Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Sunday January 15 2017, @12:21AM   Printer-friendly
from the where-there-is-a-will,-there-is-a-way dept.

In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:

Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.

Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.

Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.

Looks like I may not have to go ARM on my next desktop build after all.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Funny) by aristarchus on Sunday January 15 2017, @03:50AM

    by aristarchus (2645) on Sunday January 15 2017, @03:50AM (#453996) Journal

    AMD has their own version of this so why aren't we bashing on them as well?

    Good question! Because they don't? Or perhaps you could enlighten us all, in order to begin the AMD bashing. AMD is certainly how I have avoided processor serial numbers and multiplication mistakes and ME and all the other goodness that Intel has thrown at us over the decades.

    Starting Score:    1  point
    Moderation   0  
       Troll=1, Funny=1, Total=2
    Extra 'Funny' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 1, Informative) by Anonymous Coward on Sunday January 15 2017, @06:06AM

    by Anonymous Coward on Sunday January 15 2017, @06:06AM (#454023)

    AMD ship with Trustzone, starting in 2015 I believe. The software is 'Pro Control Center'. Not sure if it's only the high end CPUs or the whole line...

    http://techreport.com/news/29121/amd-goes-pro-with-trustzone-enabled-apus [techreport.com]

    http://www.amd.com/en-us/innovations/software-technologies/security [amd.com]

    • (Score: 4, Interesting) by The Mighty Buzzard on Sunday January 15 2017, @11:30AM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Sunday January 15 2017, @11:30AM (#454052) Homepage Journal

      As far as I've been able to dig up, it's the whole line produced after the Phenom II. I'll grant you I didn't dig all that hard though.

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Monday January 16 2017, @05:57PM

        by Anonymous Coward on Monday January 16 2017, @05:57PM (#454443)

        Fam 16h and above, and possibly not EVERY Fam 16h, but definitely all models in laptops or FM2+ desktop processors (Original Desktop FM2, AM3+ and below, and POSSIBLY AM1 don't contain the TrustZone variant. Some of the others may have the older LM32 variant in their southbridges however, which I am not fully versed on if it is signed or unsigned code necessary to operate it. There is a C3 presentation from the last couple years involving reserve engineering and exploiting of the LM32 variant, including running his own code, but not as I remember if it could be injected into a bios engine and booted 'natively'.)

        AM4 has the same TrustZone based implementation as the previous chips, meaning for anybody sane it is a non-starter compared to Intel. AMD's only two benefits over Intel the past could years had been ECC and lack of ME style DRM in the CPU/motherboard chipsets, and they have now eliminated BOTH of those advantages, outside of server chips for the ECC.

        Intel ME is now the 'better' of the two if you get 2 generation old processors or earlier. The TrustZone based kernel doesn't even allow the CPU to boot without being initialized first, and unless it gets proven otherwise, it is a single system image blob in the firmware, rather than a series of blobs like the Intel versions have been up until this point.

        The real solution at this point is open hardware. But every attempt at it so far lacks ambition. There are lots of small embedded CPU derivatives, including RISC-V and SuperH based, but none that have bothered to even implement an old (and out of patent!) memory subsystem, or seperate northbridge chip to handle interfacing with quantities of RAM so even a minimally useful desktop/notebook board could be produced. If I didn't know better I would almost think these projects were intentionally placed to make it seem like the economics necessary to produce a CPU ASIC aren't there, even though it has been managed for Bitcoin and a variety of niche processors for other markets (Including the Parallela 'supercomputer on a chip' processor, which got produced but never went beyond the dev board with FPGA interfacing and being slaved to a main processor.)

  • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @08:43AM

    by Anonymous Coward on Sunday January 15 2017, @08:43AM (#454041)

    They didn't chose the company name "intel" for no reason! Not like "Google", which they only chose because "Skynet" was already in use.