On 23.12.2017 22:08, Ivan Ivanov wrote:
> Sadly the ARM processors also have the ME-like backdoor (called "TrustZone").
Some have. Some not. Some have it and it's owner-controllable. It's not about the ISA and some optional architectural feature, it's about the chip you buy.
> And even MIPS is going this road soon (check out the "MIPS OmniShield" news).
> Could it be the requirement of US Government - for all the consumer CPUs to have backdoors? My last hopes are on POWER 9 and RISC V now; meanwhile sticking to the AMD pre-PSP tech
Forget it. RISC-V already has SMM-like tech in the architecture. But that doesn't matter as long as you can buy chips that are owner-controllable. Such features make it harder to keep everything secure but they don't force the silicon vendor to lock you out (as long as you don't ask to be able to watch Netflix in high resolution or something like that).
Nico
(was [coreboot] Coreboot Purism BIOS is free? open?)
Regarding the "AMD pre-PSP" devices, I have a very naive question: are some of them still in production or none of them? (i.e. all one can buy nowadays are only "pre-owned" devices with a life expectancy far less than that of a new one..) What about the Opteron line? Are they still in production? Sorry for hijacking the thread and thank you for answers..
Florentin
On 12/23/2017 04:50 PM, echelon@free.fr wrote:
> (was [coreboot] Coreboot Purism BIOS is free? open?)
> Regarding the "AMD pre-PSP" devices, I have a very naive question: are some of them still in production or none of them? (i.e. all one can buy nowadays are only "pre-owned" devices with a life expectancy far less than that of a new one..) What about the Opteron line? Are they still in production? Sorry for hijacking the thread and thank you for answers..
> Florentin
Yes of course you can still buy a new KGPE-D16 and KCMA-D8 Opteron board; performance with their best CPUs is equivalent to AM3+ FX-8310 (or almost two FX-8310 for the 16 core CPUs). Those two boards are owner controlled (no ME/PSP) and have 100% libre firmware (open source silicon init); they also have an open source firmware for the BMC available for secure libre remote management. You can play modern games in a VM on them via IOMMU-GFX, or use Qubes (quite nice for that as they have dual USB controllers).
MSRP: KCMA-D8: $315, KGPE-D16: $415
I wouldn't bother buying a new Opteron CPU however as a CPU has an estimated lifespan of 20+ years, but the board should definitely be brand new. There is also the Lenovo G505S, an owner controlled pre-PSP AMD laptop that can run coreboot with open source silicon init (unlike the Purism laptops, which use the Intel FSP binary blob), which you can find as a refurb.
Although I suggest also looking into a TALOS 2 running POWER9, which is significantly faster and much more secure. https://raptorcs.com
Yes Peter.... But what has Netflix (or Sony, or the entertainment industry in general...) to LEGALLY gain by strongarming Intel/AMD to keep ME/PSP activated on all x86 platforms (not only consumer ones!..)? (I can see other motivations.. but I keep the hypothesis that the entertainment industry has only morally acceptable principles in dealing with the CPU manufacturers..) No matter if the "user" (can we anymore speak about "owner"?..) intends to "watch Netflix in high resolution" or not at all? Excuse me but I insist: REALLY for >50% of the PC users nowadays the primary usage of their PC is to watch Netflix (or play (legally..) acquired games)?.. I'm waiting for the stats..
Florentin
----- Original message -----
From: Peter Stuge peter@stuge.se
To: coreboot@coreboot.org
Sent: Sun, 24 Dec 2017 00:00:03 +0100 (CET)
Subject: Re: [coreboot] Coreboot Purism BIOS is free? open?
Ivan Ivanov wrote:
> Could it be the requirement of US Government - for all the consumer CPU to have backdoors ?
I guess that the private sector is a much stronger force...
Nico Huber wrote:
> watch Netflix in high resolution
//Peter
I don't get it, either. ME has nothing to do with what you can do with your machine and what it can perform.
Even if 90% of users use their machine for multimedia purposes...
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
echelon@free.fr wrote:
> (can we anymore speak about "owner"?..)
We can and we must, if we want to own anything at all.
Don't get tricked into merely consuming services and products; take ownership and shape your reality.
echelon@free.fr wrote:
> But what has Netflix (or Sony, or the entertainment industry in general...) to LEGALLY gain by strongarming Intel/AMD to keep ME/PSP activated on all x86 platforms (not only consumer ones!..)?
Philipp Stanner wrote:
> I don't get it, either. ME has nothing to do with what you can do with your machine and what it can perform.
> Even if 90% of users use their machine for multimedia purposes...
Follow the money. What drives Intel sales? We can't know. Who are the strongest partners officially? That would be Microsoft (with Windows) and ODMs/OEMs. Intel serves them, by law.
I guess that consumer devices significantly outnumber office devices. That's where the content industry comes into play.
MSFT wants UEFI Secure Boot, so that OEMs are not required to deliver security.
