
AMD laptops without "Platform Security Processor"


  • #11
    Hello again, bridgman.

    Thank you very much for your added tips and explanations.

    You are right, about it being incorrect for me to put Intel's ME and AMD's PSP in the same bag... I was led to a mistake, because of having first read about Intel's ME... Because Intel's ME is located in the motherboard itself (in the "Controller Hubs"), when I first read about AMD's (I guess, sort of) equivalent, being the first sentence that describes the "Platform Security Processor (PSP)" in libreboot's website one that says "This is basically AMD’s own version of the Intel Management Engine", when I first read that the PSP is "built onto the main CPU die", I wrongly assumed that the "CPU die" was also a part of the motherboard itself (I thought that it was the part of the CPU socket circuitry that made direct contact with the CPU.) But, I've just checked, and a "CPU die" is a part of the CPU itself... (I'm sorry, I'm not a native English speaker, nor any sort of computer specialist, and should have checked the meaning of "die".) So, as you say, it really is quite a different implementation of the same sort of "principle". (The reason why I "lump PSP and ME together", is because I see them both as very serious security risks, for being "hidden" places where someone can implement Trojan horses and such, that can operate unseen from the operating system.)



    • #12
      Hello again, aht0.

      Unfortunately, even if it's now possible to disable AMD's PSP in the BIOS, I can never be sure that this will remain so... Since that, to start with, (1) the UEFI BIOS is a closed-source firmware (and, therefore, I have no guarantees that it's telling me the truth, and that it's actually disabling the PSP upon my request). And, adding to this, (2) even if I can truly disable it, I have no guarantees that it cannot be again enabled without me knowing about it, by some sort of virus that enables it, while making the BIOS continue to say that it's disabled.

      (I'm sorry, but I'm really paranoid, when it comes to security... And, the only way that I can rest assured about all this, is to simply not have a motherboard or CPU with these type of separate controlling engines or processors...)

      I will look for information about the Xeon processors, that you mention. Thank you very much for that.

      And, once I have more time to inform myself better about all this, if I make significant progress in finding out answers to the kind of questions I have, and information I'm looking for, I will post them here, in this thread, so that other people possibly interested in this can also know more about it.



      • #13
        Originally posted by Fernando Negro:
        You are right, about it being incorrect for me to put Intel's ME and AMD's PSP in the same bag... I was led to a mistake, because of having first read about Intel's ME... Because Intel's ME is located in the motherboard itself (in the "Controller Hubs"), when I first read about AMD's (I guess, sort of) equivalent, being the first sentence that describes the "Platform Security Processor (PSP)" in libreboot's website one that says "This is basically AMD’s own version of the Intel Management Engine", when I first read that the PSP is "built onto the main CPU die", I wrongly assumed that the "CPU die" was also a part of the motherboard itself (I thought that it was the part of the CPU socket circuitry that made direct contact with the CPU.) But, I've just checked, and a "CPU die" is a part of the CPU itself... (I'm sorry, I'm not a native English speaker, nor any sort of computer specialist, and should have checked the meaning of "die".) So, as you say, it really is quite a different implementation of the same sort of "principle".
        Good point... I had also forgotten that ME was in the chipset, not the CPU. I might have to edit a couple of earlier posts.

        Originally posted by Fernando Negro:
        (The reason why I "lump PSP and ME together", is because I see them both as very serious security risks, for being "hidden" places where someone can implement Trojan horses and such, that can operate unseen from the operating system.)
        Yeah, that's the only valid argument for lumping them together... that they are both "scary things" (independent processors). I guess my point is that PSP is a smaller scary thing with considerably smaller scope.

        It probably aligns more closely with blocks on Intel CPUs that nobody has bothered to get excited about yet.
        Last edited by bridgman; 08 December 2017, 10:10 AM.
        Test signature



        • #14
          aht0 and all,

          I've also found out that Dell, for example, is now selling laptops with Intel's Management Engine disabled: https://www.pcper.com/news/General-T...e-IME-Disabled (But, again, having it disabled is no guarantee that it can't be enabled by stealth, and without the user knowing about it.)

