Has there been any development in the server space with respect to Coreboot/Libreboot capable
hardware? Either AMD or Intel with neutered/disabled IntelME/PSP?
1 Like
(made the title a bit more specific)
1 Like
ah ok is this new?
is it even possible to remove IntelME on Intel Xeon?
That page says
our fully-auditable secure boot process that replaces the existing BIOS with coreboot, neutralizes and disables the Intel Management Engine
but I didn’t verify it myself. It was introduced in December 2019.
Technical details would be great.
I thought only pre-2006 Intel you could successfully neuter the ROM modules necessary.
necessary to both boot and disable/neuter Intel ME
The pre-2006 CPUs can fully remove ME, the post-2006 CPUs can only partly remove ME.
Removing everything except what is needed to use the CPU is what is known as neutralizing ME. Disabling ME is using HAP to have ME disable itself, which doesn’t remove any code from ME.
Neutralizing stopped working around 8th/10th gen, but HAP disable works on all Intel CPUs.
3 Likes
Some technical details (but not for Intel Xeon): Deep dive into Intel Management Engine disablement – Purism.
1 Like
Do you guys trust the HAP bit method is sufficient?
Sufficient for what (rhetorical 
). No I don’t consider HAP requests (please kindly enable those high assurance platform capabilities) sufficient. But that’s just my uninformed opinion. I’m often confused but this seems to make sense to me
HAP protects against vulnerabilities present in all modules except RBE, KERNEL, SYSLIB, ROM, and BUP. However, unfortunately this mode does not protect against exploitation of errors at earlier stages.
source
I’m sure other more informed community members can give you a better assessment (hopefully with less FUD).
- Best
Post can’t be empty
The latest AMD-without-PSP is significantly more powerful than the latest Intel-without-ME - and there are AMD platforms supported by the opensource coreboot BIOS. Actually, we have been discussing one of them - Lenovo G505S - here: Lenovo G505s - #5 by mike_banon . Quad-core CPU, 16GB RAM, no PSP, works fine with Qubes (i.e. because IOMMU is functional with coreboot), and thanks to coreboot you can be sure there are no backdoors in BIOS.
G505S laptop (as well as A88XM-E and AM1I-A amd-based desktops which I also have, and KGPE-D16 server) - is a stable coreboot platform, and without any PSP at all 
So, there are no hardware backdoors that have to be neutered (and theoretically could somehow recover from this) , and nothing to worry about 
To answer your question - no, there are no new additions to that coreboot/libreboot-capable no-ME/no-PSP list. Moreover, the situation has slightly deteriorated, by that these no-PSP AMD boards got dropped from coreboot master and now we are forced to use the slightly outdated coreboot from November 2022 if I remember it right (that’s until we come up with a list of git reverts, to be applied on top of coreboot master, to restore the support for our boards and still enjoy the latest coreboot)