There is no point for that, they can have any number of secret undocumented "god mode" CPU instructions already (as was discovered for some old shit VIA processors), without calling Intel ME into play.

It's literally their own CPU design.

ME is still running on the main CPU. ME stopped using a dedicated ME core when they transitioned to the I3-5-7 processor naming.

Someone needs to carry around all the ME crap too.

I'm pretty sure intentionally enabling any random web page to execute arbitrary code counts as malware.

so only Intel or AMD could do it on modern systems? that's exactly what people are talking about here: Intel potentially backdooring their own microcode. if the only thing stopping any random attacker from doing it is the signature on the microcode update, there's nothing stopping Intel from doing it.

No, that's called "vulnerability".
Malware is a full software that exploits a vulnerability to do something.

Yes. The same applies to GPUs.

Which is why I'm saying it's insanity and paranoia.
Occam Razor applies.
Why the fuck would they need to put the backdoor in the microcode patch.
They design the whole CPU and chipset.
They provide all blobs to put in the board firmware to properly initialize the hardware.
They specifically designed a highly advanced hardware backdoor called Management Engine, and enforced its use in all their hardware. You literally cannot use a system that has no ME on it.

Anything you can do with microcode alone is a vulnerability, AT BEST, and it's harder than just enforcing the use of a tiny OS that has full access to all RAM and can offer rich API to whatever "applications" their customers or other "customers" (ahem) want.

So tell me again, how much sense does it to rail against microcode patch size. You have a whole goddamn OS with ring-3 access in every system you ship.

C'mon, really? Sure, there are things like undocumented registers/instructions (guess: for debugging), flawed integrated security processors, which is bad enough, but both (or, considering ARM, all) vendors have those and actually there's no proof they were implemented broken in the first place just to spy on users. There are easier ways to do that if you have resources available on that scale. Besides, Intel is still one of the biggest Linux contributors. Companies exist to earn money, R&D+QA are expensive, errors are made, simple as that, no tin foil hats required.
I bought AMD CPUs, starting at when they were better and cheaper, continuing because they were cheaper and still good enough, recently because they are better and cheaper again and also because I believe in the necessity of competition to keep progress going and stuff affordable. But yeah, I like open source, transparency and all that.

no it doesn't. you claimed it was impossible. I simply pointed out that it is possible.

you can try to move the goalposts all you want, but it is possible for Intel to put malware in microcode. none of your nonsense will change that.

Really? How do they reconcile that with potential real-time latency requirements from the software running on it. I remember SMM being problematic in that respect.

Do they just say that having both an enabled ME and a real-time OS on the same system is unsupported?

I claimed malware in microcode is impossible, and you still didn't provide any evidence that it is possible.

You only provided evidence that someone can make vulnerable microcode.

The only answer to that is NO DUH. Anything can be made vulnerable. Vulnerabilities are not malware, so my statement is still correct so far.

If you don't know the difference between some words, then it's your own problem.

That's a good point actually. On a second read it seems I got confused, it's still a dedicated core in the chipset.
They just switched from ARC cores to x86 cores, but it's not running on main CPU.

That said, running an IR on it is still kind of nonsensical, also the firmware has been dissected to some degree and there is no module in its firmware that does that.

the fact that it has been done proves that it's possible.