There is no evidence that there is such a thing for Intel systems with AMT disabled, either.
But it is easier not to have any AMT/ME/PSP at all: no need to clean anything and nothing to worry about.
I could secure it with a hyper-visor, I guess, but what if I just want to run Linux?
Possible to run Linux under a hypervisor as well, by using something like QubesOS (which contains Xen).
- AtomDis of AtomBIOS is clear enough to make sure there aren't any
backdoors ( https://pastebin.com/xKW9FV58 ),
You have made (up?) that claim before. If it is clear to you and you have the knowledge to implement a free graphics driver for the G505s, please do it
I could be a car mechanic without being able to build a new car from scratch. When I looked under this car's hood (AtomDis) I saw just a bunch of command tables like SetMemoryClock / AdjustDisplayPll / EnableVGA_Render and data tables like LVDS_Info / VRAM_UsageByFirmware. Haven't seen anything suspicious that could have indicated some potential backdoors there. But if you don't want to run this blob even under a hypervisor like Xen in QubesOS, there's always an option to avoid this blob entirely by running your PC in a headless mode. Meanwhile you can't avoid the closed source Intel FSP the same way.
In addition, there is YABEL option in coreboot to prevent the undocumented access of OptionROMs to other PCI devices - which also helps to reduce the concerns regarding this AtomBIOS blob. I'm not sure there is any equivalent for FSP.
The support for pre-ME/FSP Intel boards shows that maintaining 10y+ old platforms can be fun and works out very well.
But they could still be removed from coreboot just because of "EOL and old"/"no-one is using them". From coreboot 4.3 release notes: " 20 mainboards were removed that aren't on the market for years (and even hard to get on Ebay) ". Stuff like this could happen to any board that is old, or am I wrong here?
The (AMD) platforms are not the problem. Maybe the problem is that their fans got lazy and rested on AGESA, idk.
Its understandable that it could look like we are lazy and resting on AGESA. But maybe we are busy using our coreboot'ed AMD computers for various freedom-related projects - as the tools to create something great? And having to rewrite AGESA would mean we're suddenly working much more on the tools than on the stuff we're creating with them - without any obvious benefit to the not-hardcore-programmers-but-security-conscious people who see that AGESA is open source already
Best regards, Mike Banon
On Fri, Nov 9, 2018 at 9:27 PM Nico Huber nico.h@gmx.de wrote:
On 11/9/18 2:22 PM, Mike Banon wrote:
There might be neither ME nor PSP, but that just means the controllers that are known and researched are absent (it doesn't tell you anything about less researched ones).
There is no evidence that AMD processors contained any "remote management" controllers before late 16h family (Puma). Even the early 16h (Jaguar) is okay in this relation, and G505S CPU is 15h (Richland) - so, unlike the recent Intels, it does not contain any "remote management" controllers that might be exploited as a hardware backdoor> via some vulnerability.
There is no evidence that there is such a thing for Intel systems with AMT disabled, either.
AMD graphics driver developers force you to put a usually proprietary AtomBIOS into your firmware.
- You can move AtomBIOS from the firmware to GRUB/Linux kernel stage.
Putting it into your firmware is more convenient - but it's not the only solution and could be avoided (e.g. by following some of these instructions - https://bugs.freedesktop.org/show_bug.cgi?id=26891 )
So you can shift the problem? Point is? I could secure it with a hyper-visor, I guess, but what if I just want to run Linux?
- AtomDis of AtomBIOS is clear enough to make sure there aren't any
backdoors ( https://pastebin.com/xKW9FV58 ),
You have made (up?) that claim before. If it is clear to you and you have the knowledge to implement a free graphics driver for the G505s, please do it! If not, I suppose you lie deliberately.
This list is about open-source firmware, if you want to make random claims about proprietary firmware, please do it somewhere else.
The G505s still uses AGESA (a hard to maintain AMD reference code). This (and actually the native coreboot AMD code too) might get moved away from our master branch after any release.
You are correct, it could be that one day coreboot will go full Intel.
That's not what I said. Actually, there is actively maintained AMD code in our repo. I was talking about unmaintained code.
But that is more likely to happen simply because the corporations participating in the development of coreboot aren't interested at any AMD boards.
Nope, it's because the unmaintained code is no fun at all to work with. If I (as a non-corporate contributor) want to clean something up across the whole tree, there are sub-trees where I instantly see what I have to do, see how beautiful things turn out... there are also sub-trees that give me a bad time, delay a few hour job for days and as such lower the potential of non-corporate contributors. The code that runs on G505s lives in the latter sub-trees.
