Discussion:
How do you deal with backdoored CPUs ?
(too old to reply)
Dario Niedermann
2018-04-25 14:36:46 UTC
Permalink
Free software users and advocates, especially (I am one myself).

How do you deal with the fact that modern-day CPUs have backdoors
in the form of so-called "security processors" (AMD's PSP and
Intel's vPro) running secret software with full access to the
computer's RAM and an independent TCP/IP stack?

I'm going through hell right now because I need a new laptop and
I can't find an unused one from a time when AMD didn't put such
crap into their CPUs (WTF do they do with old, unsold laptops?
Do they melt them?)

What use is it running only open-source software when your CPU is
executing secret proprietary code behind your back?
--
Dario Niedermann. Also on the Internet at:

gopher://darioniedermann.it/ <> https://www.darioniedermann.it/
Dirk T. Verbeek
2018-04-25 17:06:07 UTC
Permalink
Post by Dario Niedermann
Free software users and advocates, especially (I am one myself).
How do you deal with the fact that modern-day CPUs have backdoors
in the form of so-called "security processors" (AMD's PSP and
Intel's vPro) running secret software with full access to the
computer's RAM and an independent TCP/IP stack?
I'm going through hell right now because I need a new laptop and
I can't find an unused one from a time when AMD didn't put such
crap into their CPUs (WTF do they do with old, unsold laptops?
Do they melt them?)
What use is it running only open-source software when your CPU is
executing secret proprietary code behind your back?
One solution:
"https://puri.sm/products/"
Dario Niedermann
2018-04-25 20:29:00 UTC
Permalink
Post by Dirk T. Verbeek
"https://puri.sm/products/"
I had considered them, but I've found their claims don't hold up to
scrutiny.

They still (have to) use secret firmware blobs[1], which is why the
FSF and the Coreboot team won't endorse them. Also, the language on
their site is very ambiguous. Their warrant canary[2] only says *they*
didn't place any backdoors into their hardware (no word about
pre-existing backdoors). They claim they disabled Intel's ME (backdoor)
but if you dig deeper[3] in their site, they basically admit it's only
work in progress (shady!)

Frankly, I doubt that Intel's backdoors (or AMD's) can be disabled
with any certainty that they will stay put. Unless someone finds a way
to chisel them off the die, they're there and we have no way of knowing
what they're doing.


[1] https://web.archive.org/web/20150315112952/http://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

[2] https://github.com/purism/warrant-canary/blob/master/canaries/librem-hardware-warrant-canary-20180401.txt

[3] https://puri.sm/learn/intel-me/
--
Dario Niedermann. Also on the Internet at:

