:: Re: [DNG] Purism Librem and disabli…
Top Page
Delete this message
Reply to this message
Author: Alessandro Selli
Date:  
To: dng
Subject: Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re:TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On Fri, 8 Sep 2017 at 00:22:40 -0400
"Taiidan@???" <Taiidan@???> wrote:

> On 09/07/2017 02:18 PM, Rick Moen wrote:
>
>> Quoting Taiidan@??? (Taiidan@???):
>>
>>>> I also find a bit questionable your going around attempting to tarnish
>>>> the reputation of someone with a real name, while concealing your own.
>>> Criticism isn't allowed?
>> This is of course nothing like what I said.
>>
>>> I dislike when people deal with speculation instead of proven facts
>>> when judging technical merits.
>> Then, _address what you perceive as speculation_.
> I apologize - I should have done that in the first place instead of
> resorting to name calling.
>
> Mr. Selli has said:
> *That IBM's POWER CPU's have a hardware level backdoor and have had
> backdoors in the past whilst providing no real evidence to support that
> those claims,


I did provide with the evidence:
https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html

Why do you write easy to disprove falseness? Don't you have a minimum
of self-respect?

> he bolstered that argument by stating that IBM's work with
> the US military is suspect and thus concludes guilt by association.


No, I just pointed out that the fact that IBM does indeed put hardware
and software remote-control devices inside it's chips is an established
and documented truth.

> IBM sells POWER chips to both the the US Military and the Chinese
> Military, doing that is largely as to why they are still in business -
> as the worlds third maker of high performance computing hardware one
> simply can't and shouldn't ignore the worlds two largest consumers.
>
> IBM has done a variety of bad things, but that doesn't mean OpenPOWER
> isn't a really good one.
>
> * That the presence of a BMC chip on POWER means it has a backdoor
>
> BMC chips are a common server feature required for remotely
> administering a computer without headache, this one is owner controlled
> (no hw code signing enforcement) and has full source code available to
> the public after POWER9 is released.


Again, this is a faith-based assumption as only IBM knows what's
inside their proprietary hardware. Anyone who's had experiences on
their AS400 and RS600 platforms knows how darned proprietary their
hardware is. You're free to believe they changed and they now value the
commoner's freedom more than the interests of the governments they
serve, of course. You are *not* free to write falsity and disparage
people who hold different opinions, though.

> *That TALOS is proprietary closed source hardware - which isn't true -
> as not being that is the entire point of it.


I repeatedly asked you if there is anyone who has their chips'
blueprints, which is a prime condition to be able to call their hardware
anything other than proprietary. You always turned a deaf ear to these
requests.

> After the release of POWER9 the board and BMC firmware sources will be
> provided,


Ok, so nothing available *now* from IBM is openhardware. For a
strange reason this is acceptable from IBM/Talos, while it's a disgrace
when Purism does the same thing. Go figure.

> and both the CPU/board and the BMC are owner controlled due to
> the absence of hardware enforced code signing.


...that you know of, as the available hardware is proprietary and
closed-source.

> Full documentation and HDL's will be available for all components


All right, good. I'll believe what I will see.

> besides the onboard broadcom nics which currently require a firmware
> blob


I wonder why you felt entitled at railing against Purism for having
considered equipping their laptops with Nvidia GPUs while it's perfectly
OK that TALOS uses a NIC from one of the most opensource unfriendly vendors.

> as there are no open source non-intel gigabit NIC's


Is not having Intel hardware more important than having opensource
components inside a TALOS workstation?

> - but the FSF
> says that this minor detail doesn't prevent it from receiving RYF
> certification as they are behind the POWER-IOMMU and as such are not
> capable of doing anything malicious.


Good.

> * That the reason he/purism hasn't made owner controlled hardware is
> because it is "too expensive"


I don't remember writing anything like this. Quote, please?