So the future coreboot indeed might support only some Google/Purism computers together with Intel/Facebook/etc. in-house proprietary boards, and there will not be any coreboot-supported boards without Intel ME + full complex set of their blobs (FSP etc.)
That's unlikely. The support for pre-ME/FSP Intel boards shows that maintaining 10y+ old platforms can be fun and works out very well. The (AMD) platforms are not the problem. Maybe the problem is that their fans got lazy and rested on AGESA, idk.
The last time I worked on a bigger patch set in my spare time, I nearly gave up after some nights of work because of the unmaintainable mess around {cpu,nb,sb}/amd/
If its difficult to write the crossplatform code in some cases or if you aren't interested at AMD boards (understandable if you don't have any), you could use something like "ifdef INTEL_BOARD then Enable_Feature_X else Dont_Enable". Better to live without some not-essential features than removing the boards, especially since there really aren't a lot of coreboot-supported motherboards.
That makes no sense at all. Either you want to have new features, up to date support etc., then we have to maintain it on the master branch. If we "ifdef" things out, it's the same as having it on a separate branch.
I believe it's only a question of time until coreboot maintainers are finally fed up with it.
The majority of platform-specific problems discussed at the mailing lists are directly related to Intel. Sometimes I'm seeing so many of them flooding my inbox, I'm wondering how the coreboot maintainers aren't fed up with Intel mess.
Your statistics are biased by the fact that almost nobody uses coreboot for AMD (in production) compared to Intel. But to be honest, Intel does a mess indeed, but it's not half as bad as the unmaintained (even the native) AMD code.
Here are some long thread examples:
*) "How to get correct memory params for FSP" *) "[skylake] Can not turn monitor on" *) "Kabylake unable to boot with post code 0x71" + could dig out much more if required.
Even from a bystander's point of view it is quite obvious that many of these Intel-specific problems have been caused by the improper software design and insufficient source code quality. Luckily you seem to recognize these problems, as I could see from some of your messages like this one - https://mail.coreboot.org/pipermail/coreboot/2018-November/087722.html . Whether this has been caused by Intel outsourcing to developing countries, or "quantity-over-quality" approach, I don't know. However: despite the Intel source code being as messy as AMD (if not more messy) you don't see any serious discussions regarding the removal/rewrite of Intel, and we all know why.
Nope, as said above, the unmaintained AMD is a hell a lot messier.
A good solution would be to write native coreboot code for this platform from scratch. Something at least of the quality of intel/x4x (and the compatible southbridges) would be much appreciated and would likely maintain itself for some years.
But that will not protect AMD code from removal. When someone will want to remove it, in any case they will find a reason: either "EOL and old" (could happen to intel/x4x regardless of its' source code quality) or "no feature/property X we've introduced and absolutely require" (something like "late vs early init") or simply "why should we care about AMD boards if we work with/at Intel". Maybe then the coreboot project will be forked and there will be two coreboots: one for the people, and another for corporations.
Well, I'm with the people. And if I would fork coreboot for the people, the unmaintained AMD code would be high up on the list of what to drop to be able to support the rest better. You seem to be absolutely con- fused about coreboot development. There are a lot active non-corporate developers in the community. You are asking them to maintain the crappy code too, for less fun and no money. How should that ever work out?
Sorry, but it seemed more like "Please avoid AMD if possible, its' going to be removed". Problem that its hard to avoid AMD without going Intel, and there are a lot more reasons to avoid Intel than AMD: in addition to the earlier introduction of remote management controllers and being a monopoly, there are serious Intel-only security vulnerabilities like Meltdown which requires a 5%-30% performance degrading patch and Intel hyperthreading will be disabled soon ( https://www.theregister.co.uk/2018/11/02/portsmash_intel_security_attack/). Perhaps it makes more sense to say
" Please avoid Intel if possible "
but I don't want to start "Intel vs AMD" holy war there, especially since it seems we are greatly outnumbered by Intel-employed/partnered/sympathetic folks (how could one be sincerely sympathetic to Intel is a big question though).
Yeah, it's weird. I'm absolutely not on the Intel side. I just can't stand your biased bullshit. So I'm looking for arguments against AMD when I see your unfounded arguments against Intel. Not because I don't like AMD but because I don't like this list to look dubious, i.e. that we would accept biased arguments without correcting them.
Nico