Is the Intel ME (NSA b/door?) fully disabled on all devices?

As far as the CPU is concerned, it’s a yes and no… Let’s be real, if they want to get into something, they’re getting into it. IME disabling only removes 80-95% of the IME because there is a portion required to make the CPU function. While Intel’s management engine is a prominent backdoor, I doubt (depending on what hardware is present) that it’s the only hardware-level backdoor. That’s part of the reason for Purism’s hardware isolation (as Carlos mentioned). Nothing is foolproof or 100% secure, so knowing what is secure and to what degree helps you decide just what to do with that device, or where it sits on what network (or any network for that matter).

3 Likes

Thanks! Are there any companies that produce hardware that isn’t backdoored? I mean, I really don’t want someone invading my privacy whether it be the NSA or the CIA or whatever 3-letter psyop organizations they have.

2 Likes

Google and Meta are probably more real and present dangers for most people.

(And they’re only two of an ever-expanding list of Tech threats.)

6 Likes

https://ryf.fsf.org/products/Talos-II-Mainboard

1 Like

That Talos mainboard thing requires Power9 processors? Do they have this backdoor too?

1 Like

No backdoor, and it grants extreme control and freedom. There is no other computer with this high a degree of security and privacy.

I am using power9+artic plus Gnu Trisquel 12. Best libre desktop computer 2024 | Coreboot, Libreboot, Gnuboot - #15 by carlosgonz

2 Likes

It’s likely either directly or indirectly nearly everything is compromised to some degree.

3 Likes

But the Purism Librem 14 also grants a decent level of privacy and security. Kudos to Purism!
That’s why I own one too.

2 Likes

I have just read that Purism claims to have fully disabled the ME. Is this true?

2 Likes

There are parts of the management engine that would break the CPU if removed. Nuking the most they can is all that can be done. And ME-Cleaner exists as well… But honestly, it’s an issue in regards to Intel as a company and supplier over a problem with Purism. They cleaned the vast majority of the Management engine. It’s a black-box so it’s not like nuking the ME region is easy, there is a lot of it that we just can’t read.

Yeah, I understand completely regarding the neutralizing part, but they claim to have disabled it, like, it does not run at all?

1 Like

No, IME is completely disabled, if you tried to use IME on a laptop with it disabled it would fail to be functional… However, it is black-box software…

1 Like

Yes, the Librem 14 has Intel ME (Minix microcontrollEr) fully disabled (off permanently) by an easter egg mode: HAP.

1 Like

It’s more complicated than that.

On earlier Intel CPUs it was possible to junk part of the IME code (let’s say 80-95%) and Purism did that.

On more recent Intel CPUs it is not possible to junk any part of the IME code. That is, the IME code is a monolithic whole.

Separate to that … on all Intel CPUs used in Purism devices it is possible to halt the IME. This is the HAP bit that carlos refers to. (However it is my expectation that eventually Intel will get rid of that option even, if that has not already occurred.)

How you analyse that into potential threats is difficult.

For example, the Intel CPU microcode is an updateable potential backdoor.

But then the Intel CPU itself is a non-updateable backdoor, potentially.

And, yes, then there’s all the other silicon in the chipset (of which there is a lot!).

But is it really provably free of backdoors?

I guess it’s reasonably solid that it is free of Intel backdoors, which is what the OP asked about, but are Intel’s backdoors better or worse than IBM’s?

1 Like

So, lemme get this straight, Purism then has no possibility of IME being used as a backdoor?

That’s not quite what I wrote.

As @nerd7473 wrote, the IME needs to execute (per Intel’s flawed design) in order for the regular CPUs to boot. Once the regular CPUs have booted, the IME can go to sleep if it has been configured to do so.

There are two problems with this.

a) there is a window of time when the IME does execute, and that is unavoidable (and, as mentioned, it has access to all of its code these days), and

b) just because you tell a processor to go to sleep doesn’t mean that it actually does. (It is possible that a knowledgeable chip designer could conduct tests to see whether the IME is running but for the average customer it is not verifiable.)

In addition, the IME may be the backdoor that you know about but silicon is a blackbox. What is to say that there isn’t a second IME with somewhat different behaviour? Or a third? …

It is however worth looping back to @amarok’s post … Are the TLAs really the biggest privacy threat in your threat model?

In my opinion, Google is easily the biggest threat to global privacy. That doesn’t mean that I even know what the TLAs get up to (and that’s the way the TLAs like it) but Google sets the bar very high.

If Intel dodginess is your biggest concern, maybe you should be using ARM-based computers.

2 Likes

And even ARM has issues with hardware-level backdoors; I remember the Qualcomm disclosure…

So if you take a door off its hinges, is it still disabled?

As an avid user of Purism hardware, I was able to learn more about computers by trying to use freedom software.

