
It's a shame that ME can't be removed or disabled on modern Intel CPUs. Same goes for AMD and maybe companies that implement something like ME in ARM. OpenSPARC is quite dead, sadly enough.

Highly recommended read about x86 security: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

The author of this paper is also the developer of Qubes OS. They recently added another requirement to laptops that are 'Qubes certified': they must run Coreboot. It's not Libreboot yet, but that is a huge leap forward for x86 security. Hopefully this will trigger vendors to make their hardware Coreboot compatible. It won't do anything about Intel ME, but it is a step in the right direction.

I ordered a Thinkpad x200 to flash it with Libreboot last week, just to have at least one device without any malware (in the RMS sense).

> ... for around $5,300 USD.

Well, let me take a step back and first say that the project is impressive and I really like it.

But the cost is staggering.

For something rather more low-end, but good enough for some common tasks, don't forget EOMA68: https://www.crowdsupply.com/eoma68/micro-desktop

I own a Novena. It's a fun piece of hardware.

As just a day-to-day computer for software development, how does it work out? Can it run Firefox/Chromium just fine? What sort of issues have you had?

I've got a couple of Novenas. It's good for development except for web-browsing; for whatever reason firefox and chromium are both pretty sluggish on it. Everything else seems fine; I suspect that it's mostly down to video drivers, which are still somewhat in a state of flux (but getting better).

I'm skeptical about whether the video drivers are the culprit for poor web browsing performance. Yes, there's WebGL, but do Firefox and Chromium depend that critically on OpenGL for rendering ordinary web pages?

Yeah, Novena will be much more usable once the etnaviv drivers are ready.

I believe both the Librem laptops and the ORWL PC will soon use Coreboot, and they are much cheaper.

There's zero chance that the future Librem laptops will be "truly" open source. They will still have ME or AMD equivalent. Their entire marketing campaign is frustratingly dishonest.

They're quite competent con men. If you call them out about it (as the Coreboot developers did), especially on Reddit, they give very dismissive, yet non-committal comments:

"We're in talks with Intel" "They really want to do this" "We're going to make a petition to show interest to Intel"

The reality is that even Google with their Chromebooks, despite hiring most of the Coreboot team and shipping volume into the likely millions of units, was unable to persuade Intel. Even for the absolutely tiny set of CPU models they use.

Those still have the eeeeevil ME, although maybe in a semi-dormant form.

I have an x200 sitting around (although the case is cracked after a drop) but I've held off on trying libreboot because it requires a ~$50 piece of hardware to flash it (a BeagleBone Black).

Don't need a BeagleBone Black. I have flashed my laptop (T500) with a Raspberry Pi just fine.

That's true. They don't officially support the Raspberry Pi because it needs proprietary drivers and thus breaks the "chain of trust" needed for flashing Libreboot.

It's a bit over-the-top paranoid to expect firmware-modifying software in GPU drivers, but I understand their point.

To call the binary blobs on the Pi "GPU drivers" is an understatement. The VC4 is running the full ThreadX operating system. The Pi is closer to a VC4 board with a secondary ARM coprocessor tacked on than it is to an ARM board.

Oh wow, I didn't know this. Will look into this, thanks.

All the same, is your adversary really going to use this to attack your machine? They'd have to predict a number of things quite in advance, as well as sneak an attack into the blob.

Hm, well I have always run it headless. Should be possible to make sure the GPU driver isn't ever loaded.

> The Raspberry Pi boots from its GPU and only non-free software is currently available for the GPU, even starting the machine requires a large (2MB) blob of non-free, unsupportable software
Also from that page:

Broadcom publicly released some code, licensed as 3-Clause BSD, to aid the making of an open source GPU driver. The "rpi-open-firmware" effort to replace the VPU firmware blob started in 2016: https://github.com/christinaa/rpi-open-firmware. See more at https://news.ycombinator.com/item?id=11703842

The VC4 GPU actually is the primary chip; it boots the ThreadX operating system on the VC4 first, then ThreadX loads the user-configured system onto the ARM core. Whether you run headless or not, ThreadX is running on the VC4.

Could you direct me to a tutorial on that? I contacted the Libreboot devs before and they told me they wouldn't give any info out about using a different device.

Sorry, didn't see this yesterday. Don't know if you will come back. Here is a page that helped me with the wiring: https://web.archive.org/web/20150908054150/http://blogs.fsfe... and https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-...

ty ty

I'll trade you a BBB for an RPi.

Haha really? Can't you get an rPi for super cheap now, like $20?

I have hope in Risc-V.

I don't have any hope for other hardware. The only hope that I have is that Intel will change their mind and remove it, or make it fully open source.

The sad thing is that ME isn't even developed by Intel, but a third party. They sublicense it to Intel. So even if Intel would be willing to distribute the source, they couldn't.

AFAIK not even Google could get Intel to share the source code on their chips in order to make some of their Chromebooks. If Google can't do it, I doubt a handful of "GNU extremists" are going to change their minds.

If Intel said, "needs to be open source or we'll find another supplier" then it would become open source.

Unless the current supplier is the NSA.

Agreed. But it has to be rewritten, and that takes some time and costs money. It's another barrier preventing Intel from changing their mind about it. But in the end it would be open source if Intel changed their mind.

I think someone has to leak everything, Snowden-style, although with all the increasing "security" that could be a bit difficult... nevertheless, if someone does decide to be a hero and do it, I fully support their efforts.

Unless this leak revealed that the NSA forced Intel and AMD to include ME in their chips to advance their mass spying efforts such a leak would be a crime. Snowden's case is different since he was revealing info that Americans (or their reps) have a right to know. The intelligence agencies are building a mass surveillance infrastructure that is prima facie not compatible with a free country and almost certainly a violation of the constitution. The constitution and amendments do not directly apply to Intel and they are free to do whatever they want and we are free to buy or not to buy as we see fit.

TBH, I think there is a lot of focus on this ME technology and I see no reason that at some point someone is going to crack the model or the encryption and reveal exactly what it is doing and how to disable it.
