Re: [coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-09-04 Thread Gregg Levine
Hello!
Peter thank you for explaining the issue completely and thoroughly.
Now that we've reached the issue where we know why the dratted thing
is present, it is safe to say that this issue is finished as far as I
am concerned.
-
Gregg C Levine gregg.drw...@gmail.com
"This signature fought the Time Wars, time and again."


On Tue, Sep 4, 2018 at 7:09 PM, John Keates  wrote:
> (I cut out the large amount of text to prevent the mail length from growing
> to the extreme)
>
> Basically, if money and time were no issue, you had one real blocking issue
> preventing you from just buying an Intel CPU and building a system around
> it: legal reasons.
> Intel does not give anyone the information needed to completely build a
> comparable platform around one of their CPUs.  Perhaps you could (since you
> could have infinite money) buy Intel or a controlling part of Intel to
> influence this, but that’s about it.
> Another thing locked by legalese documents would be people that have the
> skills and experience to do this. There aren’t a lot of them and almost all
> of them work at Intel.
>
> The x86 platform is not just about some registers, some PCB design and some
> code; if that was all there was to it, anyone could build something with the
> right information. There is deep knowledge and insight at the implementation
> level of the silicon and microcode (and bootrom!) required to build
> something around an Intel CPU from scratch. Some legal measures prevent
> people at Intel from working at a comparable job in a competitive manner. At
> the same time, those people might have status or perks in a non-monetary
> fashion that you cannot give them. Short of stealing people, you may simply
> not have a way to get access to the people required to build anything.
>
> So, would it technically be possible to build something from scratch based
> on an Intel CPU? Yes. But it is not feasible. Not even with 1000 people and a
> billion dollars. Perhaps with 100k people and 100 billion dollars.
>
> Regards,
> John
>
> On 4 Sep 2018, at 18:16, Peter Stuge  wrote:
>
> [ …]
>
>
>
> --
> coreboot mailing list: coreboot@coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot

-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-09-04 Thread John Keates
(I cut out the large amount of text to prevent the mail length from growing to 
the extreme)

Basically, if money and time were no issue, you had one real blocking issue 
preventing you from just buying an Intel CPU and building a system around it: 
legal reasons.
Intel does not give anyone the information needed to completely build a 
comparable platform around one of their CPUs.  Perhaps you could (since you 
could have infinite money) buy Intel or a controlling part of Intel to 
influence this, but that’s about it.
Another thing locked by legalese documents would be people that have the skills 
and experience to do this. There aren’t a lot of them and almost all of them 
work at Intel. 

The x86 platform is not just about some registers, some PCB design and some 
code; if that was all there was to it, anyone could build something with the 
right information. There is deep knowledge and insight at the implementation 
level of the silicon and microcode (and bootrom!) required to build something 
around an Intel CPU from scratch. Some legal measures prevent people at Intel 
from working at a comparable job in a competitive manner. At the same time, 
those people might have status or perks in a non-monetary fashion that you 
cannot give them. Short of stealing people, you may simply not have a way to 
get access to the people required to build anything.

So, would it technically be possible to build something from scratch based on an 
Intel CPU? Yes. But it is not feasible. Not even with 1000 people and a billion 
dollars. Perhaps with 100k people and 100 billion dollars.

Regards,
John

> On 4 Sep 2018, at 18:16, Peter Stuge  wrote:
> 
> [ …]


Re: [coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-09-04 Thread Peter Stuge
Philipp Stanner wrote:
> I might have one: What does stop a motherboard-vendor from just buying
> a CPU and implementing it?

It just isn't the common case anymore, if it ever was.

Platform vendors (Intel and AMD) move away from that use case.

No high-end x86 machines are intended to be created that way now, for
several reasons; time-to-market, know-how and intellectual property
are a few that I can think of right away.

Time-to-market and know-how go together; as x86 platforms evolve it
becomes increasingly difficult for anyone but the platform vendor to
design a reliable system with maximum performance in minimum time.

Platform vendors have delivered reference designs (CRBs or Customer
Reference Boards) for decades, and always several years before the
actual platform ships, so that customers have some time to design
their products, so that retail products can be launched at the same
time as the platform.

Each new platform seems to have a shorter lifetime than the previous,
so it becomes increasingly difficult for anyone but the platform
vendor themselves to design a reliable system with max performance in
that constantly shrinking timeframe between platform freeze and
platform launch.

And performance requirements/expectations grow that problem exponentially
over time.


> Which chips, beside the CPU, do you need from Intel in any case to
> make the machine work?

The relevant concept is "platform" - and a platform is whatever Intel
offers, because almost no one has time, knowledge and money to really
innovate significantly every 12 or even 6 months. The platform churn
is too fast for an OEM to innovate.

Google could only realize Chrome machines by taking an ODM role; i.e.
by creating their own reference designs and building blocks for OEMs
to turn into retail products.