Content industry wants PAVP, so that hardware owners can not legally access unencrypted versions of the content.
ME is Intel's answer to both those requirements and a few more, as described pretty clearly in the PSTR[1] book.
And the DMCA and EUCD legal foundations align (un?)surprisingly well with the technical implementation details.
//Peter
No you didn't answer my question Peter, sorry!.. I am NOT questioning the "legitimacy" of ME/PSP (be it from a purely corporate/financial point of view..). (By the way I have no "legitimacy" myself to put this question of "legitimacy" to begin with..) I simply don't understand (and this is why I pollute the coreboot ML with this blah-blah..) why ALL (I insist on capital letters _ALL_) the systems (consumer/office even .. industrial..) have to have this kind of .. "technology" activated ALL the time (at least from the Intel/AMD point of view)?? For me this is simply irrational!.. Period!.. (And for the fact that consumer devices outnumber office/industrial/governmental devices, I will believe you when I see REAL statistics, sorry!..)
Florentin
[1] http://www.apress.com/9781430265719
By the way you said: "ODMs/OEMs are the real customers of Intel/AMD" and "Intel/AMD serve them by law" (which law???) I have a scoop: a friend of mine happened to work in the marketing department of a (very large) OEM, and speaking about ME he told me that Intel OBLIGED them to adopt and integrate the ME! (in the beginning the OEM guys were reluctant..) Of course this is only "street whispering" (and I will not force you to buy this..) but, but, as we say in Romanian "there is no smoke without fire..." ;-) Just my 2 satoshis..
Florentin
Meh, Intel ME is necessary for x86 platform initialization. Without ME the PC does not start at all.
Anyway, the ME is used to provide third parties control and "security" over the user's system by cutting out the middleman (board firmware). Due to technical reasons they added all this functionality in a single place, because it would be silly to have 3 different hardware backdoors when you can just have one doing 3 different things.
On consumer PCs it provides DRM, and on office PCs it provides limited (but quite useful) remote management, plus more (it can execute a customer's dedicated Java applications on its own integrated JVM, for example).
For example I've seen some Dell PCs that had integrated some kind of third party anti-theft functionality inside their UEFI firmware, where you would license a third party software and then connect your PC's UEFI firmware to their servers or something, so when it is stolen it can still be tracked whenever it connects to the internet again. Don't know if this feature is using the Intel ME, but it is an example of a feature the OEM might want to add to their products.
Intel themselves also added random stuff to the ME (like advanced fan speed control), just because they had a relatively powerful processor in there, so why not add more features to it. See here: https://en.wikipedia.org/wiki/Intel_Management_Engine#Modules
Does the industry ask for this? Maybe. What is sure is that Intel thinks that this backdoor thingy offers features their customers want or might find interesting to add features to their products. These features should be the ones sought after by end users.
And "Customers" in this case are companies designing PCs and embedded systems with Intel products. Not people, end users. End users buy motherboards or PCs from Intel's customers.
Note that ARM provides TrustZone, which is something like Intel ME, but is a generic feature, the OEM can do whatever it wants with it, even disable and not use it at all. AMD mindlessly followed Intel's footsteps by integrating ARM cores running the TrustZone feature, and calling this Platform Security Processor.
So it's not just Intel that thinks its customers might want more control over the products they sell to the end user. Maybe they are all misguided. Maybe not.
Remember, it does not matter what is actually real, but what company managers think is real.
There are many people who still think that "secret" is "safe", and who do not understand that software will have bugs, that it's only a matter of time before it becomes vulnerable.
For example, HDCP (HDMI cable antipiracy feature) is still in use even if it was (and is) regularly busted by $30 devices. Not even for pirating, usually it is busted because it is causing compatibility issues in devices.
The people in charge of government agencies in the US know better, at least. They asked for a ME feature to disable it in the hardware with High Assurance Platform certification. And due to Intel being cheap, this switch is available in all MEs after version 11, Intel didn't make a custom ME only for the US government. Currently it requires using external tools to edit the setting on the motherboard's flash chip (or being an OEM), same as the older method of nuking modules manually.
I hope I helped you understand the most likely reasons why ME exists.
-Alberto
echelon@free.fr wrote:
> No you didn't answer my question Peter, sorry!..
Sorry - I misunderstood.
> I simply don't understand (and this is why I pollute the coreboot ML with this blah-blah..) why ALL (I insist on capital letters _ALL_) the systems (consumer/office even .. industrial..) have to have this kind of .. "technology" activated ALL the time (at least from the Intel/AMD point of view)??
Only they know, and neither has a reason to publicize it.
I guess it is simply because it's much more complex to have two products which are almost the same, than to have just one.
> (And for the fact that consumer devices outnumber office/industrial/governmental devices, I will believe you when I see REAL statistics, sorry!..)
I'm really sorry if it seemed like I was stating a fact - I was merely guessing!
//Peter