I’m an AMD fanboy. Is that a logical argument? No. But that’s just the way I am.
I’m pretty confident of being able to stick Coreboot on a motherboard’s flash chip on my own, so that’s a service that I don’t need to pay for. My “external programmer” (read: Raspberry Pi with a SOIC clamp) can handle any difficulties that the board’s BIOS might choose to throw in my way.
Are you such a hard fanboy that even worse security and less freedom do not bother you? You cannot neutralize and disable the PSP spying module in AMD processors, while in Intel ones you can do that with ME.
Not completely true, as it depends on the architecture involved. Everything from Nahalem to Broadwell still has some IME modules left, which are ROMP and BUP. After Broadwell, which is Skylake to now, there are at least 4 modules, rbe, kernel, syslib and bup. While Purism has been able to neutralize most of the IME, their progress is currently locked by me_cleaner, and they have been unable to successfully neutralize the IME in their lastest product offerings, which are the Librem Mini (v2) and Librem 14 (v1).
You can learn more about the me_cleaner tool used by Purism in the URL below.
If Purism is able to completely reverse engineer the remaining IME modules, I would consider purchasing a hypothetical motherboard bundle from Purism, but as it stands, the risk of a theoretical attack using the remaining IME is too great to justify the expense.
This is assuming that Purism still intends on using x86.
Yes I would if Purism already has them in stock. No to pre-order, back order, or crowdfunding campaign. I’m still waiting for my L5 phone I ordered a couple years ago. That’s the reason I have yet order one of their laptops or Librem mini. If Purism sells their components thru other sites like Newegg then chance Purism would be more recognizable, spreading privacy and security knowledge deeper into variety communities that the wolves aka (Microsoft, Apple, Nivida, Facebook, and rest of data-sniffers) are struggling to keep their sheep unconscious.
For me, my days of tinkering like that are over. I want a fully assembled and quality tested endpoint that runs Linux - my OS of choice for the last 20 years. Others will have different journeys. This is mine.
The ability to disable the ME is in my opinion the only thing Intel processors have going for them, and my understanding is that more and more of the ME has to stay enabled on newer chips for them to work.
AMD is much more user-friendly and generally a better value for the performance you get. It’s a shame there hasn’t been progress (as far as I’ve heard, anyway) on disabling the PSP.
I think Intel and AMD are converging on the same unsatisfactory state of affairs - a homunculus CPU that you simply can’t disable, and nor can you change the code that runs on it, and likely nor can you audit the code that runs on it.
This is the antithesis of freedom. This is the opposite of what Purism is trying to achieve.
I wouldn’t quite go that far. I am happy to install RAM and/or disk. Beyond that, I want an assembled, complete computer.
I think that will run into lack of economies of scale.
Perhaps the next logical step would be … what about that Librem Mini v3 has a standard mobo size?
At which point it seems like AMD would be the better choice based on the price/performance and their support for features like ECC memory that Intel disables on its consumer-grade CPUs. Unless Purism wants to look into a POWER-based system.
I did a search to see if there had been progress on disabling the PSP, but unfortunately found nothing promising. A group called CTS Labs claimed to have found 13 vulnerabilities in AMD CPUs in 2018 which they called AMDFLAWS, and even said they were interested in working with libreboot/coreboot to get them to run on AMD CPUs, but aside from one talk in 2019 (after all of the vulnerabilities were patched) and apparently an initial disclosure report that is no longer available, they haven’t published anything and there doesn’t seem to be any current effort on their part to contribute to libreboot/coreboot. Linus Torvalds said it was all an attempt to manipulate AMD’s stock, and given that CTS Labs seems to have gone completely dark after this talk (their AMDFLAWS technical paper is still “coming soon” on their website) I’m inclined to agree. Even if that’s not the case, they apparently have no real interest in making these exploits useful to free software projects.
there is a LOT of political pressure these days on chip makers …
the best product would be a fully open-architecture (like RISC-V) that is very power efficient and can be used to compartmentalize various www activities. namely you would buy a FEW of those and use each for different www activities …
the more demanding desktop/workstation graphics workloads can be computed WITHOUT internet access most of the time … STILL
Does this mean we are doomed? Is Purism fighting a losing battle? For instance, could Intel come out with an ME next year that Purism simply cannot disable (or at least not without rendering the CPU useless)?
If this is the case, now might be time to buy Purism computers in bulk and stash them away for use in the coming dystopian nightmare.
One answer to that, given that the ME is 100% black box and has unlimited access to the system, is “no”.
If you have a separate dedicated NIC then you avoid certainpractical attacks although I don’t see any reason why the homunculus CPU firmware couldn’t in theory contain a device driver etc. for the separate NIC.
Network access (trojan horse for remote inwards access, exfiltration) is only one part of security fail. The homunculus CPU could be used by a legitimately authorized local user to conduct a privilege escalation attack.
The security fail is limited only by your imagination.
If I had the money to buy a purism desktop, I would buy a powerpc computer from raptor CS. I don’t understand the point of continuing on and on about this already lost battle against ME and PSP on x86. You cannot remove either as they are intrisic to the CPU on if it works or not. ME is disabled woth HAP bit for NSA and other glow in the darks but that is it. The values behind these companies show no care of changing and instead only becoming worse in this area.
Also, if this wasn’t clear enough as someone previous has already said on this thread but nobody is really listening, the ME is still there on purism products. They can use whatever fancy word whether neutralised or anything else but it is still there. This is why they haven’t tried to get RYF for those products because we all know it is still there. They’ve disabled it in the form of breaking it’s legs and cutting an arm, but it still exists and starts before anything else so if mr spy at intel were to come along and activate a super secret backdoor at beginning before booting, who is saying it can’t be hacked? Even if they did remove it fully, then you wouldn’t have microcode to protect your computer. With x86, you ONLY have the option of being insecure.