Intel vs AMD - What is the best option? ME - PSP

Hello! :3

So this is really just about me wanting to get a new computer and having a hard time deciding on what CPU to buy, as my current computer isn’t able to support virtualization, which I never thought I would need. But here we are; I got really excited when Whonix 15 got released.

That was a bit off topic, so straight to the point. I have heard that Intel has this ME, and AMD has PSP. And they both got backdoors (obviously, as they won’t release the source code).

And I have seen me_cleaner as an Intel option but isn’t it dangerous if used incorrectly? Like the OS shutting down after 30 seconds if you remove too much code. And would it be “profitable” if I went through the trouble of doing it myself? Thinking about what I could break and the cost.

AMD doesn’t have a PSP cleaner as far as I know. But it is still unknown what it does. ME might be more dangerous than PSP…

I have no problem using Intel over AMD or vice versa. Right now I have an AMD processor. Please help me :stuck_out_tongue:

https://forums.puri.sm/t/should-the-next-librem-be-amd-based/3010

Much as I hate to admit it (I’m an AMD fanboy), Intel is probably better for this* - there are known methods of crippling the ME and I know of no investigations into exactly what the PSP does, what it can do and whether it can be lobotomised in our favour.

*Only for newer stuff. Older, slower AMD chips do not have a PSP - the FX series are the latest and fastest x86 CPUs which do not have another CPU acting as the system’s gatekeeper. I’m running them in my main, games and server machines right now and it’s one reason why I’m reticent about getting a Ryzen upgrade.

2 Likes

There is no difference.
Both contain black boxes, and even if you can clean some part of ME there are still a lot of black boxes and hidden code.

The only good option available right now is Raptor CS systems like their Blackbird with a POWER CPU; there is no closed firmware, with the exception of the NIC, but it got reverse engineered so an open firmware should be released in the next months. The con is that you can use only Linux, which is not a real con for me, but you know some people like Windows or Hackintosh. Another big con: not every program runs as it should because of the lack of proper modules, i.e. there is no JIT yet for Firefox, which means JavaScript runs in software rendering and some pages will be slow as hell; someone is working on it, btw.
I (like to) think in the next years we will have more options thanks to OpenPOWER, RISC-V and companies like Purism who do their best for open hardware. Unfortunately x86 is not an option for privacy-minded people, and if you have to buy an x86 system just buy what you like; there are no real differences.

@Caliga

Like kakaroto said;

No, it’s not toggle-able. The post you linked to is from a misinformed user, this looks like it only disables the BIOS communicating with the PSP, but the PSP is still active.

I believe this is correct, as something like that would just not exist. If they also hide the source code there must be something PSP does that is “important”. And to just disable it just doesn’t feel right.

Um. So you recommend Intel then? I didn’t understand the meaning of the FX series does not have another CPU acting as the system’s gatekeeper. :stuck_out_tongue:

@eagle Thanks for your input. Yeah, I hope something happens with RISC-V too.

I considered buying the ASUS Chromebook C201, since it can run with 100% free software, but I ultimately decided that I couldn’t live with such a low-powered processor.

Here are the PCs that are compatible with Libreboot:

Desktops (AMD, Intel, x86)

Gigabyte GA-G41M-ES2L motherboard
Intel D510MO motherboard
ASUS KCMA-D8 motherboard
Intel D945GCLF
Apple iMac 5,2

Servers/workstations (AMD, x86)

ASUS KFSN4-DRE motherboard
ASUS KGPE-D16 motherboard

Laptops (ARM)

ASUS Chromebook C201

Laptops (Intel, x86)

Lenovo ThinkPad X60/X60s
Lenovo ThinkPad X60 Tablet
Lenovo ThinkPad T60 (some exceptions)
Lenovo ThinkPad X200
Lenovo ThinkPad R400
Lenovo ThinkPad T400
Lenovo ThinkPad T500
Lenovo ThinkPad W500
Apple MacBook1,1
Apple MacBook2,1
2 Likes

If I choose to go with Intel, does the newer generation of processors like the 20-series have more stuff put into ME than the 10-series? Or can they remotely do live OTA updates anytime they want? So it doesn’t really matter if I buy the 20 or the 10-series? Or is it even possible to update it remotely?

If you go with Purism, only a fraction of the code remains and it stops executing after a second.
Fully stopped. The core it is executed on is halted.
(None of the regular cores that you know about.)

