SoylentNews is people

posted by martyb on Sunday October 22 2017, @04:42PM
from the hold-my-beer,-I-wanna-be-free dept.

Purism Disables Intel ME On Its Privacy-Focused Librem Laptops

Purism, a startup that aims to develop privacy-focused devices, announced that it has now disabled Intel's Management Engine (ME). The company, and many privacy activists, believe that because Intel's ME is a black box to the user, it could hide backdoors from certain intelligence agencies. Alternatively, it may contain vulnerabilities that could even be unknown to Intel, but which might still be exploited by sophisticated attackers to bypass the operating system's security.

[...] The Librem laptops use Coreboot firmware, which is an open source alternative to BIOS and UEFI for Linux. The company said that using Coreboot is one of the primary reasons why they were able to disable Intel ME in the first place. Coreboot allowed them to dig down on how the processor interacts with this firmware and with the operating system.

Purism had already "neutralized" the Intel ME system on its Librem laptops, which essentially meant that the mission-critical components of Intel ME were removed. However, this could still cause some errors, because the Intel ME would still be "fighting" Coreboot's attempt to neutralize it. With the new method that disables it, the Intel ME can be shut down gracefully. Purism's laptops will continue to support both methods for extra security, just in case the Intel ME is able to "wake-up" somehow, after it's disabled.

[...] Both Librem 13 and Librem 15 laptop models will now ship with Intel ME disabled by default. Customers who have purchased the older Librem laptops will also receive an update that will disable Intel ME on their systems.

Related: Purism Exceeds $1 Million in Funding for Librem 5 Linux-Based Smartphone
How-To: Disabling the Intel Management Engine



Related Stories

Purism Exceeds $1 Million in Funding for Librem 5 Linux-Based Smartphone 26 comments

"The most popular mobile operating system on the planet, Android, is already based on Linux, but with Google in charge of it, many consumers cannot depend on it for privacy. With that said, Purism is planning to fight the impossible fight against Android and iOS with the "Librem 5" smartphone. This is a device that will run a privacy-focused Linux-based OS called "Pure OS," but the hardware is wide open for any OS, really. Purism is trying to raise $1.5 million through crowdfunding, and earlier today, it reached a significant milestone -- $1 million! Maybe the fight isn't impossible after all..." - via BetaNews

In the news:

https://puri.sm/shop/librem-5/
https://news.ycombinator.com/item?id=15436716
https://news.ycombinator.com/item?id=15090156
https://www.reddit.com/r/linux/comments/74cl80/purism_librem_5_has_surpassed_1000000_raised_in/
https://www.reddit.com/r/linux/comments/75bjmp/librem_5_funded_hooray/



How-To: Disabling the Intel Management Engine 29 comments

We've covered that it was possible and in theory how to do so before but I think having a proper How-To written up will save even us nerd types some hair pulling. Here's what you'll need to start:

  • an Intel-CPU-based target PC — that does not have Boot Guard enabled — on which you wish to disable the IME;
    • the target PC may be running an OEM BIOS (such as AMI, Dell etc.), or coreboot;
  • a Raspberry Pi 3 Model B single board computer ('RPi3'), for use as an external flash programmer;
  • a spare >= 8GB microSD card (to hold the 64-bit Gentoo O/S image we will use for the RPi3);
  • an appropriate IC clip for your target PC's flash chip, e.g.:
    • a Pomona 5250 for SOIC-8 chips;
    • a Pomona 5208 for unsocketed DIP-8 chips, or
    • a Pomona 5252 for SOIC-16 chips;
  • 8 female-female connector wires (to attach the appropriate clip to the RPi3's GPIO header);
  • a maintenance manual for your target PC, where available, to assist in safe disassembly / reassembly; and
    • whatever tools are stipulated in the above.

Given the above list, you'll obviously need to be comfortable identifying and connecting an IC clip to your flash chip. So, it's not a procedure for most grandmothers but neither is it especially complex or difficult for the vast majority of desktop machines (laptop/other difficulty will vary widely). Also, the guide explicitly does not cover PLCC or WSON flash chips, so you're out of luck here if your board has such.

