puri.sm: Neutralizing the Intel Management Engine on Librem Laptops
Howdy all,

(This is a few months old, but I haven't seen it discussed here.)

The Librem notebook computers from Purism are reportedly running with an *entirely quarantined* Intel Management Engine:

    Bring out the Champagne! The ME is not only quarantined, it is now officially neutralized and the Librem remains working beyond the 30 minutes time limit that Intel had put in place!

    […] And so we removed plenty of stuff, but most importantly, we completely removed the ME kernel as well as the network stack.

    <URL:https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/>

They did this with the work that went into the ‘me_cleaner’ tool <URL:https://github.com/corna/me_cleaner>.

This is part of Purism's work to port Coreboot to their computers <URL:https://puri.sm/posts/librem-13-coreboot-report-february-25th-2017/>.

The Intel Management Engine is hostile to user freedom:

    […] there is a growing cryptographic bond between proprietary non-free signed binaries and the hardware that they run on. This bond renders it mathematically impossible to give each user control. Cryptography is superb when in the hands and control of each user, but it is nasty when it strips the users’ control.

    […] While finishing our first coreboot port, we have successfully neutralized the Intel ME thanks to the great work of the “me_cleaner” project, removing its kernel, network stack, and about 92% of the Intel ME binary. There remains a little over 7% before complete removal.

    <URL:https://puri.sm/learn/intel-me/>

-- 
 \        “I must say that I find television very educational. The minute |
  `\      somebody turns it on, I go to the library and read a book.” |
_o__)                                              —Groucho Marx |
Ben Finney
On Fri, Jun 16, 2017 at 03:45:16PM +1000, Ben Finney wrote:
> Howdy all,
>
> (This is a few months old, but I haven't seen it discussed here.)
It's really good to see this, and a good reminder that every impossible-to-break wall has a weak spot. Hopefully we can use this opportunity to liberate some more machines and have them running as free as possible BIOSes.

I don't exactly know the issues with Intel ME since it's such a closed system, but the fact that we don't know what it does and that it prevents itself from being removed is a good enough reason to remove it, I think.

It might be worth looking at the list of supported hardware of me_cleaner <https://github.com/corna/me_cleaner/issues/3> and going hunting for newer hardware than 2008 ThinkPads.

Jookia.
Hi,

I helped write me_cleaner specifically to remove the remaining Huffman-encoded modules such as its kernel and network stack.

The truth is, nobody currently knows the consequences of writing 0xff over these specific regions, i.e., perhaps NSA still has a way to upload firmware updates through the ME bootloader when it is stuck in this mode. We simply don't know. But it is an important step forward in the process of removing the ME.

I think Purism is inflating the news on this out of proportion to market their product. If Purism was truly interested in freedom they would have chosen a chipset such as Sandy/Ivy Bridge, which we already have working without any RAM initialization blobs. I did suggest this to them in the early days, but it seems Todd took my email and plagiarised it for their early marketing campaign.

Overall I have not been impressed by Purism.

My 2c,
Damien

On 16/06/17 15:45, Ben Finney wrote:
> Howdy all,
>
> (This is a few months old, but I haven't seen it discussed here.)
>
> The Librem notebook computers from Purism are reportedly running with an *entirely quarantined* Intel Management Engine:
>
>     Bring out the Champagne! The ME is not only quarantined, it is now officially neutralized and the Librem remains working beyond the 30 minutes time limit that Intel had put in place!
>
>     […] And so we removed plenty of stuff, but most importantly, we completely removed the ME kernel as well as the network stack.
>
>     <URL:https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/>
>
> They did this with the work that went into the ‘me_cleaner’ tool <URL:https://github.com/corna/me_cleaner>.
>
> This is part of Purism's work to port Coreboot to their computers <URL:https://puri.sm/posts/librem-13-coreboot-report-february-25th-2017/>.
>
> The Intel Management Engine is hostile to user freedom:
>
>     […] there is a growing cryptographic bond between proprietary non-free signed binaries and the hardware that they run on. This bond renders it mathematically impossible to give each user control. Cryptography is superb when in the hands and control of each user, but it is nasty when it strips the users’ control.
>
>     […] While finishing our first coreboot port, we have successfully neutralized the Intel ME thanks to the great work of the “me_cleaner” project, removing its kernel, network stack, and about 92% of the Intel ME binary. There remains a little over 7% before complete removal.
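As an added illustration of the "write 0xff over these regions" step Damien describes, here is a toy model of partition-level ME neutralisation. This is example code written for this page, not me_cleaner's code and not from the thread: the partition table is a simplified stand-in for Intel's `$FPT` header (real headers and entries carry more fields), the sample image is constructed inline, and the offsets and sizes are arbitrary. FTPR, NFTP and MFS are partition names that occur in real ME images, but nothing else about the layout is claimed to match real firmware. The point it shows is the one the thread turns on: everything except the table and the kept boot partition is reduced to the flash-erased state, so the table still parses while most of the binary is gone.

```python
import struct
from typing import Dict, Tuple

# Simplified stand-in for Intel's "$FPT" flash partition table.  ASSUMPTION:
# the real header and entries carry more fields; only what the example needs
# is modelled here.
FPT_MAGIC = b"$FPT"
HDR_FMT = "<4sI"         # magic, entry count
ENTRY_FMT = "<4sII"      # partition name, offset, length
HDR_SIZE = struct.calcsize(HDR_FMT)
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
ERASED = 0xFF            # erased-flash byte value that removal writes over a partition


def parse_fpt(image: bytes) -> Dict[str, Tuple[int, int]]:
    """Return {partition name: (offset, length)} from the table at offset 0."""
    magic, count = struct.unpack_from(HDR_FMT, image, 0)
    if magic != FPT_MAGIC:
        raise ValueError("no $FPT header at offset 0")
    parts = {}
    for i in range(count):
        name, off, length = struct.unpack_from(ENTRY_FMT, image, HDR_SIZE + i * ENTRY_SIZE)
        if off + length > len(image):
            raise ValueError(f"partition {name!r} runs past the end of the image")
        parts[name.rstrip(b"\0").decode("ascii")] = (off, length)
    return parts


def build_sample_image() -> bytes:
    """Constructed sample: a table followed by three partitions of filler bytes.
    Sizes are arbitrary; each partition is filled with the first letter of its name
    so that the result of neutralisation is easy to inspect."""
    layout = [("FTPR", 0x40), ("NFTP", 0x100), ("MFS", 0x80)]
    table_len = HDR_SIZE + len(layout) * ENTRY_SIZE
    entries, body, off = b"", b"", table_len
    for name, size in layout:
        entries += struct.pack(ENTRY_FMT, name.encode().ljust(4, b"\0"), off, size)
        body += name[0].encode() * size
        off += size
    return struct.pack(HDR_FMT, FPT_MAGIC, len(layout)) + entries + body


def neutralize(image: bytes, keep=("FTPR",)) -> bytes:
    """Fill every partition not in `keep` with 0xff, leaving the table itself intact
    so the result still parses.  This models partition-level removal only; stripping
    individual modules inside the kept partition (the kernel and network stack the
    thread mentions) needs a manifest parser that this toy does not include."""
    buf = bytearray(image)
    for name, (off, length) in parse_fpt(image).items():
        if name not in keep:
            buf[off:off + length] = bytes([ERASED]) * length
    return bytes(buf)


def erased_fraction(image: bytes) -> float:
    """Share of the image that is 0xff, a rough analogue of the 'X% removed' figures."""
    return image.count(ERASED) / len(image)


if __name__ == "__main__":
    img = build_sample_image()
    out = neutralize(img)
    print(parse_fpt(out))
    print(f"{erased_fraction(out):.0%} of the sample image is now 0xff")
```

The check worth carrying over to a real dump is the last line of reasoning in the toy: after neutralisation the table must still parse and the kept partition must be byte-identical to the original, otherwise the firmware will not get as far as the bring-up stage the thread is discussing.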
Damien Zammit <damien@zammit.org> writes:
> I helped write me_cleaner specifically to remove the remaining huffman encoded modules such as its kernel and network stack.
Thank you for working on ‘me_cleaner’!
> The truth is, nobody currently knows the consequences of writing 0xff over these specific regions […] But it is an important step forward in the process of removing the ME.
I've had a private conversation with the ThinkPenguin folks, who had a view that Intel is a dead end for making computers that respect user freedom. So I'm glad to see you say that last sentence with more optimism :-)

-- 
 \        “In prayer, it is better to have a heart without words than |
  `\      words without heart.” —Mohandas K. Gandhi |
_o__)                                                              |
Ben Finney