gopher://darioniedermann.it/ <> https://www.darioniedermann.it/
Computer Nerd Kev
2018-04-25 22:54:53 UTC
Permalink
Post by Dario Niedermann
Free software users and advocates, especially (I am one myself).
How do you deal with the fact that modern-day CPUs have backdoors
in the form of so-called "security processors" (AMD's PSP and
Intel's vPro) running secret software with full access to the
computer's RAM and an independent TCP/IP stack?
I'm going through hell right now because I need a new laptop and
I can't find an unused one from a time when AMD didn't put such
crap into their CPUs
If you don't mind sacrificing performance, maybe one of the single
board computers could be an option. There are Raspberry Pi based
laptop designs such as the Pi-Top, which is available as a kit,
but even the Pi uses an Nvidia GPU with closed-source firmware.
Maybe there's another single board computer design that is fully
open source.
Post by Dario Niedermann
(WTF do they do with old, unsold laptops? Do they melt them?)
Maybe, after a year or two of failing to shift them even with
discounts. I don't know how you've been shopping so far, but
perhaps you should try looking in some small independent
computer stores. They're probably more likely to hang on to
an old model (either at the back of the shelf or in a box out
the back) after it has run its normal course.
Post by Dario Niedermann
What use is it running only open-source software when your CPU is
executing secret proprietary code behind your back?
It's a fair point. But when it comes to PCs, you may now be in
the same boat as those who still need a parallel port on their
laptop.
--
__ __
#_ < |\| |< _#
Mike Spencer
2018-04-26 05:24:59 UTC
Permalink
Post by Computer Nerd Kev
Post by Dario Niedermann
(WTF do they do with old, unsold laptops? Do they melt them?)
The problem with old laptops is that the batteries die. Buy a "new"
battery and get "new old stock" that's as old as the computer. My
very old laptops work but no batteries are available. My medium
old one is great, like it better than the new(ish) one but "new"
batteries are no better than old ones, running an hour max and taking
16 hrs or more to recharge. Happily, the library has outlets under
the tables so I can use it there; not away from power though.
Post by Computer Nerd Kev
Maybe, after a year or two of failing to shift them even with
discounts. I don't know how you've been shopping so far, but
perhaps you should try looking in some small independent
computer stores. They're probably more likely to hang on to
an old model (either at the back of the shelf or in a box out
the back) after it has run its normal course.
Post by Dario Niedermann
What use is it running only open-source software when your CPU is
executing secret proprietary code behind your back?
Yeah, pits.
Post by Computer Nerd Kev
It's a fair point. But when it comes to PCs, you may now be in
the same boat as those who still need a parallel port on their
laptop.
My medium-old laptop (Panasonic CF-48) has serial, parallel, PCMCIA,
USB, ethernet, extern monitor and mouse ports, runs Linux with X,
networks etc. etc. just great but just enough battery move it from
here to there when needed.
--
Mike Spencer Nova Scotia, Canada
Richard Kettlewell
2018-04-26 09:28:31 UTC
Permalink
Post by Computer Nerd Kev
Post by Dario Niedermann
Free software users and advocates, especially (I am one myself).
How do you deal with the fact that modern-day CPUs have backdoors
in the form of so-called "security processors" (AMD's PSP and
Intel's vPro) running secret software with full access to the
computer's RAM and an independent TCP/IP stack?
AFATIK we disable it in our x86-based products (don’t ask for details,
I’m not involved in production), although in any case the parts used
weren’t impacted by the recent vulnerabilities.
Post by Computer Nerd Kev
Post by Dario Niedermann
I'm going through hell right now because I need a new laptop and
I can't find an unused one from a time when AMD didn't put such
crap into their CPUs
If you don't mind sacrificing performance, maybe one of the single
board computers could be an option. There are Raspberry Pi based
laptop designs such as the Pi-Top, which is available as a kit,
but even the Pi uses an Nvidia GPU with closed-source firmware.
Maybe there's another single board computer design that is fully
open source.
The first part of the boot chain is proprietary too.
Post by Computer Nerd Kev
Post by Dario Niedermann
What use is it running only open-source software when your CPU is
executing secret proprietary code behind your back?
It's a fair point. But when it comes to PCs, you may now be in the
same boat as those who still need a parallel port on their laptop.
PCs have had proprietary firmware (BIOS/UEFI) since 1981 and x86 has had
proprietary microcode since 1978. If you want a 100% free platform, the
PC isn’t it and never has been.
--
https://www.greenend.org.uk/rjk/
Dario Niedermann
2018-04-26 09:45:00 UTC
Permalink
Richard Kettlewell
2018-04-26 12:08:09 UTC
Permalink
Post by Richard Kettlewell
PCs have had proprietary firmware (BIOS/UEFI) since 1981 and x86 has had
proprietary microcode since 1978. If you want a 100% free platform, the
PC isn’t it and never has been.
Well, a proprietary BIOS is one thing; a secret co-processor is another.
In software freedom terms it’s not materially different. A fundamental
part of your system is something you cannot modify or (often) even read.
Especially back when proprietary BIOSes weren't produced in a de-facto
police state. So the historical angle doesn't provide a fair
comparison to the current situation, IMO.
I think you’re being naive about the historical situation there
too. Most of this stuff has been manufactured in China for years, not a
country noted for its respect for individual rights.
--
https://www.greenend.org.uk/rjk/
Theo
2018-04-29 18:39:17 UTC
Permalink
Post by Richard Kettlewell
Post by Richard Kettlewell
PCs have had proprietary firmware (BIOS/UEFI) since 1981 and x86 has had
proprietary microcode since 1978. If you want a 100% free platform, the
PC isn’t it and never has been.
Well, a proprietary BIOS is one thing; a secret co-processor is another.
In software freedom terms it’s not materially different. A fundamental
part of your system is something you cannot modify or (often) even read.
There is also limited difference between 'software', 'firmware' and
'hardware'. Who wrote the microcode for your CPU? Who designed the
architecture? Who did the transistor layout? Who fabbed it? Who packaged
it and shipped it to you?

