Computer processor

COREBOOT ME/PSP

The Intel Management Engine (ME) is a separate computer within all modern Intel processors (CPUs). The ME acts as the master controller for your CPU and has extensive access to your computer (system memory, display, keyboard, network). Intel controls the ME code, and serious vulnerabilities have already been found in the ME that allow local and remote attacks. Therefore, the ME can be considered a backdoor and should be disabled.
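Before deciding whether the ME on a given machine needs attention, it helps to know what state it is actually in. The following is an added example, not code from this page or from the coreboot project: it decodes the ME's first host firmware status register (HFSTS1) as the Linux `mei` driver exposes it. It assumes that `/sys/class/mei/mei0/fw_status` lists one 8-digit hex register per line with HFSTS1 first, and that the bit layout matches coreboot's ME status definitions (current working state in bits 0-3, firmware-init-complete in bit 9, operation mode in bits 16-19). The register values used as samples are constructed for illustration.

```python
"""Decode the Intel ME HFSTS1 status register from the Linux mei sysfs interface.

Added example, not part of the original page. Assumptions (labelled here and in
the lead-in): sysfs prints one hex register per line, HFSTS1 first, and the
field layout follows coreboot's ME status definitions.
"""
from __future__ import annotations

from pathlib import Path

FW_STATUS_PATH = Path("/sys/class/mei/mei0/fw_status")  # assumed sysfs location

# Bits 0-3: current working state (coreboot naming)
WORKING_STATES = {
    0: "reset", 1: "initializing", 2: "recovery", 5: "normal",
    6: "disable wait", 7: "transition", 8: "invalid",
}
# Bits 16-19: operation mode (coreboot naming)
OPERATION_MODES = {
    0: "normal", 2: "debug", 3: "soft temporary disable",
    4: "security override via jumper", 5: "security override via HECI message",
}


def parse_fw_status(text: str) -> list[int]:
    """Turn the sysfs text (one hex register per line) into a list of ints."""
    return [int(line, 16) for line in text.split() if line]


def decode_hfsts1(reg: int) -> dict:
    """Extract the fields a defender cares about from HFSTS1."""
    cws = reg & 0xF
    mode = (reg >> 16) & 0xF
    return {
        "working_state": WORKING_STATES.get(cws, f"unknown({cws})"),
        "manufacturing_mode": bool(reg & (1 << 4)),
        "fw_init_complete": bool(reg & (1 << 9)),
        "operation_mode": OPERATION_MODES.get(mode, f"unknown({mode})"),
    }


def me_active(reg: int) -> bool:
    """True when the ME reports a fully initialised, normally running firmware."""
    d = decode_hfsts1(reg)
    return (d["working_state"] == "normal"
            and d["operation_mode"] == "normal"
            and d["fw_init_complete"])


def read_live_status(path: Path = FW_STATUS_PATH) -> list[int] | None:
    """Read the real registers, or None when no MEI device is visible.

    A missing device only means the driver is not loaded or the interface is
    hidden by firmware; on its own it does not prove the ME is off.
    """
    if not path.exists():
        return None
    return parse_fw_status(path.read_text())


# Constructed sample sysfs contents (not captured from real hardware).
SAMPLE_RUNNING = "00000245\n00000000\n00000000\n00000000\n00000000\n00000000\n"
SAMPLE_DISABLED = "00030001\n00000000\n00000000\n00000000\n00000000\n00000000\n"


def summarize(text: str) -> str:
    """One-line summary for the first register in a fw_status dump."""
    regs = parse_fw_status(text)
    d = decode_hfsts1(regs[0])
    verdict = "ME running normally" if me_active(regs[0]) else "ME not in normal operation"
    return (f"HFSTS1=0x{regs[0]:08X}: state={d['working_state']}, "
            f"mode={d['operation_mode']}, init_complete={d['fw_init_complete']} -> {verdict}")


if __name__ == "__main__":
    live = read_live_status()
    if live is None:
        print("No MEI device visible; showing constructed samples instead.")
        print(summarize(SAMPLE_RUNNING))
        print(summarize(SAMPLE_DISABLED))
    else:
        print(summarize("\n".join(f"{r:08X}" for r in live)))
```

Run it as root-free user on a Linux host with the `mei_me` driver loaded; the "soft temporary disable" mode is what a firmware-level disable typically reports, while a normal working state with init complete means the ME is fully up, whatever the vendor's marketing says.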


WHAT IS A PSP, ANYWAY?

The AMD Platform Security Processor is the company's functional equivalent of the Intel Management Engine (ME), which we discussed earlier. AMD describes it as a subsystem "responsible for creating, monitoring, and maintaining the security environment." It consists of an ARM microcontroller core integrated into the main CPU die and connected to the main system memory, I/O, and CPU registers.

In short, it's a coprocessor that has access to almost every part of the computer it's in. This makes it a prime target for attacks. Introduced around 2013, it's also completely closed source and exists as an unknown black box in modern AMD CPUs, making security-conscious individuals very cautious. The PSP operates at a low level, completely outside the purview of the main CPU and operating system, and, like the IME, is often considered a potential backdoor into a computer.

CPUs have been equipped with security features for years, including AMD's Secure Memory Encryption and Intel's Software Guard Extensions (SGX). These subsystems allow sections of memory to be partitioned and protected for specific uses. However, these features have themselves repeatedly proven to have vulnerabilities.

The problem with generic PCs, however, is that they ship with locked and undocumented firmware (Intel ME or AMD PSP). This firmware has privileged access to all hardware. In other words, there's a system-wide backdoor in almost every modern computer out there.

Specialized laptops like Purism, StarLabs, NitroKey, and System76 ship with an open-source replacement for this firmware that disables the manufacturer's backdoors. They also offer privacy and security upgrades like mechanical kill switches for cameras, microphones, and wireless; and they come pre-installed with Linux.

On the other hand, these laptops are only available online. Some vendors accept Bitcoin, but you still have to organize a shipping address, pay customs fees, and wait for delivery. Supply chain constraints are another challenge. These niche vendors have repeatedly been out of stock in recent years, resulting in wait times of several months.

The biggest downside to specialized laptops, however, is that they are just that: special. In other words, you stand out.

The more security and privacy measures you take, the less anonymity you have—online and offline. A typical example: specialized laptops have a more unique online signature than standard computers. Purism, for example, runs PureOS, an operating system that's more unique than Windows, macOS, and popular Linux variants.

Instead of relying on high-tech data protection tools, I prefer low-tech measures:

  • Sure, you can get a special laptop with camera and microphone kill switches. But isn't it more effective (and reliable) to cover the camera and microphone with tape? Or even take the machine apart yourself and learn a bit about the technology. Better still, disable the ME or PSP yourself.

  • Sure, you can use Qubes OS to separate your workloads, but isn't it more effective (and trustworthy) to run your workloads on separate machines?

Image by Alexandre Debiève

Coreboot Service

We offer you the option to install Coreboot on your hardware after we have verified the necessary hardware requirements.

If you'd like to install Coreboot yourself, we're happy to assist you with the process. Our Coreboot consultation and assistance service is a cost-effective alternative if you prefer to do the installation on your own.