In those reference designs they could introduce innovative features,
like the Chrome EC and verified boot with coreboot, but such innovation
is completely foreign to the daily business of an OEM that has to churn
out Windows machines in sync with platform vendors' new platforms.


> I always thought of the CPU just as a machine executing code,

That's accurate up to and including the Pentium; since the
Pentium Pro it's not really the case anymore. Up until Pentium, Intel
was able to design and ship a CPU building block without serious issues.

The Pentium recall was very expensive and Intel would not want to repeat
that, so they would have had to change how they did things.

Ever since that time, the platform integration is tighter and tighter.

And that has its benefits too. More integration = less power consumption
and more reliability because there are fewer things a customer
(mainboard designer) can get wrong.


> and assumed it's possible to use it just as any microcontroller:

No, that hasn't been the case for a long time. Increasing integration
has more benefits for platform vendors:

If you deliver ever larger macro blocks then you lock out the competition,
offer less power hungry products, and also there is no longer any reason
to deliver accurate documentation.

Accurately documenting a modern x86 system requires tens if not hundreds
of thousands of pages, which would also have to be produced, reviewed for
technical correctness and compliance within the short time between
freeze and launch. That is of course bound to fail, and as many firmware
developers can tell you, register level documentation for x86 systems
is absolutely not comparable to that for a microcontroller or GHz SoC.


> You can add the ME-Chipset, but you don't have to.

Please read the PEST/PSTR book about the ME, published by Intel.

http://www.apress.com/9781430265719

From the book it is clear that Intel considers the ME to be the only
trustworthy environment in an x86 machine, it is used to check
firmware signatures (BootGuard), store keys (TPM is no longer a chip,
but software in the ME), pass DRM content directly to GPU without
allowing Windows to ever see the unencrypted data (PAVP), etc.

For any of that to work, the ME must necessarily be inside the CPU,
and so it is. The ME isn't a separate chip, never was.

Here's my favorite quote from the book, on p. 165:

"The owner of a platform is not always the one to protect."


//Peter



Re: [coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-09-03 Thread John Keates
> On 3 Sep 2018, at 11:54, Philipp Stanner  wrote:
> 
> On Wednesday, 29.08.2018, 04:09 -0400, Youness Alaoui wrote:
>> If there are more specific questions that you have, ask them and I
>> might be able to answer them!
> 
> I might have one: What does stop a motherboard-vendor from just buying
> a CPU and implementing it? Which chips, beside the CPU, do you need
> from Intel in any case to make the machine work?

As usual, it boils down to money. You also need data from Intel to make a CPU 
work (microcode, FSP).
Creating a chipset, making RAM work etc. can easily cost you hundreds of 
millions. On top of that, it’s hard to make money off of it, making it 
double-bad from a capitalistic-commercial perspective.
There is a reason you don’t get to choose a chipset anymore; Nvidia and VIA 
(and others) once were in the business of making chipsets, but not any more.


> I always thought of the CPU just as a machine executing code, and
> assumed it's possible to use it just as any microcontroller: You can
> add the ME-Chipset, but you don't have to.
> 

Well, yes and no. There are plenty of CPU models out there that require 
specific Intel code to work, some of them cryptographically locking anyone else 
out.
End-users don’t care, and technical users don’t have enough power to do 
anything about it on the Intel side of things.

> Philipp
> 
> 

Regards,
John



Re: [coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-09-03 Thread Philipp Stanner
On Wednesday, 29.08.2018, 04:09 -0400, Youness Alaoui wrote:
> If there are more specific questions that you have, ask them and I
> might be able to answer them!

I might have one: What does stop a motherboard-vendor from just buying
a CPU and implementing it? Which chips, beside the CPU, do you need
from Intel in any case to make the machine work?
I always thought of the CPU just as a machine executing code, and
assumed it's possible to use it just as any microcontroller: You can
add the ME-Chipset, but you don't have to.

Philipp




Re: [coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-08-29 Thread Youness Alaoui
I think there's a good explanation of it in the FAQ of the libreboot
project here : https://libreboot.org/faq.html#intelme
If there are more specific questions that you have, ask them and I
might be able to answer them!

On Wed, Aug 29, 2018 at 2:36 AM Gregg Levine  wrote:
>
> Hello!
> Would one of you, or even any of you please take some time out of your
> busy schedule and ponder the subject? And of course try to respond
> accordingly?
>
> Bootguard sadly I am familiar with, but the Intel ME product I confess
> I understand a portion about it. And not enough to mention here.
> -
> Gregg C Levine gregg.drw...@gmail.com
> "This signature fought the Time Wars, time and again."
>



[coreboot] Intel ME what is it? And when did this dangerous thing get installed?

2018-08-29 Thread Gregg Levine
Hello!
Would one of you, or even any of you please take some time out of your
busy schedule and ponder the subject? And of course try to respond
accordingly?

Bootguard sadly I am familiar with, but the Intel ME product I confess
I understand a portion about it. And not enough to mention here.
-
Gregg C Levine gregg.drw...@gmail.com
"This signature fought the Time Wars, time and again."
