:: Re: [DNG] Purism Librem and disabli…
Góra strony
Delete this message
Reply to this message
Autor: Taiidan@gmx.com
Data:  
Dla: Alessandro Selli, dng
Temat: Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]
On 09/08/2017 07:18 PM, Alessandro Selli wrote:

> On Fri, 8 Sep 2017 at 00:22:40 -0400
> "Taiidan@???" <Taiidan@???> wrote:
>
>> On 09/07/2017 02:18 PM, Rick Moen wrote:
>>
>>> Quoting Taiidan@??? (Taiidan@???):
>>>
>>>>> I also find a bit questionable your going around attempting to tarnish
>>>>> the reputation of someone with a real name, while concealing your own.
>>>> Criticism isn't allowed?
>>> This is of course nothing like what I said.
>>>
>>>> I dislike when people deal with speculation instead of proven facts
>>>> when judging technical merits.
>>> Then, _address what you perceive as speculation_.
>> I apologize - I should have done that in the first place instead of
>> resorting to name calling.
>>
>> Mr. Selli has said:
>> *That IBM's POWER CPU's have a hardware level backdoor and have had
>> backdoors in the past whilst providing no real evidence to support that
>> those claims,
>    I did provide with the evidence:
> https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html

That .pdf you linked is for IBM's x86 products, which they stopped
making 7 years ago.

Irregardless that is a BMC not a backdoor - a BMC is a standard server
feature and on POWER9 the code is entirely open source and you can run
whatever you please on the BMC chip as there isn't hardware code signing
enforcement like with Intel ME/AMD PSP.
>
>    Why do you write easy to disprove falseness?  Don't you have a minimum
> of self-respect?

Ah the pot calling the kettle black.
>> he bolstered that argument by stating that IBM's work with
>> the US military is suspect and thus concludes guilt by association.
>    No, I just pointed out that the fact that IBM does indeed put hardware
> and software remote-control devices inside it's chips is an established
> and documented truth.

Again a BMC isn't a backdoor
>> IBM sells POWER chips to both the the US Military and the Chinese
>> Military, doing that is largely as to why they are still in business -
>> as the worlds third maker of high performance computing hardware one
>> simply can't and shouldn't ignore the worlds two largest consumers.
>>
>> IBM has done a variety of bad things, but that doesn't mean OpenPOWER
>> isn't a really good one.
>>
>> * That the presence of a BMC chip on POWER means it has a backdoor
>>
>> BMC chips are a common server feature required for remotely
>> administering a computer without headache, this one is owner controlled
>> (no hw code signing enforcement) and has full source code available to
>> the public after POWER9 is released.
>    Again, this is a faith-based assumption as only IBM knows what's
> inside their proprietary hardware.  Anyone who's had experiences on
> their AS400 and RS600 platforms knows how darned proprietary their
> hardware is.  You're free to believe they changed and they now value the
> commoner's freedom more than the interests of the governments they
> serve, of course.  You are *not* free to write falsity and disparage
> people who hold different opinions, though.

I would say buying TALOS where am IBM backdoor is simply fringe
speculation is much better than a purism where it is an absolute fact.
>> *That TALOS is proprietary closed source hardware  -  which isn't true -
>> as not being that is the entire point of it.
>    I repeatedly asked you if there is anyone who has their chips'
> blueprints, which is a prime condition to be able to call their hardware
> anything other than proprietary.  You always turned a deaf ear to these
> requests.

Uhh no I didn't, as I have stated (and as you would know had you read
the TALOS2 website) the POWER9 datasheets and HDL's are currently under
embargo and will be released to the general public when the hardware is
- the makers of TALOS 2 have them as they are a member of the OpenPOWER
foundation.
>> After the release of POWER9 the board and BMC firmware sources will be
>> provided,
>    Ok, so nothing available *now* from IBM is openhardware.  For a
> strange reason this is acceptable from IBM/Talos, while it's a disgrace
> when Purism does the same thing.  Go figure.

Again, the public will get the spec sheets and HDL's when the hardware
is released - why do you consider this equivalent to purism? they will
never be able to get intel to release anything, their hardware has been
out for many years and they still don't even have a blobbed coreboot.
>> and both the CPU/board and the BMC are owner controlled due to
>> the absence of hardware enforced code signing.
>    ...that you know of, as the available hardware is proprietary and
> closed-source.

No it isn't, which you would know if you read the TALOS2 website.
>> Full documentation and HDL's will be available for all components
>    All right, good.  I'll believe what I will see.

>
>> besides the onboard broadcom nics which currently require a firmware
>> blob
>    I wonder why you felt entitled at railing against Purism for having
> considered equipping their laptops with Nvidia GPUs while it's perfectly
> OK that TALOS uses a NIC from one of the most opensource unfriendly vendors.

A network interface isn't a critical component like a graphics device
is, it doesn't control what you see so the device will still be FSF
certified.

The blobs on the broadcom NIC's can and will be replaced with open
source firmware as they have no hardware code signing - unlike nvidia's
graphics devices.
>
>> as there are no open source non-intel gigabit NIC's
>    Is not having Intel hardware more important than having opensource
> components inside a TALOS workstation?

