Two ways of "true" security.


mr....@gmail.com

Feb 2, 2017, 5:07:08 AM2/2/17
to qubes-users
This text was written using Google Translate.
As we know, there are two potentially dangerous hardware-trojan technologies: Intel ME and AMD PSP.
I have not looked at AMD, so I decided to build the highest-performance and most secure system possible based on Intel. First, I began choosing the chipset. After reading about Intel AMT, my choice fell on the P965 and the nForce 790i. I needed a chipset that meets the following conditions:
1) No Intel AMT.
2) Maximum performance.
3) At least a 1333 MHz FSB, so that a fast Xeon can be installed.
4) DDR3.

The P965 chipset does not natively support 1333 MHz FSB CPUs, but Gigabyte developed a way to use this frequency on these chipsets. This is possible on the following boards (last revision ONLY):
GA-965P-DQ6;
GA-965P-DS4;
GA-965P-DS3P;
GA-965P-DS3;
GA-965P-S3.
Unfortunately, these boards do not support DDR3.

But the nForce 790i chipset solves my problems! 1600 MHz FSB, DDR3 2000 MHz! Ideal! Plus, it supports the Intel Xeon E5472.
It seemed I had found a solution... But there is no EPT or VT-d support, which Qubes Release 4 requires.

Based on the above, there are two ways:
1) Use Qubes Release 4.x and be exposed to the Intel (AMD?) hardware trojan.
2) Use Qubes Release 3.x and be exposed to XSA-148-type bugs.

Which path should I choose?
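
The post above turns on whether a given Intel platform has the three features Qubes 4.x depends on: VT-x, EPT and VT-d. The following script is an added example (not code from the Qubes project or from anyone in this thread) that checks them from a /proc/cpuinfo excerpt and a boot log. VT-x and EPT are CPU features and appear as cpuinfo flags; VT-d is a chipset/platform feature, so it is only visible from kernel (or, on a running Qubes host, `xl dmesg`) log lines. The cpuinfo and log excerpts are constructed; the E5472 one is built to resemble the Core 2 era Xeon mentioned above, which has VT-x but no EPT.

```python
"""Check the platform features Qubes 4.x requires on Intel hardware:
VT-x ("vmx"), EPT ("ept") and VT-d (an enabled IOMMU).

Added example for this thread, not code from the Qubes project.  All
sample inputs below are constructed.
"""
import re


def cpu_flags(cpuinfo_text: str) -> set:
    """Collect every flag from the 'flags' and 'vmx flags' lines.

    Older kernels list ept/vpid in 'flags'; kernels from 5.5 on move the
    VMX sub-features to a separate 'vmx flags' line, so both are read.
    """
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("flags", "vmx flags"):
            flags.update(value.split())
    return flags


# Boot-log lines that indicate a working IOMMU.  The first two are Linux
# (DMAR = Intel VT-d, AMD-Vi = AMD IOMMU); the last is what Xen prints in
# `xl dmesg`, which is where to look on a running Qubes host.
IOMMU_PATTERNS = [
    re.compile(r"DMAR: IOMMU enabled"),
    re.compile(r"AMD-Vi: Found IOMMU"),
    re.compile(r"\(XEN\) I/O virtualisation enabled"),
]


def iommu_enabled(log_text: str) -> bool:
    return any(p.search(log_text) for p in IOMMU_PATTERNS)


def qubes4_prereqs(cpuinfo_text: str, log_text: str) -> dict:
    """Map each Qubes 4.x requirement to True/False."""
    flags = cpu_flags(cpuinfo_text)
    return {
        "VT-x (vmx)": "vmx" in flags,
        "EPT": "ept" in flags,
        "VT-d/IOMMU": iommu_enabled(log_text),
    }


# Constructed /proc/cpuinfo excerpt resembling a Core 2 era Xeon E5472:
# VT-x is present, EPT is not (EPT arrived with Nehalem).
OLD_CPUINFO = """\
model name\t: Intel(R) Xeon(R) CPU E5472 @ 3.00GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov \
pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc pni \
monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm tpr_shadow vnmi
"""
# Constructed dmesg excerpt with no DMAR (VT-d) lines at all.
OLD_LOG = "ACPI: Core revision 20160930\nsmpboot: Total of 4 processors activated\n"

# Constructed excerpts for a newer Intel machine (5.5+ style 'vmx flags').
NEW_CPUINFO = """\
model name\t: Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov \
pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx smx est ssse3 \
sse4_1 sse4_2 x2apic popcnt aes xsave avx avx2 lahf_lm
vmx flags\t: vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb \
flexpriority tsc_offset vtpr ept vpid unrestricted_guest
"""
NEW_LOG = "DMAR: IOMMU enabled\nDMAR-IR: Enabled IRQ remapping in x2apic mode\n"


if __name__ == "__main__":
    for label, ci, log in (("E5472 box", OLD_CPUINFO, OLD_LOG),
                           ("Haswell box", NEW_CPUINFO, NEW_LOG)):
        print(label, qubes4_prereqs(ci, log))
```

On a real machine, feed `open("/proc/cpuinfo").read()` and the output of `dmesg` (or `xl dmesg` under Xen) to `qubes4_prereqs()`. Note that a missing DMAR line can also mean VT-d is simply disabled in the BIOS setup, so check there before concluding the chipset lacks it.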

Tim W

Feb 2, 2017, 6:34:59 AM2/2/17
to qubes-users, mr....@gmail.com

There are BIOS hardware flashes that will disable/uninstall all but 2 packages of the Intel ME, IIRC removing 5 packages. This is so far the best I have seen for getting as close as we can to limiting what amounts to an Intel low-level OS, a technology which has the power to circumvent anything we do at the user-OS level. The term "bare metal" no longer applies as it used to in the past. The CPU and chipset manufacturers want, and are taking, more and more control away from the primary OS, thus locking us down more and more and increasing their control of the entire PC.

Connor Page

Feb 2, 2017, 7:33:46 AM2/2/17
to qubes-users
I have successfully castrated the ME firmware on 2 Haswell laptops, so I'd go for something more recent but well supported by Linux, reflash, and put in a non-Intel network card for peace of mind.
Ideally a free BIOS would be desirable, but that restricts the selection to quite old generations of chips, where another problem exists: they all have errors that Intel either can't or won't fix...

mr....@gmail.com

Feb 2, 2017, 8:07:40 AM2/2/17
to qubes-users
On Thursday, February 2, 2017 at 17:33:46 UTC+5, Connor Page wrote:
> I have successfully castrated the ME firmware on 2 Haswell laptops, so I'd go for something more recent but well supported by Linux, reflash, and put in a non-Intel network card for peace of mind.
> Ideally a free BIOS would be desirable, but that restricts the selection to quite old generations of chips, where another problem exists: they all have errors that Intel either can't or won't fix...


Could you post the instructions and say which chipset you have?

mr....@gmail.com

Feb 2, 2017, 10:21:20 AM2/2/17
to qubes-users, mr....@gmail.com
I decided to look for information on AMD, and found a much better option performance-wise, which meets all the requirements of Release 4 in general.
From https://libreboot.org/faq/#compatibility:
"The Platform Security Processor (PSP) is built in on all Family 16h + systems (basically anything post-2013)"

https://en.wikipedia.org/wiki/Steamroller_(microarchitecture) says:
"Integrated custom ARM Cortex-A5 co-processor[22] with TrustZone Security Extensions[23]"


But there is no such thing at
https://en.wikipedia.org/wiki/Piledriver_(microarchitecture)
Is everything in the AMD Piledriver Family 15h safe?????
Please help me!

Rusty Bird

Feb 4, 2017, 7:38:43 AM2/4/17
to mr....@gmail.com, qubes-users
mr....@gmail.com:
> On Thursday, February 2, 2017 at 17:33:46 UTC+5, Connor Page wrote:
> > I have successfully castrated the ME firmware on 2 Haswell laptops, so I'd go for something more recent but well supported by Linux, reflash, and put in a non-Intel network card for peace of mind.
>
> Could you show the instructions and write here your chipset?

He's probably referring to https://github.com/corna/me_cleaner

Rusty
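
me_cleaner, linked above, works on two structures in a dumped SPI flash image: the Intel Flash Descriptor in the first 4 KiB, which says where the ME region is, and the $FPT partition table at the start of that region, which lists the ME partitions (me_cleaner removes all of them except FTPR). The script below is an added example, not code from me_cleaner or from anyone in this thread, that parses both so you can see what a dump contains before touching it. Field offsets follow the Intel flash descriptor layout for the five classic regions (descriptor, BIOS, ME, GbE, PDR); the image produced by build_sample_image() is constructed for the demonstration and is not a real dump.

```python
"""Find the ME region in a flash dump and list the partitions in its $FPT.

Added example, not code from me_cleaner.  Field offsets follow the Intel
flash descriptor layout; build_sample_image() returns a constructed image.
"""
import struct

FD_SIGNATURE = 0x0FF0A55A                       # at offset 0x10 of the descriptor
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")   # FLREG0..FLREG4


def parse_regions(image: bytes) -> dict:
    """Return {region_name: (start, end)} for the five classic regions."""
    if struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4         # Flash Region Base Address
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        start = (flreg & 0x7FFF) << 12           # base, in 4 KiB units
        end = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF   # limit, inclusive
        if start <= end:                         # unused regions have base > limit
            regions[name] = (start, end)
    return regions


def parse_fpt(image: bytes, me_start: int) -> list:
    """Return [(name, offset, length)] for the ME partitions.

    Offsets are relative to the ME region start.  "$FPT" sits either at the
    region start or 0x10 bytes in (after the ROM-bypass vector on older ME).
    """
    for fpt in (me_start, me_start + 0x10):
        if image[fpt:fpt + 4] == b"$FPT":
            break
    else:
        raise ValueError("no $FPT table in ME region")
    n_entries = struct.unpack_from("<I", image, fpt + 4)[0]
    header_len = image[fpt + 0xA]                # entries follow the header
    parts = []
    for i in range(n_entries):
        e = fpt + header_len + 0x20 * i          # 32-byte partition entries
        name = image[e:e + 4].rstrip(b"\0").decode("ascii", "replace")
        offset, length = struct.unpack_from("<II", image, e + 8)
        parts.append((name, offset, length))
    return parts


def me_partitions(image: bytes) -> list:
    regions = parse_regions(image)
    if "ME" not in regions:
        raise ValueError("descriptor defines no ME region")
    return parse_fpt(image, regions["ME"][0])


def build_sample_image() -> bytes:
    """Constructed 64 KiB image: descriptor 0x0000-0x0FFF, ME 0x1000-0x7FFF,
    BIOS 0x8000-0xFFFF, GbE and PDR unused.  Real images are 4-16 MiB."""
    img = bytearray(b"\xFF" * 0x10000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)     # FLMAP0.FRBA

    def flreg(start, end):
        return (start >> 12) | ((end >> 12) << 16)

    flregs = [flreg(0x0000, 0x0FFF), flreg(0x8000, 0xFFFF),
              flreg(0x1000, 0x7FFF), 0x00007FFF, 0x00007FFF]  # 0x7FFF = unused
    for i, r in enumerate(flregs):
        struct.pack_into("<I", img, frba + 4 * i, r)

    fpt = 0x1000 + 0x10                           # $FPT after a 16-byte prefix
    img[fpt:fpt + 4] = b"$FPT"
    struct.pack_into("<I", img, fpt + 4, 2)       # two partition entries
    img[fpt + 0x8], img[fpt + 0x9], img[fpt + 0xA] = 0x20, 0x10, 0x20  # versions, header len
    for i, (name, off, ln) in enumerate([(b"FTPR", 0x1000, 0x3000),
                                         (b"NFTP", 0x4000, 0x2000)]):
        e = fpt + 0x20 + 0x20 * i
        img[e:e + 4] = name
        struct.pack_into("<II", img, e + 8, off, ln)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(parse_regions(sample))
    print(me_partitions(sample))
```

To run it on a real dump, read the file produced by your external programmer into `image` and call `me_partitions(image)`; a ValueError from `parse_regions()` usually means the dump is not a full SPI image starting at the descriptor. Compare the region map with what the flasher reports before writing anything back, since a wrong ME region boundary is the usual way to brick a board.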

Oleg Artemiev

Feb 4, 2017, 9:56:01 PM2/4/17
to mr....@gmail.com, qubes-users
Hi

On Sat, Feb 4, 2017 at 3:38 PM, Rusty Bird <rust...@openmailbox.org> wrote:
>> > I have successfully castrated the ME firmware on 2 Haswell laptops, so I'd go for something more recent but well supported by Linux, reflash, and put in a non-Intel network card for peace of mind.
>> Could you post the instructions and say which chipset you have?
> He's probably referring to https://github.com/corna/me_cleaner
Thanks for the link!

Is it possible to make the USB-JTAG bridge I've heard about in
modern computers unusable with this utility?

I'd be glad to get rid of the independent Intel chip's ability to get
peripheral interface access without my permission, especially network and
USB.

I'm curious whether anyone has performed such a surgical operation on an Asus N56VZ without
bricking it?

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/