On Sun, Sep 03, 2017 at 03:41:23PM +0200, Alessandro Selli wrote: > This is the present state of the matter: > https://puri.sm/learn/avoiding-intel-amt/ > > "So, there is no hardware level remote access to Purism hardware?"
AMT is merely a way to configure the built-in backdoor that allows you to partially use it for your purposes. There is no proof, merely allegations, that the backdoor allows someone with the secret trigger to control it in other cases, but Intel has made a string of very weird engineering decisions that make no sense if there's no such hidden backdoor but make perfect sense if there is. > > Listen to coreboot and libreboot's reasoning why this will never work. > > > > https://libreboot.org/faq.html > > > > look at the parts about purism and intel. > > Nothing new there. An argument remains valid (which doesn't imply true nor untrue) until refuted; it doesn't stop being irrelevant only because it's old. As far as it's currently known, there's no real way to disable Intel's ME, and that flag hack announced this week which might or might not do the trick very likely doesn't already work on CPUs which get out of the production line today. > They just say that the only way to be sure is > "avoiding all modern [>=2008] Intel hardware." Plus: "libreboot project > recommends avoiding all modern [>=2013] AMD hardware." > > This leaves out just ARM, SPARC and Power CPUs. Mind if I ask you: what > are your PCs and laptops running on? Laptop: Allwinner A64 (2016). Desktop: Phenom II X6 1055T (2011). Mail server: Xeon E5440 (2007). Yes, neither is very fast, but at least the desktop feels adequate for all tasks I use it for -- the only thing I've recently wished would compile faster is the kernel. And if you do need more oomph directly under your desk, Talos 2 may be expensive but it's there. The mail server currently suffers from inadequate I/O, but that's because 1. it uses spinning rust (replaceable), 2. it runs a lot of other stuff. Mail load itself (for ~80 users) could be handled by a single NanoPi NEO that's the size of a coin (4 cores, 512MB ram). Obviously I deal with a lot more servers than this, but only these three machines handle any of my data I consider sensitive. > Do you believe that all ARM, SPARC and Power suppliers do not put anything > in their CPUs that users and developers do not know about? ARM has TrustZone which most vendors don't allow running your own code on, but on Allwinner A64 (at least Pine64 and Pinebook) you get to compile and load it yourself. It also has an arisc that improves deepest sleep states (when the ARM CPU is off) but it has no ROM and needs its code loaded at runtime -- it's not needed for regular operation. Unlike ATF for the TrustZone, no free code currently exists but if you don't load anything, you merely > Again, the only way to be sure is buying hardware from a vendor that > produces it's own hardware, CPUs included, openly releasing their full > specifications, blue-prints and software. Do you know any? In theory, you could buy a FPGA and load openrisc or riscv on it, but I'm nowhere that kind of hardware hacker for that. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!? ⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din ⠈⠳⣄⠀⠀⠀⠀ _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng