[coreboot] Re : Re: Coreboot Purism BIOS is free? open?

Alberto Bursi alberto.bursi at outlook.it
Mon Dec 25 00:52:22 CET 2017

"TrustZone is only an operational mode of the CPU, not a whole computing 
subsystem like ME with its own CPU running its OS"

Both do the same job, allowing a customer to run its applications in a 
"safe" environment.

I don't know why Intel could not just do something similar to TrustZone, 
maybe Intel CPUs have too many legacy modes so trying to make another 
mode is too hard, or Intel went for the more secret and "safe" way it 
could, as a dedicated processor is much more secret and "safer".

"the physical and .. legal owner for me.."

Many embedded devices are just tools to provide a service. You did not 
buy the hardware, you bought the service.

Like for example the smartphones provided by mobile carriers. You bought 
a phone contract where the phone was included (for cheap), but the phone 
is not really yours.

They keep pushing this mindset into PCs where it does not belong (yet), 
but in embedded it's very common.

"If ARM SoCs can live without this kind of ... companion for the main 
CPU, what remains the argument of Intel to convince us of the fact the 
their CPUs cannot live without their beloved ME running side-by-side"

Because they used their ME also for themselves, to keep their own 
proprietary components "safe". As I said, the ME is responsible for 
initialization and for running some advanced hardware features (like fan 
control or power management).

It's called "eating their own dog food". 

They genuinely think ME is so great and safe that they are the first 
using it to hide their own secrets.


