me_cleaner
src
Our great sponsors
me_cleaner | src | |
---|---|---|
97 | 745 | |
4,352 | 3,041 | |
- | 1.6% | |
0.0 | 10.0 | |
over 1 year ago | 5 days ago | |
Python | C | |
GNU General Public License v3.0 only | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
me_cleaner
-
Power issue with my X250. Time to upgrade? (more info in comments)
Some times Intel version of Lenovo have a problem with Intel ME , check this out. LINK
-
System76's Coreboot Open Firmware Manages to Disable Intel Me for Raptor Lake
Yes; there are several ways, depending heavily on the version, and ranging from most trustworthy to least trustworthy:
* By patching the ME firmware itself - see the me_cleaner project, and methods documented here: https://puri.sm/posts/deep-dive-into-intel-me-disablement/ . This is Pretty Reliable; the runtime code has been deleted from flash.
* By setting a bit in the flash configuration, assumed to be added for the US High Assurance program: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bi... , https://www.ptsecurity.com/ww-en/analytics/disabling-intel-m... . This is Mostly Reliable; the mechanism has been fairly aggressively reverse engineered and was added for a program with strict requirements.
* By sending an HECI command that says "hey ME, turn off your runtime" https://review.coreboot.org/c/coreboot/+/52800 . This is Somewhat Reliable; the method is well understood and seems to work but I'm not sure someone has done a deep dive audit into whether it could be re-enabled somehow.
-
Modern CPUs have a backstage cast
"...this is interesting is because POWER9 is basically the first time the public got a real view of how sophisticated the backstage cast actually is of a modern server CPU."
Not quite correct; the OpenSPARC T1 and T2 were publicly released and available by 2008.
https://www.oracle.com/servers/technologies/opensparc.html
"Large parts of this process are handled by vendor-supplied mystery firmware blobs, which may as well be boxes with “???” written in them.
The maintainers of the me_cleaner script likely have the clearest view of what is known.
https://github.com/corna/me_cleaner
- What is the most trusted hardware most OpenBSD people would suggest?
-
Let's find our next HW wallet
Your dedicated laptop with disabled Intel ME running OpenBSD might be the gold standard choice for your hardware wallet. Main discussion here.
-
Laptop with deactivated Intel ME running OpenBSD as a hardware wallet for top cryptos
I consider a dedicated laptop with deactivated Intel ME running OpenBSD (maybe from USB flash) can be a much secure alternative to a proprietary hardware wallet connected to your casual multi-purpose laptop.
-
On Intel ME
On a side note, if Intel has made it this hard to disable Intel ME, is the US government happy with this change? It was them who got the HAP bit part working, and I do not see any news suggesting they have another trick to disable Intel ME. Should I just assume that this still works? Has anybody here tried? And does me_cleaner still work (last updated in 2018: https://github.com/corna/me_cleaner)?
-
I ordered my first laptop from System76. I'm so excited
This is incorrect. Intel ME has an internal disablement mechanism: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit this is the mechanism that it used by S76 and Purism.
- linux and tails compromised? if this is real we lost all privacy. found it on twitter
-
Why I Use Old Hardware
If you are sensitive about the Intel Management Engine, the original Core 2 Duo/Quad systems are the last where it could be fully disabled.
Anything later will forcibly shut down after 30 minutes if (at least a fragment of) Intel's closed & bug-ridden monitoring code is not present.
I ran me_cleaner on a few of these systems, and I do all my finances with them running OpenBSD (usually on q9550s).
Yes, this effort to run old hardware is worth it for me. Below are the bios images that I was able to produce:
https://github.com/corna/me_cleaner/issues/233
src
-
OpenBSD Upgrade 7.3 to 7.4
The OpenBSD project released 7.4 of their OS on 16 Oct 2023 as their 55th release 💫
-
OpenBSD System-Call Pinning
Well since https://www.openbsd.org/ still says
> Only two remote holes in the default install, in a heck of a long time!
I'm assuming not, but I could always be mistaken.
- Project Bluefin: an immutable, developer-focused, Cloud-native Linux
-
From Nand to Tetris: Building a Modern Computer from First Principles
> building a cat from scratch
> That would be an interesting project.
Here is the source code of the OpenBSD implementation of cat:
> https://github.com/openbsd/src/blob/master/bin/cat/cat.c
and here of the GNU coreutils implementation:
> https://github.com/coreutils/coreutils/blob/master/src/cat.c
Thus: I don't think building a cat from scratch or creating a tutorial about that topic is particularly hard (even though the HN audience would likely be interested in it). :-)
-
OpenBSD – pinning all system calls
> I don't know how they define `MAX`, but I'm guessing it's a typical "a>b?a:b"
Indeed: https://github.com/openbsd/src/blob/master/sys/sys/param.h#L...
> Then `SYS_kbind` seems to be a signed int.
It's an untyped #define: https://github.com/openbsd/src/blob/master/sys/sys/syscall.h...
I believe your whole analysis is correct, that running an elf file with an openbsd.syscalls entry with .sysno > INT_MAX will allow an out-of-bounds write.
- Une nouvelle mise à jour de Systemd permettra à Linux de bénéficier de l'infâme "écran bleu de la mort" de Windows, mais la fonctionnalité a reçu un accueil très mitigé
-
tmux causing ANSI color-response garbage on attaching?
I can reproduce it. And this is the commit that causes the issue: https://github.com/openbsd/src/commit/d21788ce70be80e9c4ed0c52c149e01147c4a823
-
Sudo-rs' first security audit
This doesn’t really change your conclusion, but I think that’s the wrong file. This is the real doas afaict: https://github.com/openbsd/src/blob/master/usr.bin/doas/doas...
Still just a tidy 1072 lines in that folder though.
I spent 5 minutes staring at your file trying to understand how on earth it does the things in the man page, but of course it doesn’t.
-
OpenBSD: Removing syscall(2) from libc and kernel
OpenBSD developers are making serious effort to kill off indirect syscalls, the base system is completely clean, take a look at the work Andrew Fresh did to adapt Perl. He write a complete syscall "dispatcher" or emulator for the Perl syscall function so that it calls the libc stubs.
https://github.com/openbsd/src/commit/312e26c80be876012ae979...
The ports tree is also being cleansed of syscall(2) usage, until they're all gone.
msyscall, pinsyscall, recent mandatory IBT/BTI, xonly. OpenBSD is making waves, but people aren't really seeing them yet.
-
"<ESC>[31M"? ANSI Terminal security in 2023 and finding 10 CVEs
Actually, I got it wrong, too many vulnerabilities in flight. They did fix it: https://github.com/openbsd/src/commit/375ccafb2eb77de6cf240e...
What are some alternatives?
firmware-open - System76 Open Firmware
cosmopolitan - build-once run-anywhere c library
thinkpad-firmware-patches - Collection of ThinkPad UEFI patches.
bastille - Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.
t430-coreboot - coreboot rom for thinkpad t430
buttersink - Buttersink is like rsync for btrfs snapshots
coreboot - DEPRECATED: coreboot on the w541. See link below.
PHPT - The PHP Interpreter
cadmium - [Moved to: https://github.com/Maccraft123/Cadmium]
Joomla! - Home of the Joomla! Content Management System
thepyphone - Voice and SMS/MMS on a Raspberry Pi 3B+
ctl - The C Template Library