Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-13 Thread Rick Moen
Quoting Alessandro Selli (alessandrose...@linux.com):

> On Fri, 8 Sep 2017 at 00:22:40 -0400 "taii...@gmx.com"
>  wrote:

>> IBM has done a variety of bad things, but that doesn't mean OpenPOWER 
>> isn't a really good one.
>
> * That the presence of a BMC chip on POWER means it has a backdoor

This among other bits was more than a little over the top, Alessandro.
I respect that you're a passionate free software person, but the
existence in the initial Talos II design of an almost decade-old BMC chip
for which (it has been said) there is not public documentation does not
establish that 'it has a backdoor', and you are doing no favour to
public discourse by so claiming.

As I pointed out, FSF expects to give an extremely rare Respects Your
Freedom certification to the Talos II system (subject to checking the
final design, but they and Raptor Engineering have reportedly been
coordinating closely), so, unless you're prepared to argue that
Alessandro Selli understands free software but FSF does not, you really
ought to reconsider your rhetoric.  Thank you.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-11 Thread Rick Moen
Quoting Alessandro Selli (alessandrose...@linux.com):

>   No, I just pointed out that the fact that IBM does indeed put hardware
> and software remote-control devices inside its chips is an established
> and documented truth.
[...]

Noted without comment:

https://www.fsf.org/blogs/licensing/support-the-talos-ii-a-candidate-for-respects-your-freedom-certification-by-pre-ordering-by-september-15

  We've previously supported [link] the work of the folks at Raptor
  Engineering. This time, rather than a crowdfunding effort, we are asking
  you to support their work by pre-ordering the Talos II. [link]
  [...]

  For the future of free computing, we need to build and support systems
  that do not come with such malware [RM: Intel Management Engine,
  proprietary boot firmware, and the like] pre-installed, and the
  Power9-based Talos II promises to be a great example of just such a
  system. Devices like this are the future of computing that Respects Your
  Freedom.

  That is Raptor Engineering's ultimate goal as well, to create a machine
  that can pass RYF certification. They've already been working with us on
  the details, and things are looking good. We'll have to do another
  evaluation once it is actually produced to be sure it meets our
  certification standards, but we have high hopes.

Author Donald Robertson, writing on behalf of FSF, goes on to ask
computer users supporting software freedom to place pre-orders for the
Raptor Engineering Talos II by Sept. 15th, 2017.



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-09 Thread Alessandro Selli
On Fri, 8 Sep 2017 at 23:55:08 -0400
"taii...@gmx.com"  wrote:

> On 09/08/2017 07:18 PM, Alessandro Selli wrote:
>
>> On Fri, 8 Sep 2017 at 00:22:40 -0400
>> "taii...@gmx.com"  wrote:
>>  
>>> On 09/07/2017 02:18 PM, Rick Moen wrote:
>>>  
>>>> Quoting taii...@gmx.com (taii...@gmx.com):

[... space-saving ...]

>>> Mr. Selli has said:
>>> *That IBM's POWER CPU's have a hardware level backdoor and have had
>>> backdoors in the past whilst providing no real evidence to support that
>>> those claims,  
>>I did provide with the evidence:
>> https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html  
> That .pdf you linked is for IBM's x86 products, which they stopped 
> making 7 years ago.
>
> Irregardless that is a BMC not a backdoor - a BMC is a standard server 
> feature

  It's a standard server backdoor.  The BMC chip implements the IPMI
protocol:
https://www.ibm.com/support/knowledgecenter/linuxonibm/liaai.ipmi/liaaiipmi.htm
IPMI is a standardised message-based hardware management
interface. A hardware chip known as the Baseboard Management
Controller (BMC), or Management Controller (MC), implements the
core of IPMI.

  The only good IPMI is the one that isn't there:
https://web.archive.org/web/20170709023319/http://fish2.com/ipmi/itrain-gz.html

An embedded server called the BMC implements IPMI and lives on
server motherboards; it typically runs Linux and has its own
little CPU, memory, and storage. The BMC also provides remote
web access along with email capabilities, LDAP support,
emulation of remote CDs and other media, and a host of other
capabilities. The BMC is powerful, and operates and controls the
server at a very low-level. Designed to operate when the bits
hit the fan it runs even when the server is powered off. Anyone
who has control of either the BMC or IPMI (they’re closely
related) enjoys complete control of the server.

> and on POWER9 the code is entirely open source

  Yes, of course, as it's based on Linux it has to be.

> and you can run 
> whatever you please on the BMC chip as there isn't hardware code signing 
> enforcement like with Intel ME/AMD PSP.

  Can I remove it?
  I'd like to know that, because while it's good that "there isn't
hardware code signing enforcement", that could just mean it's not
necessary as it sits in ROM that cannot be removed without tampering with
the motherboard hardware.
  So, can I remove the BMC?  Can I have a TALOS system without a
parallel OS running in its own CPU that has full control of what my OS
does?

>>Why do you write easy to disprove falseness?  Don't you have a minimum
>> of self-respect?  
> Ah the pot calling the kettle black.
>>> he bolstered that argument by stating that IBM's work with
>>> the US military is suspect and thus concludes guilt by association.  
>> No, I just pointed out that the fact that IBM does indeed put hardware
>> and software remote-control devices inside its chips is an established
>> and documented truth.  
> Again a BMC isn't a backdoor

  It is by its very nature and definition:
https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface

The Intelligent Platform Management Interface (IPMI) is a set of
computer interface specifications for an autonomous computer
subsystem that provides management and monitoring capabilities
independently of the host system's CPU, firmware (BIOS or UEFI)
and operating system. IPMI defines a set of interfaces used by
system administrators for out-of-band management of computer
systems and monitoring of their operation. For example, IPMI
provides a way to manage a computer that may be powered off or
otherwise unresponsive by using a network connection to the
hardware rather than to an operating system or login shell.

 [... room saving ...]

>>Again, this is a faith-based assumption as only IBM knows what's
>> inside their proprietary hardware.  Anyone who's had experiences on
>> their AS400 and RS600 platforms knows how darned proprietary their
>> hardware is.  You're free to believe they changed and they now value the
>> commoner's freedom more than the interests of the governments they
>> serve, of course.  You are *not* free to write falsity and disparage
>> people who hold different opinions, though.  
> I would say buying TALOS where an IBM backdoor is simply fringe 
> speculation

  It's a matter of fact: it has a BMC chip, which implements IPMI, which
has all the characteristics and properties and functions of a backdoor.

> is much better than a purism where it is an absolute fact.

  Not Purism, rather Intel: what Purism develops, they document and
release as OS.

>>> *That TALOS is proprietary closed source hardware  -  which isn't true -
>>> as not being that is the entire point of it.
>>I repeatedly 

Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-08 Thread taii...@gmx.com

On 09/08/2017 07:18 PM, Alessandro Selli wrote:

> On Fri, 8 Sep 2017 at 00:22:40 -0400
> "taii...@gmx.com"  wrote:
>
>> On 09/07/2017 02:18 PM, Rick Moen wrote:
>>
>>> Quoting taii...@gmx.com (taii...@gmx.com):
>>>
>>>>> I also find a bit questionable your going around attempting to tarnish
>>>>> the reputation of someone with a real name, while concealing your own.
>>>> Criticism isn't allowed?
>>> This is of course nothing like what I said.
>>>
>>>> I dislike when people deal with speculation instead of proven facts
>>>> when judging technical merits.
>>> Then, _address what you perceive as speculation_.
>> I apologize - I should have done that in the first place instead of
>> resorting to name calling.
>>
>> Mr. Selli has said:
>> *That IBM's POWER CPU's have a hardware level backdoor and have had
>> backdoors in the past whilst providing no real evidence to support that
>> those claims,
>
>   I did provide with the evidence:
> https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html

That .pdf you linked is for IBM's x86 products, which they stopped
making 7 years ago.

Irregardless that is a BMC not a backdoor - a BMC is a standard server
feature and on POWER9 the code is entirely open source and you can run
whatever you please on the BMC chip as there isn't hardware code signing
enforcement like with Intel ME/AMD PSP.

>   Why do you write easy to disprove falseness?  Don't you have a minimum
> of self-respect?

Ah the pot calling the kettle black.

>> he bolstered that argument by stating that IBM's work with
>> the US military is suspect and thus concludes guilt by association.
>
>   No, I just pointed out that the fact that IBM does indeed put hardware
> and software remote-control devices inside its chips is an established
> and documented truth.

Again a BMC isn't a backdoor

>> IBM sells POWER chips to both the US Military and the Chinese
>> Military, doing that is largely as to why they are still in business -
>> as the world's third maker of high performance computing hardware one
>> simply can't and shouldn't ignore the world's two largest consumers.
>>
>> IBM has done a variety of bad things, but that doesn't mean OpenPOWER
>> isn't a really good one.
>>
>> * That the presence of a BMC chip on POWER means it has a backdoor
>>
>> BMC chips are a common server feature required for remotely
>> administering a computer without headache, this one is owner controlled
>> (no hw code signing enforcement) and has full source code available to
>> the public after POWER9 is released.
>
>   Again, this is a faith-based assumption as only IBM knows what's
> inside their proprietary hardware.  Anyone who's had experiences on
> their AS400 and RS600 platforms knows how darned proprietary their
> hardware is.  You're free to believe they changed and they now value the
> commoner's freedom more than the interests of the governments they
> serve, of course.  You are *not* free to write falsity and disparage
> people who hold different opinions, though.

I would say buying TALOS where an IBM backdoor is simply fringe
speculation is much better than a purism where it is an absolute fact.

>> *That TALOS is proprietary closed source hardware  -  which isn't true -
>> as not being that is the entire point of it.
>
>   I repeatedly asked you if there is anyone who has their chips'
> blueprints, which is a prime condition to be able to call their hardware
> anything other than proprietary.  You always turned a deaf ear to these
> requests.

Uhh no I didn't, as I have stated (and as you would know had you read
the TALOS2 website) the POWER9 datasheets and HDL's are currently under
embargo and will be released to the general public when the hardware is
- the makers of TALOS 2 have them as they are a member of the OpenPOWER
foundation.

>> After the release of POWER9 the board and BMC firmware sources will be
>> provided,
>
>   Ok, so nothing available *now* from IBM is openhardware.  For a
> strange reason this is acceptable from IBM/Talos, while it's a disgrace
> when Purism does the same thing.  Go figure.

Again, the public will get the spec sheets and HDL's when the hardware
is released - why do you consider this equivalent to purism? they will
never be able to get intel to release anything, their hardware has been
out for many years and they still don't even have a blobbed coreboot.

>> and both the CPU/board and the BMC are owner controlled due to
>> the absence of hardware enforced code signing.
>
>   ...that you know of, as the available hardware is proprietary and
> closed-source.

No it isn't, which you would know if you read the TALOS2 website.

>> Full documentation and HDL's will be available for all components
>
>   All right, good.  I'll believe what I will see.
>
>> besides the onboard broadcom nics which currently require a firmware
>> blob
>
>   I wonder why you felt entitled at railing against Purism for having
> considered equipping their laptops with Nvidia GPUs while it's perfectly
> OK that TALOS uses a NIC from one of the most opensource unfriendly vendors.

A network interface isn't a critical component like a graphics device
is, it 

Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-08 Thread Alessandro Selli
On Fri, 8 Sep 2017 at 00:22:40 -0400
"taii...@gmx.com"  wrote:

> On 09/07/2017 02:18 PM, Rick Moen wrote:
> 
>> Quoting taii...@gmx.com (taii...@gmx.com):
>>
>>>> I also find a bit questionable your going around attempting to tarnish
>>>> the reputation of someone with a real name, while concealing your own.
>>> Criticism isn't allowed?
>> This is of course nothing like what I said.
>>
>>> I dislike when people deal with speculation instead of proven facts
>>> when judging technical merits.
>> Then, _address what you perceive as speculation_.
> I apologize - I should have done that in the first place instead of 
> resorting to name calling.
> 
> Mr. Selli has said:
> *That IBM's POWER CPU's have a hardware level backdoor and have had 
> backdoors in the past whilst providing no real evidence to support that 
> those claims,

  I did provide with the evidence:
https://lists.dyne.org/lurker/message/20170907.084234.3d39055c.en.html

  Why do you write easy to disprove falseness?  Don't you have a minimum
of self-respect?

> he bolstered that argument by stating that IBM's work with 
> the US military is suspect and thus concludes guilt by association.

  No, I just pointed out that the fact that IBM does indeed put hardware
and software remote-control devices inside its chips is an established
and documented truth.

> IBM sells POWER chips to both the US Military and the Chinese 
> Military, doing that is largely as to why they are still in business - 
> as the world's third maker of high performance computing hardware one 
> simply can't and shouldn't ignore the world's two largest consumers.
>
> IBM has done a variety of bad things, but that doesn't mean OpenPOWER 
> isn't a really good one.
>
> * That the presence of a BMC chip on POWER means it has a backdoor
>
> BMC chips are a common server feature required for remotely 
> administering a computer without headache, this one is owner controlled 
> (no hw code signing enforcement) and has full source code available to 
> the public after POWER9 is released.

  Again, this is a faith-based assumption as only IBM knows what's
inside their proprietary hardware.  Anyone who's had experiences on
their AS400 and RS600 platforms knows how darned proprietary their
hardware is.  You're free to believe they changed and they now value the
commoner's freedom more than the interests of the governments they
serve, of course.  You are *not* free to write falsity and disparage
people who hold different opinions, though.

> *That TALOS is proprietary closed source hardware  -  which isn't true - 
> as not being that is the entire point of it.

  I repeatedly asked you if there is anyone who has their chips'
blueprints, which is a prime condition to be able to call their hardware
anything other than proprietary.  You always turned a deaf ear to these
requests.

> After the release of POWER9 the board and BMC firmware sources will be 
> provided,

  Ok, so nothing available *now* from IBM is openhardware.  For a
strange reason this is acceptable from IBM/Talos, while it's a disgrace
when Purism does the same thing.  Go figure.

> and both the CPU/board and the BMC are owner controlled due to 
> the absence of hardware enforced code signing.

  ...that you know of, as the available hardware is proprietary and
closed-source.

> Full documentation and HDL's will be available for all components

  All right, good.  I'll believe what I will see.

> besides the onboard broadcom nics which currently require a firmware 
> blob

  I wonder why you felt entitled at railing against Purism for having
considered equipping their laptops with Nvidia GPUs while it's perfectly
OK that TALOS uses a NIC from one of the most opensource unfriendly vendors.

> as there are no open source non-intel gigabit NIC's

  Is not having Intel hardware more important than having opensource
components inside a TALOS workstation?

> - but the FSF 
> says that this minor detail doesn't prevent it from receiving RYF 
> certification as they are behind the POWER-IOMMU and as such are not 
> capable of doing anything malicious.

  Good.

> * That the reason he/purism hasn't made owner controlled hardware is 
> because it is "too expensive"

  I don't remember writing anything like this.  Quote, please?

> Purism's "Librem" 15" laptop is $2,000

  False, again:
https://puri.sm/shop/librem-15/
$1,599.00, now running a rebate to $1,449.00

  Compare with this:
https://secure.raptorcs.com/content/TL2WK2/purchase.html
Talos™ II Secure Workstation$4,750.00

> - in comparison one can have a 
> TALOS-2 DIY build for $2.6K

  Do you realize your "errors" are regularly one-sided, they always play
in favour of TALOS and to the detriment of Purism?  How do you expect to
be trusted as a neutral source of information, given that you also never
provide pointers to third-party documentation to back your claims?

  You're really comparing apples to oranges: Purism sells finished
laptops, TALOS sells 

Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-08 Thread Arnt Karlsen
On Thu, 7 Sep 2017 23:16:08 -0700, Rick wrote in message 
<20170908061608.gc9...@linuxmafia.com>:

> Quoting taii...@gmx.com (taii...@gmx.com):
> 
> > I apologize - I should have done that in the first place instead of
> > resorting to name calling.
> 
> I thank you.
> 
> (In fairness, Mr. Selli then return-volleyed the same thing, which was
> not 'cricket' either but rather amusing in context.)
> 
> Thank you as well for the attempt to hold a serious conversation about
> the obstacles to truly open hardware.
> 
> > No it isn't, I have had 5 separate targeting hacking attacks on me
> > in my 10 years on the internet - one of those people attempted to
> > find my physical location so he could SWAT me which is why I never
> > use my real name nor have any type of social media.
> 
> I can only say that some passive-aggressives in the online community
> have tried to 'get Moen fired', which has been hilarious to watch.  
> I think it rather unnerves them when they notice that my Web site has
> my real street address, real telephone number, and, best of all, my
> exact latitude, longitude, and altitude expressed as 'ICBM
> address'.  ;->

..I used to have a ping target "If it responds, you missed." service 
going. ;o)

-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-08 Thread Enrico Weigelt, metux IT consult

On 08.09.2017 09:53, Erik Christiansen wrote:

> No, one of the variety of CPUs implemented on FPGAs, so not so curious
> at all. Some FPGAs contain RAM areas, improving the gate efficiency of
> e.g. a CPU implementation.


No, that's just boring ;-)

I'm thinking of generating VHDL from fw rules and synthesize that into
an FPGA.

OTOH, for such applications we could also think about different
computer architectures (maybe transputers, etc)

--

with kind regards
--
Enrico, Sohn von Wilfried, a.d.F. Weigelt,
metux IT consulting
+49-151-27565287


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-08 Thread Erik Christiansen
On 07.09.17 17:34, Enrico Weigelt, metux IT consult wrote:
> On 07.09.2017 16:12, Erik Christiansen wrote:
> 
> > If the firewall is on a FPGA, then we know what every gate is doing, as
> > we have the VHDL source for it.
> 
> A purely FPGA-based firewall (w/o a CPU in it), specifically
> synthesized for a given ruleset, seems a very interesting approach.

No, one of the variety of CPUs implemented on FPGAs, so not so curious
at all. Some FPGAs contain RAM areas, improving the gate efficiency of
e.g. a CPU implementation.

Erik


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rick Moen
Quoting taii...@gmx.com (taii...@gmx.com):

> >I also find a bit questionable your going around attempting to tarnish
> >the reputation of someone with a real name, while concealing your own.
> Criticism isn't allowed?

This is of course nothing like what I said.

> I dislike when people deal with speculation instead of proven facts
> when judging technical merits.

Then, _address what you perceive as speculation_.  Instead, attempting
cheap character assassination from behind cover of anonymity suggests
you have no real argument.

> I don't use my "real" name on the internet for the same reason I
> don't want a computer with ME/PSP.

Once again, you are deflecting and changing the subject.  I said nothing
against being anonymous.  I merely said that slagging reputations of 
real named people with unsupported derogatory allegations, especially
when you refuse to name yourself, is disreputable and bogus.

Of course, you don't actually need to worry about 'taii...@gmx.com'
developing a bad reputation:  At some point, you can just walk away from
that 'nym and be someone else, which is the whole point, isn't it?  It
makes the character assassination ploy a bit transparent.



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Adam Borowski
On Thu, Sep 07, 2017 at 05:25:47PM +0200, Enrico Weigelt, metux IT consult 
wrote:
> IMHO, even this discussion isn't strictly related to devuan

That's why we're talking on dng not on devuan-dev.

The latter is for development of Devuan specifically.
The former came with the slogan "campfire for systemd refugees".

> it's still related to the bigger picture, why FOSS exists at all.

Why would anyone bother to use free software if you have no free hardware to
run it on?  Hardware with merely closed internal workings but well-defined
programmer-facing specs has been so far considered acceptable, but nowadays
we're faced with hardware that actively works against you!  Security is
simply not possible on such gear.

> Actually, I'm very happy w/ the things posted here (*incl* the OTs).

I'd consider a discussion of bind vs nsd, or user questions somewhat OT
(even if usually helpful).  I don't see how talk about direct threats
towards openness of development would be against the spirit of such list --
be that replacing half of the system with an opaque unmodular blob with bugs
unfixable[1] for an outsider, so are backdoors or DRM in the hardware.

> Maybe we could split the list into multiple ones, for several topic
> types. (eg. strictly technical ones, like packages/patches, general
> discussions, etc)

There's probably not enough traffic for separating user-facing stuff yet;
strictly packaging stuff already has a list of its own.

Also, note my sig: it has the swirl rather than the chevron in it.  All of
Devuan development I do migrates through Debian first.  Yet I don't have a
feeling of being unwelcome here.

And, I guess it's up to Jaromil and co to declare what's acceptable here:
they're the owners of this list after all.

I do understand your anger about a spat between someone calling another
poster a Purism shill while the other person derided Talos in turn.  That
was ugly.  But, if you exclude this shout-fest, the rest of the thread was
worth the electrons it came on.


Meow!

[1]. Taking too much effort, for someone with decent general programming
skills but unfamiliar with the system in question, makes such a system
too closed to be allowed to live.  I'm not a kernel dev yet I can fix easy
kernel problems -- no such thing with systemd.
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄ 


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Enrico Weigelt, metux IT consult

On 07.09.2017 16:12, Erik Christiansen wrote:

> If the firewall is on a FPGA, then we know what every gate is doing, as
> we have the VHDL source for it.


A purely FPGA-based firewall (w/o a CPU in it), specifically
synthesized for a given ruleset, seems a very interesting approach.

Anyone here w/ some practical vhdl experience ?


--mtx


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Enrico Weigelt, metux IT consult

On 07.09.2017 16:42, Rowland Penny wrote:

> On Thu, 7 Sep 2017 16:32:42 +0200
> Adam Borowski  wrote:
>
>> On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
>
> I have tried asking nicely
>
> WILL YOU SHUTUP!!!

hey, please calm down.

IMHO, even this discussion isn't strictly related to devuan, it's still
related to the bigger picture, why FOSS exists at all.

Actually, I'm very happy w/ the things posted here (*incl* the OTs).

Maybe we could split the list into multiple ones, for several topic
types. (eg. strictly technical ones, like packages/patches, general
discussions, etc)

--mtx


[DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Edward Bartolo
Quote: "Please take this discussion somewhere else, it has NOTHING to do with
Devuan"

This discussion has taught me that Intel CPUs from 2008 onwards also
come with GRATIS but QUESTIONABLE functionalities, that many including
myself, frown upon.

If there are non-risky hacks that readers can use to 'harden' their
computer against this unwelcome feature, please go ahead and provide
it, even here. This has to do with Devuan as it has to do with
security.


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rowland Penny
On Thu, 7 Sep 2017 16:32:42 +0200
Adam Borowski  wrote:

> On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:

I have tried asking nicely

WILL YOU SHUTUP!!!

I don't care about your drivel, it has nothing directly to do with
Devuan

Rowland



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Adam Borowski
On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
> On 07.09.17 13:32, Adam Borowski wrote:
> > On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > > If our hosts cannot be trusted not to phone home to folk wearing dark
> > > glasses, then would it not suffice to employ a simple embedded host with
> > > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
> > 
> > It's not hard to trigger a backdoor using a higher level protocol, from
> > Javascript, etc.
> 
> But no-one who is awake would enable java or any of that stuff on a firewall.
> Back doors on the LAN can't phone home through a minimal-silicon RISC
> embedded firewall which is just too small to contain any secondary CPU.
> It just needs to run a minimal kernel with packet routing capability.
> Everything else is a door into vacuum.

You don't make a separate TCP connection, you put it into a stream the user
already has.  And no firewall can distinguish a https connection from
another, other than the destination (the black glasses guys won't use a
.nsa.gov server) or perhaps some flow patterns if you tunnel certain
long-lived protocols inside the https connection -- which isn't possible
if they use anything that resembles a typical browsing session.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄ 


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rowland Penny
On Fri, 8 Sep 2017 00:12:02 +1000
Erik Christiansen  wrote:

> On 07.09.17 14:05, Alessandro Selli wrote:
> >   ROMB is the ROM Bypass and that too is builtin the PCH chip:
> 
> Erik

Excuse me, but can you lot not take a hint ???

Please take this discussion somewhere else, it has NOTHING to do with
Devuan

Rowland



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
On 07.09.17 14:05, Alessandro Selli wrote:
>   ROMB is the ROM Bypass and that too is builtin the PCH chip:
> 
>   Loading starts with the ROM program, which is contained in the
>   built-in PCH read-only memory. Unfortunately, no way to read or
>   rewrite this memory is known to the general public. However, one can
>   find pre-release versions of ME firmware on the Internet containing
>   the ROMB (ROM BYPASS) section which, as we can assume, duplicates the
>   functionality of ROM.

Many thanks Alessandro for elucidating that. I'm experiencing some
culture shock on reading it.

I have not made a survey of the open source CPU cores implemented on
FPGAs, but a quick "fpga linux board" google shows multiple candidates.
Running a minimal kernel with little more than packet routing, filtering
and a local management interface (console only if we're paranoid) means
we _are_ in full control of all network traffic in and out of our LAN.
(I do not plan to use wlan.)

Presumably all externally initiated connections are already blocked.
Then if we only allow outgoing connections to whitelisted IPs, we're
beginning to make things more difficult for snoops. Vulnerabilities on
our hardware-compromised hosts are less exploitable if they can't be
reached, I figure.

If the firewall is on a FPGA, then we know what every gate is doing, as
we have the VHDL source for it.

Erik


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
On 07.09.17 13:32, Adam Borowski wrote:
> On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > If our hosts cannot be trusted not to phone home to folk wearing dark
> > glasses, then would it not suffice to employ a simple embedded host with
> > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
> 
> It's not hard to trigger a backdoor using a higher level protocol, from
> Javascript, etc.

But no-one who is awake would enable java or any of that stuff on a firewall.
Back doors on the LAN can't phone home through a minimal-silicon RISC
embedded firewall which is just too small to contain any secondary CPU.
It just needs to run a minimal kernel with packet routing capability.
Everything else is a door into vacuum.

Erik


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 13:41:25 +0200
Alessandro Selli  wrote:

> On Thu, 7 Sep 2017 at 21:17:20 +1000
> Erik Christiansen  wrote:
> 
> > The notion of an extra embedded CPU or two on big Intel chips is not
> > difficult to credit, but where is the postulated entire minix OS loaded
> > from?
> 
>   It's in the report by the Positive Technologies team:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> 
>   We see increasing interest in Intel ME internals from researchers
>   all over the world. One of the reasons is the transition of this
>   subsystem to new hardware (x86) and software (modified MINIX as an
>   operating system). The x86 platform allows researchers to make use
>   of the full power of binary code analysis tools. Previously, firmware
>   analysis was difficult because earlier versions of ME were based on
>   an ARCompact microcontroller with an unfamiliar set of instructions.

  Sorry, I think I misinterpreted your question.  Did you ask where in the
Intel hardware the Minix OS is loaded from?  In the above report I read that:

Similarly, we are sure that the ROM integrated into the PCH is
practically the same as ROMB, which also does not contain any code
allowing an exit from HAP mode.

  PCH is the Platform Controller Hub:

Intel Management Engine is a proprietary technology that consists of
a microcontroller integrated into the Platform Controller Hub (PCH)
chip and a set of built-in peripherals. The PCH carries almost all
communication between the processor and external devices; therefore
Intel ME has access to almost all data on the computer.

  The "set of built-in peripherals" most notably include the ethernet and the
WiFi controllers, depending on the specific chips involved.
  ROMB is the ROM Bypass and that too is builtin the PCH chip:

Loading starts with the ROM program, which is contained in the
built-in PCH read-only memory. Unfortunately, no way to read or
rewrite this memory is known to the general public. However, one can
find pre-release versions of ME firmware on the Internet containing
the ROMB (ROM BYPASS) section which, as we can assume, duplicates the
functionality of ROM.


  Bye,


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Didier Kryn

Le 07/09/2017 à 10:48, taii...@gmx.com a écrit :

On 09/07/2017 04:30 AM, Alessandro Selli wrote:


On Wed, 6 Sep 2017 at 17:12:27 -0400
zap  wrote:


Agreed! Talos is at least *LIBRE!*

   No, it ain't:
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

"BMCs and the IPMI Protocol

Baseboard Management Controllers (BMCs) are a type of embedded
computer used to provide out-of-band monitoring for desktops and
servers. These products are sold under many brand names, 
including HP

iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
IPMI."

   IBM stuff is plagued by embedded controlware, too. 



Alessandro, I've read that thread with great interest and I think 
you forgot a "detail": BMC software is open on IBM Power, meaning you 
can replace it with your own, or patch the existing one if you prefer.


Whether there is yet another backdoor is only a supposition and it 
applies to everything you can buy, not specifically IBM. At least, if 
there is one, it is known only to the manufacturer and the 3-letter 
agencies, not to the general hacker. And I'm optimistic because of the 
following law: the lifetime of a secret decreases as the number of 
persons who share it increases, and in this case there must be a number 
of engineers.


Didier




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 21:17:20 +1000
Erik Christiansen  wrote:

> The notion of an extra embedded CPU or two on big Intel chips is not
> difficult to credit, but where is the postulated entire minix OS loaded
> from?

  It's in the report by the Positive Technologies team:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

We see increasing interest in Intel ME internals from researchers all
over the world. One of the reasons is the transition of this
subsystem to new hardware (x86) and software (modified MINIX as an
operating system). The x86 platform allows researchers to make use of
the full power of binary code analysis tools. Previously, firmware
analysis was difficult because earlier versions of ME were based on
an ARCompact microcontroller with an unfamiliar set of instructions.


> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses,

  It's not just that they phone home, the worst part is that they pick up
the phone, your phone!

> then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

  Maybe, but it's difficult to know exactly what triggers the numerous ME
modules and functions of a running system - it's best to disable everything
at boot time. You are supposed to filter both incoming and outgoing traffic,
which is not very easy when you do not know what you need to block. Plus, I
do not remember where I read it, but there are functions in WiFi AP/DSL
modems that were found to have backdoors that are triggered by a precise
sequence of IP packets the unit receives where both headers and payload
matter, which makes for a complicated deep packet inspection firewall that
you need to set up.

  What we actually need is open hardware products ready to supplant current
off-the-shelf proprietary chips and controllers.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Adam Borowski
On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses, then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

It's not hard to trigger a backdoor using a higher level protocol, from
Javascript, etc.

-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀ -- Genghis Ht'rok'din
⠈⠳⣄ 


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Erik Christiansen
The notion of an extra embedded CPU or two on big Intel chips is not
difficult to credit, but where is the postulated entire minix OS loaded
from?

If our hosts cannot be trusted not to phone home to folk wearing dark
glasses, then would it not suffice to employ a simple embedded host with
a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
Buy two, take the lid off the chip on one, to confirm that there's only
enough silicon complexity to provide one RISC CPU, and paranoia might be
able to be reined in. With a microscope, purely optical or USB, it is
not that hard to identify recognisable structures such as ALU,
registers, ROM, etc. Any second CPU capable of running a TCP stack would
show up.

If that's not enough, then an ethernet sniffer running on unsubvertible
low level 16 bit embedded hardware, running a low level RTOS, could
monitor traffic to the firewall, logging all destination IPs, protocol,
etc., revealing unwarranted traffic.

Conspiracy theories are lotsa fun, but if there's a problem with
substance, then restoring user control needn't be that hard, I figure.

Erik
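Erik's two proposals in this thread, a minimal firewall that blocks every externally initiated connection and lets outbound traffic reach only whitelisted IPs, plus a separate sniffer that logs destination IPs and protocols so unwarranted traffic stands out, amount to one decision rule and one audit pass over the same flow records. The following is an added example of that logic in Python; it is not code from this thread or from any of the products discussed. The LAN prefix, the allow-list, the `Flow` record shape and the flow log lines are all constructed for the illustration, not taken from a real network.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log, not captured from any real network: one line per
# observed flow as a minimal firewall or sniffer might record it
# (direction relative to the LAN, src, dst, protocol, destination port).
SAMPLE_FLOWS = """\
out 192.168.1.10 93.184.216.34 tcp 443
out 192.168.1.10 1.1.1.1 udp 53
in  203.0.113.7 192.168.1.10 tcp 22
out 192.168.1.12 198.51.100.9 tcp 8443
out 192.168.1.10 93.184.216.34 tcp 443
out 192.168.1.12 198.51.100.9 tcp 8443
out 192.168.1.12 192.168.1.1 tcp 22
"""

# Hypothetical policy: the LAN prefix and the only external destinations
# that hosts are permitted to reach (one web host and one resolver).
LAN = ip_network("192.168.1.0/24")
ALLOWED_EGRESS = (ip_network("93.184.216.34/32"), ip_network("1.1.1.1/32"))


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = initiated from outside, "out" = initiated on the LAN
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse the whitespace-separated flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        direction, src, dst, proto, dport = parts
        try:
            ip_address(src)
            ip_address(dst)
            flows.append(Flow(direction, src, dst, proto, int(dport)))
        except ValueError:
            continue  # unparsable address or port: not a usable record
    return flows


def decide(flow, lan=LAN, allowed=ALLOWED_EGRESS):
    """Default-deny policy: every externally initiated flow is dropped,
    LAN-internal traffic is accepted, and outbound traffic is accepted only
    when the destination is on the allow-list."""
    if flow.direction != "out":
        return "drop"
    dst = ip_address(flow.dst)
    if dst in lan:
        return "accept"
    return "accept" if any(dst in net for net in allowed) else "drop"


def audit(flows, lan=LAN, allowed=ALLOWED_EGRESS):
    """Sniffer-side view: count dropped outbound attempts per
    (src, dst, proto, dport), so a host that keeps trying to reach an
    unlisted destination stands out even though nothing got through."""
    unwarranted = Counter()
    for flow in flows:
        if flow.direction == "out" and decide(flow, lan, allowed) == "drop":
            unwarranted[(flow.src, flow.dst, flow.proto, flow.dport)] += 1
    return dict(unwarranted)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in flows:
        print(decide(f), f)
    for key, n in audit(flows).items():
        print(f"unwarranted egress x{n}: {key}")
```

With the constructed sample, the inbound SSH attempt and both attempts by 192.168.1.12 to reach 198.51.100.9 are dropped, and the audit reports that host and destination with a count of two; the point of the audit is that a blocked attempt is still evidence worth keeping, since a host that should have no reason to contact an address is exactly the signal Erik's sniffer is meant to surface.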


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 06:29:59 -0400
"taii...@gmx.com"  wrote:

> On 09/07/2017 05:01 AM, Rick Moen wrote:
>
>> Quoting taii...@gmx.com (taii...@gmx.com):
>>
>> [speaking to Alessandro Selli]
>>
>>> You are constantly defending them and snubbing your nose at superior
>>> products so it is obvious you work for purism.
>> Can I ask for a bit more civility, please?  Mr. Selli is a fairly
>> passionate free software person, more than adequately accounting for his
>> views, which I respect even though we have sometimes disagreed rather
>> strongly.  There is zero justification for attributing ulterior motives
>> to him.
>>
>> I also find a bit questionable your going around attempting to tarnish
>> the reputation of someone with a real name, while concealing your own.
> Criticism isn't allowed? I dislike when people deal with speculation 
> instead of proven facts when judging technical merits.

  I provided links and quotes to back what I wrote.  Of course I could
still be wrong, but your criticism was not based on anything factual - at
least you did not provide facts to back your claims.

> Could POWER have an undocumented backdoor? Of course - anything is 
> possible when it comes to something that complex.
> Do modern x86 processors have one that is impossible to remove? That is 
> a proven fact.

  * Does POWER have an undocumented backdoor? Of course, that is a proven
fact.
  * Could they be disabled or at least partially removed?  No one knows.
  * Do modern x86 processors have an undocumented backdoor? Of course, that
is a proven fact.
  * Could they be disabled or at least partially removed?  Yes, as Rick Moen
    reported on Thu, 31 Aug 2017 21:46:39 -0700, documenting his claims and
    quoting the works of the Positive Technologies team.

> I don't use my "real" name on the internet for the same reason I don't 
> want a computer with ME/PSP.

  No one can hack your brain remotely because they know your real name.
Concealing it just makes whatever you claim dubious and unverifiable without
third-party documentation - that you *always* fail to produce.


  Greetings,


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread taii...@gmx.com

On 09/07/2017 05:01 AM, Rick Moen wrote:


Quoting taii...@gmx.com (taii...@gmx.com):

[speaking to Alessandro Selli]


You are constantly defending them and snubbing your nose at superior
products so it is obvious you work for purism.

Can I ask for a bit more civility, please?  Mr. Selli is a fairly
passionate free software person, more than adequately accounting for his
views, which I respect even though we have sometimes disagreed rather
strongly.  There is zero justification for attributing ulterior motives
to him.

I also find a bit questionable your going around attempting to tarnish
the reputation of someone with a real name, while concealing your own.
Criticism isn't allowed? I dislike when people deal with speculation 
instead of proven facts when judging technical merits.


Could POWER have an undocumented backdoor? Of course - anything is 
possible when it comes to something that complex.
Do modern x86 processors have one that is impossible to remove? That is 
a proven fact.


I don't use my "real" name on the internet for the same reason I don't 
want a computer with ME/PSP.



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 04:48:43 -0400
"taii...@gmx.com"  wrote:

> On 09/07/2017 04:30 AM, Alessandro Selli wrote:
>
>> On Wed, 6 Sep 2017 at 17:12:27 -0400
>> zap  wrote:
>>
>>> Agreed! Talos is at least *LIBRE!*
>>No, it ain't:
>> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
>>
>>  "BMCs and the IPMI Protocol
>>
>>  Baseboard Management Controllers (BMCs) are a type of embedded
>>  computer used to provide out-of-band monitoring for desktops and
>>  servers. These products are sold under many brand names,
>> including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and
>> Supermicro IPMI."
>>
>>IBM stuff is plagued by embedded controlware, too.
>
> Uhh no it is

  Yes it is.

> There is a major difference between ME/PSP and IBM's POWER-BMC - One is 
> open source and owner controlled the other two aren't.

  Anything from IBM and Power-related is proprietary.  Again, could you show
us blueprints of the CPU and the Remote Supervisor Adapter present in IBM's
chipsets?

> On 09/06/2017 07:18 PM, Alessandro Selli wrote:
>
>> On 06/09/2017 at 19:15, taii...@gmx.com wrote:
>>> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>>>
 The steep price.

>>> Uhh the laptops you guys are selling now cost just as much as TALOS...
>>"you" whom?  I am not a seller.
> You are constantly defending

  No, I reported of what they are doing, providing quotations.

> them and snubbing your nose at superior 
> products

  No, I am only pointing out anything you wrote about the supposed
superiority of TALOS is faith-based.

> so it is obvious you work for purism.

  You are constantly defending TALOS and their products based on proprietary,
closed-source hardware from a single producer that has decades-long strong
relationships with the US military and is known to put remote-control
hardware and software in their products that cannot be disabled AFAIK.  So,
it is obvious you work for TALOS.

>>> only they aren't owner controlled.
>>That you know of.  I remember IBM has always been one of the top USA
>> military's purveyors:
>>
>> http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d=miscellany19700206-01.2.13
>>
>> "In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
>> products with the United States Department of Defense. 4 The importance
>> of IBM's military role has grown with the computerization of the
>> American war effort in Vietnam." (1909 is probably an OCR error, there
>> are many in the piece; it could be 1969).
>>
>>I very much doubt material from IBM can be thought of as being
>> freedom-and-liberty loving and exempt from any governmental-friendly
>> "features".  They just don't put it in their public spec sheets like
>> Intel does.
> Ahh oh well shucks looks like I had better buy a purism right? at least 
> then I know for a fact that there is a hardware level backdoor and can 
> act accordingly!

  You could buy a costlier product from TALOS and get yourself a system with
hardware backdoors that, differently from Intel's, cannot be disabled (at
least no one knows how to do it).

  Enjoy your golden privacy- and freedom-denying cage by Big Blue.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Rick Moen
Quoting taii...@gmx.com (taii...@gmx.com):

[speaking to Alessandro Selli]

> You are constantly defending them and snubbing your nose at superior
> products so it is obvious you work for purism.

Can I ask for a bit more civility, please?  Mr. Selli is a fairly
passionate free software person, more than adequately accounting for his
views, which I respect even though we have sometimes disagreed rather
strongly.  There is zero justification for attributing ulterior motives
to him.

I also find a bit questionable your going around attempting to tarnish
the reputation of someone with a real name, while concealing your own.




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread taii...@gmx.com

On 09/07/2017 04:30 AM, Alessandro Selli wrote:


On Wed, 6 Sep 2017 at 17:12:27 -0400
zap  wrote:


Agreed! Talos is at least *LIBRE!*

   No, it ain't:
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

"BMCs and the IPMI Protocol

Baseboard Management Controllers (BMCs) are a type of embedded
computer used to provide out-of-band monitoring for desktops and
servers. These products are sold under many brand names, including HP
iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
IPMI."

   IBM stuff is plagued by embedded controlware, too.

Uhh no it is
There is a major difference between ME/PSP and IBM's POWER-BMC - One is 
open source and owner controlled the other two aren't.


On 09/06/2017 07:18 PM, Alessandro Selli wrote:


On 06/09/2017 at 19:15, taii...@gmx.com wrote:

On 09/06/2017 06:36 AM, Alessandro Selli wrote:


The steep price.


Uhh the laptops you guys are selling now cost just as much as TALOS...

   "you" whom?  I am not a seller.
You are constantly defending them and snubbing your nose at superior 
products so it is obvious you work for purism.

only they aren't owner controlled.

   That you know of.  I remember IBM has always been one of the top USA
military's purveyors:

http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d=miscellany19700206-01.2.13

"In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
products with the United States Department of Defense. 4 The importance
of IBM's military role has grown with the computerization of the
American war effort in Vietnam." (1909 is probably an OCR error, there
are many in the piece; it could be 1969).

   I very much doubt material from IBM can be thought of as being
freedom-and-liberty loving and exempt from any governmental-friendly
"features".  They just don't put it in their public spec sheets like
Intel does.
Ahh oh well shucks looks like I had better buy a purism right? at least 
then I know for a fact that there is a hardware level backdoor and can 
act accordingly!



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Thu, 7 Sep 2017 at 10:30:39 +0200
Alessandro Selli  wrote:

> On Wed, 6 Sep 2017 at 17:12:27 -0400
> zap  wrote:
> 
> > Agreed! Talos is at least *LIBRE!*
> 
>   No, it ain't:
> https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
> 
>   "BMCs and the IPMI Protocol
> 
>   Baseboard Management Controllers (BMCs) are a type of embedded
>   computer used to provide out-of-band monitoring for desktops and
>   servers. These products are sold under many brand names, including
> HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
>   IPMI."
> 
>   IBM stuff is plagued by embedded controlware, too.

  More info:

https://www.ibm.com/support/knowledgecenter/STAV45/com.ibm.sonas.doc/imm_users_guide_60y1465.pdf


IMM features
 The IMM provides the following functions:
 ° Around-the-clock remote access and management of your server
 ° Remote management independent of the status of the managed server
 ° Remote control of hardware and operating systems
 ° Web-based management with standard Web browsers


  So much for the idea that such a thing as a freedom-loving and people's
rights and privacy respectful technocorporation could exist.


  Greetings,


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-07 Thread Alessandro Selli
On Wed, 6 Sep 2017 at 17:12:27 -0400
zap  wrote:

> Agreed! Talos is at least *LIBRE!*

  No, it ain't:
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

"BMCs and the IPMI Protocol

Baseboard Management Controllers (BMCs) are a type of embedded
computer used to provide out-of-band monitoring for desktops and
servers. These products are sold under many brand names, including HP
iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, *IBM IMM*, and Supermicro
IPMI."

  IBM stuff is plagued by embedded controlware, too.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Alessandro Selli
On 06/09/2017 at 19:15, taii...@gmx.com wrote:
> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>
>>The steep price.
>>
> Uhh the laptops you guys are selling now cost just as much as TALOS...

  "you" whom?  I am not a seller.

> only they aren't owner controlled.


  That you know of.  I remember IBM has always been one of the top USA
military's purveyors:

http://newspaperarchives.vassar.edu/cgi-bin/vassar?a=d=miscellany19700206-01.2.13

"In fiscal 1909, IBM contracted for $257,000,000.00 worth of its
products with the United States Department of Defense. 4 The importance
of IBM's military role has grown with the computerization of the
American war effort in Vietnam." (1909 is probably an OCR error, there
are many in the piece; it could be 1969).

  I very much doubt material from IBM can be thought of as being
freedom-and-liberty loving and exempt from any governmental-friendly
"features".  They just don't put it in their public spec sheets like
Intel does.



-- 
Alessandro Selli 
Tel. 3701355486
VOIP SIP: dhatarat...@ekiga.net
Chiave PGP/GPG key: B7FD89FD



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread zap


On 09/06/2017 01:15 PM, taii...@gmx.com wrote:
> On 09/06/2017 06:36 AM, Alessandro Selli wrote:
>
>>    The steep price.
>>
> Uhh the laptops you guys are selling now cost just as much as
> TALOS...only they aren't owner controlled.

Agreed! Talos is at least *LIBRE!*


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread taii...@gmx.com

On 09/06/2017 06:36 AM, Alessandro Selli wrote:


   The steep price.

Uhh the laptops you guys are selling now cost just as much as 
TALOS...only they aren't owner controlled.



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Alessandro Selli
On Wed, 6 Sep 2017 at 15:58:17 +0100
Arnt Gulbrandsen  wrote:

> Alessandro Selli writes:
> >   What makes you think IBM is more trustable than Intel?  Who, other than
> > IBM, produces Power8 CPUs?  Are the blueprints publicly available?
>
> You're just raising the bar to the point where no one can possibly build an 
> acceptable product. 

  I'm raising the hardware bar to the same level as free/open source software.
  If you find it acceptable to use proprietary hardware, then you could as well
use proprietary software.  If you trust FOSS because it's auditable (at least
in principle), then I expect you not to place your blind trust in
proprietary hardware because auditing it is too hard.

  In the past this was not too big an issue, as CPUs were simple enough
that undocumented instructions or registers were discovered sooner or
later.  Today it's a whole different matter, and hardware now weighs almost
(?) as much as software as far as freedom and privacy matter.

  The only CPU that comes somewhat close to meeting the open hardware criteria
that I know of is the OpenSPARC CPU.  Strangely, no mass-produced devices
are based on that platform.

Alessandro


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Arnt Gulbrandsen

Alessandro Selli writes:

  What makes you think IBM is more trustable than Intel?  Who, other than
IBM, produces Power8 CPUs?  Are the blueprints publicly available?


You're just raising the bar to the point where no one can possibly build an 
acceptable product. (Not just you, Alessandro, most people who post to this 
thread.)


Suppose the blueprints are available. Then you could scrutinise them. But 
how big is the chance that you would notice a single gate out of place? Or 
worse, a single gate that has a legitimate purpose but could be subverted 
by a fab-time attacker?


We already know that a single-gate attack is possible: "In this paper, we 
show how a fabrication-time attacker can leverage analog circuits to create 
a hardware attack that is small (i.e., requires as little as one gate) and 
stealthy (i.e., requires an unlikely trigger sequence before effecting a 
chip’s functionality)." Google and read it if you want, the paper makes for 
sad reading. Or you can make a decision about what to guard against and 
stop worrying about the rest.


Arnt



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Hendrik Boom
On Wed, Sep 06, 2017 at 12:36:59PM +0200, Alessandro Selli wrote:
> On Tue, 5 Sep 2017 at 11:53:46 -0400
> "taii...@gmx.com"  wrote:
> > 
> > I take it you work for purismraptor has made a legitimately owner 
> > controlled computer - whats stopping you?
> 
>   The steep price.

Ditto.  It's far more capacity than I need.  Currently using a 
ten-year-old 64-bit AMD processor and it's working fine -- except 
nonessential components (such as USB) are starting to fail, and I 
occasionally replace a disk drive in the software RAID.

Have not replaced it with a modern system out of security concerns.

Want to replace it out of long-term availability concerns.

-- hendrik


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Alessandro Selli
On Tue, 5 Sep 2017 at 20:14:04 +0200
mdn  wrote:

> Hello,
> To make some clarifications:
> -The "High Assurance Platform" belongs to a trusted platform program
> linked to the U.S. National Security Agency (NSA). A graphics-rich
> presentation describing the program can be found here.
> http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf

  It's available at the Internet Archive's Wayback machine:
https://web.archive.org/web/20121211162830/http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf

> note: the link is dead but I have a backup of the pdf.
> If someone needs it just ask.
> 
> -More parts of the ME can be removed thanks to this discovery.
> 
> -The removed part makes the ME go into "TemporaryDisable mode" which is
> undocumented, like a lot of of undocumented instructions
> https://github.com/xoreaxeaxeax/sandsifter/raw/master/references/domas_breaking_the_x86_isa_wp.pdf.
> 
> -This "TemporaryDisable mode" allows the CPU to initialize without the
> ME activated.
>
> -This hack doesn't work on Apollo Lake platforms.
>
> So it doesn't remove the ME, it "neutralises" it, and for what remains we
> can only hope that nothing reinitialises it afterwards since the
> instruction is called Temporary Disable mode.

  There are many things that can be removed, as stated in the same
provided URL:

 Setting the HAP bit
 The aforementioned facts help to reveal the second method of disabling Intel
 ME:

 1. Set the HAP bit.
 2. In the CPD section of the FTPR, remove or damage all modules except
    those required by BUP for startup:
    * RBE
    * KERNEL
    * SYSLIB
    * dBUP
 3. Fix the checksum of the CPD header (for more details on the structure
    of ME firmware, see this paper).

> Imo seeing the awful state of X86 platforms, POWER is our only hope to
> own what we buy.

  Not the only one.  We also have ARM from a number of producers and Chinese
and Russian RISC CPUs.


-- 
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarat...@ekiga.net
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Alessandro Selli
On Tue, 5 Sep 2017 at 11:53:46 -0400
"taii...@gmx.com"  wrote:

> On 09/05/2017 06:34 AM, Alessandro Selli wrote:
> 
>> On Sun, 3 Sep 2017 at 07:32:10 -0400
>> zap  wrote:
>>
>>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>>> On 01/09/2017 at 20:36, zap wrote:
>>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel
>>>>>> soc) Purism isn't a trustworthy company.
>>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>>> can get the latest and the greatest without intel me
>>>>   This is *not* what they claim:
>>>>
>>>> https://puri.sm/learn/intel-me/
>>>>
>>>> "Freeing the ME is a challenge, but not impossible"
>>>>
>>>> "By working with Intel, motherboard design developers, as well as our
>>>> coreboot developers, Purism has put in motion a solid approach on how to
>>>> run a freed Intel ME *in the future*."
>>> Sorry, but have you talked to libreboot or coreboot about this? and
>>> also, not even google with all their money can convince intel to give
>>> their secrets to them. That for me is a solid reason why I said this.
>> The secret is no more a secret:
>>
>> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>>
>> August 28, 2017
>> Disabling Intel ME 11 via undocumented mode
>>
>> "Our team of Positive Technologies researchers has delved deep into the
>> internal architecture of Intel Management Engine (ME) 11, revealing a
>> mechanism that can disable Intel ME after hardware is initialized and the
>> main processor starts. In this article, we describe how we discovered this
>> undocumented mode and how it is connected with the U.S. government's High
>> Assurance Platform (HAP) program."
> That isn't disabling it, it is still involved in the boot process and 
> you are simply again trusting intels word that everything is fine with 
> zero verification.
> 
> I take it you work for purism... raptor has made a legitimately owner 
> controlled computer - what's stopping you?

  The steep price.

> (besides obsession over intel
> x86) It is possible to make a POWER laptop with todays lower wattage POWER
> cpu's.

  What makes you think IBM is more trustable than Intel?  Who, other than
IBM, produces Power8 CPUs?  Are the blueprints publicly available?




Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-06 Thread Alessandro Selli
On Tue, 5 Sep 2017 at 16:05:21 +0200
Edward Bartolo  wrote:

> So, it means, without my knowledge as a computer user, I have a HIDDEN
> OPERATING SYSTEM running under my nose.

  It's much more than that: in the CPU and PCH chip you have 3 (THREE!) CPUs
derived from vintage 486 plus a few modern opcodes (probably related to
hardware cryptography) and an OS derived from Minix that implements ME and
related subsystems.

> Securitywise, it is like
> running MS Windows notwithstanding I am running Devuan ASCII!
>
> With all this, a tinfoil hat is completely useless. I need an armoured
> hat with the same thickness like a war tank, but will it help?

  The whole harness is supposed to be disabled as described in the link to
the Positive Technologies team.

> Hiding a complete OS integrated on the main processor's silicon die,
> and to add insult to injury, complete with a dedicated processor,
> filesystem and all!

  Yep, that's it!  Three cores that run their own OS separated from the main
CPU.  Scary!





Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Enrico Weigelt, metux IT consult

On 06.09.2017 03:14, mdn wrote:
>> If I understood it correctly, they managed to boot a modified firmware
>> on that ME core, so it theoretically should be possible to run an
>> entirely own firmware on it. Maybe barebox or plan9.
>
> They did manage to boot a modified firmware but there are still components
> that aren't yet removed.
> --it also removes all the modules from the images except RBE, KERNEL,
> SYSLIB, and BUP--
> So the modules RBE, KERNEL, SYSLIB and BUP are still there and if you
> read correctly
> --It should be noted that ROM, RBE, and KERNEL are executed at the zero
> privilege level (in ring-0) of the MIA kernel.--

The interesting question here is whether these parts could be replaced.

If I understood it correctly, they didn't remove these parts yet, as
they're still needed to bring up the main cpu. I'd guess it's only a
matter of time until they find out how to do it on their own.

> But as I see things it would be faster to go on POWER and besides
> faster we are 100% sure that there isn't anything in the background that
> we don't know about.

Assuming there'll be suitable and affordable boards in near future.

>> What about ARM ?
>
> They began to implement similar ME/PSP functions I unfortunately don't
> remember the name of it so if someone knows please post it.

I'm only aware of the TrustZone stuff. But that's not enabled by default
(more precisely: on poweron, the cpu is in "secure" mode, until
explicitly switched down to "normal mode"). For a complete lock-down,
you'd need a soc w/ internal boot flash (most of the socs boot from
external media) and burn the fuses. The CPUs you can buy are usually
open (and only closed-down by board vendors, if done at all) - anything
else wouldn't work well in embedded world. Completely custom boards
are the usual standard here.

> There's also the GPU problem, there is zero effort from allwinner to
> free their MALI GPU and worse they persecute those who try to reverse
> engineer it (see the LIMA driver developer) that's why no 100% free
> driver is available.

Just don't buy that crap. There're other options, eg. vivante is already
opened. (nobody who still has a piece of sanity ever uses proprietary
drivers)


--mtx



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread mdn


On 06/09/2017 04:13, Enrico Weigelt, metux IT consult wrote:
> On 05.09.2017 18:14, mdn wrote:
> 
> 
> 
> If I understood it correctly, they managed to boot a modified firmware
> on that ME core, so it theoretically should be possible to run an
> entirely own firmware on it. Maybe barebox or plan9.
They did manage to boot a modified firmware but there are still components
that aren't yet removed.
--it also removes all the modules from the images except RBE, KERNEL,
SYSLIB, and BUP--
So the modules RBE, KERNEL, SYSLIB and BUP are still there and if you
read correctly
--It should be noted that ROM, RBE, and KERNEL are executed at the zero
privilege level (in ring-0) of the MIA kernel.--
As for the theoretical completely free firmware, only the future will
tell us.
But as I see things it would be faster to go on POWER and besides
faster we are 100% sure that there isn't anything in the background that
we don't know about.
Because as time goes on in the X86 exploration we find surprise after
surprise.

> 
> Having a serial console (maybe via some free gpios ?) would be a really
> cool things.
> 
>> Imo seeing the awful state of X86 platforms, POWER is our only hope to
>> own what we buy.
> 
> What about ARM ?
They began to implement similar ME/PSP functions I unfortunately don't
remember the name of it so if someone knows please post it.
There's also the GPU problem, there is zero effort from allwinner to
free their MALI GPU and worse they persecute those who try to reverse
engineer it (see the LIMA driver developer) that's why no 100% free
driver is available.
But still recently there have been people who try to do something about it.
http://lists.phcomp.co.uk/pipermail/arm-netbook/2017-May/013845.html
https://people.freedesktop.org/~cbrill/dri-log/?channel=lima=2017-06-23
I hope they'll be ok.

If you are interested in ARM I suggest that you go on the ARM-netbook
mailing list.
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
> 
> 
> --mtx
> 






Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Enrico Weigelt, metux IT consult

On 05.09.2017 18:14, mdn wrote:

If I understood it correctly, they managed to boot a modified firmware
on that ME core, so it theoretically should be possible to run an
entirely own firmware on it. Maybe barebox or plan9.

Having a serial console (maybe via some free gpios ?) would be a really
cool thing.

> Imo seeing the awful state of X86 platforms, POWER is our only hope to
> own what we buy.

What about ARM ?


--mtx



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread taii...@gmx.com

On 09/05/2017 03:00 PM, Hendrik Boom wrote:
> so it looks as if that legitimately owner-controlled computer
> project
> based on the POWER processor has died.
>
> Anyone know better?  Is it still continuing in some form?


That was TALOS 1 (POWER8), the new hotness is TALOS 2 (POWER9).

They are waiting for IBM to release POWER9 CPU's to the public, so it is 
a real ready to ship product not a crowd-funding campaign - and by my 
cynical standards it is simply incredible.
As a reminder it is $2.1K for the board and CPU, so quite affordable by 
server hardware pricing standards (you would pay more for less if you 
went with the closed source x86 for that many threads) and one can buy 
it with bitcoin too which is pretty sick.


Raptor is a great company that has also made the libre firmware and 
OpenBMC port for various pre-PSP AMD x86 motherboards such as the 
KGPE-D16 and KCMA-D8 both of which work nicely, they have a proven track 
record and are a member of IBM's OpenPOWER foundation.



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread mdn


On 05/09/2017 21:00, Hendrik Boom wrote:
> On Tue, Sep 05, 2017 at 11:53:46AM -0400, taii...@gmx.com wrote:
>>
>> I take it you work for purism... raptor has made a legitimately owner
>> controlled computer - what's stopping you? (besides obsession over intel x86)
>> It is possible to make a POWER laptop with today's lower wattage POWER cpu's.
> 
> on 
> https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/the-state-of-owner-controlled-computing-as-talos-winds-down
>
This is old, here's the new one
https://www.raptorcs.com/TALOSII/
Here's the archive.org
https://web.archive.org/web/20170904050410/https://www.raptorcs.com/TALOSII/
The website was accessible a few days ago I don't know why it's not
accessible right now.

> I read
> 
> : Raptor Engineering is grateful to have had the opportunity to run 
> : this campaign, and would like to thank the community for all of the 
> : support we received during this nearly year-long endeavor. We will 
> : not be receiving any of the pledged funds from the crowdfunding 
> : campaign. If you’ve already placed a pre-order for a POWER8 CPU via 
> : Crowd Supply, you will be fully refunded. If you placed a 
> : crowdfunding pledge for a Talos™ product, you have not yet been and 
> : will not be charged.
> : 
> : We will not be continuing development of the Talos™ systems, however 
> : we are willing to license parts of the Talos™ technology, such as 
> : FlexVer™, to other manufacturers.
> 
> so it looks as if that legitimately owner-controlled computer 
> project 
> based on the POWER processor has died.
> 
> Anyone know better?  Is it still continuing in some form?
> 
> -- hendrik

-- 
Freely
BERNARD

FR: Please use GPG for our future conversations:
https://emailselfdefense.fsf.org/fr/
If this email is not signed, it is not from me.

ENG: Please be kind enough to use GPG for our future conversations:
https://emailselfdefense.fsf.org/en/
If this email isn't PGP signed then it isn't mine.

-If you can't compile it dump it.





Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Hendrik Boom
On Tue, Sep 05, 2017 at 11:53:46AM -0400, taii...@gmx.com wrote:
> 
> I take it you work for purism... raptor has made a legitimately owner
> controlled computer - what's stopping you? (besides obsession over intel x86)
> It is possible to make a POWER laptop with today's lower wattage POWER cpu's.

on 
https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/the-state-of-owner-controlled-computing-as-talos-winds-down

I read

: Raptor Engineering is grateful to have had the opportunity to run 
: this campaign, and would like to thank the community for all of the 
: support we received during this nearly year-long endeavor. We will 
: not be receiving any of the pledged funds from the crowdfunding 
: campaign. If you’ve already placed a pre-order for a POWER8 CPU via 
: Crowd Supply, you will be fully refunded. If you placed a 
: crowdfunding pledge for a Talos™ product, you have not yet been and 
: will not be charged.
: 
: We will not be continuing development of the Talos™ systems, however 
: we are willing to license parts of the Talos™ technology, such as 
: FlexVer™, to other manufacturers.

so it looks as if that legitimately owner-controlled computer 
project 
based on the POWER processor has died.

Anyone know better?  Is it still continuing in some form?

-- hendrik


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread mdn
Hello,
To make some precisions:
-The "High Assurance Platform" belongs to a trusted platform program
linked to the U.S. National Security Agency (NSA). A graphics-rich
presentation describing the program can be found here.
http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf
note: the link is dead but I have a backup of the pdf.
If someone needs it just ask.

-More parts of the ME can be removed thanks to this discovery.

-The removed part makes the ME go into "TemporaryDisable mode" which is
undocumented, like a lot of undocumented instructions
https://github.com/xoreaxeaxeax/sandsifter/raw/master/references/domas_breaking_the_x86_isa_wp.pdf.

-This "TemporaryDisable mode" allows the CPU to initialize without the
ME activated.

-This hack doesn't work on Apollo Lake platforms.

So it doesn't remove the ME, it "neutralises" it, and for what remains we
can only hope that nothing reinitialises it afterwards since the
instruction is called Temporary Disable mode.

Imo seeing the awful state of X86 platforms, POWER is our only hope to
own what we buy.

On 05/09/2017 12:34, Alessandro Selli wrote:
> On Sun, 3 Sep 2017 at 07:32:10 -0400
> zap  wrote:
> 
>>
>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>> On 01/09/2017 at 20:36, zap wrote:
>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel soc)
>>>>> Purism isn't a trustworthy company.
>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>> can get the latest and the greatest without intel me
>>>   This is *not* what they claim:
>>>
>>> https://puri.sm/learn/intel-me/
>>>
>>> "Freeing the ME is a challenge, but not impossible"
>>>
>>> "By working with Intel, motherboard design developers, as well as our
>>> coreboot developers, Purism has put in motion a solid approach on how to
>>> run a freed Intel ME *in the future*."
>> Sorry, but have you talked to libreboot or coreboot about this? and
>> also, not even google with all their money can convince intel to give
>> their secrets to them. That for me is a solid reason why I said this.
> 
>   The secret is no more a secret:
> 
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> 
> August 28, 2017
> Disabling Intel ME 11 via undocumented mode 
> 
> "Our team of Positive Technologies researchers has delved deep into the
> internal architecture of Intel Management Engine (ME) 11, revealing a
> mechanism that can disable Intel ME after hardware is initialized and the
> main processor starts. In this article, we describe how we discovered this
> undocumented mode and how it is connected with the U.S. government's High
> Assurance Platform (HAP) program."
> 
> 
>   Good hacking! :-)
> 
> 



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Narcis Garcia
On 05/09/17 at 16:05, Edward Bartolo wrote:
> Hiding a complete OS integrated on the main processor's silicon die,
> and to add insult to injury, complete with a dedicated processor,
> filesystem and all!

This is the point that makes me doubt about those theories.
I'm sure this type of backdoors must be driven with operating system
work (collaboration between hardware and software).


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Arnt Gulbrandsen

taii...@gmx.com writes:
> I take it you work for purism... raptor has made a legitimately 
> owner controlled computer - what's stopping you?


Is that an actual owner-controlled computer, or is it controlled by whoever 
is at the keyboard? Or is it controlled by all the people who have a 
certain password?


Arnt



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread taii...@gmx.com
Well gee shows over folks we can go home as the good people at the NSA 
have made a nice little feature to shut off that thing all the kids are 
complaining about.


Hypothetical backdoor team "Aw shucks they got us!" "Damn they're using 
a non-intel NIC - what will we do now?"


If you can't trust some shadowy security research firm who can you trust!


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread taii...@gmx.com

On 09/05/2017 06:34 AM, Alessandro Selli wrote:
> On Sun, 3 Sep 2017 at 07:32:10 -0400
> zap  wrote:
>
>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>> On 01/09/2017 at 20:36, zap wrote:
>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel soc)
>>>>> Purism isn't a trustworthy company.
>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>> can get the latest and the greatest without intel me
>>>   This is *not* what they claim:
>>>
>>> https://puri.sm/learn/intel-me/
>>>
>>> "Freeing the ME is a challenge, but not impossible"
>>>
>>> "By working with Intel, motherboard design developers, as well as our
>>> coreboot developers, Purism has put in motion a solid approach on how to
>>> run a freed Intel ME *in the future*."
>> Sorry, but have you talked to libreboot or coreboot about this? and
>> also, not even google with all their money can convince intel to give
>> their secrets to them. That for me is a solid reason why I said this.
>
>   The secret is no more a secret:
>
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>
> August 28, 2017
> Disabling Intel ME 11 via undocumented mode
>
> "Our team of Positive Technologies researchers has delved deep into the
> internal architecture of Intel Management Engine (ME) 11, revealing a
> mechanism that can disable Intel ME after hardware is initialized and the
> main processor starts. In this article, we describe how we discovered this
> undocumented mode and how it is connected with the U.S. government's High
> Assurance Platform (HAP) program."

That isn't disabling it, it is still involved in the boot process and 
you are simply again trusting intel's word that everything is fine with 
zero verification.

I take it you work for purism... raptor has made a legitimately owner 
controlled computer - what's stopping you? (besides obsession over intel x86)

It is possible to make a POWER laptop with today's lower wattage POWER cpu's.


Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread zap


On 09/05/2017 11:08 AM, Dr. Nikolaus Klepp wrote:
> On Tuesday, 5 September 2017, Edward Bartolo wrote:
>> So, it means, without my knowledge as a computer user, I have a HIDDEN
>> OPERATING SYSTEM running under my nose. Securitywise, it is like
>> running MS Windows notwithstanding I am running Devuan ASCII!
>>
>> With all this, a tinfoil hat is completely useless. I need an armoured
>> hat with the same thickness like a war tank, but will it help?
>>
>> Hiding a complete OS integrated on the main processor's silicon die,
>> and to add insult to injury, complete with a dedicated processor,
>> filesystem and all!
> Welcome to the land of the free ...
>
> Nik
>
Or what used to be the land of the free...



Re: [DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Dr. Nikolaus Klepp
On Tuesday, 5 September 2017, Edward Bartolo wrote:
> So, it means, without my knowledge as a computer user, I have a HIDDEN
> OPERATING SYSTEM running under my nose. Securitywise, it is like
> running MS Windows notwithstanding I am running Devuan ASCII!
> 
> With all this, a tinfoil hat is completely useless. I need an armoured
> hat with the same thickness like a war tank, but will it help?
> 
> Hiding a complete OS integrated on the main processor's silicon die,
> and to add insult to injury, complete with a dedicated processor,
> filesystem and all!

Welcome to the land of the free ...

Nik



-- 
Please do not email me anything that you are not comfortable also sharing with 
the NSA, CIA ...


[DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Edward Bartolo
So, it means, without my knowledge as a computer user, I have a HIDDEN
OPERATING SYSTEM running under my nose. Securitywise, it is like
running MS Windows notwithstanding I am running Devuan ASCII!

With all this, a tinfoil hat is completely useless. I need an armoured
hat with the same thickness like a war tank, but will it help?

Hiding a complete OS integrated on the main processor's silicon die,
and to add insult to injury, complete with a dedicated processor,
filesystem and all!


[DNG] Purism Librem and disabling Intel ME: it can be done [ Re: TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server ]

2017-09-05 Thread Alessandro Selli
On Sun, 3 Sep 2017 at 07:32:10 -0400
zap  wrote:

> 
> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>> On 01/09/2017 at 20:36, zap wrote:
>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>> still haven't even gotten a blobbed version of coreboot working
>>>> (blobbed init code + ME enabled as they insisted on a crappy intel soc)
>>>> Purism isn't a trustworthy company.
>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>> can get the latest and the greatest without intel me
>>   This is *not* what they claim:
>>
>> https://puri.sm/learn/intel-me/
>>
>> "Freeing the ME is a challenge, but not impossible"
>>
>> "By working with Intel, motherboard design developers, as well as our
>> coreboot developers, Purism has put in motion a solid approach on how to
>> run a freed Intel ME *in the future*."
> Sorry, but have you talked to libreboot or coreboot about this? and
> also, not even google with all their money can convince intel to give
> their secrets to them. That for me is a solid reason why I said this.

  The secret is no more a secret:

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

August 28, 2017
Disabling Intel ME 11 via undocumented mode 

"Our team of Positive Technologies researchers has delved deep into the
internal architecture of Intel Management Engine (ME) 11, revealing a
mechanism that can disable Intel ME after hardware is initialized and the
main processor starts. In this article, we describe how we discovered this
undocumented mode and how it is connected with the U.S. government's High
Assurance Platform (HAP) program."


  Good hacking! :-)

