Situation with Intel ME

Hello,

I’ve tried to search the forum, but I could not find answers to some questions I have about the situation with Intel ME.

  1. In this news article about purism written in 2014:

http://www.pcworld.com/article/2860446/this-freedom-loving-laptop-discovered-how-to-make-intel-cpus-boot-without-closed-firmware.html

it is said that the CPU itself “usually” looks for a digitally signed firmware, which is closed-source, but

it discovered that the fusing of the CPUs can be set by the motherboard manufacturer to either look for digitally-signed firmware, or not to. And no, it’s not some dark conspiracy to fuse Intel-based laptops to always look for proprietary firmware—it’s just that no one ever asks for anything else. And, well, you’d have to be building laptops to ask for such a configuration.

So, my first question is: do I understand correctly that it is possible for Purism, a laptop-producing company, to buy CPUs from Intel that do not look for digitally-signed firmware? Do I understand correctly that Purism started buying such CPUs from Intel from the very beginning?

  2. If the answer to the first question is “yes”:

If I understand correctly, the Intel ME chip is another CPU on the motherboard, which also requires firmware and which also checks for a digital signature. Is it possible for Purism to buy a version of this chip (or the whole motherboard) that does not check digital signatures? Were there such tries?

Purism’s petition https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/ asks for an “ME-less design”, which can be understood differently: as a motherboard that does not have an ME chip at all. And this (to develop a new motherboard with a different list of components and different circuits between them) would mean, as I can imagine, much more work for Intel than just to switch off the digital signature checking (which was already done for the CPU itself, if the answer to the first question is “yes”).

I realize that this idea might be obvious if my understanding is correct, but I could not find an answer to my questions (or find out where my understanding is incorrect).

By the way, I have found the information https://puri.sm/posts/intel-me-less-petition-goal-met-early/ that “our next step, in this long journey, is to provide the petition results to our Account Manager within Intel”. This was written in June 2016. Is anything known about any replies from the “Account Manager within Intel”?

Technical question: I’ve seen that some topics on this forum have the “intel me” tag, but I could not find how to attach one to my own topic.

Hi katuri. I’m not sure how to answer your question 1. The answer to question 2 is no, and that’s the reason we tried to push Intel to manufacture an ME-less design (they are the ones who came up with such a name, not us). But have you read the news about our Coreboot progress: https://puri.sm/posts/librem-13-coreboot-report-february-3rd-2017/? You can subscribe to our news blog to stay up to date about this and other news. Hopefully this will answer all your questions. We will soon have some exciting news regarding Coreboot support.

I’m still confused. First, does “the answer to question 2 is no” mean that “Purism tried to contact Intel, and Intel refused (or didn’t reply)”, or does it mean “Purism didn’t try”?

In both cases it seems strange to me to “push Intel to manufacture an ME-less design”, i.e. (as I understand it) to “push Intel” in the direction which requires more work for them (developing a new chipset), rather than to push (or keep pushing, or at least keep pushing simultaneously) in the direction that requires less work (something like switching off the flag “the digital signature must be correct”).

Yes, I did read the Coreboot report, but it still didn’t clarify the situation with the petition for me. A guess could be that the “Account Manager within Intel” didn’t reply, and then there were no further attempts at pushing Intel, because Coreboot is considered more important. But this is just a guess; I don’t know if it is correct.

Also, I am still wondering about question 1 in my original post.

1. In this news article about Purism written in 2014 it is said that the CPU itself “usually” looks for a digitally signed firmware, which is closed-source, but
"it discovered that the fusing of the CPUs can be set by the motherboard manufacturer to either look for digitally-signed firmware, or not to. And no, it’s not some dark conspiracy to fuse Intel-based laptops to always look for proprietary firmware—it’s just that no one ever asks for anything else. And, well, you’d have to be building laptops to ask for such a configuration."

