Nov 16, 2017

Parts of this presentation has some explanation: https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit... (obviously you can ignore Intel x86 specific stuff like the ME).

OpenPOWER apparently does something similar, i.e. a minimal firmware that loads a Linux kernel + simple userspace from flash.

Nov 08, 2017

"An end user of the machine has to take manual steps to specifically enable the functionality for remote management."

Nah, the stuff is already there, running, listening, and able to do things. Your tools enable you to see it doing it or extra functionality on top of the base software. Here's a nice presentation by a team working to replace as much of it as possible to show all the horrors:

https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...

The difference between this and all those peripherals you brought up is that we wanted the peripherals because they were useful to us. They were even publicly advertised in the store or online description of the computer. We neither asked for nor were sold on a pile of software running things like web servers that we couldn't turn off, see, or secure. As in, we already buy security and monitoring products since that matters to us. Yet, we can't even see that software much less secure it.

An intentional, unwanted backdoor and hidden OS is different concept from accidental flaws in firmware on peripherals we found useful. Also, we have options with those ranging from not buying the peripheral to using one with little programmability to isolating it with IO/MMU. Not for CPU backdoors. And again, there's other vendors using open firmware showing all this secrecy and lack of user control was totally unnecessary. It's like Intel and AMD have an ulterior motive in not letting us turn off features that were built to support DRM and/or spying.

Nov 07, 2017

> While I am unsure if switchting to Linux for ME is a good solution

FWIW, this is NOT at all the goal of the NERF project that this zdnet article talks about. So what the idea is roughly:

- Remove or disable the ME as much as possible (impossible to do 100% since e.g. the ME is responsible for booting up the main CPU, but it appears you can remove a large part of it)

- Replace the upper levels of the UEFI firmware stack and the bootloader with Linux + a minimal userspace written in Go (u-root).

See https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit... for more details.

Nov 07, 2017

This article is not FUD and crap. The source of the numbers quoted is here:

https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...

I know Ron Minnich. He is one of the founders of the coreboot project. He's been at this (replacing proprietary firmware with a free software alternative) for a very long time and he knows what he is talking about.

Nov 06, 2017

Related talk and slides: https://www.youtube.com/watch?v=iffTJ1vPCSo https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...

Interesting Atom boards mentioned in the talk: https://minnowboard.org/

Nov 06, 2017

Replace UEFI with Linux: https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...

Nov 03, 2017

this reminds me of the effort to replace a lot of the intel management stuff with linux and have userland all written in go

https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...

Nov 01, 2017

> Is this related to Purism announcing that they had successfully disabled the Intel Management Engine on their laptops? Or is that unrelated?

It is completely unrelated.

Intel ME is about a remote servicing interface that exists on all current Intel processors. While it has some usages for managing computers in a corporate setting or managing servers (keyword to look for: Intel Active Management Technology (Intel AMT), which needs Intel vPro), it exists on nearly all current Intel processors (except, I think, Intel, Quark; but this processor is built for completely different purposes). Thus there are rumors that it is a backdoor for, say, 3-letter agencies. I don't want to spread any rumors here, but just say: Because Intel ME is very large and complicated (according to https://www.youtube.com/watch?v=iffTJ1vPCSo 5 MB in size) it is a real concern that lots of security gaps will be found (and some have been found in the past), which, because of Intel ME's structure (according to https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit... it runs on ring -3) can easily lead to really dangerous security holes. Just for this reason alone any responsible admin should try to disable Intel ME so that this security liability does not have to stay open.

PRISM is a surveillance program by the NSA.