          If these computer-selling companies were really worried about the security and privacy of their users, they would simply sell motherboards and CPUs without such controlling capabilities - since that, people could already manage their computers very well, before these new implementations appeared.

          (But, because very few people worry about these issues, there's no market that justifies making products only for these people... Look at the Replicant project, for example. Despite the amount of people using smartphones nowadays, there are only funds to maintain one single person working full-time on the project. And, even this one, only solves the software component of the problem: https://www.replicant.us/freedom-pri...ity-issues.php)



          • #15
            Your only solution then seems to be Core 2 era laptops or whatever are AMD equivalents, without UEFI and running OpenBSD, not Linux - unless it's Tails or similar paranoid distro. OpenBSD is thoroughly security oriented and is much less likely to be infected by some governmental spyware. First, it's much less used by people than Linux, second, its development paradigm is heavily focused on software auditing and security as opposed to pushing out new cool features (Linux).

            Thinkpad X200 for example should work just fine with openbsd, including peripherals, suspend/resume.
            Last edited by aht0; 08 December 2017, 04:46 PM.



            • #16
              Yes. I was already able to figure out that, when it comes to Intel-based laptops, the ones with "Core 2 Duo" processors were the last ones that came with old BIOSes - and, presumably, without Intel's Management Engine. What I'm trying to figure out now, is what are their AMD-based equivalents...

              Concerning the OS, I keep away from the BSD family of distros, because of it being more difficult to find drivers to make all the components of a laptop work. And, I also want my OSes to be as complete as possible...

              There's no need to move away from GNU/Linux, if you want privacy and security. There are GNU/Linux distros for which the source-code is completely available - like the FSF-recommended ones, or Debian (if you don't activate other repositories, besides the main one) ever since its Linux kernel is completely free.

              (Of course, I know that 100% security is never possible, when you have a computer connected to the Internet and installing/updating software from it. I just want to make whatever I can, on my side, to make my computers as secure as possible - mostly, as a matter of conscience and principle.)



              • #17
                Originally posted by Fernando Negro:
                Concerning the OS, I keep away from the BSD family of distros, because of it being more difficult to find drivers to make all the components of a laptop work. And, I also want my OSes to be as complete as possible...
                The last sentence made me laugh. Man, BSDs are complete. They are developed as a single entity. Linux is a Frankenstein monster where kernel and all prospective components are developed separately and it remains to be distributors' job to put together the Lego.
                About hardware support - I pointed you model which would work fully and not have Intel ME.
                (X220, X230, X240, X250 would also work, for that matter - It's a line of models OpenBSD devs seem to prefer for their work. Yes they develop on OpenBSD for OpenBSD)
                Originally posted by Fernando Negro:
                There's no need to move away from GNU/Linux, if you want privacy and security. There are GNU/Linux distros for which the source-code is completely available - like the FSF-recommended ones, or Debian (if you don't activate other repositories, besides the main one) ever since its Linux kernel is completely free.
                Source code availability alone does not guarantee a thing. Someone would have to audit it persistently. More of it you have, harder it gets. With Linux everybody seems to think somebody else is doing the auditing and bad security practices in code are not primary concern. Nor second or even third. Getting in new features and fixing obvious bugs are. So you can have serious security holes in some component for years. History has shown, decades in some cases. Average GNU Linux distro has so many millions of lines of code that you'd go gray before you could work through it. Hundreds of thousands LOC keep changing only in the kernel between releases. Yeah, often somebody finds a hole and it gets fixed -
                question to figure out for you - how many bugs would find organization paying its people for finding new bugs from Linux but not for publishing/fixing but for acquiring new attack vectors against given OS. Linux is probably like Swiss Cheese here.
                OpenBSD codebase is far smaller and code audit is a standard practise. They have a history of finding and fixing holes in software in advance of other open software OSes. For example they bitched long before HeartBleed that OpenSSL is untrustworthy mess of a code. They got also rid of Linux emulation they used to have - stating that it was simply too insecure and has to go.
                Xorg implementation they have, is their own custom rewritten version.

