[HN Gopher] How Purism avoids Intel's Active Management Technology ___________________________________________________________________ How Purism avoids Intel's Active Management Technology Author : jermier Score : 106 points Date : 2020-08-16 15:37 UTC (7 hours ago) (HTM) web link (puri.sm) (TXT) w3m dump (puri.sm) | shmerl wrote: | Looking forward to AMD laptops with Coreboot support as well. | clmgs wrote: | AMD has a similar backdoor: | | https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo... | fsflover wrote: | Probaly won`t happen since AMD have their own secret code which | no one could neutralize yet. | shmerl wrote: | Supposedly it's already in the works: | https://twitter.com/jeremy_soller/status/1286457590289858560 | nullc wrote: | Welp. Their response to Raptor in that thread just forever | cost System76 my business. | | System76 takes the position that compatibility with x86 | binaries is worth having to take closed, remote-access- | enabled, binary firmware. That's a position someone can | take. | | Responding "So what?" and "I was expecting this" is just | nasty and unprofessional. | shmerl wrote: | Yeah, that was strange. Sounds like there is some | argument history behind it. | kbenson wrote: | It does read like that, but even so, the initial question | from Raptor Computing Sys was very well worded and not | disrespectful at all. The inability to at a minimum leave | it as "We've covered this before, and disagree on some | items. We'll have to agree to disagree and leave it at | that." or even "I'm doing what I can, we'll see where it | ends up in the end" or "See the official account for | official statements" is the troubling part. Then a gain, | that doesn't appear to be uncommon on Twitter, where | everyone seems to have trouble disambiguating their | professional and personal lives, and those of the people | they are responding to (which is related). | boring_twenties wrote: | Recent (1-2 years?) AMD BIOS supports disabling the Platform | Security Processor (their ME equivalent). | | I haven't been able to figure out what exactly this means, | but it does seem to be disabled _after_ system | initialization. Kind of like Intel 's HAP bit, except user- | settable. | floatboth wrote: | Either like the HAP bit, or less -- only disabling its | visibility to the OS on the PCIe bus. | boring_twenties wrote: | Yeah, I'm a little confused as to why they'd bother | implementing and deploying this feature without even a | cursory explanation of what it does... | neilv wrote: | Purism just needs TrackPoint and thicker keyboards, and I can | upgrade my stockpile of ThinkPads. :) | https://www.neilvandyke.org/coreboot/ | sscarduzio wrote: | The trackpoint is the single reason I never bought a Thinkpad. | NikolaNovak wrote: | It's certainly one of those "acquired tastes", though like | with 3.5mm elimination, I don't understand the sheer vitriol | against it by those who happen not to use it. Why do you | care? If everything else in Thinkpad appealed to you, why | would an eminently ignorable feature be such a HUGE ("single | reason") deal breaker? | | In my mind, either a) There are other reasons and this is a | convenient conscious or subconscious scapegoat; or b) it's an | extremely emotional decision, and as such certainly relevant | to holder ("Whatever floats your boat!":) but not necessarily | applicable or translatable to anybody else. | | I'd be curious (genuinely!) to hear more - were you actually | tempted by any Thinkpads in the past but rejected them due to | trackpoint, and if so can you elaborate why - what use case | did they prevent or what inconvenience did they cause? Thx | muchly! :) | Godel_unicode wrote: | The trackpoint is ugly. It's a giant throwback pimple in | the middle of the keyboard, which there's no way to get | around looking at all the time. Thinkpads being ugly is | kind of their thing, so it doesn't surprise me that lots of | Thinkpad people don't mind it or even see it as a plus, but | to me seeing a trackpoint is like seeing a floppy drive. I | used one for years, and I'm really happy that trackpads | have gotten good enough that I'll never need to use one | again. | | Edit: display notches are actually probably a better | comparison. They're ugly and even though I don't use it I | can't get rid of it except by using hardware designed not | to have it. | phreack wrote: | It's an acquired taste, but luckily also very easy to ignore | in my experience. | R0b0t1 wrote: | Disabling is not removing. People have found motherboards that | should ostensibly not support vPro (e.g. Asus gaming | motherboards) that do report vPro ME functionality. | | There is no reason to believe the software switch is working, | especially when even a system integrator can accidentally enable | the features. If someone wants them on they turn on. | | Purism sells snakeoil. Presenting their offerings as FOSS- | compatible would be honest. Claiming additional security is not. | fsflover wrote: | Even though it`s true that ME is not 100% removed, most of it | is. | | https://puri.sm/learn/software-freedom-in-perspective/ | boring_twenties wrote: | The part that can't be removed still has had critical | security vulnerabilities, though. | floatboth wrote: | But how would anyone interact with that part? | | If it has no NIC access and the OS doesn't have access to | it