Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday October 22 2017, @04:42PM   Printer-friendly
from the hold-my-beer,-I-wanna-be-free dept.

Purism Disables Intel ME On Its Privacy-Focused Librem Laptops

Purism, a startup that aims to develop privacy-focused devices, announced that it has now disabled Intel's Management Engine (ME). The company, and many privacy activists, believe that because Intel's ME is a black box to the user, it could hide backdoors from certain intelligence agencies. Alternatively, it may contain vulnerabilities that could even be unknown to Intel, but which might still be exploited by sophisticated attackers to bypass the operating system's security.

[...] The Librem laptops use Coreboot firmware, which is an open source alternative to BIOS and UEFI for Linux. The company said that using Coreboot is one of the primary reasons why they were able to disable Intel ME in the first place. Coreboot allowed them to dig down on how the processor interacts with this firmware and with the operating system.

Purism had already "neutralized" the Intel ME system on its Librem laptops, which essentially meant that the mission-critical components of Intel ME were removed. However, this could still cause some errors, because the Intel ME would still be "fighting" Coreboot's attempt to neutralize it. With the new method that disables it, the Intel ME can be shut down gracefully. Purism's laptops will continue to support both methods for extra security, just in case the Intel ME is able to "wake-up" somehow, after it's disabled.

[...] Both Librem 13 and Librem 15 laptop models will now ship with Intel ME disabled by default. Customers who have purchased the older Librem laptops will also receive an update that will disable Intel ME on their systems.

Related: Purism Exceeds $1 Million in Funding for Librem 5 Linux-Based Smartphone
How-To: Disabling the Intel Management Engine


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by VLM on Sunday October 22 2017, @06:05PM (6 children)

    by VLM (445) Subscriber Badge on Sunday October 22 2017, @06:05PM (#586000)

    Some of the costs seem weird.

    I have ESXi hosts with 2TB SATA SSDs and I paid roughly "six hundred bucks" per SSD. Purism charges a mere $1199 or about 2x.

    The ESXi hosts are on kind of obscure supermicro hardware using unusual high speed ECC ram that painfully costs me a hair over three hundred bucks per 32 gig stick (and each ESXi host has multiple sticks... it adds up fast, thanks vcenter/vsan/nsx), but its fast so I don't really care. This laptop place uses memory that's even more obscure, apparently, at $200 for 16 gigs so presumably 32 gigs would cost four hundred bucks.

    The irony of "protecting your digital life" is like most people everything I do is cloudy and "as a service" and network connected so I have a chromebook and I use the built in HTML5 chrome browser to talk to my own Apache Guacamole server to do RDP/VNC/SSH and I have somewhat inferior native apps on the chromebook. I am not entirely sure what I'd do with something that boils down to "a portable web browser with a raspberry pi duct taped to the back". I guess I could play modded minecraft on it and similar games, but I'm not really into paying $1599++++ just to portably play minecraft.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by bzipitidoo on Sunday October 22 2017, @07:04PM (4 children)

    by bzipitidoo (4388) on Sunday October 22 2017, @07:04PM (#586008) Journal

    Yeah, a quick look had me thinking that Purism charges a high premium for their hardware. I'd like a PC without a potential backdoor, but not for that much more money, Perhaps an AMD Ryzen based laptop would be better, when AMD gets around to it? Yet I've heard AMD has backdoors of their own.

    Disabling the Management Engine is all very well, but perhaps a better way to handle this issue is put a firewall and packet sniffer and analyzer between the afflicted Intel PC and the Internet. Find out what the Management Engine's traffic looks like, and block it. Also, perhaps turn one into a honeypot, and see if Intel or the NSA or whoever can be caught red handed, spying on that PC.

    Meanwhile, I hope that being just another geek out of millions, that the sheer quantity of of communication to look through, keeps most of us safe. There's always a chance any of us could be singled out, of course, but to monitor and intimidate us all seems like too big a job.

