System alternatives without Intel ME / iAMT and AMD PSP / Secure Technology

Tags: computer system without intel me, amd psp
Last update: Jan 2021

Due to a lack of documentation and possiblities to deactivate these “secure execution environments” those can’t be disabled on our own. If you are interested you can read some more details about Intel ME/iAMT and AMD Platform Secure Processor / AMD Secure Technology. This article is providing an overview about possible solutions. From today’s point of view there a several options and we’ll discuss every of them:

  • Option 1: Getting compatible hardware and flashing Libreboot on your own
  • Option 2: Buying an already flashed device with Libreboot
  • Option 3: Getting compatible hardware and flashing Coreboot on your own
  • Option 4: Buying an already Coreboot-compatible modern Notebook
  • Option 5: Get an opensource SoC / single board computer
  • Mandatory: Use an operating system which is free from proprietary undocumented code

So let’s get started 😉

Option 1: Getting compatible hardware and flashing Libreboot on your own

Libreboot is a free BIOS/UEFI replacement which aims to completely omit any proprietary binary blobs within the firmware. If you are a hardliner and accept only free and blob-free solutions, then you should try to stick to Libreboot first. Unfortunately there is so few rather old compatible hardware, that in most cases you’ll find it insufficient. Please check their website for more details. To make it short: In my opinion the most promising candidates are:

Desktop and Server boards

  • Gigabyte GA-G41M-ES2L desktop board
  • Asus KCMA-D8 server board + AMD Opteron 4200 series CPU
  • Asus KGPE-D16 server board + AMD Opteron 6200 series CPU

Notebooks

  • Lenovo ThinkPad X60 / X60s / T60 / T60 Tablet
  • Lenovo ThinkPad X200 / X200s / X200 Tablet / R400 / T400 / T400s / T500 / W500
  • Apple MacBook 2,1

Option 2: Buying an already flashed device with Libreboot

If you don’t want to take the risk of a possibly broken device there are suppliers who are selling some of the above mentioned, just already flashed for you:

Option 3: Getting compatible hardware and flashing Coreboot on your own

Coreboot is a firmware for mainboards where most of the proprietary code has been removed, but not all of it. Especially in quite modern computers there are some (closed and non-free) parts needed, to boot up the computer. All other parts or the system are opensource and can be viewed publicly. Currently as I write those letters there is a bunch of supported mainboards which work with Coreboot. Among the official mainboard-specific documentation list there are for instance:

Mainboards

  • ASRock H81M-HDS (Intel Socket 1150)
  • ASRock H110M-DVS (Intel Socket 1151)
  • Asus F2A85-M (AMD Socket FM2)
  • Asus P5Q (Intel Socket 775)
  • Asus P8H61-M LX (Intel Socket 1155)
  • Asus P8H61-M Pro (Intel Socket 1155)
  • Asus P8Z77-M Pro (Intel Socket 1155)
  • Gigabyte GA-H61M-S2PV (Intel Socket 1155)
  • Intel DG43GT (Intel Socket 775)
  • MSI MS-7707 (Intel Socket 1155)

Systems

  • Dell Optiplex 9010 SFF
  • HP Compaq 8200 Elite SFF
  • HP Z220 Workstation SFF
  • HP EliteBook 2560p
  • HP EliteBook 8760w
  • Purism Librem Mini
  • System76 Lemur Pro

Tutorial available

I have build up my own custom system based on an Asus F2A85-M mainboard together with an AMD A10-5800K APU. If this way is suitable for you, you can follow the tutorial and build up a system on your own. If you are not satisfied with my choice of the processor, you can check out the elaboration on AMD Processors without AMD PSP / Secure Technology.

Option 4: Buying an already Coreboot-compatible modern Notebook

With an awareness of increased security new manufacturers emerge selling specialized notebooks. For instance:

Option 5: Get an open source SoC / single board computer

Alternatively to the classical x86/x64 world there is also the possibility of using an ARM based system on a chip (SoC). Please find some of the common used boards below and feel free to search for new ones. Especially the quite performant boards by Olimex are certified by the Open Source Hardware Association. I recommend to get rid of the trusted execution environment (TEE) by using Crust: a libre firmware for Allwinner SoCs.

Vendor / ModelSoC architectureLinux / FreeBSD?Execution Environment free?Notes
Libre Computer Board
ALL-H3-CC (Tritium)
Allwinner H3
(ARM Cortex A7 or A53)
yes / yesprobably noOnly open schematics available.
Beagle Board BlackSitara AM335
(ARM Cortex A8)
yes / yesyesImplementation of TrustZone is limited by TI to high-volume customers. Documentation available.
OLIMEX Ltd
OLinuXino
Allwinner A20, A64
(ARM Cortex A7 or A53)
yes / yesA20: yes
A64: possible
All A20 and A64 boards are open source hardware. Documentation available.
Table: tiny overview about available SoC computer

Mandatory: Use an operating system which is free from proprietary undocumented code

The openest hardware isn’t good enough if you use an operating system which isn’t free. You might want to have a quick look on the pinetree of open and secure computing to get a short idea about the relevance of open hard- and software. In the following table you’ll find free and available operating systems. Futher operating systems can be found at gnu.org.

NameFree (as in freedom)?Project active?Available ArchNotes
Parabolayesyesx64, i686, ARMv7based on Arch
PureOSyesyesx64based on Debian
Trisquelyesyesx64based on Ubuntu
Urukyesyesx64based on Trisquel/Ubuntu
Guixyesyesx64, i686, ARMv7, AArch64advanced GNU OS
Table: overview about free operating systems

Sources

3 replies
  1. Damon says:

    How about the Pinebook Pro for Option 5? It seems significant because it’s a laptop form as opposed to a stationary SBC, though Pine64 makes those too.

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *