[HN Gopher] How Purism avoids Intel's Active Management Technology
___________________________________________________________________
How Purism avoids Intel's Active Management Technology
Author : jermier
Score : 106 points
Date : 2020-08-16 15:37 UTC (7 hours ago)
(HTM) web link (puri.sm)
(TXT) w3m dump (puri.sm)
| shmerl wrote:
| Looking forward to AMD laptops with Coreboot support as well.
| clmgs wrote:
| AMD has a similar backdoor:
|
| https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...
| fsflover wrote:
| Probaly won`t happen since AMD have their own secret code which
| no one could neutralize yet.
| shmerl wrote:
| Supposedly it's already in the works:
| https://twitter.com/jeremy_soller/status/1286457590289858560
| nullc wrote:
| Welp. Their response to Raptor in that thread just forever
| cost System76 my business.
|
| System76 takes the position that compatibility with x86
| binaries is worth having to take closed, remote-access-
| enabled, binary firmware. That's a position someone can
| take.
|
| Responding "So what?" and "I was expecting this" is just
| nasty and unprofessional.
| shmerl wrote:
| Yeah, that was strange. Sounds like there is some
| argument history behind it.
| kbenson wrote:
| It does read like that, but even so, the initial question
| from Raptor Computing Sys was very well worded and not
| disrespectful at all. The inability to at a minimum leave
| it as "We've covered this before, and disagree on some
| items. We'll have to agree to disagree and leave it at
| that." or even "I'm doing what I can, we'll see where it
| ends up in the end" or "See the official account for
| official statements" is the troubling part. Then a gain,
| that doesn't appear to be uncommon on Twitter, where
| everyone seems to have trouble disambiguating their
| professional and personal lives, and those of the people
| they are responding to (which is related).
| boring_twenties wrote:
| Recent (1-2 years?) AMD BIOS supports disabling the Platform
| Security Processor (their ME equivalent).
|
| I haven't been able to figure out what exactly this means,
| but it does seem to be disabled _after_ system
| initialization. Kind of like Intel 's HAP bit, except user-
| settable.
| floatboth wrote:
| Either like the HAP bit, or less -- only disabling its
| visibility to the OS on the PCIe bus.
| boring_twenties wrote:
| Yeah, I'm a little confused as to why they'd bother
| implementing and deploying this feature without even a
| cursory explanation of what it does...
| neilv wrote:
| Purism just needs TrackPoint and thicker keyboards, and I can
| upgrade my stockpile of ThinkPads. :)
| https://www.neilvandyke.org/coreboot/
| sscarduzio wrote:
| The trackpoint is the single reason I never bought a Thinkpad.
| NikolaNovak wrote:
| It's certainly one of those "acquired tastes", though like
| with 3.5mm elimination, I don't understand the sheer vitriol
| against it by those who happen not to use it. Why do you
| care? If everything else in Thinkpad appealed to you, why
| would an eminently ignorable feature be such a HUGE ("single
| reason") deal breaker?
|
| In my mind, either a) There are other reasons and this is a
| convenient conscious or subconscious scapegoat; or b) it's an
| extremely emotional decision, and as such certainly relevant
| to holder ("Whatever floats your boat!":) but not necessarily
| applicable or translatable to anybody else.
|
| I'd be curious (genuinely!) to hear more - were you actually
| tempted by any Thinkpads in the past but rejected them due to
| trackpoint, and if so can you elaborate why - what use case
| did they prevent or what inconvenience did they cause? Thx
| muchly! :)
| Godel_unicode wrote:
| The trackpoint is ugly. It's a giant throwback pimple in
| the middle of the keyboard, which there's no way to get
| around looking at all the time. Thinkpads being ugly is
| kind of their thing, so it doesn't surprise me that lots of
| Thinkpad people don't mind it or even see it as a plus, but
| to me seeing a trackpoint is like seeing a floppy drive. I
| used one for years, and I'm really happy that trackpads
| have gotten good enough that I'll never need to use one
| again.
|
| Edit: display notches are actually probably a better
| comparison. They're ugly and even though I don't use it I
| can't get rid of it except by using hardware designed not
| to have it.
| phreack wrote:
| It's an acquired taste, but luckily also very easy to ignore
| in my experience.
| R0b0t1 wrote:
| Disabling is not removing. People have found motherboards that
| should ostensibly not support vPro (e.g. Asus gaming
| motherboards) that do report vPro ME functionality.
|
| There is no reason to believe the software switch is working,
| especially when even a system integrator can accidentally enable
| the features. If someone wants them on they turn on.
|
| Purism sells snakeoil. Presenting their offerings as FOSS-
| compatible would be honest. Claiming additional security is not.
| fsflover wrote:
| Even though it`s true that ME is not 100% removed, most of it
| is.
|
| https://puri.sm/learn/software-freedom-in-perspective/
| boring_twenties wrote:
| The part that can't be removed still has had critical
| security vulnerabilities, though.
| floatboth wrote:
| But how would anyone interact with that part?
|
| If it has no NIC access and the OS doesn't have access to
| it because it's not hanging on PCIe anymore, so if it's
| only there for system bringup, it's essentially sealed off
| from the world.
| boring_twenties wrote:
| It might require physical access, as with
| https://www.intel.com/content/www/us/en/security-
| center/advi... but that's still pretty bad as it allows
| for rootkits completely undetectable from the OS
| environment.
| [deleted]
| R0b0t1 wrote:
| ME hasn't been removed at all. The hardware is still on the
| machine.
| teddyh wrote:
| That's a useless definition of "removed"; using that
| definition, ME can _never_ be "removed" _at all_! But
| that's not what we're talking about here. A more useful
| definition would be to use "removed" as in "not a security
| problem anymore".
| boring_twenties wrote:
| That definition doesn't change much, because the part
| that can't be removed can and will leave your system
| vulnerable to exploits like this one:
| https://www.intel.com/content/www/us/en/security-
| center/advi...
| R0b0t1 wrote:
| > using that definition, ME can never be "removed" at
| all!
|
| This is my point. It can't be removed. It will always
| remain a security problem.
| dongvsascript wrote:
| that's like saying having a flimsy house door lock lying
| in your kitchen drawer is a security problem.
|
| you have hardware on the cpu no longer accessible by
| software. you have a mellanox network card the me can't
| talk to. it's there, in the kitchen drawer. it's no
| longer in the door -so not a security problem.
|
| the 'issue' requires physical access to the machine, and
| for you to be logged in with an admin account. if someone
| is physically sitting next to your server and logged in
| as root, you have no security anymore. they don't need to
| break into anything, the can just run what they want
| already.
|
| someone is in your car with keys in the ignition. you're
| saying they can steal your car by hacking the
| entertainment system because it's insecure.
| R0b0t1 wrote:
| No, this is more akin to having a flimsy plywood door
| with a plastic lock right next to your real one but
| acting like you've solved the issue by taping a "please
| don't use" sign over it.
|
| Intel ME is still there. It is still potentially remotely
| configurable and remotely updateable. That those features
| are not advertised is irrelevant, they can be assumed to
| be there or easily added.
| tenebrisalietum wrote:
| It's not possible to remove, or at least account for all
| behavior of, the ME entirely until the BUP part is reverse
| engineered. You can't take that part out yet and have a working
| CPU as far as I understand.
|
| I'm surprised you didn't mention the FSP which is a binary blob
| from Intel required to be run by any boot firmware (UEFI,
| Coreboot, or whatever) very early in the platform
| initialization process (to my understanding, basically as soon
| as possible after the reset vector, in the PEI phase) before
| anything is useable.
|
| Baby steps. Don't let perfect be the enemy of good. Success
| here could indicate to CPU vendors there are people who care
| about these things.
| boring_twenties wrote:
| > Success here could indicate to CPU vendors there are people
| who care about these things.
|
| If the Libreboot FAQ[1] is to be believed, then we are well
| past this stage. It states:
|
| > Even Google, which sells millions of chromebooks (coreboot
| preinstalled) have been unable to persuade them.
|
| [1] https://libreboot.org/faq.html
| R0b0t1 wrote:
| I know it isn't possible. Half measures are attractive short
| term but can serve to normalize failure, as is currently
| happening. Most people I know view Purism favorably and think
| it has actually made ME irrelevant. It hasn't, all the
| hardware is still there and can be enabled. You still are not
| the de facto owner of the machine.
| kelnos wrote:
| > _but can serve to normalize failure_
|
| I agree, but it's not like they've given up. They're still
| working on it, and hope to find a way to permanently remove
| all the software that enables it, and run their own
| software instead. Whether or not they'll eventually be
| successful is of course an open question.
|
| The alternative, at least right now, is that Purism doesn't
| sell any hardware at all, goes out of business, and then
| there's no one working credibly on this. That would be an
| even worse failure, IMO.
| zatop wrote:
| That's why for the long term they mention:
|
| " We released a petition for, and continue to work with
| Intel to free it entirely (what Intel is calling a "ME-
| less" design). "
|
| Do you have a better solution that trying to neutralise it
| + starting a petition + talking with Intel to remove it ?
|
| If you to want to criticize brands for selling privacy
| snakeoil, and not making you "the de facto owner of the
| machine" then we should address your criticism at Apple,
| not Purism
| tenebrisalietum wrote:
| > It hasn't, all the hardware is still there and can be
| enabled.
|
| Can it be enabled by Intel?
|
| A system that has ME installed with a NIC the ME can't
| access (non-Intel) seems like it makes the ME irrelevant
| via suffocation.
|
| I'm not sure of the technical details of this board or if
| the ME can access non-Intel NICs.
| zatop wrote:
| Even if they are not yet 100% sure, it's still far better than
| any other laptop from any other brand who don't even bother
| trying to do anything about it
| fmajid wrote:
| I am wary of Purism because of this:
|
| https://www.phoronix.com/scan.php?page=news_item&px=Zlatan-T...
| [deleted]
| cantrevealname wrote:
| I've been hearing about Intel's Active Management Technology for
| years, but I'd like to see a demonstration of how an attack would
| work. I have an unused laptop with:
|
| 1. an Intel CPU that supports the vPro feature set
|
| 2. an Intel networking card
|
| 3. the corporate version of the Intel Management Engine (Intel
| ME) binary (well, definitely, a corporate laptop that used to get
| updates, but how do I check for ME?)
|
| Is there a website I can visit that can initiate a remote
| takeover (I'm consenting to it)? Why isn't this possible? What
| other step is required on my side to make it possible? Is it
| possible only through the physical ethernet connection? Why
| aren't we seeing wide scale exploits based on AMT?
| fsflover wrote:
| https://news.ycombinator.com/item?id=16238765
| abtom wrote:
| "... the fundamental rule of technological progress: if
| something can be done, it probably will be done, and possibly
| already has been." -Edward Snowden (Permanent Record)
| rcxdude wrote:
| There have been two really severe AMT vulnerabilities
| (basically allowing complete takeover of the PC through the
| network). These have been patched and no widescale exploitation
| of them has been reported AFAIK. The other vulnerabilities
| essentially allow for a super-rootkit: if you can get arbitrary
| code execution in the AMT from the OS then you can escalate an
| exploit into a rootkit which is basically impossible to detect
| or remove, and this kind of exploitation has been seen in the
| wild.
| cantrevealname wrote:
| > _severe AMT vulnerabilities (basically allowing complete
| takeover of the PC through the network)_
|
| Does this mean when the PC was connected by ethernet cable?
| Even by wifi? The exploit could have worked by visiting an
| arbitrary website? With no click? (I'm not being skeptical. I
| just want to understand what's required for the exploit to
| work.)
| wlesieutre wrote:
| Here's one from 2017:
| https://www.tomshardware.com/news/intel-amt-patch-
| may-8,3434...
|
| Connected to Ethernet (with Intel hardware), but doesn't
| need to be turned on. Must have vPro and AMT enabled.
| threatripper wrote:
| Absence of evidence is not the evidence for absence.
|
| If the backdoor exists you will need to know a secret to open
| it. Currently, the public obviously doesn't know this secret or
| the doors would be wide open for virtually anybody. Because we
| don't know the secret key, we cannot open them to prove that
| they exist. So we don't know for sure if the backdoors exist.
| But the way the IME is designed and handled makes it possible
| and plausible that backdoors could exist. It's up to Intel to
| prove that they don't exist.
| closeparen wrote:
| I hear a lot about disabling the management engines... what about
| activating them for yourself?
| rzzzt wrote:
| Your computer could run Linux or Doom even while it's off!
| mietek wrote:
| (2017)
| [deleted]
| seemslegit wrote:
| What are the odds that the chips that don't feature AMT/ME don't
| have it physically as opposed to it just being crippled in
| firmware ? In which case if one is worried about government
| backdoors this should alleviate exactly zero concerns.
| wmf wrote:
| This topic is well understood so there's no need for "odds".
| All the chips have ME. AMT is a firmware feature that can be
| removed or not bought.
| kelnos wrote:
| > _We choose Intel CPUs that do not have vPro_
|
| The Wikipedia article they link about vPro says:
|
| > _Intel vPro technology ... [includes] VT-x, VT-d..._
|
| Does this mean that Purism hardware won't support virtualization
| extensions? Seems like that would be a big downside, and would
| make it a non-starter for a lot of people (including myself).
| rzzzt wrote:
| The second sentence on Wikipedia says: _When the vPro brand was
| launched (circa 2007), it was identified primarily with AMT,
| thus some journalists still consider AMT to be the essence of
| vPro._
|
| (They have also added a small asterisk to the Purism article to
| clarify - I'm also just reading it now so don't know if it was
| there before)
| sukilot wrote:
| You have dig past the marketing labels and into the actual
| specs. Some CPUs have VT-x but not vPro
|
| https://ark.intel.com/content/www/us/en/ark/products/149091/...
| floatboth wrote:
| where "some" means pretty much _all_ consumer CPUs.
| Godel_unicode wrote:
| That's absolutely not true, there are a ton of modern
| consumer CPUs with vpro. Here's a comparison of the 10500
| through the 10900{,k}, all of which have vpro. https://ark.
| intel.com/content/www/us/en/ark/compare.html?pro...
|
| Here's the more complete list of Core processors which have
| vpro platform eligibility. It's quite long. https://ark.int
| el.com/content/www/us/en/ark/search/featurefi...
| fsflover wrote:
| Qubes OS, which requires VT-d, works flawlessly on my Librem
| 15, so virtualization is there.
| xbar wrote:
| Still no 16x10 screens. Welcome to the failbin.
| pastrami_panda wrote:
| A bit harsh, but sure, once you go 16:10 it's very hard to go
| back to 16:9 laptops.
___________________________________________________________________
(page generated 2020-08-16 23:00 UTC)