Post by RS Wood
Post by Rich
Intel's CPUs have another Intel inside.
and tightly controlled by Intel. Last week, vulnerabilities in the
Active Management (AMT) module in some Management Engines have
caused lots of machines with Intel CPUs to be disastrously
vulnerable to remote and local attackers. While AMT can be
disabled, there is presently no way to disable or limit the
Management Engine in general. Intel urgently needs to provide one.
This one is particularly galling because (A) it was basically
predicted ages ago that such a system would eventually be a security
problem, and (B) there's no easy way around this one. You can't just
reinstall the OS and apps, this is a weakness one level below that.
Even BIOS is higher up the food chain than this.
I miss the days when AMD was a realistic competitor to Intel.
Except that, as  explains, AMD fares no better.
AMD Platform Security Processor (PSP)
This is basically AMD's own version of the Intel Management Engine.
It has all of the same basic security and freedom issues, although
the implementation is wildly different.
The Platform Security Processor (PSP) is built in on all Family 16h
+ systems (basically anything post-2013), and controls the main x86
core startup. PSP firmware is cryptographically signed with a
strong key similar to the Intel ME. If the PSP firmware is not
present, or if the AMD signing key is not present, the x86 cores
will not be released from reset, rendering the system inoperable.
To note, however, is that AMD claims the 'feature' is only
available in "select APUs":
AMD gives you a dedicated AMD Secure Processor built into select AMD
Accelerated Processing Units (APUs).
On the other hand, Purism claims to avoid Intel AMT [3, 4]:
Our solution is thus:
1. We choose Intel CPUs that do not have vPro (nor AMT.) Note that
this does not mean that we are confined to using old/pre-2008
2. We do not use an Intel networking card (we use completely
different network chipsets instead.)
3. We do not use the "corporate" version of the Intel Management
Engine (Intel ME) binary.
4. On coreboot-enabled Purism devices, we further neutralize the
Intel ME binary [...], with the intention of reverse-engineering
the remaining parts.
Also, they claim to bug Intel to "free" the ME:
We released a petition for, and continue to work with Intel to free
it entirely (what Intel is calling a "ME-less" design.)
Post by RS Wood
Suppose I could make my next box out of a Raspberry Pi and go
There was a thread in debian-user@ a month or so ago regarding
the proliferation of various privacy-infringing features in
modern systems, and hence the need for free software (including
Debian) to retain compatibility with older hardware. One of the
posters responded that claims of backdoors in CPUs date back to
Well, at least back then, the CPU vendors didn't advertise such
vulnerabilities waiting to happen as 'features'.
Personally, when a motherboard (made c. 2007) on one of my home
boxes failed this year, I replaced it with a somewhat similar
used one (made in 2008.) Cost me less than 50 USD (including a
Also, it apparently is based on a chipset (SB700 or something
like that) for which AMD /did/ make the specs available, and
which seems to be supported by Coreboot.