As some people have already started commenting on this announcement (they are highlighting that since it’s impossible to disable the ME completely, all your neutralizing efforts are just marketing), it would be beneficial to launch in parallel an awareness campaign about what exactly is disabled and what the remaining attack vectors are (and how those could be mitigated). Just to remain translucent.
We’ve written a lot on the subject already. This page has links to much deeper dives: https://puri.sm/learn/intel-me/ and has been on our site for a very long time. I usually link to it whenever I write a post that mentions the ME.
The perfect is the enemy of the good here. We already bypass most of the issues people would have by starting with an ME that doesn’t have AMT. In some cases people who talk about disabling the ME only trigger that HAP bit that tells it to disable itself. In our case the reason we discuss disabling and neutralizing is that we go a step further to zero out as much of the ME as we can and still boot. This leaves the following modules:
- KERNEL: The ME kernel
- RBE: The equivalent of the “bootloader” for the ME, verifies the signature of the KERNEL, SYSLIB, and BUP modules and loads them into RAM
- SYSLIB: The basic memcpy, strcmp and other essential library functions for the kernel
- BUP: The “bring up” module which initializes the hardware
So then you are left with people arguing (without evidence, of course) that the above four modules are a place where there are additional remote administration backdoors, among other conspiracies. Technically possible? Maybe. Is that what they are doing? Unlikely. The problem is that paranoia alone does not make for good security. I’ve often found that paranoid folks come up with the most convoluted and overly complex security measures, and complexity is the enemy of good security. So while it would be great to completely remove/replace the ME, in the meantime I think what we have is much safer than the default and a large step in the right direction.
Also, with PureBoot, this section of firmware is something that gets measured at each boot so there’s no opportunity to store additional state in this code at a later date.
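The measurement argument in the post above, as an added example that is not PureBoot/Heads code: PureBoot extends real TPM PCRs from the real flash contents, while this script emulates the PCR extend operation in software over a constructed flash image with an invented region layout (the offsets, the stand-in "neutered ME" bytes and the region names are all assumptions made for illustration). It shows why writing anything into the zeroed-out part of the ME region at a later date changes the boot measurement and is therefore detected.

```python
import hashlib
import hmac

# Constructed flash layout. Offsets are invented for this example; a real image
# locates the ME and BIOS regions through the Intel Flash Descriptor.
REGIONS = {
    "me":   (0x0000, 0x0400),
    "bios": (0x0400, 0x0800),
}

def build_image(me_blob: bytes, bios_blob: bytes) -> bytes:
    """Assemble a tiny fake flash image; unused space reads 0xFF like erased flash."""
    size = max(end for _, end in REGIONS.values())
    img = bytearray(b"\xff" * size)
    for name, blob in (("me", me_blob), ("bios", bios_blob)):
        start, end = REGIONS[name]
        if len(blob) > end - start:
            raise ValueError(f"{name} blob does not fit its region")
        img[start:start + len(blob)] = blob
    return bytes(img)

def measure_region(image: bytes, name: str) -> bytes:
    """Hash the whole region, padding included, exactly as it sits in flash."""
    start, end = REGIONS[name]
    return hashlib.sha256(image[start:end]).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """Software emulation of a TPM 2.0 SHA-256 PCR extend: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def boot_measurement(image: bytes) -> bytes:
    """Extend every region into one PCR in a fixed order, as a measured boot would."""
    pcr = bytes(32)  # PCRs start zeroed at power-on
    for name in REGIONS:
        pcr = pcr_extend(pcr, measure_region(image, name))
    return pcr

def check_boot(image: bytes, expected_pcr: bytes) -> bool:
    """True only if the image measures to the value recorded at enrollment."""
    return hmac.compare_digest(boot_measurement(image), expected_pcr)

def tamper(image: bytes, offset: int, payload: bytes) -> bytes:
    """Return a copy of the image with payload written at offset (simulated flash write)."""
    img = bytearray(image)
    img[offset:offset + len(payload)] = payload
    return bytes(img)

# Constructed stand-in for a neutered ME region: the four surviving module names,
# followed by zeroed space where the removed modules used to live.
NEUTERED_ME = b"RBE\x00KERNEL\x00SYSLIB\x00BUP\x00" + bytes(0x100)
GOOD_IMAGE = build_image(NEUTERED_ME, b"coreboot+pureboot (constructed)")
GOOD_PCR = boot_measurement(GOOD_IMAGE)   # what would be sealed/recorded at enrollment

# Someone later stashes one byte of "state" in the zeroed tail of the ME region.
STATE_OFFSET = REGIONS["me"][0] + len(NEUTERED_ME) - 1
STASHED_IMAGE = tamper(GOOD_IMAGE, STATE_OFFSET, b"\x01")

# Even a write into the erased (0xFF) slack after the ME modules is measured.
SLACK_IMAGE = tamper(GOOD_IMAGE, REGIONS["me"][1] - 4, b"\x00")

if __name__ == "__main__":
    print("good image boots:   ", check_boot(GOOD_IMAGE, GOOD_PCR))
    print("stashed state boots:", check_boot(STASHED_IMAGE, GOOD_PCR))
    print("slack write boots:  ", check_boot(SLACK_IMAGE, GOOD_PCR))
```

The point the emulation makes is that the measurement covers the region as a whole, not just the modules that are known to be present, so there is no unmeasured corner of the ME region in which to accumulate state between boots. On real hardware the equivalent check is the TPM PCR value that PureBoot compares (or seals a secret against) at each boot.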
Are these servers also in use for Librem One?
IOW, Rome wasn’t built in a day. (Lots of people say that but exactly how long did it take to build Rome?)
If anyone is in the market or interested in the specs: https://puri.sm/products/librem-server/
Edit: But you can’t buy on the web site (not that I am in the market).
Not yet, but perhaps one day
Yeah, it’s an enterprise product, so for now you get to talk to our enterprise sales team to help figure out what solution works best, but we also want to have a self-service option on the store soon.
Where can I find the physical dimensions of the server? I mean 1U denotes height, I would expect it to be a standard 19" width, but depth?
It’s a good point; each of the three options has a different depth. I’ll try to get that data on there in the next day or two.
I figured that. At a quick read, a customer would need to know what additional parts are needed to be supplied by the customer, known compatible parts, what config options are available at order time from Purism, more detailed info on some of the specs, … so actually talking to someone is good.
If you are adding dimensions, you might want to add in the weight too, particularly for international customers. I understand that the weight will increase as parts are added but at least the starting weight.
There are only 40mm (at max) fans that fit in there, so that’s a good visual scale to compare it to.
It’s a blade rack server. The noise is going to be bazooka with 6 of those 40 mm bastards in there.
Noctua has some quiet 40mm ones, but expensive (6y warranty is not bad).
Yeah, my 1U server has 8 of the noctua fans in it and you can only hear the CPU fan when it ramps up so I’m not worried about that. My question on dimensions, is primarily about depth since the 1U height is pretty well defined, and rack width is also pretty standard. The enclosure I use is a short depth enclosure so I am very limited on server options. BTW do calculate your specific thermal requirements before switching out the fans in your server as insufficient airflow can cause major problems.
I am curious where you got that it is a blade server, as I didn’t read anything about that, nor does it look like a blade server. Everything I’ve seen is that it is a 1U rackmount, and I’ve not yet encountered a 1U blade, as blades are normally mounted in a special chassis and have a fairly unique IO setup.
As far as the sound goes, I would expect it to be capable of getting loud but to spend most of its time at a more general thrum, since the fans should support variable speeds and spend the majority of their time at the lower RPM.
Of course sound is typically the least of my worries in a data center/server room.
I’m interested in the IPMI you all are using. To me IPMI seems to be one of the most obvious attack vectors as it has access to the entire system.
I only wish I had a need for a dataserver at the moment. Looking forward to needing one in the future though!
@Kyle_Rankin,
What does the Purism Manufacturer Warranty cover and for how long?
Aside from the Xeon CPU, are binary blobs needed for any of the other hardware components?
For the moment, we’ll be shipping with the BMC (and thus IPMI) disabled. We hope to offer these with OpenBMC or u-BMC eventually.
The only binary components in the firmware are the ME firmware (neutered and disabled) and the Intel FSP blob. There’s CPU microcode as well, but I don’t consider that a blob (it’s not executable code).
I just noticed something, are all the network connections on the front of the server and not the back where the rest of my cable management is?
I would buy a Purism home NAS with RYF and a robust file system (mdraid1, zfs, btrfs, …) to protect my massive audio and video collection, as well as an email and document archive. Secure boot with a Librem key would also be a great selling factor.
It would be the ultimate way to de-google my life. Laptop, phone, and my-cloud.
Probably best added to Your Purism products wish list
This particular product looks to have more grunt and a higher price tag than, in my opinion, all but a very few home users would need or accept.
Would you have a solution to control the fan speed of my Librem server (bought in July 2021)? It is only working at full speed… Because of that I am not using it at the moment. Through coreboot, the coretemp driver, updating the EC, the BIOS?
Re-enable the BMC via jumper and it should be auto-controlled by the BMC, and possibly overridden via IPMI.
Thanks for your answer, but I tried everything except re-enabling the BMC, for privacy and security reasons.
And (tested) the IPMI of the mainboard (X10SDV-8C-TLN4F) does NOT override the BMC. The fan control only goes through the BMC (see also the docs and forum from Supermicro). So I had to install a Corsair Controller Pro (cooling controller) in the rack to control the CPU fan without the BMC.
IPMI is the interface to the BMC; it’s not functional if the BMC is disabled via jumper.