                I do not claim that OpenBSD does not have bugs one could build attack software based on. I claim there are far less exploitable bugs and unless you are sufficiently high priority, good chances are that government of yours does not bother getting malware developed just to watch few people with it.
                Originally posted by Fernando Negro:
                (Of course, I know that 100% security is never possible, when you have a computer connected to the Internet and installing/updating software from it. I just want to make whatever I can, on my side, to make my computers as secure as possible - mostly, as a matter of conscience and principle.)
                Well. Do you want it or do you want it not? Because at one time you claim it, then back off. Unless you are going to use Tails, you are not getting comparable security when just using some 'generic' distro.
                Bunch of recent leaks show, that GNU Linux is not safe of governmental spyware. You might even get smaller security/privacy because you would not have antimalware programs available which Windows does have. So, if you'd still get hit by, for example, FinFisher, on Linux you have no fucking way to know - while on Windows - plenty of different security software would indeed detect its presence.

                Want really security. You have to find balance of what is acceptably securish and not too life-breaking.

                Start by migrating to a source code update based security-oriented OS and get a compatible machine for it. It's an easy step, once done, you don't have to bother yourself with it no more. And it's a step further than having quite easily infectable OS with widespread malware support from government arsenals.

                For example what real paranoiac would recommend but I would call life-breaking if applied summarily..
                -Shield the fuck out of your machine. Check the principle of Faraday cage and its applications for computers. So it would not be left remotely readable. It is not too uncommon, for example banks do it.
                -Throw away all wireless keyboards/mice etc.
                -Stop using USB sticks/mediums in particular. Want to transfer some data using physical medium - use blank CD or DVD.
                -Shield the room you are working from. There are special shielding paints (copper based, expensive as hell and I am not sure how available for consumer market) if you are unwilling to fully tear down the room and rebuild it inside multiple layers of grounded metal mesh cage. Get good steel door with good locks (Abloy ain't it) so that nobody can easily enter while you are away and bug it. You are sufficiently done when you lack cellular connection, can't get AM/FM/citizen band radio signal etc.
                -Get fountain or fireplace into room you work from. Random noises from either can mask noises you do and make harder hearing you.
                -Lose the window. One method of bugging involves bouncing invisible laser off your window and measuring sound-induced vibrations. It also loses chances of remote lipreading (some people do move lips even while reading, not only while talking) and of simply photographing whatever documents you may have lying around.
                -Each time leaving home, leave some tell-tale mark only you could 'see'. There are special sprays leaving invisible coating on a details- if somebody touched/scratched it, it would show under UV lamp. Or go more subtle and leave some hard-to-notice tell-tale between the door.
                -Change the routes to/from home daily.
                -Buy prepaid cellular cards, buy new cheap cellular phones. Dump pairs after use. They could still be monitored if you keep calling same specific numbers but they can't be used for tracking you. Just having Replicant phone does not help you that much, GSM is utterly insecure, 3G/LTE well within government capabilities. Tracking/watching you, using fake base stations pretty trivial.
                -Build small EMP device. When you have called visitors and plan on calling them in your working room, ask them to put away their electronics they care about into metal box. Apply that EMP device on them. It kills off any 'extra' electronics they might carry. Do not discuss anything sensitive outside your 'secure room'.
                - Put your clothes through regular EMP. You never know what you might get attached to yourself while using public transport.

                I could also keep going and going and you still would not be able to be quite sure if you were watched. Not if government really-really wants to watch you. As you apply measures - they compensate by piling on resources. Theirs are bigger than yours.

                Going back non-paranoiac now:
                Getting Intel ME-free laptop and installing a Debian on it does not make you noticeably more secure. Considering Linux's general development focus - which is features, not security. Any security hole could literally mean malware in your machine. Intel ME is just ONE particular attack vector.
                And Linux ain't that hardcore in applying more secure approaches because it tends to make user's life less comfortable. Security, like I said, isn't about comfort however.
                Last edited by aht0; 09 December 2017, 05:42 AM.



                • #18
                  Hello again, aht0.

                  I now realize that I didn't express myself right... (I'm sorry about that. It was because now - with GNU/Linux - since both the OS itself and the programs come from the same repository, I've made the mistake of calling everything in the repository the "OS".)

