? Why aren't we seeing wide scale exploits based on AMT?

~~~
threatripper
Absence of evidence is not the evidence for absence.

If the backdoor exists you will need to know a secret to open it. Currently,
the public obviously doesn't know this secret or the doors would be wide open
for virtually anybody. Because we don't know the secret key, we cannot open
them to prove that they exist. So we don't know for sure if the backdoors
exist. But the way the IME is designed and handled makes it possible and
plausible that backdoors could exist. It's up to Intel to prove that they
don't exist.

~~~
selectodude
>It's up to Intel to prove that they don't exist.

That seems a bit over the top to ask them to prove a negative.

~~~
alasdair_
Releasing the code would allow people to verify it.

~~~
shawnz
Releasing the code would _help_ to make it more auditable.

------
neilv
Purism just needs TrackPoint and thicker keyboards, and I can upgrade my
stockpile of ThinkPads. :)
https://www.neilvandyke.org/coreboot/

~~~
sscarduzio
The trackpoint is the single reason I never bought a Thinkpad.

~~~
NikolaNovak
It's certainly one of those "acquired tastes", though like with 3.5mm
elimination, I don't understand the sheer vitriol against it by those who
happen not to use it. Why do you care? If everything else in Thinkpad appealed
to you, why would an eminently ignorable feature be such a HUGE ("single
reason") deal breaker?

In my mind, either a) There are other reasons and this is a convenient
conscious or subconscious scapegoat; or b) it's an extremely emotional
decision, and as such certainly relevant to holder ("Whatever floats your
boat!":) but not necessarily applicable or translatable to anybody else.

I'd be curious (genuinely!) to hear more - were you actually tempted by any
Thinkpads in the past but rejected them due to trackpoint, and if so can you
elaborate why - what use case did they prevent or what inconvenience did they
cause? Thx muchly! :)

~~~
Godel_unicode
The trackpoint is ugly. It's a giant throwback pimple in the middle of the
keyboard, which there's no way to get around looking at all the time.
Thinkpads being ugly is kind of their thing, so it doesn't surprise me that
lots of Thinkpad people don't mind it or even see it as a plus, but to me
seeing a trackpoint is like seeing a floppy drive. I used one for years, and
I'm really happy that trackpads have gotten good enough that I'll never need
to use one again.

Edit: display notches are actually probably a better comparison. They're ugly
and even though I don't use it I can't get rid of it except by using hardware
designed not to have it.

~~~
numpad0
I feel TrackPoint and Trackpad both present at the same time is ugly

But FWIW the inspiration for the red cap is from pickled plum in bento
boxes[0] so

[0]: https://images.app.goo.gl/Xf3kHjv9JVMdeXA77

~~~
searchableguy
> But FWIW the inspiration for the red cap is from pickled plum in bento boxes

I get now why so many anime people love thinkpads.

~~~
numpad0
lol you’re downvoted but right. IBM had a lab to the west of Tokyo where lots
of ThinkPads were said to have been born, so not just people like them but
same people make them.

------
kelnos
> _We choose Intel CPUs that do not have vPro_

The Wikipedia article they link about vPro says:

> _Intel vPro technology ... [includes] VT-x, VT-d..._

Does this mean that Purism hardware won't support virtualization extensions?
Seems like that would be a big downside, and would make it a non-starter for a
lot of people (including myself).

~~~
sukilot
You have to dig past the marketing labels and into the actual specs. Some CPUs
have VT-x but not vPro.

https://ark.intel.com/content/www/us/en/ark/products/149091/intel-core-i7-8565u-processor-8m-cache-up-to-4-60-ghz.html

~~~
floatboth
where "some" means pretty much _all_ consumer CPUs.

~~~
Godel_unicode
That's absolutely not true, there are a ton of modern consumer CPUs with vpro.
Here's a comparison of the 10500 through the 10900{,k}, all of which have
vpro.
https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=199316,199335,199311,199332,199273,199328,199277

Here's the more complete list of Core processors which have vpro platform
eligibility. It's quite long.
https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_VProTechnology=True&1_Filter-Family=122139

------
shmerl
Looking forward to AMD laptops with Coreboot support as well.

~~~
fsflover
Probably won't happen since AMD have their own secret code which no one could
neutralize yet.

~~~
boring_twenties
Recent (1-2 years?) AMD BIOS supports disabling the Platform Security
Processor (their ME equivalent).

I haven't been able to figure out what exactly this means, but it does seem to
be disabled _after_ system initialization. Kind of like Intel's HAP bit,
except user-settable.

~~~
floatboth
Either like the HAP bit, or less — only disabling its visibility to the OS on
the PCIe bus.

~~~
boring_twenties
Yeah, I'm a little confused as to why they'd bother implementing and deploying
this feature without even a cursory explanation of what it does...

~~~
numpad0
Maybe it’s literally classified

------
closeparen
I hear a lot about disabling the management engines... what about activating
them for yourself?

~~~
rzzzt
Your computer could run Linux or Doom even while it's off!

~~~
stallmanite
The idea of gaining control of the management hardware like this is really
exciting. Can anyone here comment on whether it could plausibly happen? I’m
guessing it would require leaks from Intel because otherwise whoever develops
the capability would presumably keep it close to the vest or sell it for major
$ right?

~~~
wmf
The ME is running Minix/x86 and presumably a vulnerability could be used to
inject new code that isn't signed by Intel.

But what would you do with it? Why not just use the OS?

~~~
stallmanite
I can’t put it into words well but it’s like if I discovered a vestigial limb
attached to my body. I’d want to try firing it up.

