:: Re: [DNG] TALOS 2 - The Libre Owner…
Top Page
Delete this message
Reply to this message
Author: Adam Borowski
Date:  
To: dng
Subject: Re: [DNG] TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server
On Sun, Sep 03, 2017 at 03:41:23PM +0200, Alessandro Selli wrote:
> This is the present state of the matter:
> https://puri.sm/learn/avoiding-intel-amt/
>
> "So, there is no hardware level remote access to Purism hardware?"


AMT is merely a way to configure the built-in backdoor that allows you to
partially use it for your purposes. There is no proof, merely allegations,
that the backdoor allows someone with the secret trigger to control it in
other cases, but Intel has made a string of very weird engineering decisions
that make no sense if there's no such hidden backdoor but make perfect sense
if there is.

> > Listen to coreboot and libreboot's reasoning why this will never work.
> >
> > https://libreboot.org/faq.html
> >
> > look at the parts about purism and intel.
>
> Nothing new there.


An argument remains valid (which doesn't imply true nor untrue) until
refuted; it doesn't stop being irrelevant only because it's old. As far as
it's currently known, there's no real way to disable Intel's ME, and that
flag hack announced this week which might or might not do the trick very
likely doesn't already work on CPUs which get out of the production line
today.

> They just say that the only way to be sure is
> "avoiding all modern [>=2008] Intel hardware." Plus: "libreboot project
> recommends avoiding all modern [>=2013] AMD hardware."
>
> This leaves out just ARM, SPARC and Power CPUs. Mind if I ask you: what
> are your PCs and laptops running on?


Laptop: Allwinner A64 (2016).
Desktop: Phenom II X6 1055T (2011).
Mail server: Xeon E5440 (2007).

Yes, neither is very fast, but at least the desktop feels adequate for all
tasks I use it for -- the only thing I've recently wished would compile
faster is the kernel.

And if you do need more oomph directly under your desk, Talos 2 may be
expensive but it's there.

The mail server currently suffers from inadequate I/O, but that's because 1.
it uses spinning rust (replaceable), 2. it runs a lot of other stuff. Mail
load itself (for ~80 users) could be handled by a single NanoPi NEO that's
the size of a coin (4 cores, 512MB ram).


Obviously I deal with a lot more servers than this, but only these three
machines handle any of my data I consider sensitive.


> Do you believe that all ARM, SPARC and Power suppliers do not put anything
> in their CPUs that users and developers do not know about?


ARM has TrustZone which most vendors don't allow running your own code on,
but on Allwinner A64 (at least Pine64 and Pinebook) you get to compile and
load it yourself. It also has an arisc that improves deepest sleep states
(when the ARM CPU is off) but it has no ROM and needs its code loaded at
runtime -- it's not needed for regular operation. Unlike ATF for the
TrustZone, no free code currently exists but if you don't load anything, you
merely

> Again, the only way to be sure is buying hardware from a vendor that
> produces it's own hardware, CPUs included, openly releasing their full
> specifications, blue-prints and software. Do you know any?


In theory, you could buy a FPGA and load openrisc or riscv on it, but I'm
nowhere that kind of hardware hacker for that.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀                                 -- Genghis Ht'rok'din
⠈⠳⣄⠀⠀⠀⠀