Starting point

Due to a lack of documentation and of any supported way to deactivate these “secure execution environments”, they cannot be disabled on our own. If you are interested you can read some more details about Intel ME/iAMT and the AMD Platform Security Processor / AMD Secure Technology.

This article provides an overview of possible solutions. The order is not meant as a ranking.

From today's point of view the best solution is to

  • use a CPU without Intel ME / AMD PSP, like the AMD A10-6800K (for custom-built systems)
  • use a mainboard which is Libreboot compliant (for custom-built systems)
  • buy a Libreboot compliant system from one of the vendors
  • get a free open source single board computer
  • AND use an operating system which is free from proprietary, undocumented code

You might also want to have a look at the quick overview of open and secure computing technologies.

Buying an older AMD CPU

AMD PSP / AMD Secure Technology is integrated into all CPUs produced after 2013. On AMD systems with BIOS or UEFI the AMD Generic Encapsulated Software Architecture (AGESA) code is responsible for releasing the CPU from its halt state during boot initialization and allowing it to start up and work properly. This is a proprietary binary firmware blob which is needed for the machine to work. The AGESA documentation states that the macro called “AMD_RESET_ENABLEMENT” initializes fundamental controls which have to be placed as early as possible in the boot sequence. This macro initializes DRAM through the PSP. On page 158 of the AGESA documentation it is written that “Family 16h and Family 15h-Models 60h and later contain a PSP but it does not perform the memory initialization”. Knowing these details we know what to look for: anything before Family 16h and before Family 15h Models 60h.

AMD Family 15h is called Bulldozer. The architecture order is as follows:

  • AMD Family 14h (name: Bobcat)
  • AMD Family 15h (name: Bulldozer)
  • AMD Family 16h (name: Jaguar)
  • AMD Family 17h (name: Zen)

Within Family 15h there are four generations:

  • 1st generation (codename: Bulldozer, CPUID models 00h – 01h)
  • 2nd generation (codename: Piledriver, CPUID models 02h + 10h – 1Fh)
  • 3rd generation (codename: Steamroller, CPUID models 30h – 3Fh)
  • 4th generation (codename: Excavator, CPUID models 60h – 6Fh + 70h – 7Fh)

We start the examination with the latest generation. The BIOS and Kernel Developer's Guide (BKDG) for AMD Family 15h Models 60h – 6Fh Processors describes the PSP as an integral part of the System Management Unit (SMU) (page 159). So this 4th generation does not meet our requirements.

According to the statement in the AGESA documentation the last CPUs without a PSP should be the CPUs with model IDs 30h to 3Fh. In fact there is not a single word about the PSP in the corresponding BKDG for Steamroller. It looks like these CPUs really have no implementation of a Trusted Execution Environment. Let's have a look at the official data sheet, which tells us about the CPU features:

  • support for SSE, SSE2, SSE3, SSE4a, SSE4.1, SSE4.2, SSSE3, ABM, AVX, AVX1.1, AES,
    BMI, XSAVE/XRSTOR, XGETBV/XSETBV, PCLMULQDQ, FMA, FMA4, TBN, XOP, POPCNT,
    F16C, MMX™, OSXSAVE, CMPXCHG8B, CMPXCHG16B, FXSAVE, FXRSTOR, CLFLUSH, and
    legacy x86 instructions
  • local APIC on the chip
  • AMD64 technology instruction-set extensions
  • Dedicated 128-bit floating-point unit (FPU)
  • AMD Virtualization™ technology
  • IOMMU v2.0 (documentation)
  • Platform Security Processor

Ouch! We found the PSP within Family 15h Models 30h – 3Fh! It looks like the AGESA documentation is faulty and misleading us. We decide to trust the official data sheet more than the AGESA docs. OK, let's move on to the generation prior to this one, and finally, in the product data sheet of the Piledriver CPUs (02h + 10h – 1Fh), we really can't find anything about the PSP. Cool! It looks like we've found the holy grail. The feature set looks very similar to the features mentioned above.

Piledriver has two “steppings”/processor core generations; the first one is called “Trinity” and the second one “Richland”. Wikipedia provides a good, short tabular summary which shows the most important aspects and differences.

After all this research we have definitely found the latest AMD CPUs which do not include any PSP functionality. According to a table from CPU World, these are the CPUs we were searching for:

Desktop CPUs (Socket FM2):

  • AMD A4-6320
  • AMD A4-6320B
  • AMD A4-7300
  • AMD A4 PRO-7300B
  • AMD A6-6420B
  • AMD A6-6420K
  • AMD A8-6600K
  • AMD A10-6800B
  • AMD A10-6800K
  • AMD Athlon X2 370K
  • AMD Athlon X4 760K
  • AMD FX-670K
  • AMD Sempron X2 250

Notebook CPUs (Socket FP2, FS1):

  • AMD A4-5150M
  • AMD A6-5350M
  • AMD A6-5357M
  • AMD A8-5550M
  • AMD A8-5557M
  • AMD A10-5750M
  • AMD A10-5757M

The fastest one is the AMD A10-6800K, which is available for around $50–60.

Buying an older Intel CPU

If you are playing with the idea of buying old Intel hardware you need something from before 2006. What you do NOT want is:

  • TXT (Intel Trusted Execution Technology, formerly known as LaGrande Technology)
  • Intel vPro (umbrella term for Hyper-Threading, Turbo Boost, VT-x, VT-d, Intel AMT)

You should watch out for the following platforms (2004-2006):

  • Napa
  • Montevina
  • Eagle Lake
  • Lakeport

With the following CPUs you should be good to go:

  • Pentium 4 + Extreme (Prescott 2M)
  • Pentium D (Smithfield + Presler)
  • Pentium Extreme Edition (Smithfield + Presler)
  • Pentium 4 (Cedar Mill)

But because of their lack of performance you should focus on other solutions.
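The two CPU sections above give selection rules that can be checked on a running machine. The following is an added example (my own code, not part of the article): it parses /proc/cpuinfo text, applies the article's AMD family/model findings (Family 15h Piledriver, models 02h and 10h–1Fh, and earlier generations reported as PSP-free; Steamroller, Excavator, Family 16h and later reported as having a PSP), and on Intel reports two CPUID flags that correspond to items on the "what you do NOT want" list: `smx` (Safer Mode Extensions, the CPU side of Intel TXT) and `vmx` (VT-x, part of the vPro bundle). The sample cpuinfo text and the function names are my own constructions; the check encodes the article's reading of the AMD documents and is not a runtime detection of a PSP.

```python
"""Check CPUs from /proc/cpuinfo against the CPU selection rules in this article.

Added example, not the article's own code. AMD family/model ranges follow the
article's findings; the Intel check looks for the 'smx' (TXT) and 'vmx' (VT-x)
CPUID flags. SAMPLE_CPUINFO is constructed for demonstration.
"""
import os
import re

# Constructed sample: one AMD A10-6800K (Richland, Family 15h Model 13h) and one
# Intel Core 2 Duo block, each cut down to the fields this check uses.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 21
model\t\t: 19
model name\t: AMD A10-6800K APU with Radeon(tm) HD Graphics
stepping\t: 1
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sse sse2 sse3 ssse3 sse4_1 sse4_2 sse4a aes avx fma fma4 xop svm abm popcnt

processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 15
model name\t: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
stepping\t: 11
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sse sse2 ssse3 vmx smx est tm2 ht
"""

# Intel CPUID flags matching items on the article's "do NOT want" list.
INTEL_AVOID_FLAGS = {
    "smx": "Intel TXT (Safer Mode Extensions)",
    "vmx": "VT-x (bundled under vPro)",
}


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of 'key: value' fields per processor block."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            cpus.append(fields)
    return cpus


def amd_psp_status(family, model):
    """Apply the article's AMD findings to a (display family, display model) pair."""
    if family < 0x15:
        return "no PSP"                 # Bobcat and earlier predate the PSP
    if family == 0x15:
        if model <= 0x01:
            return "no PSP"             # 1st gen Bulldozer
        if model == 0x02 or 0x10 <= model <= 0x1F:
            return "no PSP"             # Piledriver (Trinity / Richland)
        if 0x30 <= model <= 0x3F:
            return "PSP present"        # Steamroller: data sheet lists a PSP
        if model >= 0x60:
            return "PSP present"        # Excavator: PSP is part of the SMU per BKDG
        return "unknown"                # model range the article does not cover
    return "PSP present"                # Family 16h (Jaguar), 17h (Zen) and later


def assess(cpu):
    """Build a verdict for one parsed processor block."""
    vendor = cpu.get("vendor_id", "")
    family = int(cpu.get("cpu family", "0"))
    model = int(cpu.get("model", "0"))
    flags = set(cpu.get("flags", "").split())
    verdict = {"name": cpu.get("model name", "?"), "vendor": vendor,
               "family": family, "model": model}
    if vendor == "AuthenticAMD":
        verdict["psp"] = amd_psp_status(family, model)
    elif vendor == "GenuineIntel":
        # Flags present that the article says to avoid (sorted for stable output).
        verdict["avoid"] = sorted(f for f in INTEL_AVOID_FLAGS if f in flags)
    return verdict


def report(text):
    """Return one verdict per processor block in the given cpuinfo text."""
    return [assess(cpu) for cpu in parse_cpuinfo(text)]


if __name__ == "__main__":
    # Use the real /proc/cpuinfo when available, otherwise the constructed sample.
    source = "/proc/cpuinfo"
    if os.path.exists(source):
        with open(source) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CPUINFO
    for v in report(text):
        if "psp" in v:
            print(f"{v['name']}: family {v['family']:#x} model {v['model']:#x} -> {v['psp']}")
        elif "avoid" in v:
            hits = ", ".join(INTEL_AVOID_FLAGS[f] for f in v["avoid"]) or "none of the listed features"
            print(f"{v['name']}: {hits}")
```

Run on the sample, the A10-6800K block is reported as "no PSP" and the Core 2 block reports TXT and VT-x. On a real system the script reads /proc/cpuinfo directly; Hyper-Threading, Turbo Boost, VT-d and AMT from the vPro list have no single reliable CPUID flag and are deliberately not checked here.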

Using Coreboot?

Formerly known as LinuxBIOS, this project aims to replace the proprietary BIOS firmware. Users should note that Coreboot still uses proprietary binary code for initialization as well. Almost every configuration listed under supported mainboards includes proprietary code.

That means that in the end parts like the Intel ME are still running without limitation, so using Coreboot isn't a real alternative if your aim is to run a system without Intel ME or AMD PSP / Secure Technology.

You should focus on other solutions.

Using Libreboot

Libreboot is a free BIOS and UEFI replacement which aims to completely omit any proprietary binary blobs within the firmware.

Unfortunately you have to deal with flashing the corresponding chip on your own. In any case you should know that you may brick your device while playing around with your SPI flash chips.

At the present time Libreboot is known to work with the following devices:

Notebooks:

  • Asus Chromebook C201 (ARM)
  • Lenovo ThinkPad X60/X60s
  • Lenovo ThinkPad X60 Tablet
  • Lenovo ThinkPad T60 (with some exceptions)
  • Lenovo ThinkPad X200
  • Lenovo ThinkPad R400
  • Lenovo ThinkPad T400
  • Lenovo ThinkPad T500
  • Apple MacBook1,1
  • Apple MacBook2,1

Desktops:

  • Apple iMac 5,2

Desktop mainboards:

  • Gigabyte GA-G41M-ES2L (mATX, Socket 775, up to Intel Core 2 (Quad) Extreme QX9770)
  • Intel D510MO (mini ITX, passively-cooled, soldered-down Dual-Core Intel Atom)
  • Intel D945GCLF (mini ITX, soldered-down Single-Core Intel Atom 230)

Server/Workstation mainboards:

  • ASUS KGPE-D16 (EEB 12″x13″, Dual Socket G34, up to 2x AMD Opteron 6200 series,
    ~maximum: 2x Opteron 6284 SE @ 16x 2.7 GHz)
  • ASUS KCMA-D8 (SSI EEB 3.61, Dual Socket C32, up to 2x AMD Opteron 4200 series,
    ~maximum: 2x Opteron 4284 @ 8x 3.0 GHz)
  • ASUS KFSN4-DRE [PCB version 1.05G] (SSI EEB 3.61, Dual Socket 1207, up to 2x AMD Opteron 2400 or 8400 series,
    ~maximum: 2x Opteron 2435 @ 6x 2.6 GHz)

Single Board Computers to choose from

Name / Vendor / Model | SoC / Architecture | Linux? / FreeBSD? | Management engine / TEE free? | Notes
Libre Computer Board ALL-H3-CC (Tritium design) | Allwinner H3 (ARM Cortex A7 or A53) | yes / yes | no, TrustZone | open schematics; waiting for vendor's reply
Orange Pi PC Plus | Allwinner H3 (ARM Cortex A7) | yes / yes | no, TrustZone |
Beagle Board Black | Sitara AM3358/9 (ARM Cortex A8) | yes / yes | no, TrustZone |
DreamPlug | Marvell Kirkwood 88F6281 (ARM Cortex A9E) | yes / yes | no, TrustZone |
PC Engines APU 2 | AMD Embedded GX-412TC | yes / yes | no, PSP |
ISEE IGEPv2 | ARM | yes | partly |
Olimex Ltd OLinuXino | ARM | yes | yes |
ASUS Tinker Board | ARM | no | no |
Udoo X86 | x64 | no | no | Intel Pentium N3710, Intel Celeron N3160, Intel Atom x5-E8000
Arduino | multiple (RISC) | yes | yes |

Operating systems without using proprietary code

These distributions of GNU/Linux are typically based on a kernel called Linux-libre, which is used by default.

Due to the modularity of Linux distributions this alternative kernel (Linux-libre) can also be applied to:

  • Fedora, OpenSuSE, urpmi, apt-rpm
  • Arch Linux
  • Gentoo Linux
  • Slackware

If you are not familiar with replacing kernels, there are preconfigured distros:

Name | Completely free (as in freedom)? | Project active? | Available architectures | Notes and website
Parabola GNU/Linux-libre | yes | yes | x64, i686, ARMv7 |
Trisquel GNU/Linux | yes | yes | x64, i686 | based on Debian, Ubuntu
Uruk GNU/Linux | yes | yes | x64, i686 | based on Debian, Trisquel
Guix System Distribution | yes | yes | x64, i686 |
PureOS GNU/Linux | yes | yes | x64 | based on Debian (Testing)
Ututo UL | yes | yes | x64 | based on Ubuntu
LibreCMC | yes | yes | embedded binary for routers etc. | based on OpenWrt