Who is This Post For?
Anybody with the following abstract goals:
Seeks ME-neutralised hardware, or hardware without AMD PSP or Intel ME entirely.
Seeks secure, moddable firmware
Seeks a hackable and/or upgradable laptop (that preferably only they can hack)
A laptop that works well with Qubes (see here for ‘just works’)
Given the above, this post ought to serve as a quick-hub ‘filter’ for individuals to find the right balance between new/old, moddable/shiny, etc.
I will refine this as people criticise and give feedback; for now it’s quite high-level, but I hope somebody finds it useful.
This post is intended to be the ‘go-to’ place on the forum for all questions about Intel-inside laptops for Qubes, relating strictly to layers 0, -2, -3 and -4 (explained below).
To prevent this becoming Wikipedia, I will reference relevant links; much reading ahoy.
Firmware/Hardware/Software Layer Abstraction Codes
|-4||Physics (design, upgradability, etc)|
Keeping the list Slim
To keep the list slim, there will be requirements at each layer (excluding layer -1). As this post is criticised and others give feedback, I will update the requirements accordingly.
Current List (keep checking)
If you know of any open-source projects that document how to neutralise AMD PSP (and know of any heads equivalents, etc.), I will revise this.
Why would anybody worry about Intel ME as a threat?
We all have different Threat Models - Defense in Depth is always better than none.
Why have you only mentioned coreboot & heads?
I am not aware of any ‘stable’ equivs. that satisfy the other requirements.
Why 16 GB RAM min, 32 GB preferred?
To tame R4.1 and most use-cases, 16 GB is the required minimum. 32 GB is preferred for long-term support.
Why TXE removable preferred?
Because me_cleaner now supports this, and it is DiD at little added cost.
Why 4 core-option minimum?
Because some of us like to pin CPU0 to dom0 for security.
Why <= 5th gen Intel Core?
Because only that year’s TXE has been confirmed removable.
Every additional generation is more complex hardware, not just Intel ME but the mobo, firmware etc, and I do not have a holistic understanding of all the extra complexity - so I deem it an unacceptable risk.
How can I pin cores?
Guide coming soon.
Credits (not possible without):
@Sven for the HCL & Community-Recommended List
@deeplow for keeping it tidy
All the core-team, mod and admin team.
All those who took the time to read, and everyone who is signed-up to the forum
Everybody on the osfw slack
Work in Progress
There is currently on-going discussion regarding me_cleaner and the security of gen >5. It is highly likely this will be revised ‘soon’.
Intel ME 11.x is the last ME publicly known (to the best of my knowledge) to be ‘cleanable’, rather than simply ‘ask nicely to disable*’ (*aka HAP bit). Hence, for now, this list will not go beyond Intel ME 11.x, so that is Intel Core gen 7/8.
I may, (probably), have misinterpreted Intel ME vs TXE meaning. I am awaiting clarification on this.
Until somebody can prove otherwise, the <=5th gen mandate remains in place. Although the first 64 GB RAM support for a consumer-available laptop CPU is 6th gen, I am not aware of any instance where FSP etc. (which coreboot requires for >3rd gen; thanks @airelemental for the tip-off) and the extra-new cr$p/firmware are neutralised.
The only exception I am likely to make is to 6th/7th gen, so we can get a 64 GB RAM laptop with Intel ME partially nuked/neutralised onto the list.
If anybody is aware of progress R/E W530 & heads, please let us know.