    • (Score: 1, Interesting) by Anonymous Coward on Sunday October 22 2017, @07:33PM (1 child)

      by Anonymous Coward on Sunday October 22 2017, @07:33PM (#586021)

      The 2 plus years Purism's laptop was running a bog standard AMI bios, even though they'd sworn it was going to be open source from top to bottom and developed as such.

      Purism is a scam pure and simple. It is FINALLY after a number of years (and like 4 generations of CPUs) living up to its hype and its kickstarter promises, but honestly, who would trust a company like this that doesn't seem to 'eat their own dogfood' as the saying goes.

      This is almost as bad as the linux foundation directory using a MAC running OSX to run a presentation at a Linux Conference.

      Both should be fired out of a cannon and ridiculed from their current niche.

      • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @11:10PM

        by Anonymous Coward on Sunday October 22 2017, @11:10PM (#586090)

        I don't even think it was Purism that accomplished this, but their wording leads one to believe that it was.

    • (Score: 1, Interesting) by Anonymous Coward on Sunday October 22 2017, @09:32PM (1 child)

      by Anonymous Coward on Sunday October 22 2017, @09:32PM (#586060)

      Disabling the Management Engine is all very well, but perhaps a better way to handle this issue is put a firewall and packet sniffer and analyzer between the afflicted Intel PC and the Internet.

      Sadly SMM and AMT have their own mode instructions that aren't publicly documented and that could potentially* escalate from ring3 all the way down to ring-2 and -3 which are a single browser sandboxing exploit away from owning your box.

      Overall, working with Intel like Purism is the correct way to go about this. It's quite possible some processors have internal erratas calling for different disabling steps for rings -2 and -3 that, if not followed, could leave your system at risk. So, at the very least we really need Intel to confirm which processors are safe to disable ME on. Ideally, of course, Purism will manage to get Intel to produce a few CPUs with ME fused off the circuitry. It's still a relatively compromised position of trusting Intel to not blatantly lie to us. But otherwise there are modern techniques to sift through the available instructions ( https://www.youtube.com/watch?v=KrksBdWcZgQ [youtube.com] ) that we can run at hypervisor mode and, with a great degree of certainty, be sure there aren't too many surprises under the hood.

      Of course, an open source fixed width instruction set with exposed pipelines or fully documented branching that we can fuzz all possible instructions on and measure their execution times to know with absolute certainty there aren't any special backdoor in the CPU is the dream. But I fear it will take a while longer before we'll ever see something like that in the consumer markets.

      *Either due to a hardware bug or a bad software implementation due to a lack of proper documentations.

      • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @09:36PM

        by Anonymous Coward on Sunday October 22 2017, @09:36PM (#586064)

        p.s. I meant the consumer Desktop market... There are already a few such cores we can trust in the embedded and server world.

  • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @07:23PM

    by Anonymous Coward on Sunday October 22 2017, @07:23PM (#586016)

    From everything I've heard, minecraft is a bigger cpu hog, before including mods and addons and other items.

    That said, the VC4 in the Pi, while good enough to render some semi-modern games, just doesn't have the throughput required to run anything complex above 640x480 at an acceptable framerate. It is either 20 or 40GFlops of peak performance, which for reference is about the same performance as the AMD 760G chipset's Radeon HD3000(3100?) IGP, only with half to a quarter the memory bandwidth (depending on your AM2/3 cpu) and a simpler opcode set, reducing both features and real world peak performance.

    Having said that: Broadcom, via the VC4, at least until the VC5 comes out with the same sort of mandatory signing as AMD and Nvidia now have, is actually the MOST OPEN 'generally programmable' GPU hardware available today. The Vivante and Adreno aren't bad either, but given the difference in availability, the RPi/VC4 can be found in almost any electronics store today and there is almost complete firmware for initializing it openly. With Vega, AMD has closed that door in both the cpu and gpu, making the Pi actually the more open and potentially secure device. It may turn out NOT to be, but just based on the ability to change code if a security exploit IS ever detected, it is already much better.