> Purism's "Librem" 15" laptop is $2,000


False, again:
https://puri.sm/shop/librem-15/
$1,599.00, now running a rebate to $1,449.00

  Compare with this:
https://secure.raptorcs.com/content/TL2WK2/purchase.html
Talos™ II Secure Workstation    $4,750.00


> - in comparison one can have a
> TALOS-2 DIY build for $2.6K


Do you realize your "errors" are regularly one-sided, they always play
in favour of TALOS and to the detriment of Purism? How do you expect to
be trusted as a neutral source of information, given that you also never
provide pointers to third-party documentation to back your claims?

You're really comparing apples to oranges: Purism sells finished
laptops, TALOS sells rack servers and workstations or components/DIY
kits. Be back with your comparisons when TALOS will produce laptops.

[...]

> * That the HAP mode "disabled" ME and makes a purism laptop somehow
> equivalent to TALOS when it comes to privacy and security.


Again, please quote where I wrote such a thing. I challenged the idea
that TALOS products are safe products as privacy and security are
concerned just because they are made out of IBM parts, and I challenged
the idea they are free from hardware and software that is designed to
remotely access the hardware and the OS.

> ME_Cleaner even with HAP mode doesn't disable ME - a black box
> supervisor processor is still mandatory for the x86 boot process and is
> capable of a variety of dirty tricks so even if one can verify that it
> is actually off (difficult...by using an electron microscope perhaps?)


You just put a protocol analyzer on the chip pins as you operate it.

> there are various things that it could have done before powering off.
> ME cleaner is nerfing/cleaning, nothing more.


There are various things that IMM/RSA could do at boot time and at
poweroff, too. Why I am to believe it does nothing or that it only does
benign operations? Because IBM states so?
I am wary of TALOS not because I know their hardware is bugged, but
because I cannot understand how can it be that:

1) a never heard before manufacturer runs a crowdfunding effort to
produce a 3,700$ POWER8 workstation;
2) the crowdfunding fails miserably:
https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation
14% funded
3) shortly after they manage to fund:
*) a $4,750 POWER9 Workstation;
*) a $5,100 POWER9 Rack Mount Development Platform;
*) a $3,950 POWER9 Desktop Development System.

If they had the money, why run a crowdfunding?
Why invest so much money to deliver three very costly systems that
were turned down by the public so little time before?

I smell something fishy here.

> * That we should contribute and trust a company that is attempting the
> sisyphean task of truly disabling ME.


Again, you're putting words in my mouth that I never spoke. Do you
know what this shows of *you*, not me?

> Google has many times attempted to get intel to provide a method to
> disable ME and remove it from the boot process for their in house
> computers and the coreboot laptops they sell, they have not been
> successful - thus if a billion dollar company can't pull it off a small
> upstart certainly can't.


I cannot find references, will you please let me read those you have?

> I am sure it is **technically** possible to disable ME, but it would
> require years of research and hundreds of thousands in R&D for a single
> intel CPU generation making it pointless.
>
> There are real owner controlled devices out there now, I see no reason
> to chase a pie in the sky dream of a free x86 - which simply isn't ever
> going to happen.


You mean there are a few devices that are *believed* to be exempt of
hidden, impossible to disable and unremovable remote control features.
What I have said it that while we have proof that Intel and AMD chips do
have remote control features that cannot fully be removed or disabled,
we do not know if other manufacturer's remote control features can be.
Some say IMM activates only under the user's supervision and control.
But it cannot be removed, and it's still there even when the user tells
it to keep quiet and mum. As we're speaking of proprietary,
closed-source hardware, we can only take the manufacturer's word for
what they contain and do not contain, what they do and do not do.

> If purism had in 2013 consulted a skilled hardware engineer and not
> insisted on peddling intel quanta rebrands they would have probably made
> one of the following:
> * An 2013 AMD FT3 device, easily made open source (the Lenovo G505S has
> only a few blobs that can be easily replaced) with sandy bridge
> equivalent performance
> * A performance ARM device such as an AppliedMicro CPU
> * A POWER mobile workstation type laptop, which is possible with
> POWER9's lower wattage CPU's.
> * A KCMA-D8 laptop - the C32 platform has 35W 8 core CPU's and already
> has libre firmware so one would simply have to make a custom 1U "laptop"
> case, battery etc.


