Use the ThinkPad or System76; if you won't use anything else and just Linux, then go for that. They stock quite well, unlike some of the others. I have never been able to get a Librem, and judging by people's complaints I probably wouldn't. If the System76 uses Coreboot then it is a plus: you get open-source BIOS firmware.
(Most of what I found dates from 2017-18 and I would have to dive into the bootloader rabbit hole to really understand if it's even possible – anyone know?)
Do not worry about the Intel ME / bootloader stuff. An open-source BIOS fixes the issue enough, which System76 does have. Most of what is written about it is horseshit made to advertise; you can find mainstream providers like Dell selling laptops without it:
Only Intel vPro (a variant with features for enterprise) processors do anything substantial based on Intel Active Management Technology (AMT) - which did have known vulnerabilities. All known exploits for AMT are only functional with access to the PC of the target and/or require credentials. Non-vPro processors don't have this.
Intel vPro processors also aren't widespread, and you can find variants of laptops without it. You have to explicitly use Intel Wi-Fi hardware and contact Intel to get special management software that allows remote access to the PC. When they say ME can be exploited remotely, the CVE descriptions always mention you need valid administrator credentials, a.k.a. non-existent for someone who isn't using AMT in an enterprise.
Avoid a vPro and Intel networking card combined and the minimal risk is averted; this is Librem's exact approach. Their old "No ME" marketing was just horseshit made to sell to those people:
Note that they stopped advertising or mentioning Intel ME anywhere now:
Need to manually find this page hidden in the cracks, which has the same talking points I've said: https://puri.sm/learn/intel-me/
The ME Cleaner is basically a hack job of replacing that section of firmware with 0xff. But if you don't trust Intel ME, why trust every other piece of proprietary firmware in your processor or any other PC component? Threat actors can put malicious firmware in motherboards, and even in your hard drive:
Local device management is also common on every major processor i.e. AMD PSP and even a phone forensics tool uses a Qualcomm processor feature for forensic analysis.
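As an added illustration of the mechanism mentioned above (this is example code, not part of the thread and not me_cleaner's own code): the script locates the ME region of a dumped SPI flash image through the Intel Flash Descriptor (signature at offset 0x10, region registers reached via the FLMAP0 FRBA field, region 2 being ME) and reports whether that region is still present, has been blanked to 0xFF, or is not defined at all. The firmware image is constructed in memory for the example; the descriptor field layout follows the public Intel Flash Descriptor format, and the 1 MiB sample layout is an assumption.

```python
"""Inspect a dumped SPI image and report the state of its Intel ME region.

Added example, not code from the thread or from me_cleaner. The sample image
is constructed in memory; real dumps come from a flash programmer.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A   # descriptor signature, little-endian at flash offset 0x10
REGION_NAMES = ["descriptor", "bios", "me", "gbe"]
ME_REGION = 2


def parse_regions(image: bytes) -> list[tuple[int, int]]:
    """Return (start, end) byte offsets of flash regions 0..3 from the descriptor."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # Flash Region Base Address, in 16-byte units
    regions = []
    for n in range(4):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * n)
        start = (flreg & 0x7FFF) << 12        # base is in 4 KiB pages
        end = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        regions.append((start, end))
    return regions


def region_state(image: bytes, index: int) -> str:
    """'absent' if the region is unused, 'blanked' if it is all 0xFF, else 'present'."""
    start, end = parse_regions(image)[index]
    if end < start:                            # limit below base marks an unused region
        return "absent"
    data = image[start:end + 1]
    return "blanked" if all(b == 0xFF for b in data) else "present"


def me_region_state(image: bytes) -> str:
    """Convenience wrapper: state of region 2, the ME region."""
    return region_state(image, ME_REGION)


def build_sample_image(blank_me: bool) -> bytes:
    """Constructed 1 MiB image: descriptor at 0x0, BIOS at 0x1000-0x7FFFF,
    ME at 0x80000-0xFFFFF, GbE region unused. Assumed layout, not a real dump."""
    img = bytearray(b"\xFF" * 0x100000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)   # FLMAP0 with only FRBA set

    def flreg(start: int, end: int) -> int:
        return (start >> 12) | ((end >> 12) << 16)

    layout = [
        flreg(0x000000, 0x000FFF),   # region 0: descriptor
        flreg(0x001000, 0x07FFFF),   # region 1: BIOS
        flreg(0x080000, 0x0FFFFF),   # region 2: ME
        0x00007FFF,                  # region 3: GbE, base 0x7FFF / limit 0 = unused
    ]
    for n, value in enumerate(layout):
        struct.pack_into("<I", img, frba + 4 * n, value)
    if not blank_me:
        # Non-0xFF filler standing in for real ME firmware contents.
        img[0x80000:0x100000] = bytes(range(256)) * (0x80000 // 256)
    return bytes(img)


def report(image: bytes) -> dict[str, str]:
    """State of every region, keyed by name, for a quick defender-side check."""
    return {name: region_state(image, i) for i, name in enumerate(REGION_NAMES)}


if __name__ == "__main__":
    for label, img in (("untouched", build_sample_image(False)),
                       ("me blanked", build_sample_image(True))):
        print(label, report(img))
```

Run against a real dump (`report(open("dump.bin", "rb").read())`) the same check tells you whether the ME region of that image is populated, blanked, or simply not defined by the descriptor, which is the distinction the thread draws between "No ME" marketing and what is actually on the chip.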
Appreciate your insight very much. I know little about security and I have a hard time telling if the Intel ME scare is horseshit or not.
Agree that any non-open firmware has to be trusted. What I really don't get is why they insist on pushing that "remote management" technology to ALL their chips when it would only make sense in a few enterprise settings.
OK, no vPro, so this rules out the X1.
What are your thoughts on Apple M series SoCs from a security standpoint? I really like their hardware, but I'm fed up with their software.
reply
Apple devices are extremely secure with well designed hardware and have a lockdown mode which was made to combat sophisticated threats after the whole Pegasus situation with iPhones. Big issue is that you have to basically use their services and there's no avoiding it.
reply
Interesting. Intel with me_cleaner vs Apple silicon: Which is less likely to have backdoors?
reply
It's really up to who you trust more for your Linux usage.
I use Intel but if you trust Apple then go Apple all the way because I don't doubt they are built extremely well. I prefer trusting less on online services though.
For the sake of reference I am very Windows-focused so I use this: https://uk.dynabook.com/laptops/portege/portege-x30l/
This is mainly due to me being able to configure Windows myself and being able to see what it can't do. I only rely on Microsoft for security updates and Office. They are Secured-Core PCs, so they are Microsoft-validated to run all security features, including an exclusive System Management Mode Protection which is meant to counteract threats from the processor's management mode, i.e. Intel ME. Secured-Core PCs often don't include OEM-specific bloat either.
Never used Linux on these, so I cannot validate how good of an experience it is, nor how to get one, but they have fingerprint unlock, smart card support and pretty good I/O. Good battery life and build quality too.
reply
trusting less on online services
Do you mean because of OIK? But if it's regarding macOS, I have some plans to harden it and mitigate all those online services while I wait for Asahi to mature.
By the way, found this: https://github.com/ubuntuAsahi/ubuntu-asahi/ . Very cool, running Ubuntu on Apple bare metal.
reply
Not at all, I'm just not a fan of how integrated Apple services are into the entire OS. I prefer them to be a bit more distant, like with Windows 11 when configured properly to do so. I imagine macOS is perfectly fine for people if they trust Apple enough.
reply