
posted by chromas on Monday July 23 2018, @10:22PM   Printer-friendly
from the drm dept.

Hugo Landau has written a blog post about why Intel will never let hardware owners control the Management Engine. The Intel Management Engine (ME) is a secondary microprocessor built into recent Intel x86 platforms, running Intel-signed, proprietary, binary-blob firmware that provides remote access over the network (the basis of Intel Active Management Technology) as well as direct access to memory and peripherals. Because the hardware enforces Intel's code signing, the owner cannot modify or replace that firmware.

Intel/AMD will never allow machine owners to control the code executing on the ME/PSP because they have decided to build a business on preventing you from doing so. In particular, it's likely that they're actually contractually obligated not to let you control these processors.

The reason is that Intel literally decided to collude with Hollywood to integrate DRM into their CPUs; they conspired with media companies to lock you out of certain parts of your machine. After all, this is the company that created HDCP.

This DRM functionality is implemented on the ME/PSP. Its ability to implement DRM depends on you not having control over it, and not having control over the code that runs on it. Allowing you to control the code running on the ME would directly compromise an initiative which Intel has been advancing for over a decade.

  • (Score: 2) by c0lo on Tuesday July 24 2018, @12:27AM (10 children)

    by c0lo (156) Subscriber Badge on Tuesday July 24 2018, @12:27AM (#711498) Journal

    If computers are your thing professionally, as a hobby or interest, anything like that, then you should be the one caring, and not trusting nonfree software, especially in your factory rootkits.

    Yes, I care, but... tell me, is there any actual** choice of running Linux on a trusted CPU?
    Personally I don't know any, thus I manage the best I can (and, depending on the circumstances, care).
    I'll be happy to learn there are trustworthy CPUs/platforms that can run Linux.

    ---
    ** in both meanings: "existing in fact, real" and "existing now, current".

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 5, Informative) by requerdanos on Tuesday July 24 2018, @01:18AM (8 children)

    by requerdanos (5997) Subscriber Badge on Tuesday July 24 2018, @01:18AM (#711508) Journal

    is there any actual choice of running Linux on a trusted CPU?

    Yes, with caveats.

    I have a couple of Olimex Olinuxino Lime2 single-board computers that run Debian pretty well. On their website Olimex points out that [olimex.com]:

    OLinuXino is completely open source hardware and open source software, which means you have access to all the CAD files and sources and you can reuse them for your own personal or commercial projects. There are NO restrictions to manufacturing and selling these boards for your own use or resale. This means security for your business, you own everything and have control.

    The caveats to this particular solution:
    - Armv7l 32-bit dual-core dirt dog slow (Similar performance to a Pentium 4 2.66)
    - 1GB RAM that you can't upgrade
    - Free driver for the Mali GPU is not yet full-featured
    - GPU supports only 0 to 1 monitors
    - No display support if you use mainline kernel (only with their custom 3.4.103)
    - except for SATA and serial debug port, peripherals must connect via USB2

    I chose these because no nonfree software is required to boot/run them (unlike the R. Pi) and I've been running two of them for years, both running Debian GNU/Linux, one headless, one via KVM. I moved them into a different case recently, so their uptime is only in the months, but before that each had over a year of uptime. I recommend them wholeheartedly for those who can live with their deficiencies.

    I use these because they are inexpensive (~US$100) and I am cheap.

    There are faster, more expensive (still very limited) systems in this vein, such as the US$550 Nvidia Jetson TX1/TX2 [arrow.com], which have 4 - 8GB of RAM, much better I/O including a PCIe slot, and USB3, and which, while not open hardware, Debian calls [debian.org] fully supported by free software (even if not by Debian itself).

    Would something like these count as running Linux on a trusted CPU? I know there are the "yeah, but..." objections that come from these being strange nonstandard developer boards, but then I am a strange nonstandard developer and I suspect you might be one also.

    I'd love to see a fast, cheap Desktop ATX board with a no-Management-Engine CPU that would support my usual three-HD-monitor setup. But we're getting there.

    • (Score: 3, Interesting) by c0lo on Tuesday July 24 2018, @01:26AM

      by c0lo (156) Subscriber Badge on Tuesday July 24 2018, @01:26AM (#711510) Journal

      Thanks in heaps.
      One can hardly call them a software dev platform, but then again... for interaction with the outside world they seem perfect.
      I'll also look at what I/O they have on the boards.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by bzipitidoo on Tuesday July 24 2018, @02:44AM (6 children)

      by bzipitidoo (4388) on Tuesday July 24 2018, @02:44AM (#711536) Journal

      Like I said in another story, I'm not trading down to a 133 MHz Pentium MMX with a measly 256M RAM for security from Spectre. Or security from the ME. This ARM chip is better than a 20 year old Pentium system, but it's still a huge performance hit and has other problems. It's too high a price.

      We'd all like to be free of Treacherous Computing and DRM, and there are other solutions than trying to avoid the ME. Like, sniff out the kind of traffic that the ME sends and receives, and block it at the firewall. Another possibility is to spoof or DDoS Intel with fake ME traffic. SN had a few stories about the possibility of disabling the ME by exploiting its security flaws to get it to flash itself to oblivion, or at least a permanently disabled state.

      Another strategy is to "zerg" them. That's the main way we fight the MAFIAA. There is way too much pirating for any of their strategies to have a hope of really stopping it, and a DRM enforcing ME won't change that. Microsoft already tried that approach in the OS a decade ago with the much hated Windows Vista, and it was an abysmal failure. Moving the DRM to hardware won't help.

      Yet another approach is a class action lawsuit against Intel and AMD, and anyone else of the very few who manufacture CPUs who dare to build in back doors. It's only a matter of time before their fool backdoor causes some major failure, in the same vein as Sony's incredibly stupid root kit on their audio CDs. Maybe a compromised ME causes some PC handling critical medical equipment to kill a patient, like the infamous Therac 25 did. Also, I'm sure the military takes a very dim view of their own computer hardware having such back doors. They love other militaries being stuck with such hardware, but they hate it for themselves.

      You mentioned MALI. I've been watching for years, wondering which way to jump to get open graphics hardware, Nvidia (Nvidious, you know) or ATI, or someone else, maybe Matrox? Maybe 3dfx would rise from the dead? So far, no one has delivered fully open 3D accelerated graphics. MALI is not open enough.
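      bzipitidoo's "sniff it out and block it at the firewall" idea above, worked through as an added example that is not part of the original thread. The script parses iptables-style LOG lines (constructed here, not real captures) and flags any flow whose destination or source port is one of the ports Intel documents for AMT remote management (623, 664, 16992-16995), then emits nftables rules for the upstream firewall. The one caveat a practitioner needs: on the machine that contains the ME, the NIC hands AMT traffic to the ME before the host OS sees a packet, so iptables/nftables on that host cannot block or even log it; the logging and the drop rules have to sit on an upstream firewall or a port mirror. The sample addresses, log format and rule text are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP/UDP ports Intel documents for AMT:
#   16992 / 16993  web UI and WS-Management, HTTP / HTTPS
#   16994 / 16995  redirection (Serial-over-LAN, IDE-redirect), plain / TLS
#   623   / 664    ASF/RMCP and secure RMCP
AMT_PORTS = frozenset({623, 664, 16992, 16993, 16994, 16995})

# Constructed sample log lines (iptables LOG target style, as they would appear
# in syslog on an UPSTREAM firewall). They are made up for this example.
SAMPLE_LOG = """\
Jul 24 01:18:00 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=16992 SYN
Jul 24 01:18:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jul 24 01:18:02 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.3 DST=192.0.2.11 LEN=48 PROTO=UDP SPT=40000 DPT=623
Jul 24 01:18:03 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=16994 DPT=51000 ACK
Jul 24 01:18:04 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=ICMP TYPE=8
"""

# Fields between DST and PROTO (LEN, TOS, TTL, ...) vary, hence the lazy .*?
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r".*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    port: int        # the AMT port involved
    direction: str   # "to-amt": client -> ME; "from-amt": ME -> client


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, int]]:
    """Extract (src, dst, proto, spt, dpt); None for lines without ports (ICMP etc.)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return (m.group("src"), m.group("dst"), m.group("proto"),
            int(m.group("spt")), int(m.group("dpt")))


def find_amt_traffic(log_text: str) -> List[Finding]:
    """Flag flows to an AMT service port, or answered from one (the ME talking back)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, spt, dpt = parsed
        if dpt in AMT_PORTS:
            findings.append(Finding(src, dst, proto, dpt, "to-amt"))
        elif spt in AMT_PORTS:
            findings.append(Finding(src, dst, proto, spt, "from-amt"))
    return findings


def nft_rules(ports=AMT_PORTS) -> str:
    """nftables rule text for the UPSTREAM firewall's forward chain (assumed layout)."""
    plist = ", ".join(str(p) for p in sorted(ports))
    return (f"tcp dport {{ {plist} }} counter drop\n"
            f"udp dport {{ {plist} }} counter drop")


if __name__ == "__main__":
    for f in find_amt_traffic(SAMPLE_LOG):
        print(f"{f.direction:8} {f.proto:4} {f.src} -> {f.dst} port {f.port}")
    print(nft_rules())
```

      Run against the constructed sample it reports the 16992 probe, the UDP 623 RMCP packet and the outbound SOL session answered from port 16994, and ignores the ordinary HTTPS and ICMP lines. Matching on the source port as well as the destination port is deliberate: a Serial-over-LAN or KVM session that was set up while the box was on another network shows up on an egress-only mirror as traffic *from* 16994/16995, never as an inbound SYN.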

      • (Score: 3, Interesting) by jmorris on Tuesday July 24 2018, @03:24AM (3 children)

        by jmorris (4844) on Tuesday July 24 2018, @03:24AM (#711552)

        I'm watching this little fellow: RockPro64 [pine64.org]

        From the forums it looks not ready for prime time for now, but look carefully at it. It or something like it is probably the future we seek. See that PCIe slot? It is "open ended" so it could accept a Radeon. Screw waiting for a reverse engineered Mali driver, Radeon is supported by AMD with open docs and developers. If the driver can be ported to ARM64 successfully one could have a quad core machine with 4GB of memory and a real desktop Linux running for $250. This particular product might also have a problem where a long PCIe card could get in the way of the eMMC slot. But if we see more PCIe slots appear on these little Arm boards, that is the way forward. Assuming they do not start getting "Management coprocessors" that can't be controlled.

        • (Score: 2) by bobthecimmerian on Tuesday July 24 2018, @02:04PM (2 children)

          by bobthecimmerian (6834) on Tuesday July 24 2018, @02:04PM (#711725)

          https://en.wikipedia.org/wiki/Free_and_open-source_graphics_device_driver#ATI/AMD [wikipedia.org] "The FOSS drivers for ATI-AMD GPUs are being developed under the name Radeon (xf86-video-ati or xserver-xorg-video-radeon). They still must load proprietary microcode into the GPU to enable hardware acceleration." (Emphasis mine.)

          • (Score: 0) by Anonymous Coward on Tuesday July 24 2018, @05:40PM (1 child)

            by Anonymous Coward on Tuesday July 24 2018, @05:40PM (#711795)

            It's microcode. I'm not sure that the "source" is anything more than comments next to blobs of bits.
            Maybe the industry has advanced, but I'm not sure what there is to see.

            • (Score: 0) by Anonymous Coward on Sunday August 05 2018, @08:00AM

              by Anonymous Coward on Sunday August 05 2018, @08:00AM (#717449)

              Seeing is one thing. Modifying and distributing another.

      • (Score: 0) by Anonymous Coward on Tuesday July 24 2018, @07:16AM

        by Anonymous Coward on Tuesday July 24 2018, @07:16AM (#711622)

        I'm not trading down to a 133 MHz Pentium MMX with a measly 256M RAM for security from Spectre.

        Nor is anyone else ... so I can develop my Spectre exploit with the sure certain knowledge that it will hack everything.

        It may not be easy, but with the funds provided by my backers a well-wisher - I will get there in the end

          Bwaa ha ha haar!

      • (Score: 4, Informative) by urza9814 on Tuesday July 24 2018, @02:52PM

        by urza9814 (3954) on Tuesday July 24 2018, @02:52PM (#711737) Journal

        I'm sure the military takes a very dim view of their own computer hardware having such back doors. They love other militaries being stuck with such hardware, but they hate it for themselves.

        They aren't stuck with it. Companies like Dell have publicly stated that they have specific models which they will only sell to government agencies or specific approved corporate buyers which have these features disabled. I'm sure Intel is cooperating with that, for the right price. Intel has also publicly stated that there are features in the management engine that were placed there specifically to be used by the NSA. So why should the government be concerned when Intel allows them to either remove or custom modify these features? The feds probably have source code and schematics. They don't care about any of this. They aren't going to save you.

        https://www.extremetech.com/computing/260219-dell-sells-pcs-without-intel-management-engine-tradeoffs [extremetech.com]

  • (Score: 2, Informative) by Anonymous Coward on Tuesday July 24 2018, @04:30AM

    by Anonymous Coward on Tuesday July 24 2018, @04:30AM (#711570)

    Talos II Lite (POWER9 CPU) is the only thing with performance the same as or better than a Xeon, and in the same price range -- everything with software/firmware is free/open on this board.

    For 100% free drivers on an ARM board (including GPU), I think there are only the MX6, MX7, and MX8 SoCs. There are some boards ( https://wandboard.org [wandboard.org] ) with a RasPi form factor, and some larger form factor boards that include PCIe etc.

    For a headless box, your options open up quite a bit. Look for anything ARM that has been used in a recent Chromebook. Google is now requiring manufacturers to get everything but GPU drivers upstream and in-tree in the Linux kernel in order to be used in a Chromebook. So, even Chinese SoCs like Rockchip can now run a vanilla kernel* with no proprietary blobs for a headless / framebuffer box (Pine makes a cheap SBC based on Rockchip, the "Rock64": $25 with 1G RAM, $45 with 4G; their RockPro64 gets you a faster CPU and a PCIe x4 slot, 2G RAM for $60, 4G for $80).

    *I have only read this; no personal experience with Rockchip (but that is about to change).