/hrt/ - Hardware Removal-of-botnet Thread

PogoLinux got back to me edition
Last thread (1/3)

This general is dedicated to the creation of a list of hardware that is relatively botnet-free.
The Intel ME and other components are a serious threat to user privacy.

>"But what's the Intel ME, user?"
I'm glad you asked! The Intel ME, or Management Engine, is a secondary co-processor in every single Intel chip in the last decade.
It runs a MINIX-based operating system and has full networking capabilities, drivers, and a goddamn web server in it.
networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html
This page offers additional information, and explains that it can read your files and applications, act as a keylogger, capture the screen, inject rootkits, etc.
libreboot.org/faq.html#intelme
Very nasty stuff.

>"HAHA INTEL BTFO! SCREW YOU GOYS I GOT RYZEN!!"
AMD has its own botnet, called the PSP, or Platform Security Processor.
Here's what it is:
libreboot.org/faq.html#amd-platform-security-processor-psp
Here's Libreboot asking for it to be opened up in Ryzen:
libreboot.org/amd-libre.html
Here's Plebbit asking for it:
reddit.com/r/linux/comments/5xvn4i/update_corebootlibreboot_on_amd_has_ceo_level/
Here's Edward motherfucking Snowden asking for it:
mobile.twitter.com/Snowden/status/837367956229206016
And here's AMD telling everyone to go fuck themselves:
yro.slashdot.org/story/17/07/19/1459244/amd-has-no-plans-to-release-psp-code

>"b-but how can I avoid this? I'm scared, user!"
That's the point of this thread. To highlight options that are out there that are relatively free of botnets.
This will include the typical Librebooted memepads and whatnot, but a big part of this is also exploring alternative architectures.

(2/3)
For inclusion into this list, if the processor is made by Intel Corporation or Advanced Micro Devices, the device must be 100% free as in Libreboot.
Otherwise, a less-extreme stance is taken, and something like Coreboot or U-boot will suffice.

Findings so far
x86:
For desktops, there are lots of C2Ds and Atoms listed, but also some very nice Opterons and apparently an iMac.
libreboot.org/docs/hardware/#desktops-amd-intel-x86
libreboot.org/docs/hardware/#serversworkstations-amd-x86
For laptops, you have the CD and C2D memepads.
libreboot.org/docs/hardware/#laptops-intel-x86
Purism doesn't do libreboot, but their roadmap includes this as a future goal.
puri.sm/learn/freedom-roadmap/
The last AMD chip that came without the PSP is Piledriver.
VIA also makes x86 processors. Proprietary BIOS, but maybe Coreboot potential?

ARM:
Obviously there's a shit ton of SBCs
One of these is EOMA68, which features 3D-printable housings, and potential RYF cert.
crowdsupply.com/eoma68/micro-desktop
iMX6 Rex is an education-based SBC that combines elements of a Pi and an Arduino. It uses U-Boot.
imx6rex.com/open-rex/
For a laptop option with an open firmware, try ARM Chromebooks.
I'm dead serious. Open it up, remove the write protection, reflash coreboot with different payload (Not seaBIOS or Depthcharge), install loonix of choice.
coreboot.org/Chromebooks
docs.google.com/presentation/d/1eGPMu03vCxIO0a3oNX8Hmij_Qwwz6R6ViFC_1HlHOYQ/edit#slide=id.p
Inforce has an SBC with high-specs and an open GPU
inforcecomputing.com/products/single-board-computers-sbc/qualcomm-snapdragon-820-inforce-6640-sbc
Cavium makes some god-tier processors. Be on the lookout for that.
cavium.com/Table.html

(3/3)
In general, your biggest concern with ARM is the GPU drivers.
Mali is fucked. PowerVR too. Vivante GC and Qualcomm Adreno are fine. Broadcom VideoCore is partial.
en.wikipedia.org/wiki/Free_and_open-source_graphics_device_driver#ARM
MALI MIGHT BE GETTING OPENED UP PRAISE LINUX TORVALDS TECH TIPS
lwn.net/Articles/738225/
Some anons have reported that lighter environments like XFCE are usable on stuff like Mali without the driver, but it's not ideal.
One user said he couldn't remove the ChromeOS on his libreboot C201. This github issue talks about a solution.
github.com/altreact/archbk/issues/3

OpenPOWER:
Raptor Engineering sells POWER9 workstations, that may soon be getting RYF certification.
They're expensive as fuck, but probably the most powerful non-botnet computers that exist. Comparable to Xeons/Epyc.
raptorcs.com/TALOSII/

PowerPC:
The company that still makes this is NXP.
nxp.com/products/microcontrollers-and-processors/power-architecture-processors
Here is a project for a Libre PowerPC laptop using NXP, shooting for RYF certification.
powerpc-notebook.org/faq/
EmbeddedPlanet has several PowerPC SBCs, most using NXP.
embeddedplanet.com/product/single-board-computers/

MIPS:
The /csg/ of desktops. Lemote is a chink company that sells libre MIPS boards, using PMON firmware.
lemote.com/html/product/
A German user on this board says he is going to work with Lemote to resell their stuff.
EmbeddedPlanet also has MIPS boards with processors from Cavium with U-boot firmware.
embeddedplanet.com/single-board-computers/processor/cavium-oceteon-ii/
GnuBee has two low power NAS devices. They're cheap, they use MIPS, and they're going for RYF!
crowdsupply.com/gnubee/personal-cloud-1
crowdsupply.com/gnubee/personal-cloud-2

RISC-V:
Only SBCs here. SiFive has some.
sifive.com/products/freedom/
There's also LowRISC.
lowrisc.org/

How can we verify this "removal" works if we don't even know how Intel ME works in the first place?

If I understand correctly it's possible to significantly reduce the payload of ME but not remove it altogether. How do we know this is enough? Why wouldn't the rudimentary code still be dangerous to us? Can all functionality be restored remotely?

Yeah I personally do not trust the ""Fix"".

In the beginning of the second post, I mention that my rule is basically "Libreboot or it's not happening" for Intel and AMD processors, but "At least Coreboot or equivalent" for the rest.

Isn't the status of Intel ME with libreboot still unknown?

As far as I know the status of ME with Libreboot is "Gone".

That sounds great but won't the CPU brick itself after 5 mins, then?

No. People with Libreboot Memepads don't have this problem. Ask Stallman, or Luke Smith, or that user with the Momiji wallpaper, or anyone who has one of those things.

Thanks for the info.

Only newer ones do that, i.e. Sandy Bridge and newer, but Libreboot doesn't run on any of them.

>It runs a MINIX-based operating system and has full networking capabilities, drivers, and a goddamn web server in it.
Do they have some sort of datasheet on it? Maybe it is possible to paint pins on CPU and disable this shit?

Will me_cleaner work on an i5-3330?

If such a thing existed, I certainly haven't heard about it. If we're going by the conspiracy theory angle that Intel did this for the NSA/CIAniggers, then I seriously doubt there is any sort of public datasheet from Intel themselves on how this shit works on a low level.

I am not sure if NSA/CIAniggers can store that much information... But the fucking backdoor, that is not cool.

Don't SPARC systems have Open Firmware, and an open and royalty-free ISA?

In fact they have Intel ME documentation for manufacturers, at least ME system tools with which you can flash the CPU or chipset, I guess.

It means that it is possible to disable it with this kit...

Got any implementations of that?

Show me your botnet-free machines, /hrt/!

Do you think that PPC doesn't have backdoors?

By the way, some sort of Intel 486 is a backdoor-free system...

...

I'm pretty sure they don't have a hidden OS running under the hood. Plus they use OpenFirmware, and PowerPC is an open architecture now.

Hmmm. Maybe I should buy old G4 macbook?

Soon...

Get a PowerBook instead if you can. I have this iBook because it's a maxed out top of the line model and I got it for a really good price. But I'd take one of the last 12" PowerBooks over it any day of the week.

I used to have this in the list, but then some anons informed me that the "Open" firmware used on Macs wasn't really OPEN. It was a proprietary implementation of an IEEE standard.
However, if you can prove that the OpenFirmware is actually open, then I'll add them back.

Let's make PowerPC laptops!
And run Mac OS 10.5 there...

What with all the recent IME developments, does that mean I can finally and permanently disable the IME on my x201 thinkpad?

The IEEE standard is just called "IEEE 1275-1994", and Open Firmware is one of its multiple implementations. It also happens to be under a BSD license. Same with OpenBoot (Sun)
openfirmware.info/Open_Firmware
openfirmware.info/OpenBOOT

What's the best way to block everything but desired communication? A separate uncompromised appliance?

Has the source for Sun's builds appeared though? If it's BSD it could be made proprietary on the actual implementations. The only genuinely FOSS firmware I've found on that site only appears to work under QEMU or the OLPC.

What do you mean exactly?

Firewall that blocks all ports but 80...

>Has the source for Sun's builds appeared though?
Here you go:
code.coreboot.org/p/openboot/source/tree/1/

You can remove everything except the initialization code that's still needed to prevent the CPU from shutting itself down after 30 minutes.
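The thread keeps asking how anyone would verify what an ME "removal" actually left behind in the flash chip. The Python below is an added example (not posted by anyone in the thread and not me_cleaner's own code) that inspects a SPI flash dump the way such a check starts: it reads the Intel flash descriptor, locates the ME region, reports its size, checks whether a firmware partition table (`$FPT`) is still present at the region's start, and reads the HAP strap bit. The descriptor layout (signature at offset 0x10, FLMAP0/FLMAP1, five region entries) follows Intel's public descriptor format as also implemented by me_cleaner; the HAP bit location (bit 16 of the first PCH strap) is an assumption that only applies to ME 11+ parts, so on older chips such as the i5-3330 asked about above that field is meaningless. The 1 MiB image is constructed in `build_sample_image()` so the script runs offline; replace it with a real `flashrom` dump to inspect your own board.

```python
"""Inspect the Intel ME region of a SPI flash dump via the flash descriptor.

Added example, not from the thread. Descriptor layout per Intel's public
flash descriptor format (as used by me_cleaner); the HAP strap location is
an assumption valid only for ME 11+ firmware.
"""
import struct
import sys

DESCRIPTOR_SIGNATURE = b"\x5a\xa5\xf0\x0f"   # 0x0FF0A55A, little-endian, at offset 0x10
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def parse_regions(img: bytes) -> dict:
    """Return {name: (base, limit)} for the five classic flash regions.
    Entries whose base lies above their limit (read as 0x00007fff) are unused
    and are left out of the result."""
    if img[0x10:0x14] != DESCRIPTOR_SIGNATURE:
        raise ValueError("no Intel flash descriptor at offset 0x10")
    flmap0, = struct.unpack_from("<I", img, 0x14)
    frba = ((flmap0 >> 16) & 0xff) << 4           # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg, = struct.unpack_from("<I", img, frba + 4 * i)
        base = (flreg & 0x7fff) << 12
        limit = (((flreg >> 16) & 0x7fff) << 12) | 0xfff
        if base <= limit:
            regions[name] = (base, limit)
    return regions


def me_status(img: bytes) -> dict:
    """Summarise what the dump says about the ME: region present and its size,
    whether a firmware partition table ($FPT) is still at region+0x10, and the
    HAP strap bit (assumed: bit 16 of PCHSTRP0, ME 11+ only)."""
    regions = parse_regions(img)
    flmap1, = struct.unpack_from("<I", img, 0x18)
    fpsba = (flmap1 & 0xff) << 4                   # PCH strap base address
    pchstrp0, = struct.unpack_from("<I", img, fpsba)
    status = {
        "me_present": "ME" in regions,
        "me_size": 0,
        "fpt_present": False,
        "hap_set": bool(pchstrp0 & (1 << 16)),
    }
    if "ME" in regions:
        base, limit = regions["ME"]
        status["me_size"] = limit - base + 1
        status["fpt_present"] = img[base + 0x10:base + 0x14] == b"$FPT"
    return status


def build_sample_image(hap: bool = False) -> bytes:
    """Constructed 1 MiB dump: descriptor at 0x0, ME at 0x1000-0x7ffff,
    BIOS at 0x80000-0xfffff, GbE and PDR unused. Not a real board's flash."""
    img = bytearray(b"\xff" * 0x100000)
    img[0x10:0x14] = DESCRIPTOR_SIGNATURE
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)   # FLMAP0: FRBA field
    struct.pack_into("<I", img, 0x18, fpsba >> 4)          # FLMAP1: FPSBA field
    entries = [0x00000000,   # Descriptor 0x0-0xfff
               0x00ff0080,   # BIOS 0x80000-0xfffff
               0x007f0001,   # ME 0x1000-0x7ffff
               0x00007fff,   # GbE unused
               0x00007fff]   # PDR unused
    for i, entry in enumerate(entries):
        struct.pack_into("<I", img, frba + 4 * i, entry)
    img[0x1010:0x1014] = b"$FPT"                           # ME partition table marker
    struct.pack_into("<I", img, fpsba, (1 << 16) if hap else 0)
    return bytes(img)


def report(img: bytes) -> str:
    """Human-readable summary of the region table and ME status."""
    lines = [f"{n:<10} 0x{b:06x}-0x{l:06x}" for n, (b, l) in parse_regions(img).items()]
    st = me_status(img)
    lines.append(f"ME region present: {st['me_present']}, size 0x{st['me_size']:x} bytes")
    lines.append(f"$FPT still present: {st['fpt_present']}, HAP bit set: {st['hap_set']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python me_inspect.py [flash_dump.bin]; with no argument the constructed image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(report(data))
```

A region table alone cannot tell you what the remaining ME code does; it only shows whether the region and its partition table survived, which is the minimum you need to know before trusting any "disabled" claim.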

>You can remove everything except the initialization code that's still needed to prevent the CPU from shutting itself down after 30 minutes.
Hm, we have the binary files, so why can't we disassemble them and make use of that?

And what about AMD systems?

Is this exactly what's used on the old ibooks/powerbooks?

For AMD, I don't think there are any removal tools or anything like that, but their botnet got added later, so you can get some slightly newer stuff like that really sweet looking D16 server mobo.

So I can just build this and flash it to an Ultra or Blade series machine without modifications? Doesn't it need tailoring to each device, like any other firmware?

No, that's Sun's implementation. Apple used firmworks' (Source: firmworks.com/open_firmware/literature/ofpci.pdf ), the source code for which is located here:
code.coreboot.org/p/openfirmware/
Technically you could, since it's agnostic about pretty much everything and pulls the basic device drivers from FCode stored in the devices' ROMs.

Still worth checking, maybe you can disable it if you can.

And I know, how to make sure this shit is disabled: turn on PSU, measure total current going to mobo without CPU, insert CPU and see if it draws more current without being turned on.

>you can disable it if you can.
I mean it is easier to disable... Typo.

Added the iBooks, Powerbooks, and PowerMacs back to the list.
I've also added a link to the OpenFirmware source in there.

Thanks!

Hmm, I'll have to dig out my Ultra 10 and give this a try.

Nice, thanks.

phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option

Nobody's sure of the extent of the new bios setting yet, but this could be very promising.

Bump. Would like some more info on this Sparc stuff. Might be something to add to the list.

Going to add a list of supported *nix distros to the list, near the header for each architecture.

twitter.com/tekwendell/status/938854263563964417
Our lord Wendell has spoken
It is pretty much what System76 does with their laptops: the PSP is used when booting, but after boot it stops.

I do not approve this bread.

Anyone?

final bump + loli

I don't really have much to add, apart from more detail on the retrocomputing projects from the last thread.

An update from Raptor to those who have pre-ordered Talos II systems for the original Q4 2017 window:
(I asked when they were planning on shipping by, as I have a holiday coming up.)

>While we are still on track for the Talos PCBs and related components
>for a late December shipment, IBM has retargeted the final version of
>the POWER9 processor for very early January. Given this, if you need the
>system in Q4 we can ship it to you with an earlier CPU revision, then
>send out the production CPU as soon as it becomes available (advance
>exchange RMA, no cost to you). If you go this route, you would need to
>swap out the CPU(s) in your system (unmount HSF, replace CPU, remount
>HSF). Otherwise we can wait for the production CPU and ship your system
>with the production CPU later in January when you will be available to
>receive it.
>
>Which would you like to do? You have some time to decide, so no rush.
>
>We will be notifying our Q4 customers of this and offering this choice
>individually to each of them. The extra silicon revision on IBM's side
>was just enough to force production CPU availability out of Q4 and into Q1.

OP here. I heard about this from some user on 8 chan. He seemed really pissed about it.

Does anyone have good knowledge of Sparc?
From this user's post it sounds like something worth adding to the list.

>OP here. I heard about this from some user on 8 chan. He seemed really pissed about it.

Link to thread?

8ch.net/tech/res/831651.html

Fuck the spam filter

I use an Ultra Enterprise 250 as my homeserver ( )
And yes, they do use an open ISA and OpenBoot. The experience is pretty much the same as with a ppc Mac, but the distro support gets weaker every day.
I know OpenBoot is released under a BSD license (source code linked in ), but technically that license means they could've done whatever with the code before chucking it into the machines. If you're so paranoid, I guess you could find a PROM image from a Solaris install disk and disassemble it. It's just FCode, so it shouldn't be hard at all.

Really fucking hope TALOS II succeeds. Can't believe what IBM is doing if what is described is true.

Well it looks like there's plenty of options here.
en.wikipedia.org/wiki/SPARC#Implementations

Me too. (even if just for selfish reasons because I don't want to port everything to POWER9 myself for the next 20 years)

I'll be sure to make a build, review, and benchmarking thread once mine arrives.

No mention of FPGA based solutions?

If you don't mind the performance hit, you can already run most relevant architectures in a way that's free down to the gate level.

en.wikipedia.org/wiki/OpenCores
opencores.org/

...

I'd like to take a minute to bring up one of Sup Forums's favorite memes, Gentoo, and how it relates to this.
Gentoo lists ppc as an option for install, but it mostly seems to refer to the old apple stuff, not the POWER stuff like TALOS.
Now granted, supporting that type of ppc isn't bad, as we do have the NXP stuff in the list right now, but since Gentoo is source-based, shouldn't it be possible to install it on the POWER architecture?

I'm not a gentoo expert, so maybe someone could clarify.

Also, Gentoo does support Sparc officially, which is neat.

Good thing I'm posting from Tor then

(USER WAS BANNED FOR THIS POST)

wat

I think Raptor themselves are going to make Gentoo happen. They were talking about it for the Talos 1, so I would guess that any work they had done would be applicable to the Talos 2.

Gentoofags are too NEET to afford POWER9 until it's comparatively as powerful as the aforementioned "old apple stuff".

>until it's comparatively as powerful as the aforementioned "old apple stuff"
what did he mean by this?

They were? I only remember Debian being mentioned.

IIRC Debian, SUSE, RHEL (and hopefully m'linux) are supported at present.

They can't afford a Talos until it's obsolete. They support PPC macs because you can buy them with NEETbucks.

So I mean I guess this is legit?
>open ISA,
>OpenBoot,
>source code link,
>performance and age varying from ancient 80s shit to 5.0 fucking GHz servers from this year, and everything in between.
>Loonix, *BSD, and Illumos
I mean it's not like you can get a desktop or laptop with this, but for server-type stuff, wew

>I mean it's not like you can get a desktop or laptop with this, but for server-type stuff, wew
computinghistory.org.uk/det/32324/Tadpole-SPARCbook-3/

Well I meant something you could reasonably run modern *nix on, but ok

For fuck's sake, I don't want to get rid of the ME botnet only to have to install the systemd botnet

AMD is now offering a UEFI killswitch toggle for the PSP on Ryzen boards.

r/linuxmasterrace/comments/7i6kl7/amd_listened_to_us_and_added_a_psp_disable_option/

The PSP isn't AMD's equivalent of ME any longer, my understanding is that the botnet would still be there

Pic related from 8 chon

Exactly. Fool me once etc.

you're convincing me that half-Sup Forums is more than a bit shit

Main issue with /tech/ is that it's slow as fuck. If I were doing this list mainly on there, It wouldn't be nearly as complete as it is now.

That said, they allowed the posting of libbie lewds, so there's that.

>libbie
The cockatoo was the best proposed mascot by far.

Fun fact. If you search Sparc on DuckDuckGo, you get a site where you can buy weed.

BHEU slides uploaded

firmwaresecurity.com/2017/12/06/bheu-slides-on-intel-me-vuln-uploaded/

IntelME is still a threat, even when "disabled" with HAP flag

And how is systemd a botnet?

It's not, but Sup Forums thinks it is.

Added SPARC.

And this too.

>Samsung Chromebook Plus
>Running GPL coreboot out of box
>Put in developer mode
>Arch Linux
>No more botnet
>under $500

If Talos II isn't $8000 I will consider one

You can also reflash to get rid of the ChromeOS+Depthcharge botnet.

Also, you'll be happy to know that you will soon be able to have a working, comfy GPU.
lwn.net/Articles/738225/
...as soon as that one management guy stops being a faggot.

and TALOS II price varies, but the cheapest mobo+cpu bundle is $2400, and it goes up depending on how much stuff you want them to throw in (case, ECC memory, GPU, second CPU, etc).

I also still want to see the price on that 32-core 64-bit ARMv8 X-Gene 3.

cnx-software.com/2017/03/11/macom-x-gene-3-server-on-chip-is-equipped-with-32-64-bit-arm-cores-clocked-at-3-0-ghz/

$2,400 for Single CPU, $2,850 for Dual. (motherboard only)

My dual CPU build came to under $4K with 32GB RAM, 480GB SSD, 1.2KW PSU, and a Vega 56. Don't bother buying a prebuilt.

wew

We kinda have something similar in the list with the Cavium ThunderX, which has 48 cores, but that one has a higher clockspeed.
Either way, I can't wait to see some good implementations of these.

>1TB RAM

Pity LWN didn't give us his name, title, and home address.

That's nothing.
One of those PogoLinux rackmounts goes up to 8TB, and the modern SPARC stuff can have 16TB.

Servers can have a shitload of RAM.

It's less than 11GB per core.

Oh no

apm.com/news/macom-announces-sampling-of-x-gene-3-server-on-a-chip-solution/

The reference platform ships with the AMI AptioV UEFI BIOS

Fuuuuuuuu

Sent another email to PogoLoonix guy because there wasn't a clear answer on the ARM servers.

Not that it's essential, as we already have TALOS, which has a 4U rackmount option, the Librebooted Opterons, and now the SPARC stuff, but it's always nice to have another option.

Also, would be funny as fuck if this guy found Sup Forums and discovered all of our autism here.