Security | Intel vs AMD

Hello. While reading the Qubes site and forum, I noticed that most people use Intel computers, and the Qubes site says that Intel support in Qubes is better than support for the rest of the hardware.
So, I would be glad to hear your point of view on this matter, and possibly hear the reason for your preference.
As for Intel, a fairly large number of vulnerabilities are found in it; Meltdown and Spectre alone are worth mentioning.
According to my observations, this is less common in AMD; in addition, many experts note that AMD's infrastructure is better than Intel's. Plus Zen 3, from AMD, has incredible security.

One can in principle disable and neutralize the Intel ME (which looks like a backdoor), whereas there is no such possibility for AMD PSP, which is similar.

See also: What would ideal hardware for Qubes look like?


I read about Intel ME and Intel AMT.

Intel AMT is inside Intel ME, and Intel AMT is the one that can do remote access to an Intel laptop.

AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer, such as powering it on or off, and reinstalling the operating system.

Do you think that the assumed backdoor is actually Intel AMT, and not the entire Intel ME?
Can we assume that by using processors without vPro,
we are then already able to mitigate this threat?

How about unplugging the wifi card from our laptop?
Can it prevent the adversary from accessing the NSA-tier?
Or maybe Intel ME is able to establish an internet connection by itself without a wifi card?

AMT is definitely worse from this point of view, but ME still has infinite privileges in the system, including reading/writing RAM and AFAIK managing the network (links in Wikipedia have more details). You decrease the attack surface by avoiding the AMT, but it’s still not ideal.

The best solution is probably using a different architecture without suspicious proprietary blobs: Port Qubes to ppc64 [3 bitcoin bounty] · Issue #4318 · QubesOS/qubes-issues · GitHub.


You decrease the attack surface by avoiding the AMT, but it’s still not ideal.

Yes, correct.

That different architecture is a product from Raptor Computing Systems.
The price is quite high; the motherboard alone is even more expensive than a laptop.

I'm tired of Intel, so I chose the AMD side.
AMD's processors without PSP are fairly newer than Intel processors without ME.
I recommend me_cleaner to you; it removes everything possibly related to ME, and cleans everything that it cannot remove so that it does not start.
I prefer AMD until PowerPC is completely comfortable to use on a daily basis.

Are there AMD processors without PSP?

Do we need me_cleaner after switching to AMD?

Can we ensure that AMD processors without PSP contain no backdoor?

Related to my issue, I have just checked the BIOS and the Intel sticker; actually, I don't find any vPro. Usually Intel vPro will be written on the Intel sticker logo on the laptop. So the assumed backdoor exists without vPro.

I only know the Lenovo G505s; it is the only one that supports Coreboot for AMD processors. (I also know that there is a port of Heads for the G505s.)
You don't need me_cleaner.
No one can guarantee you the absence of backdoors; they are in both Intel and AMD. I chose AMD because its processors without PSP are more powerful than processors without ME.
I think you should check the vPro status of your processor on the Intel website.


What do you mean? I read that it's known that PSP is not in the G505s. Is that not a fact?
And there should be no difference between having the default BIOS and firmware, or coreboot, then; am I right or wrong?
What do you mean there is no guarantee? Where are the full guarantees of no disrespectful hardware backdoors in laptops then, if this is not included in that list?
Is it not what the laptop is known for? Just be honest, no bullshit.

There have got to be laptops out there without backdoors. I thought this one was it, but your post confuses me.

I have studied and read a lot of research papers, blogs and conference talks about this. I want to try to summarize all the findings and points and discuss them here. Please correct me if I am wrong about anything; I hope security professionals will share some of their knowledge and wisdom on this subject.

As I understood it, when it comes to backdoors there are 3 ways they could be implemented:
1- Intel ME or AMD PSP (low-level processors that work all the time); some can be neutered or soft-disabled.

2- Undocumented CPU gateways or registers (closed-source ISA) that execute a payload when a trigger event happens. # There is no way to combat this on x86.

3- Hardware spyware embedded in different chips on the motherboard, done by manufacturers or in the fab. # Hard to discover; cannot beat that either.

Now for the 2nd and 3rd cases: in the end they cannot be made secure; we have to go back to trusting trust.
But we should do what we can anyway. So I have the following questions and scenarios I want to discuss
about the first case (Intel ME and AMD PSP):

1- How can such an attack happen when I am behind a NAT connection, having an OpenWrt router with U-Boot compiled from source code?
The default OpenWrt firewall doesn't allow incoming connections. So how can they talk to the Intel ME?
imgur.com/a/R8SHb8x

Researchers Christian Werling, Alexander Eichner and Robert Buhren came to the conclusion that the AMD PSP doesn't have a network stack included, and therefore has no direct communication with the internet, and that it's just there for memory init and SEV (Secure Encrypted Virtualization).

System76 engineer Jeremy Soller, who worked on coreboot for AMD laptops, says the same thing too.

Does that make AMD better than a neutered Intel ME device?! I mean, if that's 100% true, why doesn't everybody use AMD and make coreboot for it? In the end, after a neutered Intel ME,
they are both vulnerable to CPU-gateway spyware and embedded hardware spyware anyway, but at least AMD PSP doesn't have the network stack in the first place.
What am I missing?

2- What if the laptop is connected to a torified router? How can they connect to the ME through the torified connection that changes every 10 mins?

Speaking of Tor: if they can communicate through NAT and firewall, how can we trust any Tor relay or server? They would have passive access to all Tor nodes, which would make it meaningless.

3- Is there any logical proof that the HAP bit method or the HECI message method actually works for disabling Intel ME, since the network stack blob is still there?
And because coreboot can't see the ME device, that shouldn't mean it's actually disabled; maybe it's a mode that gives specific control to our glowy friends, or am I completely wrong about this?
I wouldn't trust anything but libreboot with libgfxinit, where the network stack blob is actually removed.

I hope someone can shed light on these things.

Moderation note: This conversation is, again, off-topic in this category because there is nothing specific to Qubes OS in it.

@overuser29 The rules of the forum have been explained to you, and I ask you now to stop posting duplicates of this content until your account reaches the "member" trust level and you can post in "All around qubes".

Your account hasn't reached that trust level yet, so moving the topic to the adequate category would make it inaccessible to you.
Because that's pointless, the policy in that case is to close the topic.

What this means concretely:

  • there are likely other forums where your research is on-topic
  • you are welcome to ask for the topic to be re-opened once you have participated in this forum enough to reach the "member" trust level. When that happens, the topic will be moved to the "All around qubes" category and re-opened. You'll also be able to access the other threads on that topic in that category.

This is an official warning.

See also:
