What about code running on hardware inside the computer?

Is all code running on the electronics inside the computer also open source?
What about the microcode on the CPU?

1 Like

No, Librem 13 & 15 are using a modern Intel chip which has the mystery, not-open code. Even Libreboot systems have some of this, but the specific concern with modern Intel chips is ME and AMT.

1 Like

Code running on the electronics is either free software, or is treated as a circuit, meaning it cannot have the software (firmware) on it updated, with the exception of storage drives and CPU. Here is a diagram we put together to help understand where we (and the community) are at. Storage drives have firmware that is not-yet-freed, but there is also an option to use drives (nvram) that have no firmware, which we have not finished our security evaluation of. So we may be able to leap-frog that issue and use technology that has no firmware for the drives.

The CPU is another animal altogether. We use x86 Intel CPUs, which use the Intel ME and FSP binaries. IT DOES NOT USE AMT. This is a common misconception. Intel ME is a nonfree binary provided by Intel that is used in the BIOS/Coreboot and loaded onto the CPU; the Intel FSP is also a binary used with the BIOS/Coreboot. We have a petition you can sign for us to provide to Intel to show how many people are interested in having an ME-less design.

The Intel AMT is NOT the same as the Intel ME. And Purism does not include nor utilize any CPU that supports AMT. Furthermore, AMT requires THREE things to allow remote management/access.

  1. A CPU that has Intel vPro, which means AMT support — Purism does not use CPUs with vPro (nor AMT)
  2. A Commercial version of the Intel ME — Purism uses the smaller consumer version of the Intel ME
  3. An Intel network card — Purism uses Atheros or Realtek network cards

Therefore, the threat everybody talks about, specifically remote access exploits through Intel AMT, is not possible on Purism products because we do not have any of the three pieces of the chain needed to utilize AMT.

However, we do not remove all threats, because we are using a consumer version of the Intel ME, which is still a binary that we do not have the source code to that runs on the CPU, and this is very bad, just not as bad as a binary PLUS the trifecta of control mentioned above.

I hope that helps

1 Like

Thanks for the detail. I stand corrected on the distinction between ME and AMT.

1 Like