Looking at related cases, this would not work. The ME uses mutable firmware, the HAP bit not working as intended would likely be classified a simple bug and and a firmware update issued with no real consequences to Intel. The one exception to this would be if Intel signed a contract that specified the behavior of the ME in HAP mode, then they might be in breach of contract. No one outside of Intel and its intended customer(s) for HAP would know the exact language, though, or even if such contracts exist in the first place, and certainly a random person using the HAP bit would not be able to bring a lawsuit and actually win since they modified the operation of the ME in unauthorized ways.

For what it's worth, this is one of the problems with mutable, vendor-controlled firmware in high security positions. The vendor has no real responsibility for damage caused by bugs in the firmware components, and is normally able to issue an update as the sole remedy (if the product is even still supported at the point of discovery, if not, there may be no responsibility for a remedy at all).

The kernel is still running, though. Does anyone know for certain that there isn't a "HAP attention sequence" that wakes it back up? Fundamentally what you have is a dormant highly privileged CPU, waiting for a potential exploit to silently take control and resume operation.

In the end if you feel better about using a "cleaned" Intel machine, that's your choice. Just don't be surprised if an exploit against the HAP-set ME is found in the future.

Any passive, single PCIe to M.2 NVMe adapter will work.

Something like this is in the works. We're waiting for required upstream kernel changes to propagate to the distributions first.

Not yet. October is when the full reveal happens.

It's not a POWER limitation, it's that Glamor should not be enabled on 2D-only graphics like the ASpeed devices. If we could get them to blacklist Glamor by default on the ASpeed devices, that would be great. For now, it's an Xorg.conf edit to set "AccelMethod" "none".

Correct. SATA != SAS.

madscientist159
thank you for the reply, i'm really curious to see this product, i will buy it if the price will be more friendly than other product because seems what i was waiting for, and your answers helped me to understood if i can use it without too much problems for my needs

as debian user, i saw there is the ppc64le, but is not a livecd, are you in touch with debian developer or do you make a debian live cd by yourself? i think is important when the system have problems, live cd and other tools like clonezilla are a must have, is it planned to have them available for this platform?

how can i know when the firmware update tool will be available? i see this page https://www.raptorcs.com/content/base/software.html but is empty now, this tool and other usefull things, like livecd or some recovery tool like clonezilla, will be there when available? or where should i look?

as i understood from you and the amd engineer the microcode inside power is placed by IBM is closed source is it right? what do this microcode does?

We actually have a working live CD internally. This has not been released yet because we are still working on integrating the Debian installer.

Most of the system software is actually accessible from the Wiki at https://wiki.raptorcs.com/wiki/Talos_II#See_also A category reserved for software will also be created at some point to make it easier to find.

The microcode isn't so much closed source (implying mutable, compileable code running on a CPU) as it is part of the closed HDL describing the functionality of the processor. HDL is the literal description of how the processor should behave at a hardware level. Essentially, the microcode is part of the CPU silicon design; unlike x86 where this is able to be updated and changed by specific third parties after manufacture (thus introducing legal, security, and ownership uncertainty), on both POWER and (most) ARM processors the microcode in question is a series of wires and transistors inside the processor itself. It is part of the fixed hardware comprising the CPU alongside the instruction decoder, ALU, and I/O blocks, unlike modern x86 designs.

madscientist159
it look awesome, thanks for your work

i have a last question about ddr4
i saw your compatibility list, how can i know if i found a ddr4 ecc reg that is not on list if it works? shound't be a kind of standard? the incompatibility is about a model or a kind of specification? when looking for the memory what else should i looking for other than ddr4 ecc reg?

Most DDR4 ECC registered RAM will work fine. The HCL is just a list of known-working modules that have been tested by Raptor and/or the community. We do recommend that you stay away from early Hynix modules as they did not meet the full DDR4 standard, as well as LR-DIMM since firmware support is not yet available for LR-DIMM modules.

madscientist159
watching the compatibility list, i saw also the soundcards section, i don't have special needs, but it pop me up a question i hope you can share, the product you will present in october, do have an integrated audio or do i need an external sound card?
thank you

I can't share anything more other than to note that integrated sound is available.

Fair enough.

Citation, please? Everything I've read gave the impression that me_cleaner is applying a second mitigation, entirely separate from the HAP bit, which involves exploiting a convenience for the Intel developers to carve out bits the BUP firmware didn't expect to ever be missing and exploiting the fact that there's a window in which the ME can crash without the reset watchdog being enabled yet. (An impression reinforced by the kinds of error messages that UEFI tends to give if the "carve out bits of the firmware" mitigation is enabled without also enabling the "set HAP bit" mitigation.)

It gets tricky, partly because one is relying on undocumented behaviour from the ME components. Apparently different "flavors" of the ME react differently to the invalid inputs created by ME Cleaner, but I am not aware of any of them "crashing" the kernel -- only asking nicely for the ME to halt its userspace after bringup (note "asking nicely" versus "forcibly disabling" -- there is a large difference between those two in terms of assurance). There's also some attempt to remove components from the ME firmware image without really understanding what this does -- does the ME fall back to an internal ROM version of the missing data? Does it start listening for a network upload of the missing data?

http://blog.ptsecurity.com/2017/08/d...-intel-me.html has some additional information. I'd like to call out the following, since I think the information you have above may have been a misquote of this section:

Personally, I don't like the sound of TemporaryDisable, it sounds, well, temporary. ;-) Also looks like this hack may only work on certain desktop variants (?). In any case, the ME hardware is still quite active, so for instance this malware injection vector https://www.theregister.co.uk/2018/0...tel_jtag_flaw/ would still work on your "cleaned" Intel box.