Last update: Jan 2021
Because there is neither documentation nor a supported way to deactivate these “secure execution environments”, they cannot be disabled by the user. If you are interested you can read more details about Intel ME/iAMT and the AMD Platform Security Processor / AMD Secure Technology. This article provides an overview of possible solutions. From today’s point of view there are several options, and we’ll discuss each of them:
- Option 1: Getting compatible hardware and flashing Libreboot on your own
- Option 2: Buying an already flashed device with Libreboot
- Option 3: Getting compatible hardware and flashing Coreboot on your own
- Option 4: Buying an already Coreboot-compatible modern Notebook
- Option 5: Get an opensource SoC / single board computer
- Mandatory: Use an operating system which is free from proprietary undocumented code
So let’s get started 😉
Option 1: Getting compatible hardware and flashing Libreboot on your own
Libreboot is a free BIOS/UEFI replacement (a coreboot distribution) whose goal is to ship no proprietary binary blobs in the firmware at all. If you are a hardliner who accepts only free, blob-free solutions, Libreboot should be your first choice. Unfortunately the compatible hardware is so scarce and so old that in most cases you will find it insufficient. Please check their website for more details. In short, in my opinion the most promising candidates are:
Desktop and Server boards
- Gigabyte GA-G41M-ES2L desktop board
- Asus KCMA-D8 server board + AMD Opteron 4200 series CPU
- Asus KGPE-D16 server board + AMD Opteron 6200 series CPU
Notebooks
- Lenovo ThinkPad X60 / X60s / T60 / T60 Tablet
- Lenovo ThinkPad X200 / X200s / X200 Tablet / R400 / T400 / T400s / T500 / W500
- Apple MacBook 2,1
Option 2: Buying an already flashed device with Libreboot
If you don’t want to risk bricking a device by flashing it yourself, there are suppliers who sell some of the boards and notebooks mentioned above already flashed for you:
- https://www.flashedtech.com
- https://shop.libiquity.com
- https://tehnoetic.com
- https://store.vikings.net
Option 3: Getting compatible hardware and flashing Coreboot on your own
Coreboot is a mainboard firmware in which most, but not all, of the proprietary code has been removed. Especially on fairly modern computers some closed, non-free parts (CPU microcode updates and, on recent Intel platforms, the FSP silicon-initialization binary) are still needed to boot the computer. All other parts of the system are open source and can be reviewed publicly. At the time of writing there are plenty of supported mainboards. The official mainboard-specific documentation lists for instance:
Mainboards
- ASRock H81M-HDS (Intel Socket 1150)
- ASRock H110M-DVS (Intel Socket 1151)
- Asus F2A85-M (AMD Socket FM2)
- Asus P5Q (Intel Socket 775)
- Asus P8H61-M LX (Intel Socket 1155)
- Asus P8H61-M Pro (Intel Socket 1155)
- Asus P8Z77-M Pro (Intel Socket 1155)
- Gigabyte GA-H61M-S2PV (Intel Socket 1155)
- Intel DG43GT (Intel Socket 775)
- MSI MS-7707 (Intel Socket 1155)
Systems
- Dell Optiplex 9010 SFF
- HP Compaq 8200 Elite SFF
- HP Z220 Workstation SFF
- HP EliteBook 2560p
- HP EliteBook 8760w
- Purism Librem Mini
- System76 Lemur Pro
Tutorial available
I have built my own custom system based on an Asus F2A85-M mainboard together with an AMD A10-5800K APU. If this way is suitable for you, you can follow the tutorial and build a system on your own. If you are not satisfied with my choice of processor, you can check out the elaboration on AMD processors without AMD PSP / Secure Technology.
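Before flashing, and again after building a coreboot image, a practitioner will want to know what is actually inside the image: whether it still carries an Intel ME region, and which CBFS entries are proprietary binaries rather than coreboot code. The script below is an added example written for this article (not code from the page, the tutorial or the coreboot project). It relies only on the published on-flash formats: the CBFS file header from coreboot’s cbfs.h (8-byte `LARCHIVE` magic followed by big-endian length, type, attributes offset and data offset, then the NUL-terminated name) and the Intel Flash Descriptor region map (signature 0x0FF0A55A, FRBA from FLMAP0, FLREG0–4) as used by ifdtool and me_cleaner. It assumes the image starts at the flash descriptor, as a full SPI dump does; the list of blob name hints and the sample image are constructed for the demo.

```python
"""Inspect a firmware image for an Intel ME region and for proprietary CBFS entries.

Added example for this article, not code from the page or from coreboot.
Assumptions: the image is a full SPI dump (flash descriptor at offset 0),
and the BLOB_NAME_HINTS list below is a hand-picked heuristic.
"""
import struct

CBFS_MAGIC = b"LARCHIVE"
# magic[8], len, type, attributes_offset, offset: all big-endian (coreboot cbfs.h)
CBFS_HEADER = struct.Struct(">8sIIII")

IFD_SIGNATURE = 0x0FF0A55A
IFD_REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]

# Name fragments that in a coreboot build usually mark non-free binaries:
# CPU microcode, Intel FSP, video BIOS tables, PCI option ROMs.  Assumed list.
BLOB_NAME_HINTS = ("microcode", "fsp", "vbt", ".rom", "blob")


def list_cbfs_files(image: bytes):
    """Return [(offset, name, type, length)] for every CBFS file header in the image."""
    files = []
    pos = image.find(CBFS_MAGIC)
    while pos != -1:
        if pos + CBFS_HEADER.size <= len(image):
            _magic, length, ftype, _attr, data_off = CBFS_HEADER.unpack_from(image, pos)
            name_start = pos + CBFS_HEADER.size
            name_end = image.find(b"\0", name_start, pos + data_off)  # name ends before data
            if name_end != -1:
                files.append((pos, image[name_start:name_end].decode("ascii", "replace"), ftype, length))
        pos = image.find(CBFS_MAGIC, pos + 1)
    return files


def suspected_blobs(files):
    """Names of CBFS entries whose name suggests a proprietary binary."""
    return [name for _, name, _, _ in files if any(h in name.lower() for h in BLOB_NAME_HINTS)]


def ifd_regions(image: bytes):
    """Map region name -> (base, limit) from the flash descriptor; None for unused regions.
    Returns None when no descriptor signature is present in the first 4 KiB."""
    sig_pos = image.find(struct.pack("<I", IFD_SIGNATURE), 0, 0x1000)
    if sig_pos == -1:
        return None
    flmap0 = struct.unpack_from("<I", image, sig_pos + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4          # flash region base address
    regions = {}
    for i, name in enumerate(IFD_REGION_NAMES):
        reg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (reg & 0x7FFF) << 12
        limit = (((reg >> 16) & 0x7FFF) << 12) | 0xFFF
        regions[name] = (base, limit) if base <= limit else None   # base > limit == unused
    return regions


def _cbfs_entry(name: str, ftype: int, data: bytes) -> bytes:
    """Build one CBFS file (header + padded name + data), 64-byte aligned."""
    raw_name = name.encode() + b"\0"
    raw_name += b"\0" * (-len(raw_name) % 16)
    header = CBFS_HEADER.pack(CBFS_MAGIC, len(data), ftype, 0, CBFS_HEADER.size + len(raw_name))
    entry = header + raw_name + data
    return entry + b"\xff" * (-len(entry) % 64)


def build_sample_image() -> bytes:
    """Constructed 16 KiB demo image: descriptor with an ME region, CBFS in the BIOS region."""
    img = bytearray(b"\xff" * 0x4000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x4 << 16)                  # FLMAP0: FRBA = 0x40
    # FLREG0..4: descriptor 0x0-0xFFF, BIOS 0x3000-0x3FFF, ME 0x1000-0x2FFF, GbE/platform unused
    for i, reg in enumerate([0x00000000, 0x00030003, 0x00020001, 0x00000FFF, 0x00000FFF]):
        struct.pack_into("<I", img, 0x40 + 4 * i, reg)
    cbfs = b"".join([
        _cbfs_entry("fallback/romstage", 0x10, b"\x90" * 40),     # type 0x10 = stage
        _cbfs_entry("cpu_microcode_blob.bin", 0x53, b"\x00" * 64),  # type 0x53 = microcode
        _cbfs_entry("pci8086,0046.rom", 0x30, b"\x55\xaa" * 8),    # type 0x30 = option ROM
        _cbfs_entry("config", 0x50, b"CONFIG_BOARD=demo\n"),       # type 0x50 = raw
    ])
    img[0x3000:0x3000 + len(cbfs)] = cbfs
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()          # replace with open("dump.bin", "rb").read() on a real dump
    regions = ifd_regions(img)
    if regions is None:
        print("no Intel Flash Descriptor found (non-Intel image, or not a full SPI dump)")
    else:
        me = regions["ME"]
        print("ME region:", "absent" if me is None else f"present at 0x{me[0]:x}-0x{me[1]:x}")
    files = list_cbfs_files(img)
    for off, name, ftype, length in files:
        print(f"  0x{off:06x} type=0x{ftype:02x} len={length:5d} {name}")
    print("suspected proprietary blobs:", suspected_blobs(files))
```

Two caveats: a present ME region only tells you the partition exists, not whether the ME firmware inside it is intact, neutered or disabled (me_cleaner keeps the region and empties it), and the name heuristic is just that; `cbfstool image.rom print` on a real build is the authoritative listing. The script is still useful as a quick offline check that an image you are about to flash is what you expect.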
Option 4: Buying an already Coreboot-compatible modern Notebook
Growing awareness of firmware security has led new manufacturers to sell specialized notebooks that ship with Coreboot. For instance:
- Purism Librem 14
- Purism Librem 15
- System76 Galago Pro, Lemur Pro and others
Option 5: Get an open source SoC / single board computer
As an alternative to the classical x86/x64 world there is also the possibility of using an ARM-based system on a chip (SoC). Some commonly used boards are listed below; feel free to search for newer ones. The fairly performant boards by Olimex in particular are certified by the Open Source Hardware Association. On Allwinner SoCs I recommend getting rid of the remaining vendor firmware by using Crust, a libre firmware for Allwinner SoCs; note that Crust replaces the firmware of the SoC’s management coprocessor (the ARISC / system control processor), which is a different component from the ARM TrustZone trusted execution environment (TEE).
| Vendor / Model | SoC architecture | Linux / FreeBSD? | Secure execution environment free? | Notes |
|---|---|---|---|---|
| Libre Computer Board ALL-H3-CC (Tritium) | Allwinner H2+/H3 (ARM Cortex-A7) or H5 (ARM Cortex-A53) | yes / yes | probably no | Only open schematics available. |
| BeagleBone Black | TI Sitara AM335x (ARM Cortex-A8) | yes / yes | yes | Implementation of TrustZone is limited by TI to high-volume customers. Documentation available. |
| OLIMEX Ltd OLinuXino | Allwinner A20 (ARM Cortex-A7), A64 (ARM Cortex-A53) | yes / yes | A20: yes; A64: possible | All A20 and A64 boards are open source hardware. Documentation available. |
Mandatory: Use an operating system which is free from proprietary undocumented code
The most open hardware isn’t good enough if you run an operating system that isn’t free. You might want to have a quick look at the pinetree of open and secure computing to get a short idea of the relevance of open hardware and software. In the following table you’ll find free and available operating systems. Further operating systems can be found at gnu.org.
| Name | Free (as in freedom) | Project active? | Available arch | Notes |
|---|---|---|---|---|
| Parabola | yes | yes | x64, i686, ARMv7 | based on Arch |
| PureOS | yes | yes | x64 | based on Debian |
| Trisquel | yes | yes | x64 | based on Ubuntu |
| Uruk | yes | yes | x64 | based on Trisquel/Ubuntu |
| Guix | yes | yes | x64, i686, ARMv7, AArch64 | GNU Guix System, with declarative (functional) package management |