                  By saying that I want "my OSes to be as complete as possible", I meant that, I like my OSes to be able to run as many programs as possible... I don't doubt that the BSD family of distros are capable of doing everything an OS is supposed to do. What I was thinking about, was in the kind of situations - that I often see - when a program has a Windows, an iOS, and a Linux version - but not a BSD one. That's it. (And, that's why I usually choose Debian as my distro - because of it having the biggest amount of software packages in their repositories.)

                  Thank you very much for your extra clarification about the BSD development philosophy. I was not aware that they were so much focused on security. Your description has sparked my interest in it. And, I think I'm going to try one of those distros, once I have more free time to do so (if the same situation, of not being able to find Wi-Fi drivers, doesn't happen again - as it did, with a laptop that I have).

                  Concerning the Thinkpad models,

                  Yes. I have been long aware that they don't have Intel's ME, and are very good in terms of compatibility with Free Software - having even the added convenience of being able to use the free BIOS "libreboot". But, a review I recently watched, makes me doubt a bit their build quality (https://www.youtube.com/watch?v=y8sOO-8LP4E#t=2m1s), and I would like to first see what are all the options that I have. (As I said, I already know how to find laptop models without Intel's ME. But, would like to now be able to identify what my other options are, in terms of laptops without AMD's PSP.)

                  Concerning my interest in security,

                  I never said I was looking for 100% security. Since, I know that's unobtainable. My philosophy is simply: (1) if I can choose between a motherboard or CPU with places where Trojan horses can be hidden from the OS, and another one that doesn't have such security risks, I choose the second option; (2) if I can choose between a closed-source OS like Windows, and an open-source one like GNU/Linux, I choose the second; and, (3) if I can choose between a completely free distro of GNU/Linux, and one that has proprietary drivers and programs, I choose the first. (Being, as I said, the reasons why I have not yet adopted any BSD distro so far, the fact that it's not always possible to make everything on a laptop work, because of the lack of drivers, and because there are programs for which there is no BSD version - and only a GNU/Linux one.)

                  I don't go through any kind of extra security measures beyond this. And, knowing how the powers-that-be work, by placing traps for those who are trying to escape its surveillance (if you want to know how paranoid I am, you can check what I've said about the Ubuntu GNU/Linux distro: https://micahflee.com/2013/01/why-im...#comment-39171) I always see with great suspicion the kind of distros that say "Hey, you want real privacy? Come here!" (and, that use supposedly private browsing programs, like Tor, that a simple Internet research reveals to have been developed by the US government itself: https://trisquel.info/en/forum/how-u...#comment-26792).

                  (More than half of the NGOs, media outlets, and other organizations that claim to be anti-establishment - I've learned, through the years - once you research about who's funding them, reveal themselves to have been built by the establishment itself - obviously, in order to try to control the people who are anti-establishment (https://twitter.com/BlackFerdyPT/sta...04197772742657 + http://discoverthenetworks.org/ + https://www.activistfacts.com/) And, if this is what I have observed in terms of political activism, I can only deduce that the same thing must be happening within other movements, like the Free Software one.)

                  Thank you for all your security suggestions. But, in my case, those are already "too life-breaking", as you say.

                  And, yes - namely, through the "Heartbleed" bug story - I've learned that "Linux ain't that hardcore in applying more secure approaches", as you say. Being the philosophy of GNU/Linux distros like Debian more of a "freedom-loving" one, of making as much Free Software available to the people as possible.

                  I know that if the establishment really wants to, it can always bypass any security I have. I just want to make whatever I can easily and practically do, on my side, to not offer it my computer data on a platter. (Being this the reason why I don't use Gmail, or any other USA-based mail service, accounts, for example.)



                  • #19
                    [Deleted duplicate post, because I didn't know that posts now had to be "approved"...]
                    Last edited by Fernando Negro; 09 December 2017, 01:37 PM.



                    • #20
                      Originally posted by bridgman:
                      Yeah, that's the only valid argument for lumping them together... that they are both "scary things" (independent processors). I guess my point is that PSP is a smaller scary thing with considerably smaller scope.
                      But is there no internal discussion about this @AMD? Don't the officials see that there could be a clear selling point? It's not only FOSS nerds, Google and others are throwing effort at getting rid of this stuff and AMD is ignoring it, establishing the same risks and unwanted anti-features.