So, my first question is: do I understand correctly that it is possible for Purism, a laptop-producing company, to buy CPUs from Intel that do not look for digitally-signed firmware? Do I understand correctly that Purism started buying such CPUs from Intel from the very beginning?

Purism can buy Intel CPUs in a wide array of states and configurations from Intel, and we also get them in a pre-manufacture unfused state, which allows us to fuse the CPU into configurations that best support user control, or even leave it unfused. The most recent helpful example I can share is that because Purism gets CPUs with Boot Guard unfused, we can scrub the ME region. The “digitally signed” firmware you’re referring to takes many forms; we can avoid all except the ME digital signature check, but we CAN neuter the ME, leaving just the signature check and hardware bring-up blocks in place. There will be a lot more announcements on this in the coming months. Yes, Purism has always bought CPUs that meet the following criteria: no vPro (no AMT support in the CPU), no fuses fused, in manufacturing mode, with VT-d/VT-x supported.

2. If the answer to the first question is “yes”: If I understand correctly, the Intel ME chip is another CPU on the motherboard, which also requires firmware and which also checks for a digital signature. Is it possible for Purism to buy a version of this chip (or the whole motherboard) that does not check digital signatures? Were there such tries?

The Intel ME is a region within the CPU that requires a signed binary; it is not possible for us to buy a CPU that does not have the Intel ME loaded or signature-checked. You may be referring to Intel AMT, which we avoid; see here: https://puri.sm/learn/avoiding-intel-amt/

Purism’s petition https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/ asks for an “ME-less design”, which can be understood differently: as a motherboard that does not have an ME chip at all. And this (to develop a new motherboard with a different list of components and different circuits between them) would mean, as I can imagine, much more work for Intel than just to switch off the digital signature checking (which was already done for the CPU itself, if the answer to the first question is “yes”).

Intel would merely have to allow the following:

  1. ME-less, meaning a zero-byte ME is allowed to run.
  2. ME required, meaning anything non-zero-byte must pass the signature check.

Purism would be fine with that, because we have confirmed a zeroed ME operates on our hardware (for 30 minutes); we have also confirmed that a neutered ME (all networking and backdoors removed, leaving only the signature check and the signed smaller hardware bring-up partition) operates fine on our hardware. More on this in the coming months…

I realize that this idea might be obvious if my understanding is correct, but I could not find an answer to my questions (or find out where my understanding is incorrect).

By the way, I have found the information https://puri.sm/posts/intel-me-less-petition-goal-met-early/ that “our next step, in this long journey, is to provide the petition results to our Account Manager within Intel”. This was written in June 2016. Is anything known about any replies from the “Account Manager within Intel”?

We submitted the petition, and Intel has been in semi-regular communication with regard to the ME-less design, but nothing can be published with regard to that until/unless Intel acts upon a release of an ME-less design. It is important to stress that Purism is pursuing numerous avenues in parallel: neutering the ME, operating without microcode, requesting that Intel create an ME-less CPU, locating the watchdog timer to disable it (allowing a zero-byte ME), among other things.

Thanks for writing!

Hi Katuri!..

You’re the future of the Purism Librem effort!.. keep up the excellent work! We’ll only make it if we fight for every last bit, of every last byte!.. and then-- and eventually!-- for every last Qubit!

You know… this whole process reminds me of Keanu Reeves, in the Matrix! And the adoption of the ME-less design, is comparable to the acceptance of the “Red pill”!

Neo had one important choice to make: decide to step out of the fake world he was living in, or decide to break free, and experience the world as it actually is!.. and could be! And sadly, many are content to be (led) by the “faux world” of “Matrixware Interests”!.. and “Matrixware politics”!

The Purism “Matrix-free reality” is a more difficult world!.. for certain! Nevertheless, it will prove to be MUCH MORE POWERFUL!.. and MUCH MORE REWARDING!.. than MOST can even BEGIN to imagine!

Please!.. no emails!