First I want to thank Purism for the outstanding and important work they do.
I have 3 questions I hope someone can answer. Maybe someone from the PURISM team is reading and has some answers.
Intel ME neutralizing
I know that Purism is “only” deactivating the Intel ME by setting the HAP-Bit for the Librem 14. I have read the article from Positive Technologies http://blog.ptsecurity.com/2017/08/disabling-intel-me.html.
In the “closing thought” section at the end, where they (try to) prove that the ME is truly disabled, under 2. they state that if they “remove some critical ME modules and enable HAP mode, Intel ME does not crash”.
As I understand it, by setting the HAP bit they were able to delete modules which they could not have deleted if the HAP-bit was not set.
So why is it not possible for PURISM to neutralize or, as ptsecurity says, “damage” at least a good portion of the ME code after setting the HAP-Bit?
What is the difficulty? Does the newer ME require more modules to work than RBE, KERNEL, SYSLIB and dBUP?
Intel ME tampering
As I understand it, Purism users are pretty well equipped against firmware attacks regarding the BIOS firmware because of the PureBoot bundle (coreboot, read-only flash chip and, most importantly, Heads).
Is PureBoot/Heads also able to detect ME tampering? Could you imagine a method to detect tampering which was conducted e.g. by reflashing/reactivating the ME?
To my knowledge, a small portion of the ME is in the CPU ROM, but most of the ME is stored in the flash chip (SPI) next to the BIOS.
A question regarding Joanna Rutkowska’s idea of a stateless laptop (https://blog.invisiblethings.org/papers/2015/state_harmful.pdf). She is talking about having a “trusted stick”. However, her main point, as I understand her, is a read-only firmware partition, either a read-only (SPI) chip or just a USB stick etc. So I would rather call it a “read-only (firmware) laptop”.
I know that it has been a topic in this forum a few times.
I would just like to know from a Purism member (hopefully one is reading this) whether it would be possible to implement the idea and how hard it would be for Purism / a manufacturer to do it. Do you think the Intel ME would work with read-only firmware, i.e. a read-only SPI chip or the like?
Could you design such a Chip, let it be manufactured and flash the ME on it? Which of these steps would be the most difficult/impossible?
The disadvantage of a read-only SPI chip would be that you cannot update anything, right? This must be one of the reasons why Joanna is proposing an external user device with a read/write toggle.
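One way the ME tampering check asked about above could be built, as an added example that is not code from Purism, Heads or the linked article: parse the Intel Flash Descriptor at the start of a full SPI dump to locate the ME region and the PCH strap area, hash the ME region, and compare it with a baseline recorded from a known-good dump. The descriptor offsets follow Intel's published IFD layout, the HAP-bit position (bit 16 of PCHSTRP0) is the ME 11+ location the Positive Technologies post describes, and the sample image is constructed here, so the function names and the 64 KiB layout are assumptions for illustration.

```python
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A
ME_REGION_INDEX = 2  # FLREG2 describes the ME region

def parse_ifd(image: bytes):
    """Return (me_start, me_end_inclusive, hap_set) from a full SPI dump.

    IFD layout: signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18,
    region registers at FRBA, PCH straps (PCHSTRP0 first) at FPSBA.
    """
    sig, = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # flash region base address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4  # PCH strap base address
    flreg, = struct.unpack_from("<I", image, frba + 4 * ME_REGION_INDEX)
    me_start = (flreg & 0x7FFF) << 12
    me_end = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
    if me_end < me_start:
        raise ValueError("ME region is marked unused in the descriptor")
    pchstrp0, = struct.unpack_from("<I", image, fpsba)
    hap_set = bool(pchstrp0 & (1 << 16))  # HAP bit on ME 11+ descriptors
    return me_start, me_end, hap_set

def me_region_digest(image: bytes) -> str:
    start, end, _ = parse_ifd(image)
    return hashlib.sha256(image[start:end + 1]).hexdigest()

def check_me(image: bytes, golden_digest: str) -> dict:
    """Compare the ME region with a known-good digest and report the HAP state."""
    start, end, hap = parse_ifd(image)
    digest = me_region_digest(image)
    return {"me_start": start, "me_end": end, "hap_bit": hap,
            "digest": digest, "tampered": digest != golden_digest}

def build_sample_image(me_payload: bytes, hap: bool) -> bytes:
    """Constructed 64 KiB dump: ME region at 0x1000-0x2FFF, straps at 0x100."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<II", img, 0x14, 0x04 << 16, 0x10 << 16)  # FRBA=0x40, FPSBA=0x100
    struct.pack_into("<I", img, 0x40 + 8, (0x2 << 16) | 0x1)     # FLREG2: 0x1000..0x2FFF
    struct.pack_into("<I", img, 0x100, (1 << 16) if hap else 0)  # PCHSTRP0 with/without HAP
    img[0x1000:0x1000 + len(me_payload)] = me_payload
    return bytes(img)

if __name__ == "__main__":
    good = build_sample_image(b"ME-FIRMWARE-V1", hap=True)
    baseline = me_region_digest(good)
    print(check_me(good, baseline))
    print(check_me(build_sample_image(b"ME-FIRMWARE-V1-MODIFIED", hap=False), baseline))
```

In practice the dump would come from an external programmer or flashrom and the baseline would be stored where the firmware itself cannot rewrite it; the check only covers the SPI-resident part of the ME, not the portion in the CPU ROM mentioned above.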