Why is the latest Intel hardware unsupported in libreboot? (2017) (libreboot.org)
187 points by kostko on May 3, 2020 | 124 comments



Scrolling up they recommend avoiding Purism hardware because

> In particular, the Intel Management Engine is a severe threat to privacy and security, not to mention freedom, since it is a remote backdoor that provides Intel remote access to a computer where it is present.

However, the Intel ME has been disabled in Purism hardware since 2017.

https://puri.sm/posts/purism-librem-laptops-completely-disab...


Pretty sure that write up was done around 2009


Just to clarify and save anyone else from the ambiguity - it looks like TFA should be tagged [2009], while the parent's link from Purism is more recent (2017).



...which was written in 2015, so also outdated.


Since Intel/AMD also designs the processor they can also put in backdoors beyond ME, microcode updates, etc. If you don’t trust proprietary blobs, I respect that. But you can’t trust proprietary silicon either.



Defense in depth fails when the attacker has unrestricted access to the core of your defense infrastructure.


Yeah, microcode updates are proprietary software too. The weird result is that if you want a system with no proprietary software, you end up having to use the original microcode which is burned onto the chip and counts as hardware.

It's not a perfect solution but maybe it's a reasonable place to draw the line, until we have open source hardware processors using RISC-V or something.


Then you have to accept all the bugs with the original...


...and that a backdoor wasn't written into the original microcode, or that a state-sponsored actor didn't intercept during shipping...


By now, it's probably reasonable to assume that NSA, GCHQ, the FSB, the Third Department, and Mossad can all use that backdoor.


It's probably reasonable to assume that half the attendees at DEFCON can use that backdoor. There are several known vulnerabilities listed in the linked Wikipedia article which have to be patched with a firmware update that some OEMs didn't bother to provide and most users didn't bother to install.


I wonder if they have to take turns on my PC. Maybe they kick each other off for a laugh.


mom says it's my turn on the RAT


Really? I am curious to know what observations or evidence you base your arguments/predictions on? Do you believe they have an (even better than 'post-Snowden leaks') search-engine like PRISM, but for private networks all around the world?

Could a user tell it's happening? What signals would indicate this? Is it increased CPU usage disguised as a system process?

And are you talking about mainstream proprietary OS'es like MacOS and Windows? I already know a little about Intel ME and proprietary silicon, but I don't know where to find a proper analysis, or a blog or book that deep dives into the ramifications of the existence of these backdoors.

It seems to also not be in the mainstream consciousness just how serious it could be?


> Could a user tell it's happening? What signals would indicate this? Is it increased CPU usage disguised as a system process?

Intel AMT allows redirecting graphics output and keyboard/mouse/USB input over network connection. It's like a hardware device connected to HDMI port to capture screen and to USB ports to send inputs, but it's built right into the motherboard. It doesn't spawn a process in the operating system or use resources to any meaningful degree. The OS knows about AMT only what the hardware tells it, if anything at all.

Unlike software-based remote desktop solutions (VNC, TeamViewer), it's independent from the operating system. As long as the system is connected to power, AMT can run. You can log into a fully shut down computer, power it on and see boot logos and access BIOS before the OS even begins to load. You can use AMT to install an operating system on a PC with a completely empty hard drive by virtually attaching a CD/DVD or USB install media.

It's an extremely powerful management interface, but it's closed-source and has a history of serious security flaws.


Occasionally all these features would be quite useful if it was documented and accessible for mere mortals.


It is documented and accessible. Not to the extent many people want, but enough to use it. If your CPU and motherboard combination supports remote management, you can usually turn it on by pressing Control+P during boot (launches configuration screen; see motherboard's manual if it doesn't) and then use freely available software like Manageability Commander from Intel's site to manage the PC.

Mandatory disclaimer: it's highly recommended to keep the network port with active management interface isolated in a separate network with no internet access.


Go play with Mesh Commander....


It would be a really good idea to have something on your corporate network listening for management engine traffic.
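The AMT description a few comments up and the suggestion here to listen for management-engine traffic, as an added example (not code from the thread, from Intel or from Libreboot): it scans flow records for the TCP ports AMT's web, WS-Management and redirection services listen on (623/664 for ASF/RMCP, 16992-16995 for the AMT web server and SOL/IDE-R/KVM redirection) and recognises the AMT web server by its Server header. The port numbers are Intel's registered ones; the flow records, the banner string and the record format are constructed for the demo, so adapt `FLOW_RE` to whatever your sensor actually emits.

```python
"""Spot Intel AMT management traffic in flow records and HTTP banners.

Added example, not code from the thread or from Intel/Libreboot. The flow
records and the HTTP response below are constructed for the demo; the port
numbers are the ones AMT's management and redirection services listen on.
"""
import re
from collections import defaultdict

# TCP ports used by Intel AMT / ASF remote management.
AMT_PORTS = {
    623:   "ASF/RMCP (unencrypted)",
    664:   "ASF/RMCP secure",
    16992: "AMT web UI / WS-Management over HTTP (unencrypted)",
    16993: "AMT web UI / WS-Management over HTTPS",
    16994: "AMT redirection: Serial-over-LAN / IDE-R / KVM (unencrypted)",
    16995: "AMT redirection over TLS",
}

# Constructed flow-record format: "<timestamp> <src>:<sport> -> <dst>:<dport> tcp <flags>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+tcp"
)


def parse_flow(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_amt_flows(lines):
    """Return {dst_ip: {port: description}} for every flow that hit an AMT port."""
    hits = defaultdict(dict)
    for line in lines:
        f = parse_flow(line)
        if f and f["dport"] in AMT_PORTS:
            hits[f["dst"]][f["dport"]] = AMT_PORTS[f["dport"]]
    return dict(hits)


def plaintext_exposure(hits):
    """Hosts reached on an unencrypted AMT port: the worst case on a routed network."""
    clear = {623, 16992, 16994}
    return sorted(ip for ip, ports in hits.items() if clear & set(ports))


def amt_banner(http_response):
    """Return the Server header value if the response came from the AMT web server, else None."""
    for line in http_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server" and "active management technology" in value.lower():
            return value.strip()
    return None


# Constructed sample data: one host hit on two clear-text AMT ports, one on HTTPS only,
# one on plain RMCP, one ordinary HTTPS flow, and a malformed line.
SAMPLE_FLOWS = [
    "2020-05-03T10:00:01Z 10.0.1.20:51234 -> 10.0.1.77:16992 tcp SYN",
    "2020-05-03T10:00:02Z 10.0.1.20:51235 -> 10.0.1.77:16994 tcp SYN",
    "2020-05-03T10:00:03Z 10.0.1.21:40000 -> 10.0.1.78:16993 tcp SYN",
    "2020-05-03T10:00:04Z 10.0.1.22:40001 -> 10.0.1.79:443 tcp SYN",
    "2020-05-03T10:00:05Z 10.0.1.23:40002 -> 10.0.1.80:623 tcp SYN",
    "not a flow record",
]
# Constructed response; the version number is made up for the demo.
SAMPLE_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Intel(R) Active Management Technology 11.8.50\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    hits = find_amt_flows(SAMPLE_FLOWS)
    for ip, ports in sorted(hits.items()):
        for port, what in sorted(ports.items()):
            print(f"{ip}:{port}  {what}")
    print("clear-text management exposure:", plaintext_exposure(hits))
    print("banner:", amt_banner(SAMPLE_BANNER))
```

Treat any hit on 16992 or 16994 from a host that is not your management station as an incident, not a curiosity: those services carry the KVM and IDE-R redirection described above, and they work with the OS powered off. The port list is the cheap first pass; a banner grab on 16992/16993 confirms it is really AMT and not some other service squatting on the port.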


Thank you for answering my questions, really insightful!


The mere fact that you would expect a system process or anything else visible to the operating system, indicates that you haven't read much about Intel ME :/


I agree with @thulecitizen here, in that his questions were not met constructively. You could have posted a few words and a link or 2 for a newbie.


> indicates that you haven't read much about Intel ME :/

I wrote in my comment:

> I already know a little about Intel ME and proprietary silicon

So yes this is true, I know only 'a little'. I have only understood that it is a small proprietary OS running underneath the user's OS. I guess from your comment I learned now that this means it is something you can only get at with a diagnostic tool, and it is outside the control of the user's operating system.

Yes I do not have a CS degree, and I am not a classically trained SWE. Instead I am a self-taught web app developer, with mainly skills in web apps, and not much knowledge yet around OS'es and computing hardware. Yet I am curious to go deeper into Intel ME, since its existence and the consequences of that do affect me (since I have an intel chip in my computer), hence my questions.

You write:

> The mere fact that

This sounds like you're not willing to step into a teaching role or share your insights. Do you think it is beneath you to answer questions? It sounds like you want to shame me for my technical incompetence in this area. Is this accurate? If yes, I would like to request that you please not reply to my posts, unless you answer my question authentically and with basic respect/kindness.

I wish HN was friendlier to beginners, or people willing to ask 'stupid' or 'naive' questions and who have a beginners mindset.


> I have only understood that it is a small proprietary OS running underneath the user's OS.

It's not running underneath the user's OS. Both Intel ME and AMD's equivalent run on a completely separate processor; think of it as a small CPU hidden next to the main CPU. This means that, for instance, "increased CPU usage" will not happen.


> a completely separate processor; think of it as a small CPU hidden next to the main CPU

Damn that seems a sneaky strategy by Intel, especially since they retain the master key. So are all these big chipset manufacturers selling chips with this massive backdoor that not many people know about? Scary stuff.

Thank you for sharing this! If you know of any beginner-friendly sources on this, I'd be grateful to see those.

Do non-US based chipmakers like Samsung have similar systems in their chips?


Usually, snarky remarks like "really?" mean that all venues for learning are excluded. Why would someone step in to teach in this case?


> Usually, snarky remarks like "really?" mean that all venues for learning are excluded. Why would someone step in to teach in this case?

Text does not translate intention well... It was a 'really?' filled with curiosity, and an eagerness to try to understand what the original poster was basing his statements on (that the NSA and others can all use this backdoor). I feel that there is within me an eagerness to learn more. It was not meant as a snarky comment at all. Thanks for telling me how my comment came across to you! (not snarky again.)


Libreboot is making a strong case for using open firmware in systems, yet it supports only a limited set of mostly outdated system boards. Isn't that a sign that it failed? After so many years?

Don't get me wrong, I definitely support the idea of open firmware and I would gladly adopt libreboot and replace any BIOS firmware on all of my systems. But, not a single system (Intel ME in all of them) is supported. I could donate some of my systems, and money, but how would that help? 20 years of efforts (including the efforts of coreboot) don't seem to have generated any adoption rate. Or is there some info I didn't get?


In order for libreboot or coreboot to support a system, that system must be almost entirely reverse engineered. As Intel shoved more and more functionality into ME, they also ramped up how aggressively they protected those parts of the system. There is significant crypto involved at this point, and Intel considers almost every component a trade secret to be fiercely protected. It's almost impossible to get access to this information, even under NDA, even as a hardware manufacturer (i.e. system OEMs).

It's not for lack of trying; the lack of adoption is because Intel is actively hostile to efforts like these and they hold all the cards.


> Or is there some info I didn't get?

You did read the linked article about how the Intel ME essentially makes an open firmware impossible unless/until Intel decides to help us out, right?


Did ARM fail because there are still billions of 8052 around? Did 8052 fail because there are now billions of ARM devices?


The problem is that the solution is political, not commercial. In terms of political process the "just leave it to us, we'll look after you" argument is winning.


You didn't read the reasoning linked, did you?


After all this time, I'm still trying to work out what is in it for Intel and AMD to force these technologies into their chips with no supported option to disable them and then to be so secretive about what they're doing and exactly who has access to what. I'm not generally one for crazy conspiracy theories, but I have to wonder what is going on behind closed doors that this is still being done by both of the two big PC CPU manufacturers despite all the negative press over the years and why national information security agencies haven't made more of a fuss about it.


It’s not a “crazy conspiracy theory” to suggest that intelligence agencies pressure private industry to help them out. Just look at PRISM or Crypto AG. If Intel or AMD tried to refuse they’d be blacklisted for government contracts like Qwest, or worse: think about the CIA spying on Congress scandal.

Maybe once the Chinese or some other adversary get caught using this backdoor to steal secrets, or decide to brick a few million systems remotely, just maybe then security will be considered over spyability.


Negative press is still likely too small to register on business radar. They might be heavily lobbied by movie industries, as they need these features for DRM.


AMD's in a similar boat, if you scroll a bit further down too :(


Yea, that was disappointing indeed. After reading the first several paragraphs, I was hoping that the answer would be get an AMD processor instead of Intel, but nope.

I hope that in the future some manufacturer(s) start making fully open source verifiably secure RISC-V (or ARM) processors, and that we have a migration over to that.


Another candidate for this is OpenPOWER


OpenPOWER/POWER9.


Feel free to call it a conspiracy theory, but I firmly believe the IME/PSP is an operation by one of those three letters.

Intel Management Engine is abbreviated as IME, and AMD Platform Security Processor is abbreviated as PSP. Those are each the same abbreviation as Input Method Editor, a mandatory keyboard input layer for East Asian languages, and PlayStation Portable, Sony’s game console whose cryptographic security was famously hacked, by the way.

That can’t be coincidence. Those are names intentionally chosen to make technical information hard to search for.

So a “clean” CPU can only be built outside of the sphere of influence of whichever agency manages IME/PSP, and of course it has to be free from its Red counterparts as well. I don’t think that will happen naturally.


Ok, I'll bite. I call it (the chosen names) a conspiracy theory. I'll explain.

Search for "intel me" or "amd psp" or "ime psp" and you will find what you're looking for. If you're reading about it or hearing about it you will most likely also know the brand or the company behind it. If you're searching for psp and only find Sony stuff then of course you will repeat your query with more context. Is that not the first thing you will learn when you google something?

More importantly, they could have chosen much better words/abbreviations for not being "googleable". But they didn't because the IME/PSP is also something they sell to enterprise customers and very openly so.

Don't get me wrong. I'm still skeptical if those features are needed on consumer hardware and of the intentions behind it but the name being intentionally hard to search for is not something I'm worried about.


Show me any three-letter acronym that doesn't have multiple meanings already attached to it.


https://en.wikipedia.org/wiki/Wikipedia:List_of_TLA_disambig... BEZ, CJK, DXF, IEQ, IXH, JGZ, QFP, QTH, SJX, SXA, XPX, XVF and some more.


> That can't be coincidence

Yes it can.


This is conspiracy theory level stuff


Reading this always makes me sad. It's like computing got utterly corrupted post-2008 and there's yet to be a fix.

The tragedy of all this is that a 2008 laptop should be more than enough for today's needs if web development wasn't greedy and was resource aware.


There are modern alternative systems with an open firmware stack, for example the Talos II running Power9. Granted, it is not available as a cheap, slick and slim power efficient laptop, but it is real, only twice as expensive and very capable. https://en.m.wikipedia.org/wiki/POWER9

See performance benchmarks in comparison with AMD/Intel at: https://www.phoronix.com/scan.php?page=article&item=power9-t... https://www.phoronix.com/scan.php?page=article&item=power9-t...


There's also the Blackbird which is even more affordable - https://raptorcs.com/content/BK1B01/intro.html. It's still sadly more than I could justify spending - for my non-portable needs I use a ~5 year old Intel NUC which was cheap as chips and still going strong. But if that ever changes a Talos POWER-based system is at top of my list.

The Talos guys pop up in the comments on HN now and then and they're very pleasant.


> https://raptorcs.com/content/BK1B01/intro.html

That motherboard + cpu bundle costs $1732 (plus shipping, I guess).

I mean... Okay, it's super cool, but... I doubt that most people can afford that.


What I was saying was it’s more affordable than the Talos II mentioned earlier in this thread. I agree that it’s not exactly cheap, but I don’t think it’s for everyone.


> It's like computing got utterly corrupted post-2008 and there's yet to be a fix.

The ironic thing is that OP's posted article was news from 2009. Now, a decade later, we almost expect another total Intel CPU failure every year due to all the problems the architecture had while still promising sandboxed security.

But, as with all self-claimed "secure systems": if there's no audit, it cannot be seen as insecure. Security through obscurity is pretty much the definition of how the hardware sector protects their IP these days.

And, of course, RISC V will be the solution. But honestly, I stopped believing in it years ago. As long as there's no computer system available in the same price range as the market leaders (aka Intel and AMD), you can forget about it.


I think the market for enthusiast machines shrinking might just help make the case for lower but still meaningful volume of RISC-V machines. That said, I do think it’s unclear how there would ever be a pathway for them to go from hobbyist machines to competing with AMD and Intel.


RISC-V has found a niche in anything embedded that needs some decent performance, especially in storage and networking. With a little imagination you can see some products there merge with other functionalities and take over larger markets, e.g. a NAS product line incorporating smart home and smart speaker functionality, evolving into 'home box' systems.


I would be willing to overpay a fair bit for NAS and other network equipment running open source hardware and software from the ground up. That’s an application of RISC-V I truly believe in.

Still, looking at the struggle ARM has had in spite of its ubiquity in even now fairly high performance devices, I will probably remain skeptical, for now, about such a transition. We have ARM NASes, routers, even competent servers! And yet... no real desktop towers. (At least a few exist, but I am thus far unable to find any that are sold B2C retail or even second hand that look enticing.)


System76 sells coreboot and ME-disabled computers at quite a mark-up. Yay free market.


coreboot utilizes binary blobs though


Post-June-2007, but yeah I guess that would round up:

https://en.m.wikipedia.org/wiki/IPhone_(1st_generation)


Can we please change the title: s/latest Intel/post-2008 Intel/

otherwise it is clickbaity.


This is really sad. I am sure hundreds of hours were spent on this project which now essentially does nothing.

Does this mean all free software advocates are stuck on archaic pre 2010 hardware?


Pre-2010 hardware is not archaic. I would argue that there was very little progress since 2010.


really? Which laptops from 2010 have 13-15 hours of battery life?

Which consumer/workstation computer from 2010 feature 32-64 cores?

How much RAM could you put into such machines? etc.


I wouldn't necessarily agree with "very little progress", but:

Thinkpad X220 is from 2011, but was far from alone in reaching such battery life (it's just the one I have first-hand experience with). Workstation laptops from the time (e.g. Thinkpad W510) can take 32 GB, just as most laptops today, and thus remained viable machines for a long time. Many-core systems are more possible today, but also far from the standard. 4-8 cores is still the default.


We'd also want to compare apples with apples. The X200 (libreboot certified) has a maximum battery life (idle test) of 8.15 hours, while the past generation X1 has a battery life of over 24h in the same test. When it comes to normal (wifi) usage, the current X1 has about 10h, while the X200 has a bit more than 3.5h of battery life. Keep in mind that the X1 is faster, less bulky, weighs less and probably has a much, much better screen.

Today, you get the power of a W510 in a much smaller package (compare a current Gigabyte Aero 15 to a W510, say). Even a P1 (X1 chassis) outperforms the W510 by every metric, and is downright tiny in comparison. Now, a current P53 features 16GB of RAM.. on its GPU! It can take 128GB of faster RAM total.

But considering Intel itself - yes, more progress could have been had (and it'll come via AMD). Nevertheless, the P53 processor is more than three times faster in benchmarks compared to the W510. It's bound to be more extreme in desktops.

Most importantly, however, is the fact that the libreboot certified laptops are largely sold out (except the X200's) according to the certification website. In any case, they eventually will be.

So I feel that my point still stands. With all due respect to the FS people, the critique of all alternatives (Purism, System76) may be valid. But their approach amounts to simply not using a performant and portable machine, or eventually no laptop at all.


I wonder if Right to Repair legislation would help us with this.


This has nothing to do with repair because the product is not broken by any meaningful definition of the word "broken". It's just ill-designed from a certain POV.


In the context of the proposed laws, does it have to be already broken for it to be considered repairable?

Personally I'd rather not see the law as a bludgeon aimed at Intel's head but rather as a protocol or platform for communication about this issue. For example, if they released their overclockable CPUs with an individual encryption key for the ME, putting the end-users' interests first, I might be interested in being their customer once again. Right now I have a 2500k SandyBridge and no reason at all to upgrade, and certainly not with an Intel device.


It would be nice if all these Intel engineers that comment on all kinds of social and technological issues also commented on these topics regarding their company. Last time that I asked one of them if there is any plan to let us disable ME or make it foss I got no reply.


Did I misunderstand or didn't someone find a way to neuter and/or disable Intel ME by setting the NSA High Assurance bit?


I think it only works for older versions of IME.


> One module is the operating system kernel, which is based on a proprietary real-time operating system (RTOS) kernel called “ThreadX”. The developer, Express Logic, sells licenses and source code for ThreadX. Customers such as Intel are forbidden from disclosing or sublicensing the ThreadX source code.

Now that Microsoft has acquired Express Project [0], I wonder if those terms will change, especially since they're trying to compete in IoT against Amazon (who acquired FreeRTOS). Of course, this is a relatively small issue compared to the rest highlighted in the post though.

[0] https://blogs.microsoft.com/blog/2019/04/18/microsoft-acquir...


Asking someone who took their last (undergraduate) architecture course more than a decade ago: Is it possible to design a motherboard that will shield the user against Intel ME / AMD PSP-induced shadiness? Would it be possible to do this without performance impact?


Probably something like this should help: https://blog.invisiblethings.org/papers/2015/state_harmful.p...


I heard someone from Purism talk about designing their own mainboard against ME, but it seems like they found a better and more complete solution by now which uses Coreboot:

https://news.ycombinator.com/item?id=15510428


Are these side-channel based management technologies turned on even on MacBook laptops?


That is a great question. I would assume that they are because the Intel management technology is currently built in to ALL Intel chips for the past 10 years. It may be a good thing that Apple is looking at building their own ARM based Macs.


> What can I use, then?

> Libreboot has support for fam15h AMD hardware (~2012 gen) and some older Intel platforms like Napa, Montevina, Eagle Lake, Lakeport (2004-2006). We also have support for some ARM chipsets (rk3288). On the Intel side, we’re also interested in some of the chipsets that use Atom CPUs (rebranded from older chipsets, mostly using ich7-based southbridges).

This is why I still run Intel hardware, even with the ME. A truly free computing platform seems to be incompatible with high performance modern chips at the moment.


Hypothetical: The keys are available one way or another, now anyone can sign firmware.

... Is this even worse?

Sure we can get our SPI programmers out and be sure what's on there, but what about the 99% of all other users who are now exposed not only to Intel's potential abuse of ME, but to all vendors and anyone who intercepts devices. I obviously don't like IME/PSP but perhaps the only safe option is to push for removal, not opening.


The best option is UI for users to add their own keys.


So what are system76 & purism computers missing with their coreboot systems compared to the list of problems in this page?


Libreboot is blob-free.


This is why I have an Apple Powermac G5 or two stored in my basement. These run entirely free of that backdoor.


How does it help that they're in your basement? Are you using them for anything? If not, when will you know to switch to them?

What's the threat model and what would be your signal to go start using them and abandoning your presumably more modern system, and how would you keep the software on them secure? Will you use Gentoo, given that Debian has dropped PPC?


Threat model? Uhm. I think you're asking me something a bit too parameterized, as I don't get your question. I will begin using them permanently if we get even more scandals. Also, they are there as a fallback, but precisely for this purpose: to protect myself against backdoored CPU architectures.

Ubuntu 16.04 works perfectly. They are set up and ready to use.

I have Python 3.x and all other major packages ready for me to be productive with.




missing a linux-libre package


Can you build a modern browser to run on PPC? Say, latest fully patched firefox? Because using the browser that comes with Ubuntu 16.04 is not an option, security wise.


For Mac OS X 10.5.8 on PowerPC, there is even a specific G5 binary ...

http://www.floodgap.com/software/tenfourfox/

Otherwise for Linux on PowerPC, you can build a modern browser. There are also pre-built binaries:

https://forums.macrumors.com/threads/arctic-fox-web-browser-...


> Traffic is encrypted using SSL/TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities.

I'm not sure this is a valid criticism...wouldn't we be more worried if they were using anything else instead?


No SSL => MITMer can definitely read your traffic trivially.

Broken SSL => MITMer can possibly negotiate insecure and read your traffic anyway. MITMer can also possibly cause a denial-of-service, or get arbitrary code execution on that one chip that controls your entire CPU.

If I had to choose, I would take the first option.

(This precludes options like removing the IME entirely, or updating it to a version with non-broken SSL.)


I'm coming from a place of good faith here so bear with me. My understanding is that any vulnerability here would also exist in accessing any HTTPS website. I'm assuming you wouldn't choose to browse the web without SSL/TLS, so I'm assuming the difference here is that it's the CPU management chip instead of your browser?

I suppose that if you broke SSL/TLS you could commandeer arbitrary AWS/GCP/Azure instances.

For that matter, do you trust SSL/TLS significantly less than SSH?

I guess I'm still having trouble wrapping my head around the idea of not using SSL/TLS.


My browser is sandboxed. The worst it can do is ransomware my files – and the Tor Browser can't even do that thanks to the AppArmor rules. (If I set my machine up properly, it wouldn't even be able to ransomware my files.)

The CPU management chip can ransomware my files while the computer is "off", corrupt my backups as I load them, steal my passwords, steal my bank details, dynamically modify the traffic to make it look like my bank balance hasn't gone down


Nitpick: Remote code execution is breaking a TLS implementation (eg. openssl), not breaking TLS itself.

> so I'm assuming the difference here is that it's the CPU management chip instead of your browser?

Yes.

If a vulnerability is found in a SSL/TLS implementation, it can be fixed with a software update.

I don't know how Intel ME works, but I'm guessing it is harder to update than a browser.

> For that matter, do you trust SSL/TLS significantly less than SSH?

I'm not the GP, but I'm guessing they do. TLS solves a more complex problem than SSH, as SSH assumes the user validates a server's public key manually (even though they usually don't, but TOFU [1] makes it somewhat harder to exploit), whereas a TLS server's key can change at any time.

[1] https://en.wikipedia.org/wiki/Trust_on_first_use


There is no specific TLS flaw. The TLS spec is very complicated, so it's difficult to make a library that implements it without bugs. Insofar as TLS implementations have bugs, the TLS implementation in my browser can be updated to fix those bugs. The TLS implementation in my IME cannot.


Not if the "anything else" was for this part of the system to not exist and/or not have any network access.


I'll preface this question with the disclaimer that I'm a true believer in the mission of Coreboot/Libreboot. Playing devil's advocate, if Intel were to release the signing key for the ME, or Intel Boot Guard, wouldn't this increase the likelihood of a malicious vendor preinstalling a rootkit in hardware that uses Intel CPUs?

To answer in advance regarding the likelihood of this happening. There's already been enough instances of various hardware vendors using very nefarious means to extend the capabilities of their devices and peripheral device drivers. Also, what reason do we have to assume that Google's own interest in this area is any more trustworthy? I suppose it's a moot point for many whether or not google can get rootkit level access to people's devices when so many people are using Android.

Of course, I consider the presence of the ME to inherently constitute a rootkit for alphabet-soup US government agencies and the Mossad already.


Any big corporation with security competence is going to seriously care about the security of their corporate and production fleet; the stakes for securing systems only ever increases over time, and threats are only getting more sophisticated. So you don’t necessarily need to believe in the altruism of a corporation to see why their interest in secure computing at lower levels of the stack may actually line up with user’s interests more or less.

But honestly, the best argument here is don’t trust anyone; In theory anyone can inspect the source code and binaries for Corebooted devices. It’s not perfect and there’s obviously cases where you can never be 100% sure there’s no tricks, but IMO it’s still a lot better than the alternative of having roughly the same drawbacks but no visibility.

I’m not sure where this fits in in the grand scheme of things though, because in all honesty trust in computing seems like it’s an unending rabbit hole ripe for abuse. Intel ME may even have been born with genuinely good intentions, but I do think its secretive, black-box nature is the absolute worst part of it all.

(Obligatory disclaimer, I work for Google, all of these opinions are just my personal opinions.)


> ...you don’t necessarily need to believe in the altruism of a corporation to see why their interest in secure computing at lower levels of the stack may actually line up with user’s interests more or less.

Of course. We're not talking about just any corporation here though, not even just any hardware manufacturer. You're right that security is in everyone's interests. My mentioning Google is referencing a company whose business consists of collecting and marketing information on their users. I think this changes the risk profile somewhat.

> ...In theory anyone can inspect the source code and binaries for Corebooted devices...

Pardon me if there's a big hole in my understanding of firmware RE, but in reference to the Coreboot'ed Chromebooks, it sounds like this should read "anyone can inspect the source code and binaries of Coreboot". We still have to take at face value what firmware is actually installed on a device. I don't mean to sound nitpicky or mean, I just think that Google's motivations warrant extra scrutiny. I agree with your sentiments overall.

> ...Intel ME may even have been born with genuinely good intentions...

This might be the case, but the way Intel has treated the topic could not possibly foster any kind of trust with its user-base. Also, these features offer extremely little to the average user. I'd like to be corrected on this if I'm wrong, what does Intel ME actually do for a user like myself? Surely it would lower costs in a non-trivial way to just remove it for non-corporate customers if the intentions were even the least bit genuine.


Is Google at risk because of this? I have consolidated all my private stuff to only Google instead of spreading it all over FB, MS, Apple, and other vendors.


At risk because of Intel ME/integrity based attacks? I simply don’t know. I assume the risk is managed some way or another, probably a lot with network security. I personally was more bothered by CPU vulnerabilities, and there’s also the looming threat of DRAM vulnerabilities, but for now it seems like almost anything can be effectively mitigated at some cost.


> There's already been enough instances of various hardware vendors using very nefarious means to extend the capabilities of their devices and peripheral device drivers.

Sadly enough I think this is a good point. You could say it's the same as saying closed source software and operating systems would be better for that reason, which I wouldn't agree with at all, but this would feel somewhat different.

You would have to force GPL-like sharing of modified firmware, but it seems much more involved to verify this on a vendor-to-vendor basis than, say, finding that Lenovo ships some nefarious Windows software preinstalled. As an enthusiast you can just reflash after purchase to be sure, but the average consumer might suffer.

It sucks but the only real solution I see is to just remove these things altogether again.


> wouldn't this increase the likelihood of a malicious vendor preinstalling a rootkit?

Vendors already fuse their keys using Boot Guard. So if they want to install rootkits, they can do that now. Lenovo already did that with Superfish. Boot Guard doesn't make any assurances about the quality of the BIOS. It just says to the consumer that this machine's BIOS came from the vendor. Sort of like the HTTPS padlock.

I think what you mean to ask is how we could ensure the integrity of the boot flow up to the OS without Boot Guard. It can be done higher up in the stack. Chromebooks do it pretty well. There are other projects like Heads that do it as well. Your chain of trust needs to extend into the OS for it to be meaningful.
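A toy model of the point made in the comment above (that a chain of trust has to extend into the OS to be meaningful), written as an added example for this thread rather than code from Coreboot, Heads or any vendor. It simulates TPM-style measured boot: each stage extends a PCR-like register with the digest of the next stage, and a verifier compares the final value against a golden value recorded from a known-good system. The stage "images", stage names and the tampered kernel are constructed sample bytes; the extend formula follows the TPM pattern (new = H(old || H(image))) but is not tied to any real TPM or firmware.

```python
"""Toy measured-boot chain of trust (added example, not from the thread).

Each boot stage "measures" the next one before handing over control by
extending a PCR-like register: PCR = SHA256(PCR || SHA256(stage_image)).
A verifier holding the golden PCR value of a trusted configuration can then
tell whether anything inside the measured part of the chain changed.
If the chain stops at the firmware, a tampered kernel is never measured
and therefore never noticed; extending the chain into the OS fixes that.
All stage images below are constructed sample bytes, not real firmware.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, stage_image: bytes) -> bytes:
    """TPM-style extend: the new value binds the old value and the stage digest."""
    return sha256(pcr + sha256(stage_image))


def measure_chain(stages: List[Tuple[str, bytes]]) -> bytes:
    """Walk the boot chain, each stage measuring the next; return the final PCR."""
    pcr = b"\x00" * 32  # PCRs start zeroed at reset
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr


def chain_matches(stages: List[Tuple[str, bytes]], golden: bytes) -> bool:
    """True if the measured chain equals the enrolled golden value."""
    return measure_chain(stages) == golden


# Constructed sample "images" for each stage of a hypothetical boot flow.
GOOD_IMAGES: Dict[str, bytes] = {
    "bootblock": b"bootblock v1 (constructed)",
    "coreboot": b"coreboot romstage+ramstage (constructed)",
    "payload": b"payload / bootloader (constructed)",
    "kernel": b"vmlinuz-trusted (constructed)",
    "initrd": b"initrd-trusted (constructed)",
}
FIRMWARE_ONLY = ["bootblock", "coreboot", "payload"]
FULL_CHAIN = FIRMWARE_ONLY + ["kernel", "initrd"]


def build(order: List[str], images: Dict[str, bytes]) -> List[Tuple[str, bytes]]:
    return [(name, images[name]) for name in order]


def demo() -> Tuple[bool, bool]:
    """Return (firmware_only_detects, full_chain_detects) for a swapped kernel."""
    # Golden values recorded from a known-good system at enrolment time.
    golden_fw = measure_chain(build(FIRMWARE_ONLY, GOOD_IMAGES))
    golden_full = measure_chain(build(FULL_CHAIN, GOOD_IMAGES))

    # Scenario: the kernel on disk is replaced, firmware left untouched.
    tampered = dict(GOOD_IMAGES, kernel=b"vmlinuz-modified (constructed)")

    fw_only_detects = not chain_matches(build(FIRMWARE_ONLY, tampered), golden_fw)
    full_detects = not chain_matches(build(FULL_CHAIN, tampered), golden_full)
    return fw_only_detects, full_detects


if __name__ == "__main__":
    fw, full = demo()
    print("firmware-only chain notices the kernel change:", fw)    # False
    print("chain extended into the OS notices it:       ", full)  # True
```

The golden values stand in for whatever the real verifier holds (a sealed secret, an attestation quote, or a Heads-style TOTP); the design point is only that the measurement must cover every stage up to the OS, and that extend order matters, so a stage cannot be silently reordered or skipped.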


The points you make in your post are very valid. My post was made in the context of the Intel ME's wide range of invasive capabilities. If your purpose was to perform surveillance on your customers, the ME would grant you even more reach than BIOS firmware would. You've already addressed the fact that users need to trust the quality of their firmware at face value. This is hard enough already, let alone with hardware vendors being able to access the ME.

Just to clarify (as if I haven't clarified this enough), I'm in favor of Intel releasing the keys.


The ask is not to allow users to install firmware with the vendor's key but with their own key.


Sure. This would seem to imply hardware vendors having prior access to the ME. The vast majority of users don't flash their BIOS with custom firmware, simply using whatever firmware the vendors give them. Users having the ability to install their own firmware would mitigate this risk, at the expense of a riskier overall ecosystem.


What about SBCs? AFAIK, they wouldn't be subject to any of this and since Intel and AMD are doomed, wouldn't something like a PineBook Pro or RPi make for a secure, yet affordable, solution?


Perhaps I need more coffee, but I can't tell if there is sarcasm in this or not.


Wasn't being sarcastic. Assuming your workload can support the hardware, why isn't this a viable alternative? I could do ~99% of my job with one. People below are asking about affordable ways around this and it made me think of this.


What is the most modern laptop that I can use with libreboot, as of today?



12-year-old Thinkpad with Intel Core 2 Duo


Asus C201 Chromebook, I believe.


Stupid question I'm mildly wondering about:

> Another module is the Dynamic Application Loader (DAL), which consists of a Java virtual machine

What does that mean in regards to using Intel hardware and Oracle's Java license mentioning nuclear weapons?

I thought it mentioned nuclear facilities but it looks like it changed at some stage.


Realistically if some party made use of these backdoors regularly someone would probably have noticed the traffic already.


You have smartphones uploading location data and browser history every day for years and it almost goes unnoticed.


That’s not a secret, it’s pretty well known. It only takes one person to notice.


How can this go unnoticed when it is common knowledge? There is a difference between don't know and don't care. So far the people that care are a tiny vocal minority. Unfortunately.


So they're (probably) not used 'regularly'. That's mildly reassuring. But I have no doubt they're using it as often as they can get away with, which is more than never.


I was thinking that, but if I was being smart about it I’d loop the traffic back through localhost and out of an innocent SSL connection.


If you have firmware-level access to a device like a NIC, you could theoretically circumvent the NIC reporting any network activity at all from your actions. This wouldn't cover external network monitoring of course, but how often do you scour the packet logs of your router's I/O?


For it to remain a secret it has to be noticed by nobody. I do not regularly scour packet logs but you can be sure people exist who do.
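The last two comments turn on the external vantage point: firmware with its own network path can hide traffic from the host OS, but not from a router that sees every flow. As an added example for this thread (not code from any project mentioned here), the script below models that vantage point. It reads router flow records and raises two kinds of alert: flows on the well-known Intel AMT management ports (16992-16995, plus 623/664 used by ASF/RMCP), and flows attributed to a host during a window in which that host's OS was reported off or asleep, which is exactly the case an OS-side packet capture would miss. The log format, IP addresses, host power-state table and the `detect` function are all constructed for the example.

```python
"""Detection sketch: out-of-band traffic in router flow logs.

Added example, not from the thread. Two rules are applied to each flow:

  1. "amt-port": either endpoint uses an Intel AMT management port
     (16992-16995) or the ASF/RMCP ports 623 and 664.
  2. "traffic-while-os-down": a local host produced traffic during a
     window in which its OS was known to be powered off or suspended.
     An out-of-band controller keeps talking while the OS is down, so
     the host's own packet capture shows nothing; the router still does.

Log lines, addresses and the power-state table are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flow(line: str) -> Flow:
    """Parse one key=value flow record in the constructed format used below."""
    ts_str, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return Flow(
        ts=_utc(ts_str),
        src=kv["src"],
        dst=kv["dst"],
        proto=kv["proto"],
        sport=int(kv["sport"]),
        dport=int(kv["dport"]),
        nbytes=int(kv["bytes"]),
    )


def in_window(ts: datetime, windows: List[Tuple[datetime, datetime]]) -> bool:
    return any(start <= ts < end for start, end in windows)


def detect(lines: List[str], local_prefix: str,
           os_down: Dict[str, List[Tuple[datetime, datetime]]]) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for flows that trip one of the two rules.

    os_down maps a local IP to UTC windows during which that host's OS was
    known to be off or asleep (in practice taken from power-management or
    inventory logs; here it is constructed).
    """
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f.sport in AMT_PORTS or f.dport in AMT_PORTS:
            alerts.append(("amt-port", line))
            continue
        local_ip = f.src if f.src.startswith(local_prefix) else f.dst
        if in_window(f.ts, os_down.get(local_ip, [])):
            alerts.append(("traffic-while-os-down", line))
    return alerts


# Constructed sample flow records as a router might export them.
SAMPLE_LOG = [
    "2020-05-03T09:12:01Z src=192.168.1.20 dst=203.0.113.5 proto=tcp sport=51234 dport=443 bytes=9800",
    "2020-05-03T02:40:17Z src=192.168.1.20 dst=198.51.100.9 proto=tcp sport=40001 dport=443 bytes=1500",
    "2020-05-03T09:30:44Z src=198.51.100.77 dst=192.168.1.31 proto=tcp sport=55000 dport=16992 bytes=600",
    "2020-05-03T09:31:00Z src=192.168.1.31 dst=203.0.113.5 proto=udp sport=123 dport=123 bytes=76",
]
# Workstation .20 was suspended 01:00-06:00 UTC according to (constructed) host logs.
OS_DOWN = {"192.168.1.20": [(_utc("2020-05-03T01:00:00Z"), _utc("2020-05-03T06:00:00Z"))]}

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOG, "192.168.1.", OS_DOWN):
        print(rule, "->", line)
```

The second rule is the more general one: it does not depend on knowing which ports a management controller uses, only on correlating the router's view with the host's own record of when it was awake, so it also catches traffic that has been "looped back through an innocent SSL connection" on port 443 as suggested a few comments up.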