Perhaps. Now, I learned of Purism after they debated and settled on
what their products were going to be based on, so I do not know why they
chose to base them on Intel, that I agree is the hardest platform to be
made secure and privacy-respectful among those targeted at devices of
mass production. But I can guess their reasons to go for Intel might
have to do with the same reasons that non-x86 architectures failed in
the '90s and the 2000s and that have kept AMD a small competitor in
Intel's turf. If you remember, in those times a few, daring vendors did
offer Alpha, Sparc, MIPS and Power-based general-purpose workstations to
rival PIII-IV PCs. They were generally regarded as superior machines,
delivering awesome graphics, costlier than Intel or AMD based ones but
more performing, less power-hungry, of longer durability and stability.
Yet they all failed, some shops that offered them suffered bad losses
for betting on non-Intel compatible architectures. The reasons they
failed were mostly attributed to the fact that they:

1) were not Windows compatible (though there was a Windows NT version
ported to Power PReP workstations);
2) could not run unported x86 software;
3) were costlier.

Together with the fact most people just buy what they are most
familiar with and costs less, those early attempts at breaking the
wintel monopoly failed pretty badly. In fact those were the times
Digital, SGI and SUN tried to boost sales of their hardware offering
entry-level Intel-based workstations and servers.

Today those reasons are not as strong at then, but they surely still
hold true. Look at the Munchen Windows-to-Linux migration, even such a
big success is still questioned, sometimes rumors have that the City
Council wants to go back to Windows, almost no one has decided to follow
their example. Plus, the economical motive is stronger today than 15
years ago: today fewer people who'd be glad to run their Linux system on
non-Intel, not-designed-for_Windows hardware, can afford to pay so much
more for a different architecture of comparable performance.
I know that people who'd buy a non-Intel/AMD laptop or workstation do
not intend to run Windows on it as the prime OS, but some colleagues
that develop for big customers (like telcos) are *required* to have
Intel compatible laptops. Even some who are not I know are afraid they
will not be able to deliver what they are required because they are
afraid they will not be able to run Windows or Android under an
hypervisor to perform tests or because they are afraid cross-compilation
will suffer from hard to debug and to resolve quirks that would not have
manifested had they compiled on a native architecture. This is a reason
some of them are happy to tout an Apple machine, even though it costs
more. Many of them are just plain afraid a foreign architecture will
prevent them from enjoying doing something, whatever, they used to take
for granted on any Intel-based machine (gaming?).
I think Purism people wanted to avoid crashing on those same rocks
many other ships run against in the past. Intel and ARM are, indeed,
the primary Linux platforms today.

> The fact that they haven't retasked to do one of the above means that I
> distrust them and that they are sucking resources from real computing
> freedom projects and thus my nerves get twinged every time someone talks
> them up, moreso someone highly skilled such as mr. selli who I believe
> should know better.


I do not question your freedom to feel any way you might feel towards
Purism, but please stop feeling you alone are entitled at running posts
peddling TALOS' "dual socket performance server/workstation hardware ...
designed for the power user market" opening threads that are of no
direct relevance to Devuan. I do not mind OT threads, I am able at
erasing them wholesale if they get too long to read or do not find them
interesting. I do not mind people getting euphoric about a specific
product or manufacturer, though I do enjoy picking at Apple fan-boys.
But I do find ad hominen attacks and baseless allegations about other
posters' personal interests disgusting, especially when they come from
Anonymous Cowards who never provide links to third party material to
substantiate their claims and keep belittling their interlocutor (who
"should know better") for holding a different view from theirs.



--
Alessandro Selli <alessandroselli@???>
Tel. 3701355486
VOIP SIP: dhatarattha@???
Chiave PGP/GPG key: B7FD89FD