Up until a week or so ago, I had also thought (apparently mistakenly) that the same ME process we used in the past would also work with the CPU in the L14. It looks like we can only do the disable part for now, which is of course a shame. If it mentions “disabled and neutralized” on any of our marketing, that would simply be based on that initial mistaken assumption that this new CPU and ME would be able to have the same treatment.
I’ll look into fixing that now if it’s on the product page still.
@MrChromebox does the problem neutralizing the Librem 14’s Intel ME extend to the Librem Mini v2? In other words, is the Mini v2’s ME disabled and neutralized or just disabled?
I don’t really know how this works internally so forgive me if I assume too much … when we dl and flash a new Coreboot/Pureboot version on the LMv1/v2 and L14v1, does that mean we also install updates to the intel-microcode but in a disabled but NOT neutered state?
It’s so sad to hear that.
This means that all people who bought a Librem Mini last year (including myself) were misled. Because all of the last year, in the product description it was written that Intel ME is disabled and neutralized (exactly the same as in the description of previous laptops).
I don’t understand why Purism discontinued previous laptops with a truly disabled and neutralized Intel ME, while they can’t neutralize ME in the new processors.
They could at least use old processors in the new products (Librem Mini, Librem 14), while they can’t neutralize ME in the new processors. Why not do so?
Also, I think it would be a good idea to divide all products into 2 categories:
1) products focused on maximum privacy and security (less powerful, but with really disabled and neutralized Intel ME);
2) products more focused on power and high performance (with the new processors, discrete GPU, etc.).
We really need this separation of the products.
This of course sounds like a good idea, but it would require a lot of resources to manage more products, which Purism probably does not have. Not even speaking about the very small market for such devices…
The people who preordered the Librem 14 were misled too.
I find it curious that they announced the Librem 14 with a neutralized ME but knowing very well that it was not possible to neutralize it on the Librem Mini. Ok, it’s not the same CPU but it should have sent some kind of warning. I also find curious Kyle’s answer that he was surprised to learn (several months after the announcement of Librem 14) that it was not possible to neutralize the ME. I think that the head of security at Purism should have been aware of this, long before anyone else.
because Intel is going in the other direction and so Purism could forever be locked into old processors and eventually would have no processors at all(!)
because I don’t know whether the CPU is socketed on the Mini i.e. could not be made current if at some future point in time a current CPU gets neutralized
Intel is the problem. There is no future with Intel if you want full control over the software on your computer (and AMD is the same problem).
You are implying that this was a deliberate deception on Purism’s part, but it was Purism employee Matt DeVillier (MrChromebox) who told us that the Intel ME can’t be neutralized (~90% of the code replaced with zeros) in the L14 and Mini, so this doesn’t look like a case of deliberate deception.
To me this looks like a case of poor communication within the company and there only being one employee who does the Coreboot ports and really knows the technical details. The articles on the Purism web site about the neutralized ME were written before DeVillier joined the company and DeVillier works remotely, so it doesn’t surprise me that the changes in the ME may have not been communicated inside the company.
It is also worth pointing out that Purism was the first company to sell PCs with a disabled ME and was the only company (as far as I know) that sold PCs with the ME neutralized. At this point, System76, TUXEDO Computers and ThinkPenguin also disable the ME, but I doubt that would have happened if Purism hadn’t done it first and provided the commercial pressure for the other Linux laptop sellers.
Sorry if my English communication skills are not that sharp. I am implying that I find this curious, this is it. Whatever the reason, I don’t know. You might be right. It may be a communication problem… But in a company that employs what? 25 people? That might be considered curious too. I mean, come on. The neutralized ME is one of their big features. It was advertised as neutralized. It seems to me, from a customer perspective, that so many people miss the opportunity here to connect the dots. Is there no last check up before shipping a product?
Purism has 41 employees or contractors according to its web page, but the important point is that DeVillier works alone and remotely. I have worked in a similar situation with a tech company about twice the size of Purism, and I often didn’t communicate the technical details of my work to anyone at the company. As I recall, DeVillier had several technical problems with Coreboot when the Mini was launched, so his conversations with the management at Purism were probably focused on fixing those issues.
You wonder how Kyle Rankin didn’t know, but it doesn’t surprise me, because the Wikipedia article on the Intel Management Engine and the me_cleaner documentation don’t mention this change. I did a Google search for “Intel changes Management Engine 8th generation” and many other variations with “Whiskey Lake”, “Coffee Lake”, “disable” and “neutralize” and I couldn’t find a single article talking about this change in the ME.
You would have to be pretty deep in the technical weeds to know about Intel changing the Management Engine to no longer allow the code to be replaced with zeros, because this hasn’t been publicized on any of the tech news sites (at least I haven’t been able to find any articles about it with a Google search). I’m the type of person who reads the release notes every time there is a new Coreboot version, and I didn’t know about it, so it doesn’t surprise me that Purism’s management didn’t know.