On 12/25/2017 12:07 AM, echelon at free.fr wrote:
> Thank you Alberto for the answers, but I was not questioning the ME "per-se".
> Anyway, if ME is required for platform initialization, why not stop it after said "platform initialization"?
> Also you said "ARM provides TrustZone, which is something like Intel ME". Permit me to disagree : TrustZone is only an operational mode of the CPU, not a whole computing subsystem like ME with its own CPU running its OS..
> Also as you said ARM ltd doesn't strongarm (pun unintended..) its customers to make ALWAYS TrustZone uncontrollable by the "end user" (the physical and .. legal owner for me..)
> If ARM SoCs can live without this kind of ... companion for the main CPU, what remains the argument of Intel to convince us of the fact that their CPUs cannot live without their beloved ME running side-by-side (I know, I know, Intel doesn't have to speak to us miserable microbes, their real customers are more noble entities...)
> But anyway (and I will stop here with my trolls..), back to the main topic of this thread:
>   - Purism guys : I for one, I think that you are doing a really great job (my previous mail was a troll/sarcasm, take it with a tongue in cheek :-P) and I wish you great successes, but as other senders said in this thread, I think that we, the Libre community, cannot put big hopes in the promises of entities like Intel or AMD anymore, and should actively explore alternatives to the x86 world (and encourage initiatives like Talos..)
> That being said have a nice and happy Christmas!
>    Florentin Demetrescu
> ----- Original message -----
> From: Alberto Bursi <alberto.bursi at outlook.it>
> To: coreboot at coreboot.org, echelon at free.fr
> Sent: Sun, 24 Dec 2017 22:27:28 +0100 (CET)
> Subject: Re: [coreboot] Coreboot Purism BIOS is free? open?
> Meh, Intel ME is necessary for x86 platform initialization. Without ME
> the PC does not start at all.
> Anyway, the ME is used to provide third parties control and "security"
> over the user's system by cutting out the middleman (board firmware).
> Due to technical reasons they added all this functionality in a single
> place, because it would be silly to have 3 different hardware backdoors
> when you can just have one doing 3 different things.
> On consumer PCs it provides DRM, and on office PCs it provides limited
> (but quite useful) remote management, plus more (it can execute a
> customer's dedicated Java applications on its own integrated JVM, for
> example).
> For example I've seen some Dell PCs that had integrated some kind of
> third party anti-theft functionality inside their UEFI firmware, where
> you would license a third party software and then connect your PC's UEFI
> firmware to their servers or something, so when it is stolen it can
> still be tracked whenever it connects to the internet again.
> Don't know if this feature is using the Intel ME, but it is an example
> of a feature the OEM might want to add to their products.
> Intel themselves also added random stuff to the ME (like advanced fan
> speed control), just because they had a relatively powerful processor in
> there, so why not add more features to it. See here:
> https://en.wikipedia.org/wiki/Intel_Management_Engine#Modules
> Does the industry ask for this? Maybe. What is sure is that Intel thinks
> that this backdoor thingy offers features their customers want or might
> find interesting to add features to their products. These features
> should be the ones sought after by end users.
> And "Customers" in this case is companies designing PCs and embedded
> systems with Intel products. Not people, end users. End users buy
> motherboards or PCs from Intel's customers.
> Note that ARM provides TrustZone, which is something like Intel ME, but
> is a generic feature, the OEM can do whatever it wants with it, even
> disable and not use it at all.
> AMD mindlessly followed Intel's footsteps by integrating ARM cores
> running the TrustZone feature, and calling this Platform Security Processor.
> So it's not just Intel that thinks its customers might want more control
> over the products they sell to the end user. Maybe they are all
> misguided. Maybe not.
> Remember, it does not matter what is actually real, but what company
> managers think is real.
> There are many people who still think that "secret" is "safe", and who
> do not understand that software will have bugs, that it's only a
> matter of time before it becomes vulnerable.
> For example, HDCP (HDMI cable antipiracy feature) is still in use even
> if it was (and is) regularly busted by $30 devices. Not even for
> pirating, usually it is busted because it is causing compatibility
> issues in devices.
> The people in charge of government agencies in the US know better, at
> least. They asked for a ME feature to disable it in the hardware with
> High Assurance Platform certification.
> And due to Intel being cheap, this switch is available in all MEs after
> version 11, Intel didn't make a custom ME only for the US government.
> Currently it requires using external tools to edit the setting on the
> motherboard's flash chip (or being an OEM), same as the older method of
> nuking modules manually.
> I hope I helped you understand the most likely reasons why ME exists.
> -Alberto
> On 12/24/2017 08:46 PM, echelon at free.fr wrote:
>>    By the way you said : "ODMs/OEMs are the real customers of Intel/AMD" and "Intel/AMD serve them law" (which law???)
>>    I have a scoop : a friend of mine happened to work in the marketing department of a (very large) OEM, and speaking about ME he told me that Intel OBLIGED them to adopt and integrate the ME! (in the beginning the OEM guys were reluctant..)
>>    Of course this is only "street whispering" (and I will not force you to buy this..) but, but, as we say in Romanian "there is no smoke without fire..." ;-)
>> Just my 2 satoshis..
>>     Florentin
>> ----- Original message -----
>> From: echelon at free.fr
>> To: coreboot at coreboot.org
>> Sent: Sun, 24 Dec 2017 20:31:53 +0100 (CET)
>> Subject: Re : Re: [coreboot] Coreboot Purism BIOS is free? open?
>>    No you didn't answer my question Peter, sorry!..
>>    I am NOT questioning the "legitimacy" of ME/PSP (be it from a purely corporate/financial point of view..). (By the way I have no "legitimacy" myself to put this question of "legitimacy" to begin with..)
>>    I simply don't understand (and this is why I pollute the coreboot ML with this blah-blah..) why ALL (I insist on capital letters _ALL_) the systems (consumer/office even .. industrial..) have to have this kind of .. "technology" activated ALL the time (at least from the Intel/AMD point of view)??
>>    For me this is simply irrational!.. Period!..
>> (And for the fact that consumer devices outnumber office/industrial/governmental devices, I will believe you when I see REAL statistics, sorry!..)
>>     Florentin
>> ----- Original message -----
>> From: Peter Stuge <peter at stuge.se>
>> To: coreboot at coreboot.org
>> Sent: Sun, 24 Dec 2017 18:29:48 +0100 (CET)
>> Subject: Re: [coreboot] Coreboot Purism BIOS is free? open?
>> echelon at free.fr wrote:
>>> (can we anymore speak about "owner"?..)
>> We can and we must, if we want to own anything at all.
>> Don't get tricked into merely consuming services and products;
>> take ownership and shape your reality.
>> echelon at free.fr wrote:
>>> But what has Netflix (or Sony, or the entertainment industry in
>>> general...) to LEGALLY gain by strongarming Intel/AMD to keep
>>> ME/PSP activated on all x86 platforms (not only consumer ones!..)?
>> Philipp Stanner wrote:
>>> I don't get it, too.  ME has nothing to do with what you can do
>>> with your machine and what it can perform.
>>> Even if 90% of users use their machine for multimedia purposes...
>> Follow the money. What drives Intel sales? We can't know. Who are the
>> strongest partners officially? That would be Microsoft (with Windows)
>> and ODMs/OEMs. Intel serves them, by law.
>> I guess that consumer devices significantly outnumber office devices.
>> That's where the content industry comes into play.
>> MSFT wants UEFI Secure Boot, so that OEMs are not required to deliver
>> security.
>> Content industry wants PAVP, so that hardware owners can not legally
>> access unencrypted versions of the content.
>> ME is Intel's answer to both those requirements and a few more, as
>> described pretty clearly in the PSTR[1] book.
>> And the DMCA and EUCD legal foundations align (un?)surprisingly well
>> with the technical implementation details.
>> //Peter
>> [1] http://www.apress.com/9781430265719