I'm tired of the CPU "management engine" etc. built-in malware/spyware situation. Someone needs to do something. Can Qubes spearhead a new movement?

I’m talking about being able to use the latest 16-Core CPUs without a malware/spyware inside it.

What better community than Qubes to start something to solve this? Ask for donations, kickstarter, whatever.

Rough goal idea: If not build a our own x86_64 CPU (I guess that’s too expensive?) then accumulate bounties (if needed on the gray market / cryptocurrency) paid to people who successfully disable spyware/malware on newer CPUs.

Those are just two ideas and they might be lame. But something needs to be done and someone here might have far better ideas. Please share.

Without doing something, we’ll fall behind.

1 Like

I think you greatly underestimate the development cost of a new CPU, and the idea that you can money launder an amount equal to the development costs using stolen crypto is just completely unrealistic.

The FidelisGuard is Qubes certified, uses a 12th gen intel CPU, and has a bios option to disable ME.

3 Likes

I certainly share your frustration on this topic. Goddamit I just want to be able to do computing without any third party (potentially) surveilling my activities. Is this something too much to ask for?!

However, developing a new CPU is very very very difficult, in fact, only a handful of companies can do so (not counting the single board computer CPU stuff; think only the desktop/laptop CPUs).

However, I do share your hope about future possible avenues opening with gray market + cryptocurrency (especially, Monero) initiatives. Many many people have an incentive to mind their own computational privacy, and Monero + internet networks can provide these geographically dispersed people effective ways of organization and cooperation.

Until then, our best options are:

  • coreboot’ed Thinkpad X230 with i7 CPU
  • system76 laptops
  • librem laptops

Are you sure System76 are solid? The used to write “Disabled ME” on most of their laptop specifications, but they no longer do (on most of the models at least). I think System76 gave up on the idea years ago IIRC. Very dubious IMO.

Also why did they only offer this for laptops? Why didn’t they for their desktop machines?

However, creating a crypto fund for a bounty to disable ME on various CPUs… that’s ought to be very realistic. (BTW I’m not shilling crypto here… only suggesting it in case the jailbreaker wants to be anonymous).

If only they’d start offering the higher end Intels too. (12-core, 16-core, 24-core ones) Do you know what’s stopping them?

1 Like

It is also not needed, you can use HAP to disable ME on all intel CPUs, the information on doing this is publicly available.

They probably picked the i5 to make it affordable, but you can build a system with the same motherboard and use the 16 core i9, it should also be possible to use 13th gen up to 24 cores.

2 Likes

I’m talking about being able to use the latest 16-Core CPUs without a malware/spyware inside it.

Intel processors are not consideredSpyware or malware”. If you want to use the latest Intel CPU with Qubes Os feel free to do so.

What better community than Qubes to start something to solve this? Ask for donations, kickstarter, whatever.

Well, it is much more complicated than that.

The process of creating a computer processor is highly complex. Here a some general steps :

  • Create the logic and instruction set for the CPU, including the control unit, ALU, and registers.
  • Decide on the basic design and functionality of the CPU, including the instruction set architecture (ISA), microarchitecture, and data path.
  • Produce the CPU using a semiconductor manufacturing process, such as lithography, etching, and doping

    That will require significant amount of time, fund, specialized equipment and software and more importantly dedicated semiconductor manufacturing experts.

paid to people who successfully disable spyware/malware on newer CPUs.

What do you consider a “spyware/malware” ?

Are you talking about the Intel ME ?

The fear of PSP/ME is completely illogical. ME was originally developed has a remote PC management solution for sysadmin.
Just because something is proprietary does not mean it’s a backdoor, malware. On the other hand, just because something is open source does not mean it’s “safe”. History has shown us that.
Just because a program is not open source does not mean you can’t audit it. (The ME has been audited, and you actually can audit it yourself if you have the correct knowledge, time and tools.

I don’t like the idea of Security by obscurity, but every security expert knows that it can be required for critical pieces of software. Just in case you aren’t aware, Qubes Os is not 100% open source.

Should you disable the ME ? Yes, probably. On ME versions from 11.x (From Sky lake microarchitecture) you can disable it by setting the HAP bit.

I love Dasharo teams because they’re honest, they know their stuff, they actually help open source projects like Coreboot and most importantly they don’t make false marketing campaigns.

If you want to support their awesome work, you can buy the new Qubes OS Certified Desktop.
It is possible to buy only the motherboard if you want to use different components, MSI PRO Z690-A DDR4 motherboard with Dasharo.
Or you can directly install dasharo on a compatible motherboard, open source dasharo firmware.

Keep in mind that installing an open source Bios or disabling the ME “spyware” will not make your processor open source. We know that the Intel Management Engine is there because intel wanted us to know that it exists.

Do you really think that if intel wanted to implement a built-in “spyware” they’ll have taken the time to advertise it ? I don’t think so.

Currently, there’s no processor completely open source. Even RISC-V/POWER9 are still considered proprietary.

I can fully understand your frustration, but you should be aware that in the Security field we trust.

If you don’t then simply don’t use a computer.

2 Likes

While the FSP binaries for 13th gen intel processors RaptorLakeFspBinPkghave just been released, 13th gen is still not officialy supported by Dasharo. :+1: :wave:

1 Like

You are right, it got removed from the v1.1.1 release, but raptor lake support should be ready for v1.2.0

2 Likes