AMD seems to be on the “wave” currently with their 7 nm process. Intel is behind.

In regards to the FREED AMD side, the G34 socket from the workstation/server side seems nice, but the fact that I can’t use an AM4/TR4/SP3 Noctua-based cooler on this socket seems a bad deal to me personally.

If your threat level is low to none then I would just buy a signed FSF-approved gigabit NIC and be done with it.

The most concerning is the iGPU/dGPU side of things. No alternatives here, since the firmware is locked nice and tight and the open source driver is best on the AMD side (but limited depending on your use case scenario).

In short: yes, Intel is unfortunately the best choice right now. Not because they sell CPUs without an evil overlord, but because their evil overlord is the only one which we know how to (mostly?) disable.

Better the devil you know than the friend you don’t.

(warning: titanic wall of text) Gatekeeper explanation:

If you think of the ME or PSP, you might consider it as a secondary CPU - after all, it’s not the one which was advertised to you, you might not even know that it’s there and it is definitely not the chip with the highest performance. However, it is the most important processor in your system. The CPU has its own privilege levels, used to separate users from one another (enforced by the kernel), users from the OS (normal/root user); and OSes from each other (virtualisation). There are even parts of memory that the CPU cannot access - the system management mode (SMM) tables and also the parts where the ME/PSP stores its own code and data.

The ME has no such restrictions. It can read and write every single part of memory without interference - even the SMM region. It can peek and poke into every single hypervisor or kernel protected area. If your system has selective memory encryption, “trusted computing” functionality or other similar things - that’s the ME handling that. It takes over, does something and then returns control to the CPU without the CPU having any idea as to what has just happened. It even determines whether your system will even boot up - the ME shuts down your computer in 30 minutes if it’s not happy; AMD chips won’t even start until the PSP explicitly releases the reset line.

It will only execute code which carries Intel or AMD’s digital signature. You have absolutely no control over it. In short, with something like this active and running, you are not the true owner of your computer. This chip is. And so is anyone who can run code on it.

When I say “gatekeeper”, this is what I’m referring to - this tiny little “secondary” CPU is the real master of your system. It might be quiet for the vast majority of the time, but if it speaks up then nothing can disobey its orders.

All Intel CPUs after Core 2 have the Management Engine built in to the CPU itself. Core 2 had the ME as part of the chipset (I actually had an nVidia chipset for my ancient Core 2 system, so it didn’t have this management engine. It is, however, still vulnerable to Meltdown).

AMD’s equivalent, the PSP, got more attention recently when it was noticed that all Ryzen chips would have the PSP built in. Their older desktop CPUs, the FX series (sometimes called the “bulldozer” series, the particular one I’m using right now is an FX-8300), did not have this “feature”. This means that the master of the system is still the user who set it up. It should be noted that the PSP is not a new addition with Ryzen; it existed in their APU series of chips, which were low-power integrated graphics laptop parts.

As for why they said “no” when people asked for the PSP’s code to be released, I imagine that the two main reasons are:
a) They probably licensed the base OS from someone else and therefore can’t give it away.
b) It’s what implements any DRM stuff which their chips support, which they would be explicitly prohibited from sharing.
c) The paranoid amongst you would give a third reason: they don’t want their backdoors being publicly known.

Honestly, the community made the wrong request there. A much better wish would be “please release a barebones firmware which does the absolute minimum required to boot the system and then halts the PSP, we don’t need any of the special sauce, just the signed image from you and also the code with a reproducible build process so that we can see that what we compile matches what we get”. That wouldn’t have the issue of releasing any proprietary code, it wouldn’t expose any DRM stuff and it would have been harder for them to reasonably say “no”.

Better for us, but less likely and requiring more effort on AMD’s part would be “we’d like a signed stub firmware that does everything above but can also load another firmware that we make and build ourselves”.

In any case, this is just wishful thinking on my part.

5 Likes

When you say “the CPU itself” - do you mean the whole CPU die (the module that fits inside the socket on any non-embedded desktop motherboard)?

Yes. The CPU module. The very next sentence clarifies that:

as in: not part of the CPU itself :wink:

Well damn. I actually read through all of that. Thanks a lot for taking your time writing all that. I guess it doesn’t really matter if I go Intel or AMD, as I have been running PSP for a few years already XD

But I might actually go Intel.