Intel® Management Engine (ME)

LOL

arstechnica.com/information-technology/2017/11/intel-warns-of-widespread-vulnerability-in-pc-server-device-firmware/

Reposting for those looking for relatively botnet-free options

(1/2)
Findings so far
x86:
For desktops, there's lots of C2Ds and Atoms listed, but also some very nice Opterons and apparently an iMac
libreboot.org/docs/hardware/#desktops-amd-intel-x86
libreboot.org/docs/hardware/#serversworkstations-amd-x86
For Laptops, you have the CD and C2D memepads
libreboot.org/docs/hardware/#laptops-intel-x86
Purism doesn't do libreboot, but their roadmap includes this as a future goal.
puri.sm/learn/freedom-roadmap/
The last AMD chip that came without the PSP is Piledriver.
VIA and Zhaoxin Semiconductor apparently also make x86 processors.

ARM:
Obviously there's a shit ton of SBCs (Olimex, Beagle, etc).
For a laptop option with an open firmware, try ARM Chromebooks.
I'm dead serious. Open it up, remove the write protection, reflash coreboot with a different payload (not SeaBIOS or Depthcharge), install loonix of choice.
coreboot.org/Chromebooks
docs.google.com/presentation/d/1eGPMu03vCxIO0a3oNX8Hmij_Qwwz6R6ViFC_1HlHOYQ/edit#slide=id.p
Inforce has an SBC with high specs and an open GPU
inforcecomputing.com/products/single-board-computers-sbc/qualcomm-snapdragon-820-inforce-6640-sbc
Cavium makes some god-tier processors. Be on the lookout for that.
cavium.com/Table.html
In general, your biggest concern with ARM is the GPU drivers.
Mali is fucked. PowerVR too. Vivante GC and Qualcomm Adreno are fine. Broadcom VideoCore is partial.
en.wikipedia.org/wiki/Free_and_open-source_graphics_device_driver#ARM
Some anons have reported that lighter environments like XFCE are usable on stuff like Mali without the driver, but it's not ideal.
One user said he couldn't remove the ChromeOS on his libreboot C201. This github issue talks about a solution.
github.com/altreact/archbk/issues/3

Here
ghacks.net/2017/11/22/find-out-if-your-intel-cpu-is-vulnerable-to-intel-manageability-engine-vulnerabilities/
My system can't seem to return any results, though I think I'm fine. Seems like older "K" CPUs are fine.

(2/2)
OpenPOWER:
Raptor Engineering sells POWER9 workstations that may soon be getting RYF certification.
They're expensive as fuck, but probably the most powerful non-botnet computers that exist. Comparable to Xeons/Epyc.
raptorcs.com/TALOSII/

PowerPC:
The company that still makes this is NXP
nxp.com/products/microcontrollers-and-processors/power-architecture-processors
Here is a project for a Libre PowerPC laptop using NXP, shooting for RYF certification.
powerpc-notebook.org/faq/
EmbeddedPlanet has several PowerPC SBCs, most using NXP.
embeddedplanet.com/product/single-board-computers/

MIPS:
The /csg/ of desktops. Lemote is a chink company that sells libre MIPS boards, using PMON firmware.
lemote.com/html/product/
A German user on this board says he is going to work with Lemote to resell their stuff.
EmbeddedPlanet also has MIPS boards with processors from Cavium with U-Boot firmware.
embeddedplanet.com/single-board-computers/processor/cavium-oceteon-ii/

RISC-V:
Only SBCs here. SiFive has some.
sifive.com/products/freedom/
There's also LowRISC
lowrisc.org/

why is it that only Intel has these issues? i've never seen any headlines about AMD software being broken like this.

Nobody cares about AMEMED. They have issues too, can't remember what it's called though. Plus shite performance compared to Intel.

AMD also has a similar thing called the Platform Security Processor. As for why they don't have as many vulnerabilities, perhaps it's for the same reason that Linux doesn't get as many viruses. Less marketshare.

tfw haslel

tl;dr your tinfoil is too tight

Chinks are still allowed to make freedom devices?

My AMD Ryzen with 8 cores does not have this problem.

They made the first ever freedom device with that old Yeeloong netbook. When I used to post the Hardware Removal-of-botnet Threads (/hrt/), someone said in there that they read through the moonrunes and figured out that they still use Libre firmware.

this makes me feel better for having a laptop with an AMD APU from 2011

>amd
>2011
Yeah you're safe. AMD added the botnet around 2013 or so.

The scary thing is that AMD is probably less thoroughly investigated

Would it be possible to have a pre-ME Thinkpad acting as a router that handles/loads all http traffic on the network? So you could ssh into the Thinkpad and view the internet securely, without even having to worry if the box you're sshing from has ME. Is this possible? Would it create a secure home network?

as handsome as she is, AMD has its own version of ME called PSP

for some reason, vulnerability detection tool is stuck at 100% on my ryzen 7 system :^)

Replacing ME with (cut down) Linux and a golang init. Apparently they reduced their boot time lots too.
lwn.net/SubscriberLink/738649/81007748bf15c1e5

>tfw my Xeon doesn't give a shit

+15rupees

we have to wait and see, this might be nothing or it might be pretty fucking bad. either way it's not gonna be used against nobodies

trusting intel (((tools))) in the first place

...

Shit, now what?

AMD's version is a bit different, for starters it uses the host OS to run its network stack, whereas the IME can do it without the OS

Secondly, the PSP just doesn't get as much attention since AMD doesn't have as much marketshare and the IME is easier to break into and poke around.

you patch it and hope

yeah and it's not completely broken and vulnerable like ME

The HAP bit disables ME after initialization
The only thing you have to worry about is HDD bootsector hijacking and malicious PCI option ROMs

i think amd is better
>pre 2010 intel - memory sinkhole bug
>post 2010 intel - me
either way with joos u loose

hooktube.com/watch?v=lR0nh-TdpVg

you mean shekels

IT'S HAPPENING

Can someone tell me how you fix it?

>yeah and it's not completely broken and vulnerable like ME
It's still something that you don't want in your hardware. Please kindly fuck off, and shill your favorite brand elsewhere user. No one in their right mind would ever claim that AMD's version of ME is the proper option.

Yeah and being an enterprise admin that wants to confirm their environment isn't fucked sure is tin foil hattery. It's called being proactive and/or good at your job, retard.

>Millions of computers could be remotely hijacked through bug in firmware code.
>"bug"

Can you link to source sauce for this:
>for starters it uses the host OS to run its network stack, whereas the IME can do it without the OS

And additional main course details about AMD PSP?

Libreboot has a writeup on PSP
libreboot.org/faq.html#amd-platform-security-processor-psp

>libreboot.org/faq.html#amd-platform-security-processor-psp
> Coming through w/ the source sauce request