GrapheneOS from all the answers I got from "team members"? of the project, this seems like I got misinterpreted as not trusting the reliability of Graphene, I don't know how; since it's one of my favorite projects I came across in this specific field, if not the first one. I am merely asking questions of people who are aware of IME to get more insights into it, nothing more. I also like GrapheneOS better than laptops in some way; but there's always different usability/situations.

User2288 it quite seems like just those 3 letters of IME are quite touchy here. I'm a big fan of Graphene, no doubts here, but it doesn't seem like I can have any questioning about it in here with other community members, but I'd rather stop if it's disturbing them, since this is the last thing I wanted. And I'm also only wishing all the best for this amazing team and its devs that did a work that was never achieved by any others.


    GrapheneOS

    So an ARM MacBook with macOS would be the closest thing to get to GOS from a privacy, security and longevity (firmware and security updates) aspect?
    Or is it something like an old ThinkPad with Libreboot and QubesOS? Or something else entirely?

      krayo

      This line from the official GOS account would be the core answer:

      GrapheneOS You have no way to confirm that an open source chip has hardware matching the chip design. The manufacturing processes are also closed source even for an open source SoC

      Unless we were standing next to the microfabrication line where the chips were manufactured with a microscope, we can't ever 100% know if backdoors / "microcontrollers" / "IME equivalents" are baked into any given chip at the hardware level.

      Like what was posted earlier, we are already placing "full trust" in Intel / ARM by using a digital device, there are very few ways around that:

      GrapheneOS Many people baselessly claim that Intel ME is a backdoor or has a backdoor while ignoring the rest of the CPU which is also proprietary and also places full trust in them.

      [deleted]

      Many people baselessly claim that Intel ME is a backdoor or has a backdoor while ignoring the rest of the CPU which is also proprietary and also places full trust in them.

      🤷‍♂️ The Intel Management Engine (ME) and AMD Platform Security Processor (PSP) are just small parts of a bigger issue. The entire desktop System-on-Chip (SoC) is built on closed and proprietary technology.

      🤷‍♀️ It's funny that people haven't moved on from this year-old topic, as they seem to ignore the fact that the entire System-on-Chip (SoC) is proprietary, while criticizing the Intel Management Engine (ME).

      sleep_legacy I would lean more towards Libreboot with QubesOS. But I think even then you don't have verified boot, do you?

      The thing about Intel ME or PSP is that by putting a network monitoring system in front of that PC you could technically "catch" unsolicited traffic in/out of that PC, theoretically. But that's easier said than done. One could also argue that if there was a serious privacy/security backdoor issue with Intel ME, then perhaps at least one person would have "caught" it in the act in the past 15 years. Is there any account of this?

      I was so worried about Intel ME in the past, but now I'm not. I think it's only a threat if a sophisticated attacker (gov) wants to directly target you, and that's not everybody. Although if you wanna be more safe, the way to deal with it is to put your system behind an external firewall with white-listed IPs/URLs. I'd think that should do it. No?

      Or just have a more secure system for your critical stuff.
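The two ideas in the post above (an external monitor that catches unsolicited traffic, and an external allowlist firewall) reduce to the same check: every flow leaving the machine must go to a destination you explicitly expect. The following is an added example, not code from this thread or from the GrapheneOS project. It parses a small set of constructed flow records in a made-up `key=value` format, as a router or mirror-port collector sitting in front of the PC might log them, and reports every flow whose destination is outside the allowlist plus the byte volume per unlisted destination. The allowed networks and all addresses are assumptions chosen from documentation ranges.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: flows as seen by an external collector, not by the
# monitored host. The format (ts src= dst= dport= proto= bytes=) is made up
# for this example. 192.168.10.20 is the PC under observation.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=192.168.10.20 dst=192.168.10.1 dport=53 proto=udp bytes=84
2024-05-01T10:00:02Z src=192.168.10.20 dst=203.0.113.10 dport=443 proto=tcp bytes=5120
2024-05-01T10:00:05Z src=192.168.10.20 dst=198.51.100.77 dport=443 proto=tcp bytes=2210
2024-05-01T10:00:09Z src=192.168.10.20 dst=203.0.113.10 dport=443 proto=tcp bytes=910
2024-05-01T10:00:12Z src=192.168.10.20 dst=198.51.100.5 dport=8443 proto=tcp bytes=300
"""

# Assumed allowlist: the local LAN and one trusted external range. Anything
# else is "unsolicited" from the point of view of this monitor.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the constructed flow format; reject malformed records loudly
    rather than silently dropping them (a dropped record is a blind spot)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"]),
                          m["proto"], int(m["bytes"])))
    return flows


def is_allowed(dst, allowed_networks=ALLOWED_NETWORKS):
    """True if the destination address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_networks)


def unlisted_flows(flows, allowed_networks=ALLOWED_NETWORKS):
    """Flows whose destination is not on the allowlist, in log order."""
    return [f for f in flows if not is_allowed(f.dst, allowed_networks)]


def bytes_by_destination(flows):
    """Total bytes per destination, to see which unlisted host is talkative."""
    totals = {}
    for f in flows:
        totals[f.dst] = totals.get(f.dst, 0) + f.nbytes
    return totals


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    suspects = unlisted_flows(flows)
    for f in suspects:
        print(f"{f.ts} unlisted destination {f.dst}:{f.dport}/{f.proto} ({f.nbytes} bytes)")
    print("bytes per unlisted destination:", bytes_by_destination(suspects))
```

The check has to run on a device the monitored host cannot influence, which is the reason the post says "in front of that PC": firmware that speaks to the NIC below the OS would not be visible to a host-side firewall or packet counter, but it still has to cross the wire. The allowlist also only flags destinations, not content, so traffic to a permitted host is not inspected; that is the "easier said than done" part.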

        If it's the case that nothing like Intel ME exists on Pixels, then it would naturally follow to ask "what COULD be a threat model for the Pixel given its hardware structure that should be discussed?"

        I think that's a more relevant question and gets back to the original question of the OP.

        I suppose a base band attack that gains access? What kind of access could that entail? What does the "isolation" actually do?

        I would love to learn about this if anyone has any reading to recommend.

          raccoondad

          There just isn't an answer to the question, other than Intel ME is closed source firmware with most of its functionality unknown. Which is common and constant in most devices

          The entire SoC is closed source hardware and firmware. Intel ME is not a uniquely closed source part of it. It's a misconception.

          raccoondad

          Intel ME is no more closed source than the rest of Intel's SoC.

          User2288 You have misconceptions about Intel ME which were addressed in the thread.

          ARM is dramatically simpler than x86, and Tensor is a particularly simple/clean smartphone SoC implementation. Nearly everything is dramatically simpler. There's no SMM, ACPI, UEFI or countless other things, not just ME. There's no equivalent to them because things are done in a simpler way. Device management is done via apps in the OS granted device management permissions and that's more than good enough for the use case. Those apps can use hardware attestation if they want to verify the device / OS.

          I suppose a base band attack that gains access? What kind of access could that entail? What does the "isolation" actually do?

          This is venturing into similar misconceptions about cellular basebands. It's not different from Wi-Fi/Bluetooth. The isolation is the same: they can only access their own memory and system memory shared with them by the driver which along with the userspace services/libraries are responsible for safely interacting with the component and avoiding vulnerabilities exploitable through the communication. It's little different from any other radio or network card. They're typically not properly isolated in desktops, but they are properly isolated in the devices we support and bypasses for that isolation are considered High severity vulnerabilities similar to comparable privilege escalations within the OS.

            GrapheneOS thanks for this explanation. It was informative.

            Without question everyone here discussing this subject has misconceptions and lack of knowledge about this. If we didn't we wouldn't be here making posts about it and asking questions. 😌

            Anyway thanks for the info. This explanation of yours was satisfactory enough for me not to worry about the subject any more on pixels.

            User2288

            I don't think a system like that has verified boot, but I don't know.

            Possibly it is not only about the ME, what is about a system with old firmware? As far as I know, no OS can be secure on a device if the firmware is the entry point. And many devices don't get long firmware support.

            So I'm curious about a good laptop option in terms of updates (OS and firmware) with good security and privacy. And hopefully good to repair.

            I hoped that an old ThinkPad with coreboot/libreboot and QubesOS would be the solution. Quite friendly, they have a good repairability, but unfortunately I don't have enough knowledge about the Intel ME or any possible security concerns in these old devices.

              4 days later
              7 months later

              Since the phone processor, when powered on, probably has access to the cellular modem, if there is anything like Intel ME built in, the chip, if backdoored, could request access to the cellular modem, then exfiltrate data through the cellular modem as well as provide a false reading for how much data is being used if the OS monitors cellular packets, and request that all telecoms do not include any packets going to the exf.ilt.rat.e IP address in billing. There would be no way to know. Doesn't it seem likely such a backdoor would be included by design? It would just mean that depending on threat model there could be risk of exfiltration. If the threat model is low or mild it wouldn't matter.

              Is this not possible? Intel ME concerns me. I have been hacked on desktop and think it was through ME but do not know.

                notahuman Please read through the official project account's responses here. There are so many posts where the project account or others have addressed similar worries in other threads too. There just isn't any real reason for Google to hide a backdoor like what you're describing. They'd get caught and there'd be backlash. Google has more than enough access to data via Google Play Services. There's no need for a backdoor.

                I'd also suggest reading a fellow moderator's fantastic response to a similar question here: https://discuss.grapheneos.org/d/10150-not-your-average-why-pixel-thread/7

                  other8026 This makes no sense.

                  The government could have demanded google create a backdoor in the hardware and issued a gag order.

                  Such a backdoor would be useful. Google Play collects and sends data when a user is on the Internet. If a user goes into airplane mode the government couldn't track a user easily. If there's a hardware backdoor, they could be able to send a ping to the device to access info about the device even in that mode. There are use cases for it, so why wouldn't the government request it? To say it's implausible just seems naive as to how these gag orders work.

                    notahuman Hmmmm... I think you're a CCP spy trying to get people off of Google devices and onto Chinese devices which you've backdoored in order to spy on them.

                    ...see how that works?

                    Anybody can make stuff like this up, and we can then debate that made up scenario from there. It is implausible. Pixels are one of the devices with the most security research attention. It sounds like a very silly target for this kind of thing, but even if that's not convincing to you, that's fine, because I don't think anything will really be.

                    The logic of "assume backdoor" can literally apply to anything. It's not about being "naive". It's about being realistic.

                    notahuman The government could have demanded google create a backdoor in the hardware and issued a gag order.

                    In theory, yes... but...

                    In theory there is no difference between theory and practice, while in practice there is.
                    --Benjamin Brewster, Yale Literary Magazine, February 1882

                    The U.S. government could mandate that Google include mass-surveillance backdoors in all of their phones, and could maybe include a gag order. But that sort of argument could cover anything. Way back in 1949 George Orwell wrote a book in which every television was a government surveillance device, which is trivial now (in fact, smart-TV companies have been found doing surveillance for profit). And these days every car could be a surveillance device, and every Wi-Fi access point, and, heck, every automatic paper-towel dispenser in every restroom.

                    The problem with sweeping mass-surveillance conspiracies is that when they're big enough they are disclosed. Google ships new phones every year, so does Samsung, so does Apple... keeping something like that a secret, across all of those design teams, year after year, would be a monumental effort.

                    People are aware of the Crypto AG compromise, but that worked as well as it did because it was one small company. Even before Snowden made his disclosures, people suspected some of those holes. There are multiple mass-surveillance/public-safety infrastructures in China, but they are so big that everybody knows about them.

                    If the NSA, or the FBI, whatever, wants to bug me in particular, and they are willing to spend $50,000 or so, I have to assume they'll be successful. "Retail" (targeted, individual) surveillance generally works. "Wholesale" surveillance can work too, but secret "wholesale" surveillance is a lot harder.

                    I don't think it's "naive" to assume that secret wholesale surveillance would be disclosed. Gag orders can work when they are limited in scope, but I think data support the notion that grand sweeping multi-year multi-company gag orders eventually leak.