[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

[LUG] Hardware security and privacy and Intel Management Engine (ME)

To: DCLUG ML <list@xxxxxxxxxxxxx>
Subject: [LUG] Hardware security and privacy and Intel Management Engine (ME)
From: Ben Whorwood <ml-devcornlinuxgrp@xxxxxxxxxx>
Date: Mon, 23 Nov 2015 14:15:15 +0000
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dcglug.org.uk; s=1444208763; h=Sender:Content-Type:Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Unsubscribe:List-Id:Reply-To:Subject:To:MIME-Version:From:Date:Message-ID; bh=AqC8IFwn5CXGBl4rwl3Uv4wQpNCNBr6uMF6WLx42Uhs=; b=OJT3ZL2vnxZxGyAyDVER1YtiIgMZkxqA9b48Ymeh/RP72dYU+K5dVWdQ1gLincNLNIkvf7Yhr68IsQdK54+fMqkzG99nEM/UpdXU+bwiLKLNmsl3Q2dgNYNUTfAL23GdLnsNGSFAuD4D/MiOWBcTbG/O3PhZAIQaK2S3TvKEv6E=;

Have been researching free (libre) hardware and liberated hardwarelately and thought this was quite relevant considering the recentdiscussions on security and privacy in general.


http://libreboot.org/faq/#intel

Introduced in June 2006 in Intel's 965 Express Chipset Family of(Graphics and) Memory Controller Hubs, or (G)MCHs, and the ICH8 I/OController Family, the Intel Management Engine (ME) is a separatecomputing environment physically located in the (G)MCH chip. In Q32009, the first generation of Intel Core i3/i5/i7 (Nehalem) CPUsand the 5 Series Chipset family of Platform Controller Hubs, orPCHs, brought a more tightly integrated ME (now at version 6.0)inside the PCH chip, which itself replaced the ICH. Thus, the ME ispresent on all Intel desktop, mobile (laptop), and server systemssince mid 2006.

...

In summary, the Intel Management Engine and its applications are abackdoor with total access to and control over the rest of the PC. TheME is a threat to freedom, security, and privacy, and the librebootproject strongly recommends avoiding it entirely. Since recentversions of it can't be removed, this means avoiding all recentgenerations of Intel hardware.


Ties to Richard Stallman and his famous FSF Thinkpad X60:

https://stallman.org/stallman-computing.html

Security is always a trade off against convenience but in this instancethe convenience is the ability to make use of entire product lines fromIntel (and other manufacturers). At the end of the day it comes down torequirements and a personal choice about where to draw the line (*whatmight keep you awake at night*).

Luckily I spend most of my time developing in Emacs and use Xmonad(rarely sometimes XFCE) as a WM in Debian so requirements are low. Usingthis as a base setup I can't imagine any GUI or system I need to uselocally needing more than 2 cores and 3GB+ RAM so should be good keepingto pre Intel ME hardware (Intel Core 2 Duo, etc) for the foreseeablefuture. Test servers and such can be external and scaled horizontallymoving into distributed systems and parallel processing (e.g. basicexample using a Raspberry Pi with nginx as staging server for webdevelopment rather than running Apache locally).

It seems like most of the promise lies with ARM architecture as an openplatform moving forward so it will be interesting to see what develops here.


Some interesting projects in the mobile space as well...

http://neo900.org/


~Ben

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq

Prev by Date: Re: [LUG] Compresses Deb installer
Next by Date: [LUG] South West Cyber Security Cluster
Previous by thread: Re: [LUG] Compresses Deb installer
Next by thread: [LUG] South West Cyber Security Cluster
Index(es):
- Date
- Thread