At each step there is the potential for malice. Software and firmware have
some degree of mutability which makes their threat model somewhat different,
but fundamentally you're running on a piece of silicon designed by somebody
else, which is not feasible to physically audit.

There is plenty that security architecture has to say on the subject, but at
the end of the day you have to trust someone. Stopping at the software
level because that's your field of understanding doesn't make the threats of
the layers underneath any less true.

Theo
Dario Niedermann
2018-05-02 10:16:47 UTC
Permalink
Post by Computer Nerd Kev
There are Raspberry Pi based
laptop designs such as the Pi-Top
The Pi-Top is very cool, and it was really looking like my best bet.
But I just found out that the Raspberry Pi doesn't support suspend
and resume.

Damn! That's way too important in a laptop.
--
Dario Niedermann. Also on the Internet at:

gopher://darioniedermann.it/ <> https://www.darioniedermann.it/
Computer Nerd Kev
2018-05-02 22:47:43 UTC
Permalink
Post by Dario Niedermann
Post by Computer Nerd Kev
There are Raspberry Pi based
laptop designs such as the Pi-Top
The Pi-Top is very cool, and it was really looking like my best bet.
But I just found out that the Raspberry Pi doesn't support suspend
and resume.
Damn! That's way too important in a laptop.
The Pi doesn't use much power. Have you checked that it would make
much difference compared to to power saved just by truning off the
screen?
--
__ __
#_ < |\| |< _#
Walter Banks
2018-04-27 18:11:19 UTC
Permalink
Post by Dario Niedermann
Free software users and advocates, especially (I am one myself).
How do you deal with the fact that modern-day CPUs have backdoors
in the form of so-called "security processors" (AMD's PSP and
Intel's vPro) running secret software with full access to the
computer's RAM and an independent TCP/IP stack?
What use is it running only open-source software when your CPU is
executing secret proprietary code behind your back?
Two comments. In the last couple years at security conferences
open-source software has been well down the list of secure software. The
biggest issues have been ad hoc distribution and far less real solid
checking. Open source software is has more than most a carrier of
security issues. The CPU back door software is real but you need to
actually ask what does it matter?

We don't have computers with anything we care about connected to the
internet. This includes anything with customer code and support and our
companys development tools and test suites.

w..
Kenny McCormack
2018-04-28 21:23:35 UTC
Permalink
In article <pbvp48$bpl$***@gioia.aioe.org>,
Walter Banks <***@bytecraft.com> wrote:
...
Post by Walter Banks
We don't have computers with anything we care about connected to the
internet. This includes anything with customer code and support and our
companys development tools and test suites.
Yes, and the really good part is everybody else follows your lead.
Yup, everybody is as careful as you are.

Hmmm.

Target.

Hmmmmmmm.

Sony.

Hmmmmmmmmmm.

Equifax

Hmmmmmmmmmmmmmmmmm.

Facebook. Trump.
--
The randomly chosen signature file that would have appeared here is more than 4
lines long. As such, it violates one or more Usenet RFCs. In order to remain
in compliance with said RFCs, the actual sig can be found at the following URL:
http://user.xmission.com/~gazelle/Sigs/ThePublicGood
Dario Niedermann
2018-04-29 06:51:49 UTC
Permalink
Post by Kenny McCormack
...
Post by Walter Banks
We don't have computers with anything we care about connected to the
internet. This includes anything with customer code and support and our
companys development tools and test suites.
Yes, and the really good part is everybody else follows your lead.
Yup, everybody is as careful as you are.
And it's not just a matter of being careful, either. Many - I guess most
- of us can't avoid having computers with sensitive data connected to
the net.

Also, once you have a secret co-processor on board, how do you know it's
not using the computer's WiFi card to talk to similarly backdoored,
Internet-connected computers nearby? Even the manufacturers sell the
so-called "secure processor" as a remote control...
--
Dario Niedermann. Also on the Internet at:

gopher://darioniedermann.it/ <> https://www.darioniedermann.it/
Loading...