Happy hacking, folks.



Andrew Tanenbaum's Open Letter to Intel About MINIX 3 45 comments

Professor Andrew S. Tanenbaum from the Department of Computer Science at Vrije Universiteit Amsterdam wrote "An Open Letter to Intel" regarding Intel's use of MINIX 3 to run the Intel Management Engine (video) built into their processors:

Thanks for putting a version of MINIX 3 inside the ME-11 management engine chip used on almost all recent desktop and laptop computers in the world. I guess that makes MINIX the most widely used computer operating system in the world, even more than Windows, Linux, or MacOS. And I didn't even know until I read a press report about it. Also here and here and here and here and here (in Dutch), and a bunch of other places.

[...] Note added later: Some people have pointed out online that if MINIX had a GPL license, Intel might not have used it since then it would have had to publish the modifications to the code. Maybe yes, maybe no, but the modifications were no doubt technical issues involving which mode processes run in, etc. My understanding, however, is that the small size and modular microkernel structure were the primary attractions. Many people (including me) don't like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel's business decision and a separate issue from the code it runs. A company as big as Intel could obviously write its own OS if it had to. My point is that big companies with lots of resources and expertise sometimes use microkernels, especially in embedded systems. The L4 microkernel has been running inside smartphone chips for years.

Professor Tanenbaum did the initial design and development of MINIX, a microkernel used primarily for teaching. He has helped guide it through the years as a small community around it has grown. Lately it has adopted much of the NetBSD userspace. The IME is a full operating system running inside x86 computers. It gets run before whatever system on the actual hard disk even starts booting.

  • (Score: 3, Interesting) by looorg on Sunday October 22 2017, @04:53PM (3 children)

    by looorg (578) on Sunday October 22 2017, @04:53PM (#585983)

    Will there be some general solution to disable this that won't involve soldering and voiding warranties? For more machines, not only Librem laptops, and motherboard manufacturers or are they all deep in the Intel pocket(s)?

    • (Score: 2) by Runaway1956 on Sunday October 22 2017, @05:06PM

      by Runaway1956 (2926) Subscriber Badge on Sunday October 22 2017, @05:06PM (#585988) Journal

      So - do you want a computer, or a prophet? Hell, I'll take a stab at prophesying. Yes, one day, everyone will be able to bypass Intel's management. At least within ten years after Intel has gone bankrupt, and some other corrupt investors have taken over for them. Of course, then you'll be wanting someone to bypass IntelRehydrated's new management engine.

    • (Score: 3, Interesting) by takyon on Sunday October 22 2017, @06:01PM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Sunday October 22 2017, @06:01PM (#585997) Journal

      Added related IME story from the 15th

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Informative) by Anonymous Coward on Sunday October 22 2017, @06:22PM

      by Anonymous Coward on Sunday October 22 2017, @06:22PM (#586002)

      There is MEcleaner https://github.com/corna/me_cleaner [github.com]
      I disabled Intel ME on my i5 7600k with a modded BIOS and flash.

  • (Score: -1, Flamebait) by Anonymous Coward on Sunday October 22 2017, @05:06PM (15 children)

    by Anonymous Coward on Sunday October 22 2017, @05:06PM (#585987)

    "Neutralize", "disable", "fighting", all vague marketing speak. Unless they explicitly disclose their method and a procedure to verify its efficacy, you would be better off spending the money on lottery tickets.

    • (Score: 4, Informative) by FatPhil on Sunday October 22 2017, @05:17PM (4 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday October 22 2017, @05:17PM (#585990) Homepage
      Alternatively, you could click a link or two and satisfy yourself rather than just rant and gibber:
      https://puri.sm/posts/deep-dive-into-intel-me-disablement/
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @05:24PM

        by Anonymous Coward on Sunday October 22 2017, @05:24PM (#585992)

        The link provides nothing specific/concrete, just more mush nonsense.

