Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Quoting Alessandro Selli (alessandrose...@linux.com):

> On Fri, 8 Sep 2017 at 00:22:40 -0400 "taii...@gmx.com" wrote:
>> IBM has done a variety of bad things, but that doesn't mean OpenPOWER
>> isn't a really good one.
>
> * That the presence of a BMC chip on POWER means it has a backdoor

This among other bits was more than a little over the top, Alessandro.

I respect that you're a passionate free software person, but the existence in the initial Talos II design of an almost decade-old BMC chip for which (it has been said) there is not public documentation does not establish that 'it has a backdoor', and you are doing no favour to public discourse by so claiming.

As I pointed out, FSF expects to give an extremely rare Respects Your Freedom certification to the Talos II system (subject to checking the final design, but they and Raptor Engineering have reportedly been coordinating closely), so, unless you're prepared to argue that Alessandro Selli understands free software but FSF does not, you really ought to reconsider your rhetoric.

Thank you.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Quoting Alessandro Selli (alessandrose...@linux.com):

> No, I just pointed out that the fact that IBM does indeed put hardware
> and software remote-control devices inside its chips is an established
> and documented truth.

[...]

Noted without comment:

https://www.fsf.org/blogs/licensing/support-the-talos-ii-a-candidate-for-respects-your-freedom-certification-by-pre-ordering-by-september-15

  We've previously supported [link] the work of the folks at Raptor Engineering. This time, rather than a crowdfunding effort, we are asking you to support their work by pre-ordering the Talos II. [link]

  [...]

  For the future of free computing, we need to build and support systems that do not come with such malware [RM: Intel Management Engine, proprietary boot firmware, and the like] pre-installed, and the Power9-based Talos II promises to be a great example of just such a system. Devices like this are the future of computing that Respects Your Freedom. That is Raptor Engineering's ultimate goal as well, to create a machine that can pass RYF certification. They've already been working with us on the details, and things are looking good. We'll have to do another evaluation once it is actually produced to be sure it meets our certification standards, but we have high hopes.

Author Donald Robertson, writing on behalf of FSF, goes on to ask computer users supporting software freedom to place pre-orders for the Raptor Engineering Talos II by Sept. 15th, 2017.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Fri, 8 Sep 2017 at 23:55:08 -0400 "taii...@gmx.com" wrote:

> On 09/08/2017 07:18 PM, Alessandro Selli wrote:
>
>> On Fri, 8 Sep 2017 at 00:22:40 -0400 "taii...@gmx.com" wrote:
>>
>>> On 09/07/2017 02:18 PM, Rick Moen wrote:
>>> Quoting taii...@gmx.com (taii...@gmx.com):

[... space-saving ...]

>>> Mr. Selli has said:
>>> * That IBM's POWER CPU's have a hardware level backdoor and have had
>>> backdoors in the past whilst providing no real evidence to support that
>>> those claims,
>> I did provide with the evidence:
>> https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html
> That .pdf you linked is for IBM's x86 products, which they stopped
> making 7 years ago.
>
> Irregardless that is a BMC not a backdoor - a BMC is a standard server
> feature

It's a standard server backdoor. The BMC chip implements the IPMI protocol:

https://www.ibm.com/support/knowledgecenter/linuxonibm/liaai.ipmi/liaaiipmi.htm

  IPMI is a standardised message-based hardware management interface. A hardware chip known as the Baseboard Management Controller (BMC), or Management Controller (MC), implements the core of IPMI.

The only good IPMI is the one that isn't there:

https://web.archive.org/web/20170709023319/http://fish2.com/ipmi/itrain-gz.html

  An embedded server called the BMC implements IPMI and lives on server motherboards; it typically runs Linux and has its own little CPU, memory, and storage. The BMC also provides remote web access along with email capabilities, LDAP support, emulation of remote CDs and other media, and a host of other capabilities. The BMC is powerful, and operates and controls the server at a very low level. Designed to operate when the bits hit the fan, it runs even when the server is powered off. Anyone who has control of either the BMC or IPMI (they're closely related) enjoys complete control of the server.

> and on POWER9 the code is entirely open source

Yes, of course, as it's based on Linux it has to be.

> and you can run
> whatever you please on the BMC chip as there isn't hardware code signing
> enforcement like with Intel ME/AMD PSP.

Can I remove it? I'd like to know that, because while it's good that "there isn't hardware code signing enforcement", that could just mean it's not necessary as it sits in ROM that cannot be removed without tampering with the motherboard hardware. So, can I remove the BMC? Can I have a TALOS system without a parallel OS running in its own CPU that has full control of what my OS does?

>> Why do you write easy to disprove falseness? Don't you have a minimum
>> of self-respect?
> Ah the pot calling the kettle black.

>>> he bolstered that argument by stating that IBM's work with
>>> the US military is suspect and thus concludes guilt by association.
>> No, I just pointed out that the fact that IBM does indeed put hardware
>> and software remote-control devices inside its chips is an established
>> and documented truth.
> Again a BMC isn't a backdoor

It is by its very nature and definition:

https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface

  The Intelligent Platform Management Interface (IPMI) is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware (BIOS or UEFI) and operating system. IPMI defines a set of interfaces used by system administrators for out-of-band management of computer systems and monitoring of their operation. For example, IPMI provides a way to manage a computer that may be powered off or otherwise unresponsive by using a network connection to the hardware rather than to an operating system or login shell.

[... room saving ...]

>> Again, this is a faith-based assumption as only IBM knows what's
>> inside their proprietary hardware. Anyone who's had experiences on
>> their AS400 and RS600 platforms knows how darned proprietary their
>> hardware is.
>>
>> You're free to believe they changed and they now value the
>> commoner's freedom more than the interests of the governments they
>> serve, of course. You are *not* free to write falsity and disparage
>> people who hold different opinions, though.
> I would say buying TALOS where an IBM backdoor is simply fringe
> speculation

It's a matter of fact: it has a BMC chip, which implements IPMI, which has all the characteristics and properties and functions of a backdoor.

> is much better than a purism where it is an absolute fact.

Not Purism, rather Intel: what Purism develops, they document and release as OS.

>>> * That TALOS is proprietary closed source hardware - which isn't true -
>>> as not being that is the entire point of it.
>> I repeatedly asked you if there is anyone who has
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/08/2017 07:18 PM, Alessandro Selli wrote:
> On Fri, 8 Sep 2017 at 00:22:40 -0400 "taii...@gmx.com" wrote:
>> On 09/07/2017 02:18 PM, Rick Moen wrote:
>>> Quoting taii...@gmx.com (taii...@gmx.com):
>>> I also find a bit questionable your going around attempting to tarnish
>>> the reputation of someone with a real name, while concealing your own.
>>>> Criticism isn't allowed?
>>> This is of course nothing like what I said.
>>>
>>>> I dislike when people deal with speculation instead of proven facts
>>>> when judging technical merits.
>>> Then, _address what you perceive as speculation_.
>> I apologize - I should have done that in the first place instead of
>> resorting to name calling.
>>
>> Mr. Selli has said:
>> * That IBM's POWER CPU's have a hardware level backdoor and have had
>> backdoors in the past whilst providing no real evidence to support that
>> those claims,
> I did provide with the evidence:
> https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html

That .pdf you linked is for IBM's x86 products, which they stopped making 7 years ago.

Irregardless that is a BMC not a backdoor - a BMC is a standard server feature and on POWER9 the code is entirely open source and you can run whatever you please on the BMC chip as there isn't hardware code signing enforcement like with Intel ME/AMD PSP.

> Why do you write easy to disprove falseness? Don't you have a minimum
> of self-respect?

Ah the pot calling the kettle black.

>> he bolstered that argument by stating that IBM's work with
>> the US military is suspect and thus concludes guilt by association.
> No, I just pointed out that the fact that IBM does indeed put hardware
> and software remote-control devices inside its chips is an established
> and documented truth.

Again a BMC isn't a backdoor

>> IBM sells POWER chips to both the US Military and the Chinese
>> Military, doing that is largely as to why they are still in business -
>> as the world's third maker of high performance computing hardware one
>> simply can't and shouldn't ignore the world's two largest consumers.
>>
>> IBM has done a variety of bad things, but that doesn't mean OpenPOWER
>> isn't a really good one.
>>
>> * That the presence of a BMC chip on POWER means it has a backdoor
>>
>> BMC chips are a common server feature required for remotely
>> administering a computer without headache, this one is owner controlled
>> (no hw code signing enforcement) and has full source code available to
>> the public after POWER9 is released.
> Again, this is a faith-based assumption as only IBM knows what's
> inside their proprietary hardware. Anyone who's had experiences on
> their AS400 and RS600 platforms knows how darned proprietary their
> hardware is.
>
> You're free to believe they changed and they now value the
> commoner's freedom more than the interests of the governments they
> serve, of course. You are *not* free to write falsity and disparage
> people who hold different opinions, though.

I would say buying TALOS where an IBM backdoor is simply fringe speculation is much better than a purism where it is an absolute fact.

>> * That TALOS is proprietary closed source hardware - which isn't true -
>> as not being that is the entire point of it.
> I repeatedly asked you if there is anyone who has their chips'
> blueprints, which is a prime condition to be able to call their
> hardware anything other than proprietary. You always turned a deaf ear
> to these requests.

Uhh no I didn't, as I have stated (and as you would know had you read the TALOS2 website) the POWER9 datasheets and HDL's are currently under embargo and will be released to the general public when the hardware is - the makers of TALOS 2 have them as they are a member of the OpenPOWER foundation.

>> After the release of POWER9 the board and BMC firmware sources will be
>> provided,
> Ok, so nothing available *now* from IBM is open hardware. For a
> strange reason this is acceptable from IBM/Talos, while it's a
> disgrace when Purism does the same thing. Go figure.

Again, the public will get the spec sheets and HDL's when the hardware is released - why do you consider this equivalent to purism? they will never be able to get intel to release anything, their hardware has been out for many years and they still don't even have a blobbed coreboot.

>> and both the CPU/board and the BMC are owner controlled due to
>> the absence of hardware enforced code signing.
> ...that you know of, as the available hardware is proprietary and
> closed-source.

No it isn't, which you would know if you read the TALOS2 website.

>> Full documentation and HDL's will be available for all components
> All right, good. I'll believe what I will see.

>> besides the onboard broadcom nics which currently require a firmware
>> blob
> I wonder why you felt entitled at railing against Purism for having
> considered equipping their laptops with Nvidia GPUs while it's
> perfectly OK that TALOS uses a NIC from one of the most opensource
> unfriendly vendors.

A network interface isn't a critical component like a graphics device is, it doesn't control w
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Fri, 8 Sep 2017 at 00:22:40 -0400 "taii...@gmx.com" wrote:

> On 09/07/2017 02:18 PM, Rick Moen wrote:
>
>> Quoting taii...@gmx.com (taii...@gmx.com):
>> I also find a bit questionable your going around attempting to tarnish
>> the reputation of someone with a real name, while concealing your own.
>>> Criticism isn't allowed?
>> This is of course nothing like what I said.
>>
>>> I dislike when people deal with speculation instead of proven facts
>>> when judging technical merits.
>> Then, _address what you perceive as speculation_.
> I apologize - I should have done that in the first place instead of
> resorting to name calling.
>
> Mr. Selli has said:
> * That IBM's POWER CPU's have a hardware level backdoor and have had
> backdoors in the past whilst providing no real evidence to support that
> those claims,

I did provide with the evidence:
https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html

Why do you write easy to disprove falseness? Don't you have a minimum of self-respect?

> he bolstered that argument by stating that IBM's work with
> the US military is suspect and thus concludes guilt by association.

No, I just pointed out that the fact that IBM does indeed put hardware and software remote-control devices inside its chips is an established and documented truth.

> IBM sells POWER chips to both the US Military and the Chinese
> Military, doing that is largely as to why they are still in business -
> as the world's third maker of high performance computing hardware one
> simply can't and shouldn't ignore the world's two largest consumers.
>
> IBM has done a variety of bad things, but that doesn't mean OpenPOWER
> isn't a really good one.
>
> * That the presence of a BMC chip on POWER means it has a backdoor
>
> BMC chips are a common server feature required for remotely
> administering a computer without headache, this one is owner controlled
> (no hw code signing enforcement) and has full source code available to
> the public after POWER9 is released.

Again, this is a faith-based assumption as only IBM knows what's inside their proprietary hardware. Anyone who's had experiences on their AS400 and RS600 platforms knows how darned proprietary their hardware is.

You're free to believe they changed and they now value the commoner's freedom more than the interests of the governments they serve, of course. You are *not* free to write falsity and disparage people who hold different opinions, though.

> * That TALOS is proprietary closed source hardware - which isn't true -
> as not being that is the entire point of it.

I repeatedly asked you if there is anyone who has their chips' blueprints, which is a prime condition to be able to call their hardware anything other than proprietary. You always turned a deaf ear to these requests.

> After the release of POWER9 the board and BMC firmware sources will be
> provided,

Ok, so nothing available *now* from IBM is open hardware. For a strange reason this is acceptable from IBM/Talos, while it's a disgrace when Purism does the same thing. Go figure.

> and both the CPU/board and the BMC are owner controlled due to
> the absence of hardware enforced code signing.

...that you know of, as the available hardware is proprietary and closed-source.

> Full documentation and HDL's will be available for all components

All right, good. I'll believe what I will see.

> besides the onboard broadcom nics which currently require a firmware
> blob

I wonder why you felt entitled at railing against Purism for having considered equipping their laptops with Nvidia GPUs while it's perfectly OK that TALOS uses a NIC from one of the most opensource unfriendly vendors.

> as there are no open source non-intel gigabit NIC's

Is not having Intel hardware more important than having opensource components inside a TALOS workstation?

> - but the FSF
> says that this minor detail doesn't prevent it from receiving RYF
> certification as they are behind the POWER-IOMMU and as such are not
> capable of doing anything malicious.

Good.

> * That the reason he/purism hasn't made owner controlled hardware is
> because it is "too expensive"

I don't remember writing anything like this. Quote, please?

> Purism's "Librem" 15" laptop is $2,000

False, again:

https://puri.sm/shop/librem-15/
$1,599.00, now running a rebate to $1,449.00

Compare with this:

https://secure.raptorcs.com/content/TL2WK2/purchase.html
Talos™ II Secure Workstation $4,750.00

> - in comparison one can have a
> TALOS-2 DIY build for $2.6K

Do you realize your "errors" are regularly one-sided, they always play in favour of TALOS and to the detriment of Purism? How do you expect to be trusted as a neutral source of information, given that you also never provide pointers to third-party documentation to back your claims?

You're really comparing apples to oranges: Purism sells finished laptops, TALOS sells rack servers and wor
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 23:16:08 -0700, Rick wrote in message
<20170908061608.gc9...@linuxmafia.com>:

> Quoting taii...@gmx.com (taii...@gmx.com):
>
>> I apologize - I should have done that in the first place instead of
>> resorting to name calling.
>
> I thank you.
>
> (In fairness, Mr. Selli then return-volleyed the same thing, which was
> not 'cricket' either but rather amusing in context.)
>
> Thank you as well for the attempt to hold a serious conversation about
> the obstacles to truly open hardware.
>
>> No it isn't, I have had 5 separate targeting hacking attacks on me
>> in my 10 years on the internet - one of those people attempted to
>> find my physical location so he could SWAT me which is why I never
>> use my real name nor have any type of social media.
>
> I can only say that some passive-aggressives in the online community
> have tried to 'get Moen fired', which has been hilarious to watch.
> I think it rather unnerves them when they notice that my Web site has
> my real street address, real telephone number, and, best of all, my
> exact latitude, longitude, and altitude expressed as 'ICBM
> address'. ;->

..I used to have a ping target "If it responds, you missed." service going. ;o)

--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three:
  best case, worst case, and just in case.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 08.09.2017 09:53, Erik Christiansen wrote:

> No, one of the variety of CPUs implemented on FPGAs, so not so curious
> at all. Some FPGAs contain RAM areas, improving the gate efficiency of
> e.g. a CPU implementation.

No, that's just boring ;-)

I'm thinking of generating VHDL from fw rules and synthesize that into an FPGA.

OTOH, for such applications we could also think about different computer architectures (maybe transputers, etc)

--
with kind regards
--
Enrico, Sohn von Wilfried, a.d.F. Weigelt,
metux IT consulting
+49-151-27565287
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 07.09.17 17:34, Enrico Weigelt, metux IT consult wrote:
> On 07.09.2017 16:12, Erik Christiansen wrote:
>
>> If the firewall is on a FPGA, then we know what every gate is doing, as
>> we have the VHDL source for it.
>
> A purely FPGA-based firewall (w/o a CPU in it), specifically
> synthesized for a given ruleset seems a very interesting approach.

No, one of the variety of CPUs implemented on FPGAs, so not so curious at all. Some FPGAs contain RAM areas, improving the gate efficiency of e.g. a CPU implementation.

Erik
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Quoting taii...@gmx.com (taii...@gmx.com):

> I apologize - I should have done that in the first place instead of
> resorting to name calling.

I thank you.

(In fairness, Mr. Selli then return-volleyed the same thing, which was not 'cricket' either but rather amusing in context.)

Thank you as well for the attempt to hold a serious conversation about the obstacles to truly open hardware.

> No it isn't, I have had 5 separate targeting hacking attacks on me
> in my 10 years on the internet - one of those people attempted to
> find my physical location so he could SWAT me which is why I never
> use my real name nor have any type of social media.

I can only say that some passive-aggressives in the online community have tried to 'get Moen fired', which has been hilarious to watch. I think it rather unnerves them when they notice that my Web site has my real street address, real telephone number, and, best of all, my exact latitude, longitude, and altitude expressed as 'ICBM address'. ;->

Glad to make your virtual acquaintance, anyway.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/07/2017 02:18 PM, Rick Moen wrote:
> Quoting taii...@gmx.com (taii...@gmx.com):
> I also find a bit questionable your going around attempting to tarnish
> the reputation of someone with a real name, while concealing your own.
>> Criticism isn't allowed?
> This is of course nothing like what I said.
>
>> I dislike when people deal with speculation instead of proven facts
>> when judging technical merits.
> Then, _address what you perceive as speculation_.

I apologize - I should have done that in the first place instead of resorting to name calling.

Mr. Selli has said:

* That IBM's POWER CPU's have a hardware level backdoor and have had backdoors in the past whilst providing no real evidence to support that those claims, he bolstered that argument by stating that IBM's work with the US military is suspect and thus concludes guilt by association.

IBM sells POWER chips to both the US Military and the Chinese Military, doing that is largely as to why they are still in business - as the world's third maker of high performance computing hardware one simply can't and shouldn't ignore the world's two largest consumers.

IBM has done a variety of bad things, but that doesn't mean OpenPOWER isn't a really good one.

* That the presence of a BMC chip on POWER means it has a backdoor

BMC chips are a common server feature required for remotely administering a computer without headache, this one is owner controlled (no hw code signing enforcement) and has full source code available to the public after POWER9 is released.

* That TALOS is proprietary closed source hardware - which isn't true - as not being that is the entire point of it.

After the release of POWER9 the board and BMC firmware sources will be provided, and both the CPU/board and the BMC are owner controlled due to the absence of hardware enforced code signing.

Full documentation and HDL's will be available for all components besides the onboard broadcom nics which currently require a firmware blob as there are no open source non-intel gigabit NIC's - but the FSF says that this minor detail doesn't prevent it from receiving RYF certification as they are behind the POWER-IOMMU and as such are not capable of doing anything malicious.

* That the reason he/purism hasn't made owner controlled hardware is because it is "too expensive"

Purism's "Librem" 15" laptop is $2,000 - in comparison one can have a TALOS-2 DIY build for $2.6K thus making an actual owner controlled device with significantly higher performance only an additional $600 which isn't really an obstacle for someone that can already afford a $2K computer (there are a variety of low cost low/mid performance owner controlled devices, now the high performance sector has one too)

* That the HAP mode "disabled" ME and makes a purism laptop somehow equivalent to TALOS when it comes to privacy and security.

ME_Cleaner even with HAP mode doesn't disable ME - a black box supervisor processor is still mandatory for the x86 boot process and is capable of a variety of dirty tricks so even if one can verify that it is actually off (difficult...by using an electron microscope perhaps?) there are various things that it could have done before powering off. ME cleaner is nerfing/cleaning, nothing more.

* That we should contribute and trust a company that is attempting the sisyphean task of truly disabling ME.

Google has many times attempted to get intel to provide a method to disable ME and remove it from the boot process for their in house computers and the coreboot laptops they sell, they have not been successful - thus if a billion dollar company can't pull it off a small upstart certainly can't. I am sure it is **technically** possible to disable ME, but it would require years of research and hundreds of thousands in R&D for a single intel CPU generation making it pointless.

There are real owner controlled devices out there now, I see no reason to chase a pie in the sky dream of a free x86 - which simply isn't ever going to happen.

If purism had in 2013 consulted a skilled hardware engineer and not insisted on peddling intel quanta rebrands they would have probably made one of the following:

* A 2013 AMD FT3 device, easily made open source (the Lenovo G505S has only a few blobs that can be easily replaced) with sandy bridge equivalent performance
* A performance ARM device such as an AppliedMicro CPU
* A POWER mobile workstation type laptop, which is possible with POWER9's lower wattage CPU's.
* A KCMA-D8 laptop - the C32 platform has 35W 8 core CPU's and already has libre firmware so one would simply have to make a custom 1U "laptop" case, battery etc.

The fact that they haven't retasked to do one of the above means that I distrust them and that they are sucking resources from real computing freedom projects and thus my nerves get twinged every time someone talks them up, moreso someone highly skilled such as Mr. Selli who I believe sho
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/07/2017 11:12 AM, Edward Bartolo wrote:
> Quote: "Please take this discussion somewhere else, it has NOTHING to do
> with Devuan"
>
> This discussion has taught me that Intel CPUs from 2008 onwards also
> come with GRATIS but QUESTIONABLE functionalities, that many including
> myself, frown upon. If there are non-risky hacks that readers can use to
> 'harden' their computer against this unwelcome feature, please go ahead
> and provide it, even here.

This has to do with Devuan as it has to do with security.

Purchase these reasonably priced owner controlled non ME/PSP devices if you can't afford brand new server/workstation hardware like TALOS2:

* KCMA-D8 dual socket libre firmware workstation motherboard - $250 - you could make a build for under $500 with this considering how cheap the C32 cpu's are these days - in a few months the OpenBMC port will also be out of beta for the KCMA-D8 and KGPE-D16 boards. The D8/D16 have an IOMMU, a TPM accessory and support IOMMU-GFX so you can attach a graphics card to a VM in case you want to play windows video games without dual booting. One 4386 CPU is equal to an FX-8310 so one can play the latest games and have decently fast compiles.

* Lenovo G505S laptop - owner controlled mostly open source coreboot (needs blobs for video and power/fan control) - has an IOMMU.

Unfortunately it is impossible to truly disable ME/PSP without significant effort, the HAP stuff everyone is talking about is simply nerfing it - a proud technical achievement yes but there is no proof that it is off and it and its black box code is still integral to the boot process and thus able to perform a variety of dirty tricks that will work even after it supposedly turns itself off and at the end of the day buying new intel products is financially supporting the next generation of DRM development.
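Two messages on this page (this one and the earlier "ME_Cleaner even with HAP mode doesn't disable ME" post) make the same point: a set HAP bit is a request written into the flash descriptor, not proof that the ME is gone. The one thing a defender can verify offline is what the descriptor actually carries. The following is an added example written for this page, not code from the thread, from me_cleaner or from Purism. The descriptor layout it assumes (signature 0x0FF0A55A at offset 0x10, FLMAP1 at 0x18, the PCH strap base FPSBA derived from FLMAP1, HAP as bit 16 of PCHSTRP0 for ME 11+, AltMeDisable as bit 0 of PCHSTRP10 for ME 6-10) is my reading of the public flash-descriptor structure as me_cleaner uses it and should be treated as an assumption to check against the datasheet for your chipset; the sample image is constructed so the check runs without a real dump.

```python
"""Report the ME-disable strap bits carried by an Intel flash descriptor.

Added example, not code from the thread or from me_cleaner.  Offsets are
assumptions based on the public descriptor layout (see lead-in).
"""
import struct
import sys

IFD_SIGNATURE = 0x0FF0A55A   # descriptor signature, found at offset 0x10
SIG_OFFSET = 0x10
FLMAP1_OFFSET = 0x18         # FLMAP1 holds the PCH strap base (FPSBA)
PCHSTRP10_OFFSET = 0x28      # strap 10 = 10 * 4 bytes past FPSBA
HAP_BIT = 1 << 16            # PCHSTRP0 bit 16: HAP (ME 11+), assumed
ALTMEDISABLE_BIT = 1 << 0    # PCHSTRP10 bit 0: AltMeDisable (ME 6-10), assumed


def read_u32(image: bytes, offset: int) -> int:
    """Little-endian 32-bit read, as descriptor fields are stored."""
    return struct.unpack_from("<I", image, offset)[0]


def find_descriptor(image: bytes) -> int:
    """Return the start of the descriptor region.

    Most dumps carry it at 0; some carry padding first, so scan for the
    signature on 4 KiB boundaries instead of trusting offset 0.
    """
    for base in range(0, len(image) - SIG_OFFSET - 3, 0x1000):
        if read_u32(image, base + SIG_OFFSET) == IFD_SIGNATURE:
            return base
    raise ValueError("no Intel flash descriptor signature found")


def me_disable_straps(image: bytes) -> dict:
    """Decode FPSBA and return the state of the two ME-disable straps."""
    base = find_descriptor(image)
    flmap1 = read_u32(image, base + FLMAP1_OFFSET)
    fpsba = base + (((flmap1 >> 16) & 0xFF) << 4)   # assumed encoding
    pchstrp0 = read_u32(image, fpsba)
    pchstrp10 = read_u32(image, fpsba + PCHSTRP10_OFFSET)
    return {
        "fpsba": fpsba,
        "hap_set": bool(pchstrp0 & HAP_BIT),
        "altmedisable_set": bool(pchstrp10 & ALTMEDISABLE_BIT),
    }


def build_sample_image(hap: bool, altmedisable: bool) -> bytes:
    """Construct a minimal fake descriptor (constructed test data only)."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, SIG_OFFSET, IFD_SIGNATURE)
    fpsba = 0x100                                   # straps placed at 0x100
    struct.pack_into("<I", img, FLMAP1_OFFSET, (fpsba >> 4) << 16)
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap else 0)
    struct.pack_into("<I", img, fpsba + PCHSTRP10_OFFSET,
                     ALTMEDISABLE_BIT if altmedisable else 0)
    return bytes(img)


if __name__ == "__main__":
    # Usage: python hapcheck.py <full-spi-dump.bin>; without an argument
    # the constructed sample (HAP set, AltMeDisable clear) is inspected.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image(hap=True, altmedisable=False)
    print(me_disable_straps(data))
```

Run it against a full SPI dump to see which strap, if any, the descriptor sets. Consistent with what both posters say, a set bit only records what the descriptor asks of the ME; it says nothing about what the ME's own code did before honouring the request, which is why the check is worth pairing with a comparison of the dump taken before and after any cleaning tool was run.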
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Quoting taii...@gmx.com (taii...@gmx.com):

>> I also find a bit questionable your going around attempting to tarnish
>> the reputation of someone with a real name, while concealing your own.
> Criticism isn't allowed?

This is of course nothing like what I said.

> I dislike when people deal with speculation instead of proven facts
> when judging technical merits.

Then, _address what you perceive as speculation_. Instead, attempting cheap character assassination, from behind cover of anonymity, suggests you have no real argument.

> I don't use my "real" name on the internet for the same reason I
> don't want a computer with ME/PSP.

Once again, you are deflecting and changing the subject. I said nothing against being anonymous. I merely said that slagging reputations of real named people with unsupported derogatory allegations, especially when you refuse to name yourself, is disreputable and bogus.

Of course, you don't actually need to worry about 'taii...@gmx.com' developing a bad reputation: At some point, you can just walk away from that 'nym and be someone else, which is the whole point, isn't it? It makes the character assassination ploy a bit transparent.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, Sep 07, 2017 at 05:25:47PM +0200, Enrico Weigelt, metux IT consult wrote:
> IMHO, even this discussion isn't strictly related to devuan

That's why we're talking on dng not on devuan-dev. The latter is for development of Devuan specifically. The former came with the slogan "campfire for systemd refugees".

> it's still related to the bigger picture, why FOSS exists at all.

Why would anyone bother to use free software if you have no free hardware to run it on? Hardware with merely closed internal workings but well-defined programmer-facing specs has been so far considered acceptable, but nowadays we're faced with hardware that actively works against you! Security is simply not possible on such gear.

> Actually, I'm very happy w/ the things posted here (*incl* the OTs).

I'd consider a discussion of bind vs nsd, or user questions somewhat OT (even if usually helpful). I don't see how talk about direct threats towards openness of development would be against the spirit of such list -- be that replacing half of the system with an opaque unmodular blob with bugs unfixable[1] for an outsider, so are backdoors or DRM in the hardware.

> Maybe we could split the list into multiple ones, for several topic
> types. (eg. strictly technical ones, like packages/patches, general
> discussions, etc)

There's probably not enough traffic for separating user-facing stuff yet; strictly packaging stuff already has a list of its own.

Also, note my sig: it has the swirl rather than the chevron in it. All of Devuan development I do migrates through Debian first. Yet I don't have a feeling of being unwelcome here.

And, I guess it's up to Jaromil and co to declare what's acceptable here: they're the owners of this list after all.

I do understand your anger about a spat between someone calling another poster a Purism shill while the other person derided Talos in turn. That was ugly. But, if you exclude this shout-fest, the rest of the thread was worth the electrons it came on.

Meow!

[1]. Taking too much effort, for someone with decent general programming skills but unfamiliar with the system in question, makes such a system too closed to be allowed to live. I'm not a kernel dev yet I can fix easy kernel problems -- no such thing with systemd.

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 07.09.2017 16:12, Erik Christiansen wrote:
> If the firewall is on a FPGA, then we know what every gate is doing,
> as we have the VHDL source for it.

A purely FPGA-based firewall (w/o a CPU in it), specifically synthesized for a given ruleset, seems a very interesting approach.

Anyone here w/ some practical VHDL experience?

--mtx
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 07.09.2017 16:42, Rowland Penny wrote:
> On Thu, 7 Sep 2017 16:32:42 +0200 Adam Borowski wrote:
> > On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
>
> I have tried asking nicely WILL YOU SHUTUP!!!

hey, please calm down.

IMHO, even this discussion isn't strictly related to devuan, it's still related to the bigger picture, why FOSS exists at all.

Actually, I'm very happy w/ the things posted here (*incl* the OTs).

Maybe we could split the list into multiple ones, for several topic types. (eg. strictly technical ones, like packages/patches, general discussions, etc)

--mtx
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 16:32:42 +0200 Adam Borowski wrote:
> On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:

I have tried asking nicely WILL YOU SHUTUP!!!

I don't care about your drivel, it has nothing directly to do with Devuan

Rowland
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
> On 07.09.17 13:32, Adam Borowski wrote:
> > On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > > If our hosts cannot be trusted not to phone home to folk wearing dark
> > > glasses, then would it not suffice to employ a simple embedded host with
> > > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
> >
> > It's not hard to trigger a backdoor using a higher level protocol, from
> > Javascript, etc.
>
> But no-one who is awake would enable java or any of that stuff on a firewall.
> Back doors on the LAN can't phone home through a minimal-silicon RISC
> embedded firewall which is just too small to contain any secondary CPU.
> It just needs to run a minimal kernel with packet routing capability.
> Everything else is a door into vacuum.

You don't make a separate TCP connection, you put it into a stream the user already has. And no firewall can distinguish a https connection from another, other than the destination (the black glasses guys won't use a .nsa.gov server) or perhaps some flow patterns if you tunnel certain long-lived protocols inside the https connection -- which isn't possible if they use anything that resembles a typical browsing session.

Meow!

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Fri, 8 Sep 2017 00:12:02 +1000 Erik Christiansen wrote:
> On 07.09.17 14:05, Alessandro Selli wrote:
> > ROMB is the ROM Bypass and that too is built into the PCH chip:
>
> Erik

Excuse me, but can you lot not take a hint ???

Please take this discussion somewhere else, it has NOTHING to do with Devuan

Rowland
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 07.09.17 14:05, Alessandro Selli wrote:
> ROMB is the ROM Bypass and that too is built into the PCH chip:
>
> Loading starts with the ROM program, which is contained in the
> built-in PCH read-only memory. Unfortunately, no way to read or
> rewrite this memory is known to the general public. However, one can
> find pre-release versions of ME firmware on the Internet containing
> the ROMB (ROM BYPASS) section which, as we can assume, duplicates the
> functionality of ROM.

Many thanks Alessandro for elucidating that. I'm experiencing some culture shock on reading it.

I have not made a survey of the open source CPU cores implemented on FPGAs, but a quick "fpga linux board" google shows multiple candidates. Running a minimal kernel with little more than packet routing/filtering and a local management interface - console only if we're paranoid - means we _are_ in full control of all network traffic in and out of our LAN. (I do not plan to use wlan.)

Presumably all externally initiated connections are already blocked. Then if we only allow outgoing connections to whitelisted IPs, we're beginning to make things more difficult for snoops. Vulnerabilities on our hardware-compromised hosts are less exploitable if they can't be reached, I figure.

If the firewall is on a FPGA, then we know what every gate is doing, as we have the VHDL source for it.

Erik
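The policy Erik sketches in the post above (all externally initiated connections blocked, outbound permitted only to whitelisted addresses) written out as an added example; this is not code from the thread or from any firewall project. It keeps the policy in one place as a decision function and renders the equivalent nftables ruleset for a Linux box in the firewall role. The interface names lan0/wan0, the allowlist and the sample connection attempts are constructed for illustration.

```python
"""Default-deny forwarding with an egress allowlist.

Added example, not code from the thread or from any firewall project.
Interface names, addresses and sample connections are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Conn:
    """A packet as the firewall's forward hook sees it."""
    iif: str        # ingress interface, e.g. "lan0"
    oif: str        # egress interface, e.g. "wan0"
    src: str
    dst: str
    ct_state: str   # conntrack state: new, established, related, invalid


class EgressPolicy:
    def __init__(self, lan: str, wan: str, allowlist: List[str]) -> None:
        self.lan, self.wan = lan, wan
        # strict=False tolerates host bits being set, e.g. "192.0.2.1/24"
        self.allowed: List[Net] = [
            ipaddress.ip_network(a, strict=False) for a in allowlist]

    def dst_allowed(self, dst: str) -> bool:
        ip = ipaddress.ip_address(dst)
        # 'in' is False across address families, so v4/v6 never mix
        return any(ip in net for net in self.allowed)

    def decide(self, c: Conn) -> str:
        """Same order of checks as the forward chain rendered by to_nft()."""
        if c.ct_state == "invalid":
            return "drop"
        if c.ct_state in ("established", "related"):
            return "accept"          # replies belonging to flows already allowed
        if c.iif == self.lan and c.oif == self.wan and self.dst_allowed(c.dst):
            return "accept"          # new outbound flow to an allowlisted host
        return "drop"                # new inbound, or outbound to anything else

    def to_nft(self) -> str:
        v4 = [str(n) for n in self.allowed if n.version == 4]
        v6 = [str(n) for n in self.allowed if n.version == 6]
        lan, wan = self.lan, self.wan
        out = ["table inet egress_guard {"]
        if v4:
            out.append("  set allowed_v4 { type ipv4_addr; flags interval; "
                       "elements = { %s } }" % ", ".join(v4))
        if v6:
            out.append("  set allowed_v6 { type ipv6_addr; flags interval; "
                       "elements = { %s } }" % ", ".join(v6))
        out += ["  chain forward {",
                "    type filter hook forward priority 0; policy drop;",
                "    ct state invalid drop",
                "    ct state established,related accept"]
        if v4:
            out.append(f'    iifname "{lan}" oifname "{wan}" ct state new '
                       "ip daddr @allowed_v4 accept")
        if v6:
            out.append(f'    iifname "{lan}" oifname "{wan}" ct state new '
                       "ip6 daddr @allowed_v6 accept")
        out += ['    ct state new log prefix "fwd-denied: " drop',
                "  }",
                "  chain input {",
                "    type filter hook input priority 0; policy drop;",
                "    ct state established,related accept",
                '    iifname "lo" accept',
                f'    iifname "{lan}" tcp dport 22 accept',  # admin from LAN side only
                "  }",
                "}"]
        return "\n".join(out) + "\n"


if __name__ == "__main__":
    pol = EgressPolicy("lan0", "wan0", ["192.0.2.0/24", "198.51.100.7"])
    print(pol.to_nft())   # feed to: nft -f -
```

The forward chain's default policy is drop, so a host that was never allowlisted simply cannot be reached from outside, and a LAN host can only open connections to the listed destinations; everything else is logged with the "fwd-denied: " prefix before being dropped, which is the list of "unwarranted traffic" a sniffer would otherwise have to collect. Note the caveat raised elsewhere in this thread: an allowlisted HTTPS destination is still an opaque stream, so the allowlist bounds where traffic can go, not what it carries.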
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 07.09.17 13:32, Adam Borowski wrote:
> On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > If our hosts cannot be trusted not to phone home to folk wearing dark
> > glasses, then would it not suffice to employ a simple embedded host with
> > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
>
> It's not hard to trigger a backdoor using a higher level protocol, from
> Javascript, etc.

But no-one who is awake would enable java or any of that stuff on a firewall. Back doors on the LAN can't phone home through a minimal-silicon RISC embedded firewall which is just too small to contain any secondary CPU. It just needs to run a minimal kernel with packet routing capability. Everything else is a door into vacuum.

Erik
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 at 13:41:25 +0200 Alessandro Selli wrote:
> On Thu, 7 Sep 2017 at 21:17:20 +1000
> Erik Christiansen wrote:
>
> > The notion of an extra embedded CPU or two on big Intel chips is not
> > difficult to credit, but where is the postulated entire minix OS loaded
> > from?
>
> It's in the report by the Positive Technologies team:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>
> We see increasing interest in Intel ME internals from researchers
> all over the world. One of the reasons is the transition of this
> subsystem to new hardware (x86) and software (modified MINIX as an
> operating system). The x86 platform allows researchers to make use
> of the full power of binary code analysis tools. Previously, firmware
> analysis was difficult because earlier versions of ME were based on
> an ARCompact microcontroller with an unfamiliar set of instructions.

Sorry, I think I misinterpreted your question. Did you ask where in the Intel hardware the Minix OS is loaded from?

In the above report I read that:

  Similarly, we are sure that the ROM integrated into the PCH is practically the same as ROMB, which also does not contain any code allowing an exit from HAP mode.

PCH is the Platform Controller Hub:

  Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer.

The "set of built-in peripherals" most notably include the ethernet and the WiFi controllers, depending on the specific chips involved.

ROMB is the ROM Bypass and that too is built into the PCH chip:

  Loading starts with the ROM program, which is contained in the built-in PCH read-only memory. Unfortunately, no way to read or rewrite this memory is known to the general public. However, one can find pre-release versions of ME firmware on the Internet containing the ROMB (ROM BYPASS) section which, as we can assume, duplicates the functionality of ROM.

Bye,

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 07/09/2017 at 10:48, taii...@gmx.com wrote:
> On 09/07/2017 04:30 AM, Alessandro Selli wrote:
> > On Wed, 6 Sep 2017 at 17:12:27 -0400 zap wrote:
> > > Agreed! Talos is at least *LIBRE!*
> >
> > No, it ain't:
> > https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
> >
> > "BMCs and the IPMI Protocol
> >
> > Baseboard Management Controllers (BMCs) are a type of embedded computer
> > used to provide out-of-band monitoring for desktops and servers. These
> > products are sold under many brand names, including HP iLO, Dell DRAC,
> > Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro IPMI."
> >
> > IBM stuff is plagued by embedded controlware, too.

Alessandro, I've read that thread with great interest and I think you forgot a "detail": BMC software is open on IBM Power, meaning you can replace it by your own, or patch the existing one if you prefer.

Whether there is yet another backdoor is only a supposition and it applies to everything you can buy, not specifically IBM. At least, if there is one, it is known only to the manufacturer and the 3-letter agencies, not to the general hacker. And I'm optimistic because of the following law: the time of life of a secret decreases when the number of persons who share it increases, and in this case there must be a number of engineers.

Didier
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 at 21:17:20 +1000 Erik Christiansen wrote:
> The notion of an extra embedded CPU or two on big Intel chips is not
> difficult to credit, but where is the postulated entire minix OS loaded
> from?

It's in the report by the Positive Technologies team:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

  We see increasing interest in Intel ME internals from researchers all over the world. One of the reasons is the transition of this subsystem to new hardware (x86) and software (modified MINIX as an operating system). The x86 platform allows researchers to make use of the full power of binary code analysis tools. Previously, firmware analysis was difficult because earlier versions of ME were based on an ARCompact microcontroller with an unfamiliar set of instructions.

> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses,

It's not just that they phone home; the worst part is that they pick up the phone, your phone!

> then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

Maybe, but it's difficult to know exactly what triggers the numerous ME modules and functions of a running system - it's best to disable everything at boot time. You are supposed to filter both incoming and outgoing traffic, which is not very easy when you do not know what you need to block. Plus, I do not remember where I read it, but there are functions in WiFi AP/DSL modems that were found to have backdoors that are triggered by a precise sequence of IP packets the unit receives, where both headers and payload matter, which makes for a complicated deep packet inspection firewall that you need to set up.

What we actually need is open hardware products ready to supplant current off-the-shelf proprietary chips and controllers.

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
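An added example, not code from the thread, of what the "precise sequence of IP packets where both headers and payload matter" in the post above means for a filtering box: the firewall has to keep per-sender state across several packets and match header fields and payload bytes together, and it must tolerate unrelated packets interleaved between the steps, because an attacker controls the spacing. The three-step trigger, the hosts and the packets below are constructed for illustration and are not a real backdoor signature.

```python
"""Stateful detection of a multi-packet trigger sequence.

Added example, not code from the thread. The trigger pattern, hosts
and packet trace are constructed; this is not a known signature.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    ttl: int
    payload: bytes


@dataclass(frozen=True)
class Step:
    """One trigger element: header constraints plus a payload prefix."""
    proto: str
    dport: int
    ttl: int
    payload_prefix: bytes

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and p.ttl == self.ttl
                and p.payload.startswith(self.payload_prefix))


# Hypothetical 3-packet trigger (constructed for this example).
TRIGGER: Tuple[Step, ...] = (
    Step("udp", 53, 37, b"\xde\xad"),
    Step("tcp", 443, 37, b"\x16\x03\x01\x00\xfa"),
    Step("udp", 123, 37, b"\xbe\xef"),
)


class TriggerDetector:
    """Tracks, per (src, dst) pair, how far into the trigger the sender is.

    Packets that match no step do NOT reset progress (an attacker can
    interleave benign traffic); only exceeding the time window does.
    """

    def __init__(self, pattern: Sequence[Step], window: float = 30.0) -> None:
        self.pattern = tuple(pattern)
        self.window = window
        self._state: Dict[Tuple[str, str], Tuple[int, float]] = {}

    def observe(self, p: Packet) -> Optional[Tuple[str, str, float]]:
        key = (p.src, p.dst)
        idx, started = self._state.get(key, (0, p.ts))
        if idx > 0 and p.ts - started > self.window:
            idx, started = 0, p.ts            # partial sequence timed out
        if self.pattern[idx].matches(p):
            if idx == 0:
                started = p.ts
            idx += 1
            if idx == len(self.pattern):
                self._state.pop(key, None)
                return (p.src, p.dst, p.ts)    # full sequence observed
            self._state[key] = (idx, started)
        elif idx > 0 and self.pattern[0].matches(p):
            self._state[key] = (1, p.ts)      # sender restarted from step 1
        return None


def scan(packets: Sequence[Packet], window: float = 30.0) -> List[Tuple[str, str, float]]:
    det = TriggerDetector(TRIGGER, window)
    return [a for a in (det.observe(p) for p in packets) if a is not None]


# Constructed trace: benign DNS/TLS from 192.0.2.50, one complete trigger
# from 203.0.113.7 with an unrelated packet in the middle, and a near miss
# from 198.51.100.9 whose headers fit but whose first payload bytes do not.
SAMPLE = [
    Packet(0.0, "192.0.2.50", "192.0.2.10", "udp", 53, 64, b"\x12\x34"),
    Packet(1.0, "203.0.113.7", "192.0.2.10", "udp", 53, 37, b"\xde\xad\x00"),
    Packet(1.5, "192.0.2.50", "192.0.2.10", "tcp", 443, 64, b"\x16\x03\x01"),
    Packet(2.0, "203.0.113.7", "192.0.2.10", "tcp", 80, 37, b"GET / HTTP/1.1"),
    Packet(3.0, "203.0.113.7", "192.0.2.10", "tcp", 443, 37, b"\x16\x03\x01\x00\xfa\x01"),
    Packet(4.0, "203.0.113.7", "192.0.2.10", "udp", 123, 37, b"\xbe\xef"),
    Packet(5.0, "198.51.100.9", "192.0.2.10", "udp", 53, 37, b"\xde\xae"),
    Packet(6.0, "198.51.100.9", "192.0.2.10", "tcp", 443, 37, b"\x16\x03\x01\x00\xfa"),
    Packet(7.0, "198.51.100.9", "192.0.2.10", "udp", 123, 37, b"\xbe\xef"),
]

if __name__ == "__main__":
    for src, dst, ts in scan(SAMPLE):
        print(f"trigger sequence from {src} to {dst} completed at t={ts}")
```

The point the detector makes concrete: a stateless rule on any single packet here would either miss the trigger or fire on ordinary DNS and TLS traffic, since each step on its own looks like normal traffic; only the ordered combination of header values and payload bytes across packets is distinctive, and that is exactly the state a firewall must keep to block such a trigger it does not know the details of.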
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses, then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

It's not hard to trigger a backdoor using a higher level protocol, from Javascript, etc.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
The notion of an extra embedded CPU or two on big Intel chips is not difficult to credit, but where is the postulated entire minix OS loaded from?

If our hosts cannot be trusted not to phone home to folk wearing dark glasses, then would it not suffice to employ a simple embedded host with a small die, such as an ARM, e.g. Beaglebone Black, as a firewall? Buy two, take the lid off the chip on one, to confirm that there's only enough silicon complexity to provide one RISC CPU, and paranoia might be able to be reined in. With a microscope, purely optical or USB, it is not that hard to identify recognisable structures such as ALU, registers, ROM, etc. Any second CPU capable of running a TCP stack would show up.

If that's not enough, then an ethernet sniffer running on unsubvertible low level 16 bit embedded hardware, running a low level RTOS, could monitor traffic to the firewall, logging all destination IPs, protocol, etc., revealing unwarranted traffic.

Conspiracy theories are lotsa fun, but if there's a problem with substance, then restoring user control needn't be that hard, I figure.

Erik
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 at 06:29:59 -0400 "taii...@gmx.com" wrote:
> On 09/07/2017 05:01 AM, Rick Moen wrote:
> > Quoting taii...@gmx.com (taii...@gmx.com):
> >
> > [speaking to Alessandro Selli]
> >
> > > You are constantly defending them and snubbing your nose at superior
> > > products so it is obvious you work for purism.
> >
> > Can I ask for a bit more civility, please? Mr. Selli is a fairly
> > passionate free software person, more than adequately accounting for his
> > views, which I respect even though we have sometimes disagreed rather
> > strongly. There is zero justification for attributing ulterior motives
> > to him.
> >
> > I also find a bit questionable your going around attempting to tarnish
> > the reputation of someone with a real name, while concealing your own.
>
> Criticism isn't allowed? I dislike when people deal with speculation
> instead of proven facts when judging technical merits.

I provided links and quotes to back what I wrote. Of course I could still be wrong, but your criticism was not based on anything factual - at least you did not provide facts to back your claims.

> Could POWER have an undocumented backdoor? Of course - anything is
> possible when it comes to something that complex.
> Do modern x86 processors have one that is impossible to remove? That is
> a proven fact.

* Does POWER have an undocumented backdoor? Of course, that is a proven fact.
* Could they be disabled or at least partially removed? No one knows.
* Do modern x86 processors have undocumented backdoors? Of course, that is a proven fact.
* Could they be disabled or at least partially removed? Yes, as Rick Moen reported on Thu, 31 Aug 2017 21:46:39 -0700, documenting his claims and quoting the works of the Positive Technologies team.

> I don't use my "real" name on the internet for the same reason I don't
> want a computer with ME/PSP.

No one can hack your brain remotely because they know your real name. Concealing it just makes whatever you claim dubious and unverifiable without third-party documentation - that you *always* fail to produce.

Greetings,

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/07/2017 05:01 AM, Rick Moen wrote:
> Quoting taii...@gmx.com (taii...@gmx.com):
>
> [speaking to Alessandro Selli]
>
> > You are constantly defending them and snubbing your nose at superior
> > products so it is obvious you work for purism.
>
> Can I ask for a bit more civility, please? Mr. Selli is a fairly
> passionate free software person, more than adequately accounting for his
> views, which I respect even though we have sometimes disagreed rather
> strongly. There is zero justification for attributing ulterior motives
> to him.
>
> I also find a bit questionable your going around attempting to tarnish
> the reputation of someone with a real name, while concealing your own.

Criticism isn't allowed? I dislike when people deal with speculation instead of proven facts when judging technical merits.

Could POWER have an undocumented backdoor? Of course - anything is possible when it comes to something that complex.
Do modern x86 processors have one that is impossible to remove? That is a proven fact.

I don't use my "real" name on the internet for the same reason I don't want a computer with ME/PSP.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 at 04:48:43 -0400 "taii...@gmx.com" wrote:
> On 09/07/2017 04:30 AM, Alessandro Selli wrote:
>
> > On Wed, 6 Sep 2017 at 17:12:27 -0400
> > zap wrote:
> >
> > > Agreed! Talos is at least *LIBRE!*
> >
> > No, it ain't:
> > https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
> >
> > "BMCs and the IPMI Protocol
> >
> > Baseboard Management Controllers (BMCs) are a type of embedded
> > computer used to provide out-of-band monitoring for desktops and
> > servers. These products are sold under many brand names,
> > including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and
> > Supermicro IPMI."
> >
> > IBM stuff is plagued by embedded controlware, too.
>
> Uhh no it is

Yes it is.

> There is a major difference between ME/PSP and IBM's POWER-BMC - One is
> open source and owner controlled the other two aren't.

Anything from IBM and Power-related is proprietary. Again, could you show us blueprints of the CPU and the Remote Supervisor Adapter present in IBM's chipsets?

> On 09/06/2017 07:18 PM, Alessandro Selli wrote:
>
> > On 06/09/2017 at 19:15, taii...@gmx.com wrote:
> > > On 09/06/2017 06:36 AM, Alessandro Selli wrote:
> > > > The steep price.
> > > Uhh the laptops you guys are selling now cost just as much as TALOS...
> >
> > "you" whom? I am not a seller.
>
> You are constantly defending

No, I reported on what they are doing, providing quotations.

> them and snubbing your nose at superior
> products

No, I am only pointing out anything you wrote about the supposed superiority of TALOS is faith-based.

> so it is obvious you work for purism.

You are constantly defending TALOS and their products based on proprietary, closed-source hardware from a single producer that has decades-long strong relationships with the US military and is known to put remote-control hardware and software in their products that cannot be disabled AFAIK.

So, it is obvious you work for TALOS.

> > > only they aren't owner controlled.
> >
> > That you know of. I remember IBM has always been one of the top USA
> > military's purveyors:
> >
> > http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d&d=miscellany19700206-01.2.13
> >
> > "In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
> > products with the United States Department of Defense. 4 The importance
> > of IBM's military role has grown with the computerization of the
> > American war effort in Vietnam." (1909 is probably an OCR error, there
> > are many in the piece; it could be 1969).
> >
> > I very much doubt material from IBM can be thought of being
> > freedom-and-liberty loving and exempt from any governmental-friendly
> > "features". They just don't put it in their public spec sheets like
> > Intel does.
>
> Ahh oh well shucks looks like I had better buy a purism right? at least
> then I know for a fact that there is a hardware level backdoor and can
> act accordingly!

You could buy a costlier product from TALOS and get yourself a system with hardware backdoors that, differently from Intel's, cannot be disabled (at least no one knows how to do it).

Enjoy your golden privacy- and freedom-denying cage by Big Blue.

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Quoting taii...@gmx.com (taii...@gmx.com):

[speaking to Alessandro Selli]

> You are constantly defending them and snubbing your nose at superior
> products so it is obvious you work for purism.

Can I ask for a bit more civility, please? Mr. Selli is a fairly passionate free software person, more than adequately accounting for his views, which I respect even though we have sometimes disagreed rather strongly. There is zero justification for attributing ulterior motives to him.

I also find a bit questionable your going around attempting to tarnish the reputation of someone with a real name, while concealing your own.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/07/2017 04:30 AM, Alessandro Selli wrote:
> On Wed, 6 Sep 2017 at 17:12:27 -0400 zap wrote:
> > Agreed! Talos is at least *LIBRE!*
>
> No, it ain't:
> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>
> "BMCs and the IPMI Protocol
>
> Baseboard Management Controllers (BMCs) are a type of embedded computer
> used to provide out-of-band monitoring for desktops and servers. These
> products are sold under many brand names, including HP iLO, Dell DRAC,
> Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro IPMI."
>
> IBM stuff is plagued by embedded controlware, too.

Uhh no it is

There is a major difference between ME/PSP and IBM's POWER-BMC - One is open source and owner controlled the other two aren't.

On 09/06/2017 07:18 PM, Alessandro Selli wrote:
> On 06/09/2017 at 19:15, taii...@gmx.com wrote:
> > On 09/06/2017 06:36 AM, Alessandro Selli wrote:
> > > The steep price.
> > Uhh the laptops you guys are selling now cost just as much as TALOS...
>
> "you" whom? I am not a seller.

You are constantly defending them and snubbing your nose at superior products so it is obvious you work for purism.

> > only they aren't owner controlled.
>
> That you know of. I remember IBM has always been one of the top USA
> military's purveyors:
>
> http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d&d=miscellany19700206-01.2.13
>
> "In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
> products with the United States Department of Defense. 4 The importance
> of IBM's military role has grown with the computerization of the
> American war effort in Vietnam." (1909 is probably an OCR error, there
> are many in the piece; it could be 1969).
>
> I very much doubt material from IBM can be thought of being
> freedom-and-liberty loving and exempt from any governmental-friendly
> "features". They just don't put it in their public spec sheets like
> Intel does.

Ahh oh well shucks looks like I had better buy a purism right? at least then I know for a fact that there is a hardware level backdoor and can act accordingly!
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Thu, 7 Sep 2017 at 10:30:39 +0200 Alessandro Selli wrote:
> On Wed, 6 Sep 2017 at 17:12:27 -0400
> zap wrote:
>
> > Agreed! Talos is at least *LIBRE!*
>
> No, it ain't:
> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>
> "BMCs and the IPMI Protocol
>
> Baseboard Management Controllers (BMCs) are a type of embedded
> computer used to provide out-of-band monitoring for desktops and
> servers. These products are sold under many brand names, including
> HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
> IPMI."
>
> IBM stuff is plagued by embedded controlware, too.

More info:
https://www.ibm.com/support/knowledgecenter/STAV45/com.ibm.sonas.doc/imm_users_guide_60y1465.pdf

  IMM features

  The IMM provides the following functions:
  ° Around-the-clock remote access and management of your server
  ° Remote management independent of the status of the managed server
  ° Remote control of hardware and operating systems
  ° Web-based management with standard Web browsers

So much for the idea such a thing as a freedom-loving and people's rights and privacy respectful technocorporation could exist.

Greetings,

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Wed, 6 Sep 2017 at 17:12:27 -0400 zap wrote:
> Agreed! Talos is at least *LIBRE!*

No, it ain't:
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

  "BMCs and the IPMI Protocol

  Baseboard Management Controllers (BMCs) are a type of embedded computer used to provide out-of-band monitoring for desktops and servers. These products are sold under many brand names, including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro IPMI."

IBM stuff is plagued by embedded controlware, too.

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 06/09/2017 at 19:15, taii...@gmx.com wrote:
> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>
> > The steep price.
> >
> Uhh the laptops you guys are selling now cost just as much as TALOS...

"you" whom? I am not a seller.

> only they aren't owner controlled.

That you know of. I remember IBM has always been one of the top USA military's purveyors:

http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d&d=miscellany19700206-01.2.13

  "In fiscal 1909, IBM contracted for $257,000,000.00 worth of its products with the United States Department of Defense. 4 The importance of IBM's military role has grown with the computerization of the American war effort in Vietnam."

(1909 is probably an OCR error, there are many in the piece; it could be 1969).

I very much doubt material from IBM can be thought of being freedom-and-liberty loving and exempt from any governmental-friendly "features". They just don't put it in their public spec sheets like Intel does.

-- 
Alessandro Selli Tel. 3701355486
VOIP SIP: dhatarat...@ekiga.net
Chiave PGP/GPG key: B7FD89FD
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/06/2017 01:15 PM, taii...@gmx.com wrote:
> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>
> > The steep price.
> >
> Uhh the laptops you guys are selling now cost just as much as
> TALOS...only they aren't owner controlled.

Agreed! Talos is at least *LIBRE!*
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/06/2017 06:36 AM, Alessandro Selli wrote:
> The steep price.

Uhh the laptops you guys are selling now cost just as much as TALOS...only they aren't owner controlled.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Wed, 6 Sep 2017 at 15:58:17 +0100 Arnt Gulbrandsen wrote:
> Alessandro Selli writes:
> > What makes you think IBM is more trustable than Intel? Who, other than
> > IBM, produces Power8 CPUs? Are the blueprints publicly available?
>
> You're just raising the bar to the point where no one can possibly build an
> acceptable product.

I'm raising the hardware bar to the same level as free/opensource software. If you find it acceptable to use proprietary hardware, then you could as well use proprietary software. If you trust FOSS because it's auditable (at least in principle), then I expect you not to place your blind trust in proprietary hardware because auditing it is too hard.

In the past this was not too big an issue, as CPUs were simple enough that undocumented instructions or registers were discovered sooner or later. Today it's a whole different matter, and hardware now weighs almost (?) as much as software as far as freedom and privacy matter.

The only CPU that comes somewhat close to meeting the open hardware criteria that I know of is the OpenSPARC CPU. Strangely, no devices of mass production are based on that platform.

Alessandro
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Alessandro Selli writes:
> What makes you think IBM is more trustable than Intel? Who, other than
> IBM, produces Power8 CPUs? Are the blueprints publicly available?

You're just raising the bar to the point where no one can possibly build an acceptable product. (Not just you, Alessandro, most people who post to this thread.)

Suppose the blueprints are available. Then you could scrutinise them. But how big is the chance that you would notice a single gate out of place? Or worse, a single gate that has a legitimate purpose but could be subverted by a fab-time attacker? We already know that a single-gate attack is possible:

  "In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip's functionality)."

Google and read it if you want, the paper makes for sad reading. Or you can make a decision about what to guard against and stop worrying about the rest.

Arnt
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Wed, Sep 06, 2017 at 12:36:59PM +0200, Alessandro Selli wrote:
> On Tue, 5 Sep 2017 at 11:53:46 -0400
> "taii...@gmx.com" wrote:
>
> > I take it you work for purism
> >
> > raptor has made a legitimately owner controlled computer - what's stopping you?
>
> The steep price.

Ditto. It's far more capacity than I need.

Currently using a ten-year-old 64-bit AMD processor and it's working fine -- except nonessential components (such as USB) are starting to fail, and I occasionally replace a disk drive in the software RAID.

Have not replaced it with a modern system out of security concerns. Want to replace it out of long-term availability concerns.

-- hendrik
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Tue, 5 Sep 2017 at 20:14:04 +0200 mdn wrote:

> Hello,
> To make some precisions:
> -The "High Assurance Platform" belongs to a trusted platform program
> linked to the U.S. National Security Agency (NSA). A graphics-rich
> presentation describing the program can be found here.
> http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf

It's available at the Internet Archive's Wayback machine:

https://web.archive.org/web/20121211162830/http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf

> note: the link is dead but I have a backup of the pdf.
> If someone needs it just ask.
>
> -More parts of the ME can be removed thanks to this discovery.
>
> -The removed part makes the ME go into "TemporaryDisable mode" which is
> undocumented, like a lot of undocumented instructions
> https://github.com/xoreaxeaxeax/sandsifter/raw/master/references/domas_breaking_the_x86_isa_wp.pdf.
>
> -This "TemporaryDisable mode" allows the CPU to initialize without the
> ME activated.
>
> -This hack doesn't work on Apollo Lake platforms.
>
> So it doesn't remove the ME, it "neutralises" it, and for what remains we
> can only hope that nothing reinitialises it afterwards since the
> instruction is called Temporary Disable mode.

There are many things that can be removed, as stated in the same provided URL:

  Setting the HAP bit

  The aforementioned facts help to reveal the second method of disabling Intel ME:

  1. Set the HAP bit.
  2. In the CPD section of the FTPR, remove or damage all modules except those required by BUP for startup: RBE, KERNEL, SYSLIB, dBUP
  3. Fix the checksum of the CPD header (for more details on the structure of ME firmware, see this paper).

> Imo seeing the awful state of X86 platforms, POWER is our only hope to
> own what we buy.

Not the only one. We also have ARM from a number of producers and Chinese and Russian RISC CPUs.

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
PGP/GPG keys: B7FD89FD, 4A904FD9
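Steps 2 and 3 quoted above operate on the $CPD (code partition directory) of the FTPR partition. As an added example that is not part of this thread or of any project named in it, the Python below parses a $CPD directory, verifies and recomputes its 8-bit header checksum (step 3), and reports which entries beyond the quoted startup set (RBE, KERNEL, SYSLIB, BUP/dBUP) are still present, which is the check one would run over a dumped ME region after cleaning. The header and entry layout, the checksum rule, and the treatment of `.met`/`.man` entries are assumptions stated in the comments; the sample directory is constructed inline.

```python
"""Parse an Intel ME $CPD directory, check its checksum, list leftover modules.

Added example (not code from the thread or from any named project).
Layout ASSUMED here:
  header (16 bytes): "$CPD" | num_entries u32 | header_ver u8 | entry_ver u8 |
                     header_len u8 | checksum u8 | partition_name char[4]
  entry  (24 bytes): name char[12] | offset u32 (low 25 bits) | length u32 | reserved u32
Checksum rule ASSUMED: the byte that makes header + entry table sum to 0 mod 256.
"""
import struct
from typing import List, NamedTuple

CPD_MAGIC = b"$CPD"
HEADER_FMT = "<4sIBBBB4s"          # 16 bytes
ENTRY_FMT = "<12sIII"              # 24 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
ENTRY_LEN = struct.calcsize(ENTRY_FMT)
CHECKSUM_OFFSET = 11

# Startup set from the quoted steps; both spellings seen in the thread
# ("BUP" and "dBUP") are accepted, case-insensitively.
REQUIRED_MODULES = frozenset({"rbe", "kernel", "syslib", "bup", "dbup"})


class CpdEntry(NamedTuple):
    name: str
    offset: int
    length: int


def compute_checksum(cpd: bytes, num_entries: int) -> int:
    """Checksum byte that zeroes the sum of header + entry table (mod 256)."""
    table_len = HEADER_LEN + num_entries * ENTRY_LEN
    total = sum(cpd[:table_len]) - cpd[CHECKSUM_OFFSET]  # exclude the slot itself
    return (-total) & 0xFF


def parse_cpd(cpd: bytes) -> List[CpdEntry]:
    magic, num, _hver, _ever, hlen, _chk, _pname = struct.unpack_from(HEADER_FMT, cpd, 0)
    if magic != CPD_MAGIC:
        raise ValueError("not a $CPD directory")
    if hlen != HEADER_LEN:
        raise ValueError(f"unexpected header length {hlen}")
    entries = []
    for i in range(num):
        raw, off, length, _res = struct.unpack_from(ENTRY_FMT, cpd, HEADER_LEN + i * ENTRY_LEN)
        entries.append(CpdEntry(raw.rstrip(b"\0").decode("ascii"), off & 0x01FFFFFF, length))
    return entries


def checksum_ok(cpd: bytes) -> bool:
    num = struct.unpack_from("<I", cpd, 4)[0]
    return cpd[CHECKSUM_OFFSET] == compute_checksum(cpd, num)


def fix_checksum(cpd: bytes) -> bytes:
    """Step 3 of the quoted procedure: rewrite the header checksum byte."""
    num = struct.unpack_from("<I", cpd, 4)[0]
    out = bytearray(cpd)
    out[CHECKSUM_OFFSET] = compute_checksum(cpd, num)
    return bytes(out)


def extra_modules(cpd: bytes) -> List[str]:
    """Entries whose base name is outside the startup set. ASSUMED: the
    partition manifest (*.man) is always kept, and x.met belongs to module x."""
    extras = []
    for e in parse_cpd(cpd):
        lower = e.name.lower()
        if lower.endswith(".man"):
            continue
        base = lower[:-4] if lower.endswith(".met") else lower
        if base not in REQUIRED_MODULES:
            extras.append(e.name)
    return extras


def build_cpd(partition: bytes, names: List[str]) -> bytes:
    """Constructed sample directory: 0x100-byte entries laid out after the table."""
    num = len(names)
    offset = HEADER_LEN + num * ENTRY_LEN
    table = b""
    for n in names:
        table += struct.pack(ENTRY_FMT, n.encode("ascii").ljust(12, b"\0"), offset, 0x100, 0)
        offset += 0x100
    header = struct.pack(HEADER_FMT, CPD_MAGIC, num, 1, 0, HEADER_LEN, 0, partition)
    return fix_checksum(header + table)


# Constructed sample: the startup set plus one extra module ("pm") with its metadata.
SAMPLE = build_cpd(b"FTPR", ["FTPR.man", "rbe.met", "rbe", "kernel.met", "kernel",
                             "syslib.met", "syslib", "bup.met", "bup", "pm.met", "pm"])

if __name__ == "__main__":
    print("checksum ok:", checksum_ok(SAMPLE))
    print("entries beyond the startup set:", extra_modules(SAMPLE))
```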
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Tue, 5 Sep 2017 at 11:53:46 -0400 "taii...@gmx.com" wrote:

> On 09/05/2017 06:34 AM, Alessandro Selli wrote:
>> On Sun, 3 Sep 2017 at 07:32:10 -0400
>> zap wrote:
>>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>>> On 01/09/2017 at 20:36, zap wrote:
>>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel
>>>>>> soc) Purism isn't a trustworthy company.
>>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>>> can get the latest and the greatest without intel me
>>>> This is *not* what they claim:
>>>>
>>>> https://puri.sm/learn/intel-me/
>>>>
>>>> "Freeing the ME is a challenge, but not impossible"
>>>>
>>>> "By working with Intel, motherboard design developers, as well as our
>>>> coreboot developers, Purism has put in motion a solid approach on how to
>>>> run a freed Intel ME *in the future*."
>>> Sorry, but have you talked to libreboot or coreboot about this? and
>>> also, not even google with all their money can convince intel to give
>>> their secrets to them. That for me is a solid reason why I said this.
>> The secret is no more a secret:
>>
>> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>>
>> August 28, 2017
>> Disabling Intel ME 11 via undocumented mode
>>
>> "Our team of Positive Technologies researchers has delved deep into the
>> internal architecture of Intel Management Engine (ME) 11, revealing a
>> mechanism that can disable Intel ME after hardware is initialized and the
>> main processor starts. In this article, we describe how we discovered this
>> undocumented mode and how it is connected with the U.S. government's High
>> Assurance Platform (HAP) program."
> That isn't disabling it, it is still involved in the boot process and
> you are simply again trusting intel's word that everything is fine with
> zero verification.
>
> I take it you work for purism
>
> raptor has made a legitimately owner controlled computer - what's stopping you?

The steep price.

> (besides obsession over intel x86)
> It is possible to make a POWER laptop with today's lower wattage POWER cpu's.

What makes you think IBM is more trustable than Intel? Who, other than IBM, produces Power8 CPUs? Are the blueprints publicly available?

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Tue, 5 Sep 2017 at 16:05:21 +0200 Edward Bartolo wrote:

> So, it means, without my knowledge as a computer user, I have a HIDDEN
> OPERATING SYSTEM running under my nose.

It's much more than that: in the CPU and PCH chip you have 3 (THREE!) CPUs derived from the vintage 486 plus a few modern opcodes (probably related to hardware cryptography) and an OS derived from Minix that implements the ME and related subsystems.

> Securitywise, it is like
> running MS Windows notwithstanding I am running Devuan ASCII!
>
> With all this, a tinfoil hat is completely useless. I need an armoured
> hat with the same thickness as a war tank, but will it help?

The whole harness is supposed to be disabled as described in the link to the Positive Technologies team.

> Hiding a complete OS integrated on the main processor's silicon die,
> and to add insult to injury, complete with a dedicated processor,
> filesystem and all!

Yep, that's it! Three cores that run their own OS separated from the main CPU. Scary!

-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
PGP/GPG keys: B7FD89FD, 4A904FD9
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 06.09.2017 03:14, mdn wrote:

>> If I understood it correctly, they managed to boot a modified firmware
>> on that ME core, so it theoretically should be possible to run an
>> entirely own firmware on it. Maybe barebox or plan9.
>
> They did manage to boot a modified firmware but there's still components
> that aren't yet removed.
>
> --it also removes all the modules from the images except RBE, KERNEL,
> SYSLIB, and BUP--
>
> So the modules RBE, KERNEL, SYSLIB and BUP are still there and if you
> read correctly
>
> --It should be noted that ROM, RBE, and KERNEL are executed at the zero
> privilege level (in ring-0) of the MIA kernel.--

The interesting question here is whether these parts could be replaced. If I understood it correctly, they didn't remove these parts yet, as they're still needed to bring up the main cpu. I'd guess it's only a matter of time until they find out how to do it on their own.

> But as I see things it would be faster to go on POWER and besides faster
> we are 100% sure that there isn't anything in the background that we
> don't know about.

Assuming there'll be suitable and affordable boards in the near future.

>> What about ARM ?
>
> They began to implement similar ME/PSP functions, I unfortunately don't
> remember the name of it so if someone knows please post it.

I'm only aware of the TrustZone stuff. But that's not enabled by default (more precisely: on poweron, the cpu is in "secure" mode, until explicitly switched down to "normal mode"). For a complete lock-down, you'd need a soc w/ internal boot flash (most of the socs boot from external media) and burn the fuses. The CPUs you can buy are usually open (and only closed-down by board vendors, if done at all) - anything else wouldn't work well in the embedded world. Completely custom boards are the usual standard here.

> There's also the GPU problem, there is zero effort from allwinner to free
> their MALI GPU and worse they persecute those who try to reverse engineer
> it (see the LIMA driver developer) that's why no 100% free driver is
> available.

Just don't buy that crap. There're other options, eg. vivante is already opened. (nobody who still has a piece of sanity ever uses proprietary drivers)

--mtx
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 06/09/2017 04:13, Enrico Weigelt, metux IT consult wrote:
> On 05.09.2017 18:14, mdn wrote:
>
> If I understood it correctly, they managed to boot a modified firmware
> on that ME core, so it theoretically should be possible to run an
> entirely own firmware on it. Maybe barebox or plan9.

They did manage to boot a modified firmware but there's still components that aren't yet removed.

--it also removes all the modules from the images except RBE, KERNEL, SYSLIB, and BUP--

So the modules RBE, KERNEL, SYSLIB and BUP are still there and if you read correctly

--It should be noted that ROM, RBE, and KERNEL are executed at the zero privilege level (in ring-0) of the MIA kernel.--

As for the theoretical completely free firmware, only the future will tell us. But as I see things it would be faster to go on POWER and besides faster we are 100% sure that there isn't anything in the background that we don't know about. Because as time goes on with the X86 exploration we found surprise after surprise.

> Having a serial console (maybe via some free gpios ?) would be a really
> cool thing.
>
>> Imo seeing the awful state of X86 platforms, POWER is our only hope to
>> own what we buy.
>
> What about ARM ?

They began to implement similar ME/PSP functions, I unfortunately don't remember the name of it so if someone knows please post it.

There's also the GPU problem, there is zero effort from allwinner to free their MALI GPU and worse they persecute those who try to reverse engineer it (see the LIMA driver developer) that's why no 100% free driver is available. But still, recently there have been people who try to do something about it.

http://lists.phcomp.co.uk/pipermail/arm-netbook/2017-May/013845.html
https://people.freedesktop.org/~cbrill/dri-log/?channel=lima&date=2017-06-23

I hope they'll be ok. If you are interested in ARM I suggest that you go on the ARM-netbook mailing list.
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook

> --mtx
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 05.09.2017 18:14, mdn wrote:

If I understood it correctly, they managed to boot a modified firmware on that ME core, so it theoretically should be possible to run an entirely own firmware on it. Maybe barebox or plan9.

Having a serial console (maybe via some free gpios ?) would be a really cool thing.

> Imo seeing the awful state of X86 platforms, POWER is our only hope to
> own what we buy.

What about ARM ?

--mtx
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/05/2017 03:00 PM, Hendrik Boom wrote:
> so it looks as if that legitimately owner-controlled computer project
> based on the POWER processor has died.
>
> Anyone know better? Is it still continuing in some form?

That was TALOS 1 (POWER8), the new hotness is TALOS 2 (POWER9).

They are waiting for IBM to release POWER9 CPUs to the public, so it is a real ready-to-ship product, not a crowd-funding campaign - and by my cynical standards it is simply incredible.

As a reminder it is $2.1K for the board and CPU, so quite affordable by server hardware pricing standards (you would pay more for less if you went with closed source x86 for that many threads) and one can buy it with bitcoin too, which is pretty sick.

Raptor is a great company that has also made the libre firmware and OpenBMC port for various pre-PSP AMD x86 motherboards such as the KGPE-D16 and KCMA-D8, both of which work nicely; they have a proven track record and are a member of IBM's OpenPOWER foundation.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 05/09/2017 21:00, Hendrik Boom wrote:
> On Tue, Sep 05, 2017 at 11:53:46AM -0400, taii...@gmx.com wrote:
>>
>> I take it you work for purism
>>
>> raptor has made a legitimately owner controlled computer - what's stopping you? (besides obsession over intel x86)
>> It is possible to make a POWER laptop with today's lower wattage POWER cpu's.
>
> on
> https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/the-state-of-owner-controlled-computing-as-talos-winds-down
>

This is old, here's the new one: https://www.raptorcs.com/TALOSII/

Here's the archive.org version: https://web.archive.org/web/20170904050410/https://www.raptorcs.com/TALOSII/

The website was accessible a few days ago, I don't know why it's not accessible right now.

> I read
>
> : Raptor Engineering is grateful to have had the opportunity to run
> : this campaign, and would like to thank the community for all of the
> : support we received during this nearly year-long endeavor. We will
> : not be receiving any of the pledged funds from the crowdfunding
> : campaign. If you've already placed a pre-order for a POWER8 CPU via
> : Crowd Supply, you will be fully refunded. If you placed a
> : crowdfunding pledge for a Talos(TM) product, you have not yet been and
> : will not be charged.
> :
> : We will not be continuing development of the Talos(TM) systems, however
> : we are willing to license parts of the Talos(TM) technology, such as
> : FlexVer(TM), to other manufacturers.
>
> so it looks as if that legitimately owner-controlled computer project
> based on the POWER processor has died.
>
> Anyone know better? Is it still continuing in some form?
>
> -- hendrik

-- 
Freely,
BERNARD

FR: Please use GPG for our future conversations: https://emailselfdefense.fsf.org/fr/
If this email is not signed, it does not come from me.

ENG: Please be kind enough to use GPG for our future conversations: https://emailselfdefense.fsf.org/en/
If this email isn't PGP signed then it isn't mine.

-If you can't compile it dump it.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Tue, Sep 05, 2017 at 11:53:46AM -0400, taii...@gmx.com wrote:
>
> I take it you work for purism
>
> raptor has made a legitimately owner controlled computer - what's stopping you? (besides obsession over intel x86)
> It is possible to make a POWER laptop with today's lower wattage POWER cpu's.

on
https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/the-state-of-owner-controlled-computing-as-talos-winds-down
I read

: Raptor Engineering is grateful to have had the opportunity to run
: this campaign, and would like to thank the community for all of the
: support we received during this nearly year-long endeavor. We will
: not be receiving any of the pledged funds from the crowdfunding
: campaign. If you've already placed a pre-order for a POWER8 CPU via
: Crowd Supply, you will be fully refunded. If you placed a
: crowdfunding pledge for a Talos(TM) product, you have not yet been and
: will not be charged.
:
: We will not be continuing development of the Talos(TM) systems, however
: we are willing to license parts of the Talos(TM) technology, such as
: FlexVer(TM), to other manufacturers.

so it looks as if that legitimately owner-controlled computer project based on the POWER processor has died.

Anyone know better? Is it still continuing in some form?

-- hendrik
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Hello,

To make some precisions:

-The "High Assurance Platform" belongs to a trusted platform program linked to the U.S. National Security Agency (NSA). A graphics-rich presentation describing the program can be found here.
http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf
note: the link is dead but I have a backup of the pdf. If someone needs it just ask.

-More parts of the ME can be removed thanks to this discovery.

-The removed part makes the ME go into "TemporaryDisable mode" which is undocumented, like a lot of undocumented instructions
https://github.com/xoreaxeaxeax/sandsifter/raw/master/references/domas_breaking_the_x86_isa_wp.pdf.

-This "TemporaryDisable mode" allows the CPU to initialize without the ME activated.

-This hack doesn't work on Apollo Lake platforms.

So it doesn't remove the ME, it "neutralises" it, and for what remains we can only hope that nothing reinitialises it afterwards since the instruction is called Temporary Disable mode.

Imo seeing the awful state of X86 platforms, POWER is our only hope to own what we buy.

On 05/09/2017 12:34, Alessandro Selli wrote:
> On Sun, 3 Sep 2017 at 07:32:10 -0400
> zap wrote:
>
>>
>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>> On 01/09/2017 at 20:36, zap wrote:
>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel soc)
>>>>> Purism isn't a trustworthy company.
>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>> can get the latest and the greatest without intel me
>>> This is *not* what they claim:
>>>
>>> https://puri.sm/learn/intel-me/
>>>
>>> "Freeing the ME is a challenge, but not impossible"
>>>
>>> "By working with Intel, motherboard design developers, as well as our
>>> coreboot developers, Purism has put in motion a solid approach on how to
>>> run a freed Intel ME *in the future*."
>> Sorry, but have you talked to libreboot or coreboot about this? and
>> also, not even google with all their money can convince intel to give
>> their secrets to them. That for me is a solid reason why I said this.
>
> The secret is no more a secret:
>
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>
> August 28, 2017
> Disabling Intel ME 11 via undocumented mode
>
> "Our team of Positive Technologies researchers has delved deep into the
> internal architecture of Intel Management Engine (ME) 11, revealing a
> mechanism that can disable Intel ME after hardware is initialized and the
> main processor starts. In this article, we describe how we discovered this
> undocumented mode and how it is connected with the U.S. government's High
> Assurance Platform (HAP) program."
>
>
> Good hacking! :-)
>

-- 
Freely,
BERNARD

FR: Please use GPG for our future conversations: https://emailselfdefense.fsf.org/fr/
If this email is not signed, it does not come from me.

ENG: Please be kind enough to use GPG for our future conversations: https://emailselfdefense.fsf.org/en/
If this email isn't PGP signed then it isn't mine.

-If you can't compile it dump it.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 05/09/17 at 16:05, Edward Bartolo wrote:
> Hiding a complete OS integrated on the main processor's silicon die,
> and to add insult to injury, complete with a dedicated processor,
> filesystem and all!

This is the point that makes me doubt those theories. I'm sure this type of backdoor must be driven with operating system work (collaboration between hardware and software).
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
taii...@gmx.com writes:
> I take it you work for purism
>
> raptor has made a legitimately owner controlled computer - what's stopping you?

Is that an actual owner-controlled computer, or is it controlled by whoever is at the keyboard? Or is it controlled by all the people who have a certain password?

Arnt
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
Well gee, show's over folks, we can go home, as the good people at the NSA have made a nice little feature to shut off that thing all the kids are complaining about.

Hypothetical backdoor team: "Aw shucks they got us!" "Damn they're using a non-intel NIC - what will we do now?"

If you can't trust some shadowy security research firm, who can you trust!
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/05/2017 06:34 AM, Alessandro Selli wrote:
> On Sun, 3 Sep 2017 at 07:32:10 -0400
> zap wrote:
>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>> On 01/09/2017 at 20:36, zap wrote:
>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel
>>>>> soc) Purism isn't a trustworthy company.
>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>> can get the latest and the greatest without intel me
>>> This is *not* what they claim:
>>>
>>> https://puri.sm/learn/intel-me/
>>>
>>> "Freeing the ME is a challenge, but not impossible"
>>>
>>> "By working with Intel, motherboard design developers, as well as our
>>> coreboot developers, Purism has put in motion a solid approach on how to
>>> run a freed Intel ME *in the future*."
>> Sorry, but have you talked to libreboot or coreboot about this? and
>> also, not even google with all their money can convince intel to give
>> their secrets to them. That for me is a solid reason why I said this.
> The secret is no more a secret:
>
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>
> August 28, 2017
> Disabling Intel ME 11 via undocumented mode
>
> "Our team of Positive Technologies researchers has delved deep into the
> internal architecture of Intel Management Engine (ME) 11, revealing a
> mechanism that can disable Intel ME after hardware is initialized and the
> main processor starts. In this article, we describe how we discovered this
> undocumented mode and how it is connected with the U.S. government's High
> Assurance Platform (HAP) program."

That isn't disabling it, it is still involved in the boot process and you are simply again trusting intel's word that everything is fine with zero verification.

I take it you work for purism

raptor has made a legitimately owner controlled computer - what's stopping you? (besides obsession over intel x86)
It is possible to make a POWER laptop with today's lower wattage POWER cpu's.
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/05/2017 11:08 AM, Dr. Nikolaus Klepp wrote:
> On Tuesday, 5 September 2017, Edward Bartolo wrote:
>> So, it means, without my knowledge as a computer user, I have a HIDDEN
>> OPERATING SYSTEM running under my nose. Securitywise, it is like
>> running MS Windows notwithstanding I am running Devuan ASCII!
>>
>> With all this, a tinfoil hat is completely useless. I need an armoured
>> hat with the same thickness as a war tank, but will it help?
>>
>> Hiding a complete OS integrated on the main processor's silicon die,
>> and to add insult to injury, complete with a dedicated processor,
>> filesystem and all!
> Welcome to the land of the free ...
>
> Nik
>

Or what used to be the land of the free...
Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Tuesday, 5 September 2017, Edward Bartolo wrote:
> So, it means, without my knowledge as a computer user, I have a HIDDEN
> OPERATING SYSTEM running under my nose. Securitywise, it is like
> running MS Windows notwithstanding I am running Devuan ASCII!
>
> With all this, a tinfoil hat is completely useless. I need an armoured
> hat with the same thickness as a war tank, but will it help?
>
> Hiding a complete OS integrated on the main processor's silicon die,
> and to add insult to injury, complete with a dedicated processor,
> filesystem and all!

Welcome to the land of the free ...

Nik

-- 
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...