[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Libreboot] AMT replacement, Was: Intel ME opensource replacement
|
From: |
Denis 'GNUtoo' Carikli |
|
Subject: |
Re: [Libreboot] AMT replacement, Was: Intel ME opensource replacement |
|
Date: |
Tue, 28 Jun 2016 17:24:14 +0200 |
On Mon, 27 Jun 2016 17:00:49 +0200
Daniel Tarrero <address@hidden> wrote:
> Hola Denis and people around!
Hi,
[...]
> > This is rather an attempt to document the management engine, I
> > guess in the hope of running free software on it (or to disable it).
> >
> > If successful, that can enable libreboot to run on more recent Intel
> > hardware.
>
> hmmmm, i cant see where it is a problem to libreboot, maybe it has
> something to do with UEFI stuff?
>
> Can be the boot loader's signing keys being stored there??
>
> If so, burning the chip as i was planning can be really bad ^^
This has nothing to do with UEFI nor the UEFI signing keys(That you
can change).
The ME is a processor that initialize some hardware, and, on recent
Intel hardware, this is now required to be able to execute on your x86
processor. Its firmware is signed.
Then once code can execute on the x86 CPU,
The boot fimrware(Like the BIOS, UEFI, Coreboot, Libreboot), is the
first software that on that x86 CPU.
It initialize enough hardware to be able to load and run an operating
system (like your GNU/Linux distribution) on that same CPU.
Long time ago, the management engine didn't exist.
Even if coreboot does support some devices with a management engine
that is running its original firmware, Libreboot doesn't.
This is a choice made to protect its users: That firmware is non-free.
> > Replacing AMT:
> > --------------
> > AMT is just an application, running on the ME, that provides out of
> > band management of the computer.
As I said, AMT is one of the applications the Management engine can run:
Beside initializing the hardware, the Management engine can also run
applications like AMT, ASF, an application implementing a TPM, and
many more.
> > Such out of the band management functionalities can be very handy
> > when you administrate a (home) server.
Some of the Management engine firmwares contain the AMT application.
This application permit you to remotely manage the device it runs on.
While most users would prefer not to have such chip, in some context,
the functionalities it offers can be handy, like for instance in the
case of a home server.
If you're not always at home, it can be handy to have a method to
administrate it out of the band.
> so you suggest not to disable ME but override it with a SBC, isnt
> it?
> wow, that can be a powerfull addon, as much as my fears around ME, but
> which belongs to us and we can read and build the sources =)
No, I suggest to disable the management engine, or buy hardware without
one.
Since the features offered by one of its applications (AMT) could be
useful in some cases, I addressed its most common use case by
describing a more trustworthy setup that can offer even better
features.
The advantage of such setup is that:
- It is more trustworthy: users are aware of it since they are expected
to buy and install extra hardware by themselves. If they don't wish
to have out of the band management, they would not buy and install
the extra hardware required to do it.
- It's way more flexible and can use the software you're used to (100%
free GNU/Linux distributions).
For laptops such features makes way less sense: most users probably
don't want nor need them.
But when they do there are still very compact external hardware running
GNU/Linux that can provide many of such features.
Again, since the users have to buy, install, and plug such extra
hardware, they would be aware of it.
Denis.
pgphvVCXB6C7w.pgp
Description: OpenPGP digital signature