      • (Score: -1, Troll) by Ethanol-fueled on Sunday October 22 2017, @08:00PM (2 children)

        by Ethanol-fueled (2792) on Sunday October 22 2017, @08:00PM (#586034) Homepage

        Intel == Jews, and Jews have no loyalty to the nations subject to Jew infestations.

        • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @09:35PM

          by Anonymous Coward on Sunday October 22 2017, @09:35PM (#586061)

          Just stop with the stupidity already. We get it - you're not bright and you're okay with it. Please don't inflict your ignorance on the rest of us.

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @09:18AM

          by Anonymous Coward on Monday October 23 2017, @09:18AM (#586245)

          Don't be discouraged. Your freedom of speech is important, even if people disagree.

          OTOH you are right and you know it when people get all up in arms when you say something like that.

    • (Score: 0, Interesting) by Anonymous Coward on Sunday October 22 2017, @05:19PM (9 children)

      by Anonymous Coward on Sunday October 22 2017, @05:19PM (#585991)

      Agreed.

      Also, they have chosen Debian as the basis for their distro, which means it will include a huge, opaque systemd blob.

      No thanks!!!

      • (Score: 5, Informative) by Nerdfest on Sunday October 22 2017, @06:34PM (8 children)

        by Nerdfest (80) on Sunday October 22 2017, @06:34PM (#586005)

        systemd is not an opaque blob, just a bad implementation of a horrific architectural decision.

        • (Score: 1, Interesting) by Anonymous Coward on Sunday October 22 2017, @06:51PM (3 children)

          by Anonymous Coward on Sunday October 22 2017, @06:51PM (#586006)

          Pretty damn "opaque" if you are used to text logs.

          • (Score: 2) by Azuma Hazuki on Sunday October 22 2017, @07:54PM (1 child)

            by Azuma Hazuki (5086) on Sunday October 22 2017, @07:54PM (#586029) Journal

            On the other hand if Debian works, Devuan should also. I will always love Arch and Gentoo best but I've used Devuan and it's really good. It feels nice, less corporate and more techie.

            --
            I am "that girl" your mother warned you about...
            • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @04:20AM

              by Anonymous Coward on Monday October 23 2017, @04:20AM (#586167)

              Yeah. antiX is also based on Debian.
              It's been around since 2006.
              Never shipped with Lennart's crap by default.

              It's entirely possible to have a Debian-based distro without systemd.

              -- OriginalOwner_ [soylentnews.org]

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @07:40PM

            by Anonymous Coward on Monday October 23 2017, @07:40PM (#586513)

            you can have it output to normal text logs, you lazy fuck.

        • (Score: 3, Interesting) by https on Sunday October 22 2017, @08:21PM (3 children)

          by https (5248) on Sunday October 22 2017, @08:21PM (#586041) Journal

          Systemd originators have acknowledged that they won't make any didactic documentation available. Well, not literally said so, but actions are pretty loud. The only available docs are post-hoc by third parties, and you have to be careful of the dates on them because...

          They openly admit to having no fixed design.

          Can you tell me why I should waste any more than one minute studying something like that?

          --
          Offended and laughing about it.
          • (Score: 5, Insightful) by jmorris on Sunday October 22 2017, @09:30PM (2 children)

            by jmorris (4844) on Sunday October 22 2017, @09:30PM (#586059)

            No, that is old news. They did at least get the message about proper documentation. You don't have to follow Pottering's blog anymore to know how it works, there are manpages and stable webpages. Gotta give credit where due, if only from a purely selfish desire to make my objections to the concept informed ones. Because I don't care how documented it is, I don't even care if it eventually 'works' (for some value of works) because the idea is defective and abhorrent. I don't want Windows Service Manager ported in, even if Pottering's misfits manage to implement it better than Microsoft's code monkeys.

            • (Score: 2) by bart on Monday October 23 2017, @06:51PM

              by bart (2844) on Monday October 23 2017, @06:51PM (#586486)
              I very recently downloaded the systemd source code from github just to have a look, and am appalled by its lack of source code documentation.
              Hardly any of its files or functions or structs have any explanation whatsoever of their purpose. Something like doxygen, Redhat never heard of obviously.
            • (Score: 2) by gawdonblue on Tuesday October 24 2017, @06:46AM

              by gawdonblue (412) on Tuesday October 24 2017, @06:46AM (#586747)

              I fuckin' hate systemd. It's made two of my machines unbootable, or perhaps infinitely rebootable is a better description. Small issues that would have resulted in a meaningful error message and perhaps some reduced functionality under previous init systems now prevent the whole system from booting.

              For example, my laptop will boot from any non-systemd live CD but as soon as a systemd-infected distro is tried the whole thing goes into berserker mode.

              Poottering is either an idiot or is working for Microsoft. Systemd is fuckin shite and should be shoved up that stooge sideways.

              (Sorry about the swearing, but I've just learnt that my workplace is now using Microsoft's SAAS shit and has signed me up without asking me if I agree, including to the so-called privacy policy which gives MS carte-blanche. Fucking idiots.)

  • (Score: 2) by VLM on Sunday October 22 2017, @06:05PM (6 children)

    by VLM (445) on Sunday October 22 2017, @06:05PM (#586000)

    Some of the costs seem weird.

    I have ESXi hosts with 2TB SATA SSDs and I paid roughly "six hundred bucks" per SSD. Purism charges a mere $1199 or about 2x.

    The ESXi hosts are on kind of obscure supermicro hardware using unusual high speed ECC ram that painfully costs me a hair over three hundred bucks per 32 gig stick (and each ESXi host has multiple sticks... it adds up fast, thanks vcenter/vsan/nsx), but it's fast so I don't really care. This laptop place uses memory that's even more obscure, apparently, at $200 for 16 gigs so presumably 32 gigs would cost four hundred bucks.

    The irony of "protecting your digital life" is like most people everything I do is cloudy and "as a service" and network connected so I have a chromebook and I use the built in HTML5 chrome browser to talk to my own Apache Guacamole server to do RDP/VNC/SSH and I have somewhat inferior native apps on the chromebook. I am not entirely sure what I'd do with something that boils down to "a portable web browser with a raspberry pi duct taped to the back". I guess I could play modded minecraft on it and similar games, but I'm not really into paying $1599++++ just to portably play minecraft.

    • (Score: 2) by bzipitidoo on Sunday October 22 2017, @07:04PM (4 children)

      by bzipitidoo (4388) on Sunday October 22 2017, @07:04PM (#586008) Journal

      Yeah, a quick look had me thinking that Purism charges a high premium for their hardware. I'd like a PC without a potential backdoor, but not for that much more money. Perhaps an AMD Ryzen based laptop would be better, when AMD gets around to it? Yet I've heard AMD has backdoors of their own.

      Disabling the Management Engine is all very well, but perhaps a better way to handle this issue is put a firewall and packet sniffer and analyzer between the afflicted Intel PC and the Internet. Find out what the Management Engine's traffic looks like, and block it. Also, perhaps turn one into a honeypot, and see if Intel or the NSA or whoever can be caught red handed, spying on that PC.

      Meanwhile, I hope that being just another geek out of millions, that the sheer quantity of communication to look through, keeps most of us safe. There's always a chance any of us could be singled out, of course, but to monitor and intimidate us all seems like too big a job.

      • (Score: 1, Interesting) by Anonymous Coward on Sunday October 22 2017, @07:33PM (1 child)

        by Anonymous Coward on Sunday October 22 2017, @07:33PM (#586021)

        The 2 plus years Purism's laptop was running a bog standard AMI bios, even though they'd sworn it was going to be open source from top to bottom and developed as such.

        Purism is a scam pure and simple. It is FINALLY after a number of years (and like 4 generations of CPUs) living up to its hype and its kickstarter promises, but honestly, who would trust a company like this that doesn't seem to 'eat their own dogfood' as the saying goes.

        This is almost as bad as the linux foundation director using a MAC running OSX to run a presentation at a Linux Conference.