because it's not hanging on PCIe anymore, so if it's | only there for system bringup, it's essentially sealed off | from the world. | boring_twenties wrote: | It might require physical access, as with | https://www.intel.com/content/www/us/en/security- | center/advi... but that's still pretty bad as it allows | for rootkits completely undetectable from the OS | environment. | [deleted] | R0b0t1 wrote: | ME hasn't been removed at all. The hardware is still on the | machine. | teddyh wrote: | That's a useless definition of "removed"; using that | definition, ME can _never_ be "removed" _at all_! But | that's not what we're talking about here. A more useful | definition would be to use "removed" as in "not a security | problem anymore". | boring_twenties wrote: | That definition doesn't change much, because the part | that can't be removed can and will leave your system | vulnerable to exploits like this one: | https://www.intel.com/content/www/us/en/security- | center/advi... | R0b0t1 wrote: | > using that definition, ME can never be "removed" at | all! | | This is my point. It can't be removed. It will always | remain a security problem. | dongvsascript wrote: | that's like saying having a flimsy house door lock lying | in your kitchen drawer is a security problem. | | you have hardware on the cpu no longer accessible by | software. you have a mellanox network card the me can't | talk to. it's there, in the kitchen drawer. it's no | longer in the door -so not a security problem. | | the 'issue' requires physical access to the machine, and | for you to be logged in with an admin account. if someone | is physically sitting next to your server and logged in | as root, you have no security anymore. they don't need to | break into anything, the can just run what they want | already. | | someone is in your car with keys in the ignition. you're | saying they can steal your car by hacking the | entertainment system because it's insecure. | R0b0t1 wrote: | No, this is more akin to having a flimsy plywood door | with a plastic lock right next to your real one but | acting like you've solved the issue by taping a "please | don't use" sign over it. | | Intel ME is still there. It is still potentially remotely | configurable and remotely updateable. That those features | are not advertised is irrelevant, they can be assumed to | be there or easily added. | tenebrisalietum wrote: | It's not possible to remove, or at least account for all | behavior of, the ME entirely until the BUP part is reverse | engineered. You can't take that part out yet and have a working | CPU as far as I understand. | | I'm surprised you didn't mention the FSP which is a binary blob | from Intel required to be run by any boot firmware (UEFI, | Coreboot, or whatever) very early in the platform | initialization process (to my understanding, basically as soon | as possible after the reset vector, in the PEI phase) before | anything is useable. | | Baby steps. Don't let perfect be the enemy of good. Success | here could indicate to CPU vendors there are people who care | about these things. | boring_twenties wrote: | > Success here could indicate to CPU vendors there are people | who care about these things. | | If the Libreboot FAQ[1] is to be believed, then we are well | past this stage. It states: | | > Even Google, which sells millions of chromebooks (coreboot | preinstalled) have been unable to persuade them. | | [1] https://libreboot.org/faq.html | R0b0t1 wrote: | I know it isn't possible. Half measures are attractive short | term but can serve to normalize failure, as is currently | happening. Most people I know view Purism favorably and think | it has actually made ME irrelevant. It hasn't, all the | hardware is still there and can be enabled. You still are not | the de facto owner of the machine. | kelnos wrote: | > _but can serve to normalize failure_ | | I agree, but it's not like they've given up. They're still | working on it, and hope to find a way to permanently remove | all the software that enables it, and run their own | software instead. Whether or not they'll eventually be | successful is of course an open question. | | The alternative, at least right now, is that Purism doesn't | sell any hardware at all, goes out of business, and then | there's no one working credibly on this. That would be an | even worse failure, IMO. | zatop wrote: | That's why for the long term they mention: | | " We released a petition for, and continue to work with | Intel to free it entirely (what Intel is calling a "ME- | less" design). " | | Do you have a better solution that trying to neutralise it | + starting a petition + talking with Intel to remove it ? | | If you to want to criticize brands for selling privacy | snakeoil, and not making you "the de facto owner of the | machine" then we should address your criticism at Apple, | not Purism | tenebrisalietum wrote: | > It hasn't, all the hardware is still there and can be | enabled. | | Can it be enabled by Intel? | | A system that has ME installed with a NIC the ME can't | access (non-Intel) seems like it makes the ME irrelevant | via suffocation. | | I'm not sure of the technical details of this board or if | the ME can access non-Intel NICs. | zatop wrote: | Even if they are not yet 100% sure, it's still far better than | any other laptop from any other brand who don't even bother | trying to do anything about it | fmajid wrote: | I am wary of Purism because of this: | | https://www.phoronix.com/scan.php?page=news_item&px=Zlatan-T... | [deleted] | cantrevealname wrote: | I've been hearing about Intel's Active Management Technology for | years, but I'd like to see a demonstration of how an attack would | work. I have an unused laptop with: | | 1. an Intel CPU that supports the vPro feature set | | 2. an Intel networking card | | 3. the corporate version of the Intel Management Engine (Intel | ME) binary (well, definitely, a corporate laptop that used to get | updates, but how do I check for ME?) | | Is there a website I can visit that can initiate a remote | takeover (I'm consenting to it)? Why isn't this possible? What | other step is required on my side to make it possible? Is it | possible only through the physical ethernet connection? Why | aren't we seeing wide scale exploits based on AMT? | fsflover wrote: | https://news.ycombinator.com/item?id=16238765 | abtom wrote: | "... the fundamental rule of technological progress: if | something can be done, it probably will be done, and possibly | already has been." -Edward Snowden (Permanent Record) | rcxdude wrote: | There have been two really severe AMT vulnerabilities | (basically allowing complete takeover of the PC through the | network). These have been patched and no widescale exploitation | of them has been reported AFAIK. The other vulnerabilities | essentially allow for a super-rootkit: if you can get arbitrary | code execution in the AMT from the OS then you can escalate an | exploit into a rootkit which is basically impossible to detect | or remove, and this kind of exploitation has been seen in the | wild. | cantrevealname wrote: | > _severe AMT vulnerabilities (basically allowing complete | takeover of the PC through the network)_ | | Does this mean when the PC was connected by ethernet cable? | Even by wifi? The exploit could have worked by visiting an | arbitrary website? With no click? (I'm not being skeptical. I | just want to understand what's required for the exploit to | work.) | wlesieutre wrote: | Here's one from 2017: | https://www.tomshardware.com/news/intel-amt-patch- | may-8,3434... | | Connected to Ethernet (with Intel hardware), but doesn't | need to be turned on. Must have vPro and AMT enabled. | threatripper wrote: | Absence of evidence is not the evidence for absence. | | If the backdoor exists you will need to know a secret to open | it. Currently, the public obviously doesn't know this secret or | the doors would be wide open for virtually anybody. Because we | don't know the secret key, we cannot open them to prove that | they exist. So we don't know for sure if the backdoors exist. | But the way the IME is designed and handled makes it possible | and plausible that backdoors could exist. It's up to Intel to | prove that they don't exist. | closeparen wrote: | I hear a lot about disabling the management engines... what about | activating them for yourself? | rzzzt wrote: | Your computer could run Linux or Doom even while it's off! | mietek wrote: | (2017) | [deleted] | seemslegit wrote: | What are the odds that the chips that don't feature AMT/ME don't | have it physically as opposed to it just being crippled in | firmware ? In which case if one is worried about government | backdoors this should alleviate exactly zero concerns. | wmf wrote: | This topic is well understood so there's no need for "odds". | All the chips have ME. AMT is a firmware feature that can be | removed or not bought. | kelnos wrote: | > _We choose Intel CPUs that do not have vPro_ | | The Wikipedia article they link about vPro says: | | > _Intel vPro technology ... [includes] VT-x, VT-d..._ | | Does this mean that Purism hardware won't support virtualization | extensions? Seems like that would be a big downside, and would | make it a non-starter for a lot of people (including myself). | rzzzt wrote: | The second sentence on Wikipedia says: _When the vPro brand was | launched (circa 2007), it was identified primarily with AMT, | thus some journalists still consider AMT to be the essence of | vPro._ | | (They have also added a small asterisk to the Purism article to | clarify - I'm also just reading it now so don't know if it was | there before) | sukilot wrote: | You have dig past the marketing labels and into the actual | specs. Some CPUs have VT-x but not vPro | | https://ark.intel.com/content/www/us/en/ark/products/149091/... | floatboth wrote: | where "some" means pretty much _all_ consumer CPUs. | Godel_unicode wrote: | That's absolutely not true, there are a ton of modern | consumer CPUs with vpro. Here's a comparison of the 10500 | through the 10900{,k}, all of which have vpro. https://ark. | intel.com/content/www/us/en/ark/compare.html?pro... | | Here's the more complete list of Core processors which have | vpro platform eligibility. It's quite long. https://ark.int | el.com/content/www/us/en/ark/search/featurefi... | fsflover wrote: | Qubes OS, which requires VT-d, works flawlessly on my Librem | 15, so virtualization is there. | xbar wrote: | Still no 16x10 screens. Welcome to the failbin. | pastrami_panda wrote: | A bit harsh, but sure, once you go 16:10 it's very hard to go | back to 16:9 laptops. ___________________________________________________________________ (page generated 2020-08-16 23:00 UTC)