Highly Secure Processors (Addressing Intel ME & AMD PSP)

Suggested category/tag: Hardware

I wanted to create a thread collecting ideas/knowledge about highly secure processors. I’ve been reading about the management engines (MEs) Intel and AMD have been adding to their processors and how much control these have over the computers and have been trying to find hardware that mitigates this risk.

NOTE: I know there are a lot more impactful things we can do with changes to our habits and the software we use. I also know a community taking basic steps might be a prerequisite to being able to address deeper issues. However, we can change our software and even change our habits much quicker than we can change our hardware. Given what private companies are doing “in compliance with governments” to the Russians, I think this topic is worth having.

General:

  • Older processors don’t have management engines (MEs)?
  • Certain types (i.e. ARM) don’t have MEs
  • Intel MEs can be disabled by deleting the firmware (at the risk of some to total loss of functionality)
  • Intel MEs can be disabled with a disable bit (if this can be found for a given processor)
  • Intel MEs can be disabled with a signal (same as above? also, seems like the ME still has the potential to refuse)

Laptops:

  • Intel does not officially support disabling ME, so Dell, Lenovo, etc. won’t do it
  • Purism - Librem 14 looks like a good solution, but I have seen mixed reviews and it’s expensive
  • System 76 - no longer disables MEs on 11th gen Intel processors (however, they offer firmware you can flash yourself for the Galago and Lemur models at the cost of sleep power throttle here: WIP: disable ME on galp5 and lemp10 by jackpot51 · Pull Request #217 · system76/firmware-open · GitHub)
  • StarLabs - they do disable the Intel ME on 11th gen processors - I think with a signal
  • PineBook - ARM processor laptop which is sweet, but lower end performance

Desktops/Servers:

  • Custom builds are the best option, but I don’t have time to research all the devices especially because I am prone to analysis paralysis
  • System 76 - doesn’t mention disabling MEs on their Thelios
  • Purism - seems expensive, but definitely seem viable
  • I haven’t spent as much time looking, but I don’t see many pre-built options (maybe because of custom builds)

RAID Controllers

  • Raspberry Pi - DIY which is cool, but might not be very performant?
  • Synology systems - I can’t tell what processors they use so I don’t know if they have MEs

I’m looking for a desktop/server and a RAID system myself so if anyone has ideas or suggestions for me, I would appreciate them!

I will try to edit this post with more information I find or I see in the comments so it can be a resource as well as my question. I’m also open to ideas for narrowing or breaking up this topic if discussing all 3 of these systems in one place is too much. Or if there is a more exhaustive discussion somewhere else, I can move my work here.

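The post above lists two ME disable routes without showing what they actually touch in the flash image: the "disable bit" (the HAP bit on Skylake and later, the AltMeDisable bit on older chipsets) lives in the PCH strap area of the Intel flash descriptor, and the "delete the firmware" route means truncating partitions inside the ME region that the descriptor's region table points to. The Python below is an added example, not code from the thread or from any of the vendors named in it; it parses a flash descriptor, locates the ME region, and reads or sets the disable bit. The descriptor layout and strap offsets are an assumption taken from what me_cleaner uses (signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, region table at FRBA, PCH straps at FPSBA, HAP = PCHSTRP0 bit 16, AltMeDisable = PCHSTRP10 bit 7); check them against your platform's datasheet before writing anything to flash. The sample image is constructed inline, not dumped from real hardware.

```python
"""Added example (not from the thread): find the Intel ME region in a SPI
flash image and check/set the ME disable strap bit (HAP on ME 11+,
AltMeDisable on older chipsets) in the flash descriptor.

ASSUMPTION: offsets and bit positions follow what me_cleaner uses; they are
not taken from the thread and must be verified per platform.
"""
import struct

DESC_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def parse_descriptor(img):
    """Return FRBA, FPSBA and the (start, end) of each used flash region.
    Raises ValueError if the image does not start with a flash descriptor."""
    if _u32(img, 0x10) != DESC_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at 0x10")
    flmap0 = _u32(img, 0x14)
    flmap1 = _u32(img, 0x18)
    frba = ((flmap0 >> 16) & 0xFF) << 4        # flash region table base
    fpsba = ((flmap1 >> 16) & 0xFF) << 4       # PCH straps base
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = _u32(img, frba + 4 * i)
        start = (flreg & 0x7FFF) << 12
        end = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if start <= end:                       # start > end marks an unused region
            regions[name] = (start, end)
    return {"frba": frba, "fpsba": fpsba, "regions": regions}


def disable_bit_location(fpsba, me11):
    """Offset and mask of the strap bit that asks the ME to halt early in boot
    (assumed: HAP = PCHSTRP0 bit 16 for ME 11+, AltMeDisable = PCHSTRP10 bit 7)."""
    if me11:
        return fpsba + 0x00, 1 << 16
    return fpsba + 0x28, 1 << 7


def me_disable_bit_set(img, me11=True):
    desc = parse_descriptor(img)
    off, mask = disable_bit_location(desc["fpsba"], me11)
    return bool(_u32(img, off) & mask)


def set_me_disable_bit(img, me11=True):
    """Return a copy of img with the disable bit set. Nothing else is touched:
    the ME firmware stays in the ME region, the bit only requests that the ME
    stop after its early initialisation."""
    out = bytearray(img)
    desc = parse_descriptor(out)
    if "ME" not in desc["regions"]:
        raise ValueError("image has no ME region; nothing to disable")
    off, mask = disable_bit_location(desc["fpsba"], me11)
    struct.pack_into("<I", out, off, _u32(out, off) | mask)
    return bytes(out)


def build_sample_image():
    """Constructed descriptor (first 4 KiB only): descriptor 0x0-0xFFF,
    ME 0x3000-0x5FFFFF, BIOS 0x600000-0x7FFFFF, GbE/PDR unused.
    FRBA = 0x40, FPSBA = 0x100, all straps zero."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, 0x10, DESC_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)       # FLMAP0: FRBA field = 0x04
    struct.pack_into("<I", img, 0x18, 0x10 << 16)       # FLMAP1: FPSBA field = 0x10
    flregs = [0x00000000,                               # Descriptor
              0x07FF0600,                               # BIOS
              0x05FF0003,                               # ME
              0x00007FFF,                               # GbE (unused)
              0x00007FFF]                               # Platform Data (unused)
    for i, v in enumerate(flregs):
        struct.pack_into("<I", img, 0x40 + 4 * i, v)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for name, (s, e) in parse_descriptor(img)["regions"].items():
        print(f"{name:14s} 0x{s:07x}-0x{e:07x}")
    print("HAP set before:", me_disable_bit_set(img))
    patched = set_me_disable_bit(img)
    print("HAP set after: ", me_disable_bit_set(patched))
```

Two practical caveats for anyone trying this on a real dump: the descriptor region is normally read-only from the running OS, so writing the modified image back usually needs an external SPI programmer; and setting the bit is not the same as the firmware-deletion route, since the ME code is still present in flash and still runs its earliest boot stage.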

I believe Coreboot and Libreboot remove the Intel ME. They are FOSS replacements for BIOS/UEFI. There is a limited number of motherboards that can be flashed with them.

Here is a list of boards supported by Coreboot: status report for coreboot boards

I have the Thelio with an Intel processor. According to what I can find, they have done a firmware update that disables the IME via that route; hopefully on the Thelio as well since this article. My guess would be yes, based on what the company seems to be about. This is a topic I’ve also been interested in knowing more about.