Hi Paul,
I noticed that you select hardware with Intel chipsets in your Start9 server builds.
What are your thoughts about AMD chipsets in regards to security concerns like the Intel AMT issue?
I built a barebones Minisforum UM890 Pro from parts that I found on Amazon.
(The UN1265 was not available, and the Start9 servers were all sold out.)
The UM890 Pro comes with the AMD Ryzen 9 8945HS (8C/16T, up to 5.2GHz).
I thought I might avoid the whole Intel AMT issue by going with an AMD chip.
But the more I research online, the more it seems that AMD has their own version of Intel AMT.
When I look up the specs of the AMD Ryzen 9 8945HS,
it says: AMD PRO Technologies = No
So, I am crossing my fingers and hoping that it is secure.
But, how could I check an AMD chipset?
Maybe I should build a second server like the UN1265 to put Bitcoin/Lightning/Mission Critical things on? Then just use the UM890 for something like NextCloud to store photos from my cellphone on?
What is really at risk with Intel AMT anyway?
Somebody could steal your Sats off of your Lightning node?
One of the 3Letter agencies or Putin could log in and power down your nodes?
How much paranoia is healthy?
The primary risk would be an exploit in the remote control logic (I know this has been exploited at least once before). I also would not put it past the 3 letter agencies to have agreements with the chip manufacturers to put in back doors in their code. I am working on a video for how to install CoreBoot and disable IME altogether like Start9 did with the Server Pure. The two devices I acquired for this are Intel, though (I really should get some more experience with AMD).
This video will be “Solid Gold” in my opinion!
I will be anxiously awaiting its release.
You did an in-depth job in your video “Start 9 Server Pure, but Half the Price” of showing how to identify if a computer has Intel AMT on it.
My next question was going to be… “Where can I learn how to turn it off when I find it?”
AMD got its own equivalent called PSP. Fun stuff. As far as Coreboot on old machines, it sounds great if you can pull it off, but you may brick it if something goes bad.
If you buy one that is pre-installed with Coreboot/Libreboot, is it possible to verify that it is indeed a legit installation and they did not put something funny?
There’s also the issue of no microcode updates on old computers. However, you have to consider what is a bigger risk: no microcode updates, or microcode updates which may or may not introduce backdoors… so yeah, your turn. At this point, I would rather know what is going on in the code.
I’m not sure on the Coreboot installation verification. I’ll look into it to see if they use signatures or anything like that which could be verified.