by AdmiralAsshat 3338 days ago
The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware.

We knew this would happen. We knew that the Management Engine was a backdoor, and we knew it was only a matter of time before someone would figure out how to exploit it. This is exactly the reason why Libreboot exists (https://libreboot.org/faq.html#intel). And now, far from being the tinfoil hat distro that is often portrayed, it will become a bare necessity.

This is also what the management engine cleaner project is for:

https://github.com/corna/me_cleaner

https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cle...

The procedure seems far from trivial and requires special hardware(?). Is there a guide or some resources I could follow as a person with no hardware/low-level technical knowledge?

There is no good solution for Intel chips.

You could sidestep the whole issue by buying a C201 chromebook (quad-core ARM) and putting Linux on it.

You're not kidding!

> Internal flashing with OEM firmware

> --------------------------------------------

> TODO

Let's hope one of the other CPU manufacturers (e.g. AMD) starts supporting Libreboot and allows officially disabling the ME-equivalent hardware feature, so that Intel gets forced by market pressure to follow.

Intel needs more competition - thanks to AMD's latest new 8-core CPU Intel got forced to release a new CPU they had in their basement for years - suddenly it's possible for them to release i7 notebook CPUs with more than two cores!! Even back in 2010 it would have been viable to produce 4 core notebook CPUs - but they went away because they had no competition.

That was the top request in their March AMA:

https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_crea...

I wouldn't hold my breath, though.

The sad thing with that is that

- releasing the source doesn't tell you what's on the chip.

- PSP is kind of "Ring ∞", so there would be no good outcome from providing general-purpose access to it. So, the keys will never be released.

- it's thusly not possible to map the signed (encrypted) firmware to the source.

- even if the source had a clearly documented "master off" in it, you can never know if the firmware's copy reads "master-except-if-A-and-B-say-C off" :(

What are you on about? I had a 4-core i7 in my laptop back in 2013, an i7-3920XM IIRC:

https://ark.intel.com/products/64887/Intel-Core-i7-3920XM-Pr...

> suddenly it's possible for them to release i7 notebook CPUs with more than two cores

I'm not sure what you mean by this. My Dell XPS 15 has an i7-6700HQ which is quad core, and it's not like I just bought the thing.

> release i7 notebook CPUs with more than two cores

U-series i7s have two cores. HQ-series i7s have four cores. Both are mobile CPUs. Remember though that more cores generally means more power consumption which generally means less wallclock time on battery power.

Intel's U-8XXX CPUs are rumored to offer 4 cores with a variable TDP from 18-45W this autumn.

It's my tinfoil hat theory why MS waits for an earnest update on their high-end Surfacebook. A high-end quad-core Surfacebook with a 10-series GPU and 32GB LPDDR with real Thunderbolt 3 Ports would make for a 13" dream machine...

First mobile quad cores were Sandy Bridge, released January 2011.

? Nehalem had mobile quad cores. I'm using one right now.

Specifically the Clarksfield processors from 2009: https://en.wikipedia.org/wiki/Clarksfield_(microprocessor)

Predating the i7 entirely, there were also quad core laptops using Core 2 Quad CPUs (Penryn QC) in 2008.

Indeed (have some of those too), but I assumed we'd artificially limited ourselves to talking about i7. I'm not sure why I assumed that, because you're right of course.

I'm having fun, I finally have an excuse to dust off my Libreboot X200 (refurbished and modded Thinkpad with Libreboot firmware).

However, I strongly disrecommend buying from Leah Rowe unless you enjoy waiting months for payment confirmation and delivery. The worst webshop experience I've ever had.

I recommend you build/flash your own, contract it out or look for a different vendor.

Has anybody tried the X200 builds from Libiquity?

https://shop.libiquity.com/product/taurinus-x200

I don't own anything by Libiquity but I'd be happy to answer any questions about my Libreboot/Minifree X400, which is based off the Lenovo Thinkpad T400, including diagnostics and/or benchmarks if I can get them set up in less than 30 minutes.

If the verilog to the chip isn't open, you can't trust it. Stallman is dangerously wrong on this point.

Somewhere you have to externalize trust. What use is the open HDL code for a chip if you cannot be sure someone down in the manufacturing chain hasn't... modified it?

Certainly this kind of attack is not your average script kiddy but nation-level instead, but I wouldn't put it past the NSA to pull this off.

Correct, you do need to externalize trust somewhere, but the Richard Stallman level of "chips are ok but firmware is not" is not the correct place for it.

If only we could checksum the commercial hardware and compare it to a reference implementation checksum.