------
seemslegit
What are the odds that the chips that don't feature AMT/ME don't have it
physically as opposed to it just being crippled in firmware? In which case if
one is worried about government backdoors this should alleviate exactly zero
concerns.

~~~
wmf
This topic is well understood so there's no need for "odds". All the chips
have ME. AMT is a firmware feature that can be removed or not bought.

------
swader999
Another vector for attack is shipping. Do you trust that this won't be
intercepted and "customized" on its way to your address from the factory?

~~~
Answerawake
They offer "anti-interdiction service"

https://puri.sm/posts/anti-interdiction-services/

From the site:

- Customized tamper-evident tape on the sealed plastic bag surrounding the laptop itself

- Customized tamper-evident tape on the internal, branded box

- Glitter nail polish covering the center (or all) screws on the bottom of the laptop

- Pictures of all of the above plus pictures of the inside of the laptop before sealing the bottom case

- All pictures sent to the customer out-of-band, signed by Purism and encrypted against the customer’s GPG key

- All coordination occurring over GPG-protected email

------
mietek
(2017)

------
EE84M3i
"with the intention of reverse-engineering the remaining parts"

this line strikes me as odd. Don't OEMs normally have a contract with Intel
(or someone that does) for licensing the motherboard design that would prevent
them from doing this?

~~~
wmf
I have no idea what the contracts say, but Purism seems to be comfortable
operating "outside the system" so maybe they just won't have any contract with
Intel.

------
R0b0t1
Disabling is not removing. People have found motherboards that should
ostensibly not support vPro (e.g. Asus gaming motherboards) that do report
vPro ME functionality.

There is no reason to believe the software switch is working, especially when
even a system integrator can accidentally enable the features. If someone
wants them on they turn on.

Purism sells snakeoil. Presenting their offerings as FOSS-compatible would be
honest. Claiming additional security is not.

~~~
tenebrisalietum
It's not possible to remove, or at least account for all behavior of, the ME
entirely until the BUP part is reverse engineered. You can't take that part
out yet and have a working CPU as far as I understand.

I'm surprised you didn't mention the FSP which is a binary blob from Intel
required to be run by any boot firmware (UEFI, Coreboot, or whatever) very
early in the platform initialization process (to my understanding, basically
as soon as possible after the reset vector, in the PEI phase) before anything
is useable.

Baby steps. Don't let perfect be the enemy of good. Success here could
indicate to CPU vendors there are people who care about these things.

~~~
R0b0t1
I know it isn't possible. Half measures are attractive short term but can
serve to normalize failure, as is currently happening. Most people I know view
Purism favorably and think it has actually made ME irrelevant. It hasn't, all
the hardware is still there and can be enabled. You still are not the de facto
owner of the machine.

~~~
tenebrisalietum
> It hasn't, all the hardware is still there and can be enabled.

Can it be enabled by Intel?

A system that has ME installed with a NIC the ME can't access (non-Intel)
seems like it makes the ME irrelevant via suffocation.

I'm not sure of the technical details of this board or if the ME can access
non-Intel NICs.

~~~
wizzwizz4
Well, if ME was activated by the byte sequence PLEASE_ENABLE_ME_42 being
present in RAM, which caused it to look for the Firefox / Chrome network stack
in memory and use _that_ to send passwords to Intel…

Unlikely? Amazingly so. Technically possible? Yes.

------
johnklos
How I avoid Intel's Active Management Technology: I don't buy Intel.

Even neutered Intel seems unnecessarily risky.

~~~
kmeisthax
Unfortunately the same business types who demanded such a ridiculous self-own
as an integrated CPU-level backdoor also pressured AMD into shipping the same
thing. And we know less about the AMD PSP than we do about Intel ME.

ARM is no better, either, at least in practice. Their relatively friendly
licensing terms would allow a vendor willing to make their own silicon in
volume to ship a no-TrustZone, no-Secure-Boot SOC. However, nobody does this.
In fact, moving to ARM has traditionally been used as an excuse to lock out
third-party operating systems and unlicensed software. (Remember Windows RT
tablets?)

------
ur-whale
Their claim demonstrates good intent, but the unfortunate truth is they have no
way of proving or even knowing that it holds.

------
xbar
Still no 16x10 screens. Welcome to the failbin.

~~~
pastrami_panda
A bit harsh, but sure, once you go 16:10 it's very hard to go back to 16:9
laptops.

~~~
Eldandan
I've been able to make the adjustment by buying something with a slightly
larger display. A 13" 16:10 display is comparable to 14" 16:9. At 1080p/1200p
you lose some vertical pixels and a very tiny amount of physical vertical
length, but you gain horizontal pixels and length, along with potentially more
ports.

This was my recent experience choosing between a new XPS 13 or a T14s amd.
Side by side the screens weren't that different. Port selection, keyboard
quality, and trackpoint availability were the tiebreakers in favor of the
Thinkpad. (Didn't care much about the performance difference due to my light
use case.)

~~~
pastrami_panda
I can't really stay productive on anything less than 15". Right now I'm
currently enjoying this year's lineup of 17" laptops whose body is basically
what a 15" was some years ago. I do graphics and sound production aside from
programming so I'm really enjoying the extreme screen-to-body ratios. Vapor
chamber cooling is also a nice addition.

But the thing that really gets me is the 16:10 resolution, I could personally
never go back after using it, it just _feels_ correct (to me).

~~~
Eldandan
>I can't really stay productive on anything less than 15".

Agreed. Without a dock/external monitor 13" and 14" are really not the sizes
one should focus on for productivity, except in short bursts. 16:10 really
makes an impact on displays smaller than 17". It took serious justification
for me to give up the XPS 13" 16:10 display in favor of a 16:9 14" laptop. I
absolutely would not have chosen a 13" 16:9 display because of how big of a
net loss it is.