        Both should be fired out of a cannon and ridiculed from their current niche.

        • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @11:10PM

          by Anonymous Coward on Sunday October 22 2017, @11:10PM (#586090)

          I don't even think it was Purism that accomplished this, but their wording leads one to believe that it was.

      • (Score: 1, Interesting) by Anonymous Coward on Sunday October 22 2017, @09:32PM (1 child)

        by Anonymous Coward on Sunday October 22 2017, @09:32PM (#586060)

        Disabling the Management Engine is all very well, but perhaps a better way to handle this issue is put a firewall and packet sniffer and analyzer between the afflicted Intel PC and the Internet.

        Sadly SMM and AMT have their own mode instructions that aren't publicly documented and that could potentially* escalate from ring3 all the way down to ring-2 and -3 which are a single browser sandboxing exploit away from owning your box.

        Overall, working with Intel like Purism is the correct way to go about this. It's quite possible some processors have internal erratas calling for different disabling steps for rings -2 and -3 that, if not followed, could leave your system at risk. So, at the very least we really need Intel to confirm which processors are safe to disable ME on. Ideally, of course, Purism will manage to get Intel to produce a few CPUs with ME fused off the circuitry. It's still a relatively compromised position of trusting Intel to not blatantly lie to us. But otherwise there are modern techniques to sift through the available instructions ( https://www.youtube.com/watch?v=KrksBdWcZgQ [youtube.com] ) that we can run at hypervisor mode and, with a great degree of certainty, be sure there aren't too many surprises under the hood.

        Of course, an open source fixed width instruction set with exposed pipelines or fully documented branching that we can fuzz all possible instructions on and measure their execution times to know with absolute certainty there aren't any special backdoor in the CPU is the dream. But I fear it will take a while longer before we'll ever see something like that in the consumer markets.

        *Either due to a hardware bug or a bad software implementation due to a lack of proper documentations.

        • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @09:36PM

          by Anonymous Coward on Sunday October 22 2017, @09:36PM (#586064)

          p.s. I meant the consumer Desktop market... There are already a few such cores we can trust in the embedded and server world.

    • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @07:23PM

      by Anonymous Coward on Sunday October 22 2017, @07:23PM (#586016)

      From everything I've heard, minecraft is a bigger cpu hog, before including mods and addons and other items.

      That said, the VC4 in the Pi, while good enough to render some semi-modern games, just doesn't have the throughput required to run anything complex above 640x480 at an acceptable framerate. It is either 20 or 40GFlops of peak performance, which for reference is about the same performance as the AMD 760G chipset's Radeon HD3000(3100?) IGP, only with half to a quarter the memory bandwidth (depending on your AM2/3 cpu) and a simpler opcode set, reducing both features and real world peak performance.

      Having said that: Broadcom, via the VC4, at least until the VC5 comes out with the same sort of mandatory signing as AMD and Nvidia now have, is actually the MOST OPEN 'generally programmable' GPU hardware available today. The Vivante and Adreno aren't bad either, but given the difference in availability, the RPi/VC4 can be found in almost any electronics store today and there is almost complete firmware for initializing it openly. With Vega, AMD has closed that door in both the cpu and gpu, making the Pi actually the more open and potentially secure device. It may turn out NOT to be, but just based on the ability to change code if a security exploit IS ever detected, it is already much better.

  • (Score: 3, Interesting) by aiwarrior on Sunday October 22 2017, @07:56PM (1 child)

    by aiwarrior (1812) on Sunday October 22 2017, @07:56PM (#586030) Journal

    Has anybody thought of using U-BOOT for this kind of BIOS/UEFI stuff? It seems to be widely adopted in everything but Intel architectures and is extremely powerful and has lots of resources available.

    • (Score: 0) by Anonymous Coward on Monday October 23 2017, @12:58AM

      by Anonymous Coward on Monday October 23 2017, @12:58AM (#586105)

      Yes, u-boot doesn't cut it when nobody knows what the secret sauce required to initialize the platform, and not to mention, platform specific initialization code.
