[GLLUG] Linux on Power8

Mike Brodbelt mike at coruscant.org.uk
Thu Jun 23 13:31:05 UTC 2016

On 23/06/16 13:16, dennis--- via GLLUG wrote:

> The reason I ask is that I'm concerned about Intel's so called
> management engine (ME),


And for extra joy, though more directly applicable to servers, there's 

> that can't be
> overridden or disabled by the host OS

Some parts can be diabled in BIOS on some motherboards.

> Am I over reacting?

Are you genuinely worried about attempts to breach your system by state 
level actors? I'd argue that in the absence of host OS driver support, 
the real risk to you here is pretty low. You are however correct in that 
you have an unobservable black box in your CPU, and you have only 
Intel's word as to what its limits are.

Thing is, ME is a specific example of a general problem. Your machine is 
a lot of layers, and security at the upper layers (applications, OS) can 
be bypassed by subverting lower layers - binary driver, firmware, 
BIOS/EFI, silicon. This isn't new - Ken Thompson talked about it a long 
time ago:-


If your question is "Is my machine secure?" - then the answer is clearly 
"No". That's not very useful though, and you should probably be asking 
whether it's secure *enough*. That's a judgement call, and I'd suggest 
to you that simply switching to Power 8 just presents a different attack 

Take a look at what various people have done in this space. I'd suggest 
a look at https://puri.sm/librem-15/ would be educational. Where they've 
tried (and where they've failed) to improve things is instructional. You 
might want to sign their petition to get Intel to release CPUs without 
ME integrated.

If you want freedom all the way down, you're probably going to end up 
having to get a Yeelong Lemote, favoured computer of RMS. That's 
probably as secure as you're likely to manage, but you've traded off 
more convenience than most are prepared to give up in order to get 
there. There are no easy answers.


More information about the GLLUG mailing list