Yes it is.
>> - but the FSF
>> says that this minor detail doesn't prevent it from receiving RYF
>> certification as they are behind the POWER-IOMMU and as such are not
>> capable of doing anything malicious.
>    Good.

>
>> * That the reason he/purism hasn't made owner controlled hardware is
>> because it is "too expensive"
>    I don't remember writing anything like this.  Quote, please?

https://lists.dyne.org/lurker/message/20170906.103659.075c1022.en.html
"Me - I take it you work for purism....raptor has made a legitimately
owner controlled computer - whats stopping you?"
"You - The steep price."

This was also why I assumed you worked for purism.
>
>> Purism's "Librem" 15" laptop is $2,000
>    False, again:
> https://puri.sm/shop/librem-15/
> $1,599.00, now running a rebate to $1,449.00

>
>    Compare with this:
> https://secure.raptorcs.com/content/TL2WK2/purchase.html
> Talos™ II Secure Workstation    $4,750.00

That is the prebuilt cost, not the board/cpu cost.
You could assemble one for $2.5K which is quite reasonable.
> - in comparison one can have a
> TALOS-2 DIY build for $2.6K
>    Do you realize your "errors" are regularly one-sided, they always play
> in favour of TALOS and to the detriment of Purism?  How do you expect to
> be trusted as a neutral source of information, given that you also never
> provide pointers to third-party documentation to back your claims?

What claims?
>    You're really comparing apples to oranges: Purism sells finished
> laptops, TALOS sells rack servers and workstations or components/DIY
> kits.  Be back with your comparisons when TALOS will produce laptops.

TALOS isn't a company it is a product, and this isn't about laptops or
servers this is about freedom hardware of which both companies claim to
be in the market of - thus I compare them.
I do however imagine that POWER laptops will be produced soon, perhaps
during POWER10 era as it will have even lower power consumption that
POWER9 - of which you can get a CPU that has a 90W TDP.
>
>> * That the HAP mode "disabled" ME and makes a purism laptop somehow
>> equivalent to TALOS when it comes to privacy and security.
>    Again, please quote where I wrote such a thing.  I challenged the idea
> that TALOS products are safe products as privacy and security are
> concerned just because they are made out of IBM parts, and I challenged
> the idea they are free from hardware and software that is designed to
> remotely access the hardware and the OS.

Again an open source BMC chip with full documentation is not a backdoor
and not at all equivalent to ME/PSP
>> ME_Cleaner even with HAP mode doesn't disable ME - a black box
>> supervisor processor is still mandatory for the x86 boot process and is
>> capable of a variety of dirty tricks so even if one can verify that it
>> is actually off (difficult...by using an electron microscope perhaps?)
>    You just put a protocol analyzer on the chip pins as you operate it.

What chip pins? the ME core is entirely integrated in the CPU package.
>> there are various things that it could have done before powering off.
>> ME cleaner is nerfing/cleaning, nothing more.
>    There are various things that IMM/RSA could do at boot time and at
> poweroff, too.  Why I am to believe it does nothing or that it only does
> benign operations?  Because IBM states so?

POWER doesn't have IMM/RSA (that is for IBM's very old x86 hardware), it
has POWER-BMC which is significantly different and open source.
>    I am wary of TALOS not because I know their hardware is bugged, but
> because I cannot understand how can it be that:

>
> 1) a never heard before manufacturer runs a crowdfunding effort to
>     produce a 3,700$ POWER8 workstation;

You haven't heard of them but many others have
Raptor is a major coreboot contractor and has been in the free hardware
community for many years - they have produced libre firmware for many
motherboards and a variety of useful hardware for the embedded devices
community..
> 2) the crowdfunding fails miserably:
> https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation
> 14% funded
> 3) shortly after they manage to fund:
>     *) a $4,750 POWER9 Workstation;
>     *) a $5,100 POWER9 Rack Mount Development Platform;
>     *) a $3,950 POWER9 Desktop Development System.

>
>    If they had the money, why run a crowdfunding?

They didn't have corporate backers before, now they do.
>    Why invest so much money to deliver three very costly systems that
> were turned down by the public so little time before?

It wasn't "turned down by the public", many people contributed to the
crowdfunding campaign despite it being poorly promoted and having no
business interest at the time.
>    I smell something fishy here.

Getting corporate backing isn't fishy, IBM wanted to support a POWER
workstation project via the OpenPOWER foundation.
>> * That we should contribute and trust a company that is attempting the
>> sisyphean task of truly disabling ME.
>    Again, you're putting words in my mouth that I never spoke.  Do you
> know what this shows of *you*, not me?

You advertise purism's products time and again and attest that they
respect your privacy and security which they don't, thus I assume that
you desire people to support them.
>> Google has many times attempted to get intel to provide a method to
>> disable ME and remove it from the boot process for their in house
>> computers and the coreboot laptops they sell, they have not been
>> successful - thus if a billion dollar company can't pull it off a small
>> upstart certainly can't.
>    I cannot find references, will you please let me read those you have?

https://libreboot.org/faq.html
There have also been many discussions on the coreboot mailinglist about
this.