[R0b0t1]

Disabling is not removing. People have found motherboards that should ostensibly not support vPro (e.g. Asus gaming motherboards) that do report vPro ME functionality.

There is no reason to believe the software switch is working, especially when even a system integrator can accidentally enable the features. If someone wants them on they turn on.

Purism sells snakeoil. Presenting their offerings as FOSS-compatible would be honest. Claiming additional security is not.

[fmajid]

I am wary of Purism because of this:

https://www.phoronix.com/scan.php?page=news_item&px=Zlatan-T...

[tenebrisalietum]

It's not possible to remove, or at least account for all behavior of, the ME entirely until the BUP part is reverse engineered. You can't take that part out yet and have a working CPU as far as I understand.

I'm surprised you didn't mention the FSP which is a binary blob from Intel required to be run by any boot firmware (UEFI, Coreboot, or whatever) very early in the platform initialization process (to my understanding, basically as soon as possible after the reset vector, in the PEI phase) before anything is useable.

Baby steps. Don't let perfect be the enemy of good. Success here could indicate to CPU vendors there are people who care about these things.

[R0b0t1]

I know it isn't possible. Half measures are attractive short term but can serve to normalize failure, as is currently happening. Most people I know view Purism favorably and think it has actually made ME irrelevant. It hasn't, all the hardware is still there and can be enabled. You still are not the de facto owner of the machine.

[kelnos]

> but can serve to normalize failure

I agree, but it's not like they've given up. They're still working on it, and hope to find a way to permanently remove all the software that enables it, and run their own software instead. Whether or not they'll eventually be successful is of course an open question.

The alternative, at least right now, is that Purism doesn't sell any hardware at all, goes out of business, and then there's no one working credibly on this. That would be an even worse failure, IMO.

[zatop]

That's why for the long term they mention:

" We released a petition for, and continue to work with Intel to free it entirely (what Intel is calling a “ME-less” design). "

Do you have a better solution that trying to neutralise it + starting a petition + talking with Intel to remove it ?

If you to want to criticize brands for selling privacy snakeoil, and not making you "the de facto owner of the machine" then we should address your criticism at Apple, not Purism

[tenebrisalietum]

> It hasn't, all the hardware is still there and can be enabled.

Can it be enabled by Intel?

A system that has ME installed with a NIC the ME can't access (non-Intel) seems like it makes the ME irrelevant via suffocation.

I'm not sure of the technical details of this board or if the ME can access non-Intel NICs.

[wizzwizz4]

Well, if ME was activated by the byte sequence PLEASE_ENABLE_ME_42 being present in RAM, which caused it to look for the Firefox / Chrome network stack in memory and use that to send passwords to Intel…

Unlikely? Amazingly so. Technically possible? Yes.

[boring_twenties]

> Success here could indicate to CPU vendors there are people who care about these things.

If the Libreboot FAQ[1] is to be believed, then we are well past this stage. It states:

> Even Google, which sells millions of chromebooks (coreboot preinstalled) have been unable to persuade them.

[1] https://libreboot.org/faq.html

[fsflover]

Even though it`s true that ME is not 100% removed, most of it is.

https://puri.sm/learn/software-freedom-in-perspective/

[boring_twenties]

The part that can't be removed still has had critical security vulnerabilities, though.

[floatboth]

But how would anyone interact with that part?

If it has no NIC access and the OS doesn't have access to it because it's not hanging on PCIe anymore, so if it's only there for system bringup, it's essentially sealed off from the world.

[boring_twenties]

It might require physical access, as with https://www.intel.com/content/www/us/en/security-center/advi... but that's still pretty bad as it allows for rootkits completely undetectable from the OS environment.

[R0b0t1]

ME hasn't been removed at all. The hardware is still on the machine.

[teddyh]

That’s a useless definition of “removed”; using that definition, ME can never be “removed” at all! But that’s not what we’re talking about here. A more useful definition would be to use “removed” as in “not a security problem anymore”.

[R0b0t1]

> using that definition, ME can never be “removed” at all!

This is my point. It can't be removed. It will always remain a security problem.

[dongvsascript]

that's like saying having a flimsy house door lock lying in your kitchen drawer is a security problem.

you have hardware on the cpu no longer accessible by software. you have a mellanox network card the me can't talk to. it's there, in the kitchen drawer. it's no longer in the door -so not a security problem.

the 'issue' requires physical access to the machine, and for you to be logged in with an admin account. if someone is physically sitting next to your server and logged in as root, you have no security anymore. they don't need to break into anything, the can just run what they want already.

someone is in your car with keys in the ignition. you're saying they can steal your car by hacking the entertainment system because it's insecure.

[R0b0t1]

No, this is more akin to having a flimsy plywood door with a plastic lock right next to your real one but acting like you've solved the issue by taping a "please don't use" sign over it.

Intel ME is still there. It is still potentially remotely configurable and remotely updateable. That those features are not advertised is irrelevant, they can be assumed to be there or easily added.

[boring_twenties]

That definition doesn't change much, because the part that can't be removed can and will leave your system vulnerable to exploits like this one: https://www.intel.com/content/www/us/en/security-center/advi...

[zatop]

Even if they are not yet 100% sure, it's still far better than any other laptop from any other brand who don't even bother trying to do anything about it

[m463]

I'm glad someone is trying.