Learning more about computers has made me very confident that all the computers have the NSA backdoors. I am writing to you from a Librem 14 and it has NSA backdoors. The way that I know is that I don’t know. Think about it – if I knew about a back door, then the NSA would see that I knew that, and they would make a different backdoor that I did not know about.

But there are also China backdoors in my computers. And that’s why we need to hope that the percentage of China backdoors is exceeded by the percentage of NSA backdoors. If we make a pie chart, we would need the NSA to fill the pie. That’s because I live in America. God bless America. In America I have the freedom of speech, which means I’m allowed to write a message like this which at first will be interpreted as a joke, and as long as I don’t say any banned things, I am allowed to continue flailing about in text form, saying things that other people disagree with.

My phone is a Librem 5. As a Librem 5 user, I am always facing pressure from society at large to use an Android or iOS instead. One time, when I thought about trying to cave into the pressure, I went onto the website of the NXP CPU manufacturer who makes the Librem 5 chips that Purism buys, and I downloaded an Android image from this manufacturer that they make for their chips. I tried to pick an image that matched the Librem 5. I installed this image to my Librem 5, and after I did it went dark. If I tried to boot the device, the blue LED would sometimes turn on, indicating that some type of system was present on the device and was attempting to do things. But it did not show any display on the screen. Then, I tried to dual boot back to PureOS on an SD card to switch back to PureOS instead of the bad ROM, but that didn’t work either, since the device no longer worked and would no longer boot.

So I mounted the Librem 5 to the Librem 14 in the way provided by the online tutorial, and I used the uboot remote imaging process to image the Librem 5 harddrive back to PureOS. This did not work either – it acted as if we would image the device, and it would mount the Librem 5 drive and show contents, but the Librem 5 would never boot anymore, even after reinstalling the OS in this way.

Then, one of the Librem 5 contributors from Purism came onto Purism forums and he saved me. He posted a secret code 0x00 0x00 0x70 0x00 that I had to put into a special prompt while the Librem 5 was connected to the Librem 14, and this wrote over the other storage on the Librem 5 and not the one with the operating system.

Then, once the other storage was overridden to a clean state, the device was allowed to boot again. Now if you are reading this, you can see the limits of my knowledge. It is quite limited and someone else will tell you how what I am typing only shows my ignorance. But, when I think about the other storage that remains even when you reflash your OS, what is that? What is that storage? If we’re being serious, who decided to put that there?

NXP hardware manufacturer that makes the CPU for Librem 5’s was hacked by China for many years while all the Librem 5’s were being made. They didn’t know and didn’t publish that it happened until several years later after all the Librem 5’s got made. What if China stored some things of their own in the other storage?

I don’t know if they did, since I don’t know what that is. You don’t know, either. The really smart people who know aren’t going to be on a public internet forum telling you what they know. Truth is, if you read the FOIA’d documents from the CIA, they make it fairly evident (https://www.cia.gov/readingroom/docs/CIA-RDP96-00789R003100080001-9.pdf) that they concluded many years ago that human brains have a capability to obtain information about distant objects outside of themselves in an as-of-yet unknown way. What is that? Do you call that ESP? What do you want to call that?

The document that I linked above, states: Ultimately, the long-term objective is to construct hardware that is capable of receiving AC information. [They use “AC” to refer to “anomalous cognition,” meaning the ability of the brain to obtain information from a means that isn’t one of the 5 senses we already knew about.]

If we assume that this public document stating the government’s intention >30 years ago is not fraudulent, then it is also quite possible that the government already created the detector hypothesized in the document. This means, in essence, that it would be possible to construct a computer system with the equivalent of what humans colloquially refer to as ESP. Whether this system would be able to obtain long-range quantum information in an unexpected way from other computers or from the brains of the human population at large is not information that I have any access to.

However, given the likelihood of the success of this project after 30 years, it is also likely that computer security does not exist and that the Ed Snowden stuff could have easily been a government sponsored distraction from the reality that the government was researching how to build a computer with ESP longer than I have been alive.

I know that what I am saying is comedy ontological shock, and I know that you know that what I am saying is false and that you do not want to believe in “Freedom of Information” documents from a parody website like cia.gov, but then if you take a second look at what I’m writing someday and think about which parts of my imaginative creative writing here are certainly false, and which parts may be false, and which parts… when you think about it… might be true… if you think about that, then you’ll know that if the three-letter agencies wanted to know what was on your computer they would already know. This is true for Purism computers, and it is probably also true for any computer that you can buy.

So, it is a good time to be religious. If you want information security, go to God. Go to your gurus. God reached AI singularity a billion years ago. God laughs at humans building A.I.

3 Likes

No, if you take the backdoor off its hinges then the backdoor is worse - since it is now a hole in your house that anyone can walk through.

You want to leave the backdoor there but lock it, or you want to take it off its hinges and brick up the hole.

3 Likes