[Discussion] Why nobody talks about MS Pluton?

Off-Topic discussions about science, technology, and non Debian specific topics.
Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

[Discussion] Why nobody talks about MS Pluton?

#1 Post by Hetzer »

Back in 2022 Microsoft, together with AMD, Qualcomm and Intel, put Pluton "chip-to-cloud" (yes, it's seriously called that) out into production. Pluton was announced by MS back in 2020.
It's yet another pseudo-security chip which seems to be worse than its predecessors:
  • Introduces "remote attestation", which basically means that yer hardware will regularly call the MS mothership to make sure ye run "genuine software" (whatever they mean...)
  • Unlike TPM, Pluton has a permanent identifier which doesn't change on hardware modification (I wonder if it can be used as an IMEI counterpart in computers)
  • It's designed to be root-of-trust (again, what?) for Azure Sphere IoT anomaly - not gonna lie, totally a must-have on PCs
  • Barely anything is known about it, most current articles about it are MS-biased babble about "Xbox-like "security"" for W11
Things that don't differ from predecessors:
  • Non-free blackbox
  • Enforced into hardware and can't be disabled
  • Raises security and privacy concerns
Why is there no word 'bout it anymore? There was some interest back in 2022 and today nobody mentions anything about it anymore - while it's already a real thing baked into Zen4 Ryzens (I can find no information on whether Intel Core 13th/14th generation use Pluton or still ME; as I said, there's no information or I couldn't find anything on that).
I don't know about ye, but I'm not interested in yet another blackbox which can be even more malicious than previous "security" hardware - for me AMD PSP / Intel ME raise enough controversy and concerns.
Heave 'er up, and away we'll go...

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: [Discussion] Why nobody talks about MS Pluton?

#2 Post by Uptorn »

If you mean this forum, then I think it's because most of the activity here is basically crowd-sourced tech support.

And on the other hand, there are those like myself who are perfectly happy to discuss such a thing!

Remote attestation functionality for consumer devices will most likely be used to allow/deny access to certain resources. That sounds vague; imagine one day connecting to Netflix with your l337 RISC-V hacker board computer to watch movies, and the page that loads reads something to the effect of:
"Your device is untrusted and, to protect Netflix service and Netflix users, has been blocked from accessing Netflix. For a list of Netflix compatible devices, please visit something.something.netflix.com"
The "compatible devices" being those that possess a Pluton or Pluton-like remote attestation feature. It is one of the last jigsaw pieces maneuvered into place to erect the final DRM wet dream.

This is just one example that comes to mind. "But you don't need to watch Netflix!" one might retort. That's right, and one shouldn't. But what happens if this becomes a requirement to interact with institutions? To pay your taxes or your bills or to attend a remote-only town meeting or jury? To register some form of property? If sites, both commercial and state, begin to enforce remote attestation backed by hardware such as Pluton in order to access their resources?
Hetzer wrote: it's already a real thing baked into Zen4 Ryzens
The time-of-death for freedom supporting AMD chips was back in 2013 when they began to implement user-hostile PSP into all of their CPUs. Pluton is just another nail in the coffin of its decade-old grave.
Hetzer wrote: Why is there no word 'bout it anymore?
For me, I've already written off x86 processors as a loss. The enemy has won that ground. No sense talking about something that I haven't used for years.

What does that mean in the way of solutions?

Well, there's the dead-end solution: Coreboot boards with ME disabled or neutered.

The problem with this solution is that the shores on its island of freedom are slowly being swallowed by the tide. Distributions are gradually beginning to flirt with "x86_64v2"/"x86_64v3" with the eventual prospect of dropping "x86_64v1" (i.e. x86 processors that don't have Intel ME or AMD PSP).

Coreboot along with ME_cleaner find themselves increasingly ceding ground in order to be able to bootstrap newer products. Even the lauded Libreboot has folded and implemented a "blob minimization policy". That's right, Libreboot now implements black box blobs. In my perspective, Intel (and AMD) are eventually going to win the battle to stamp out uncontrolled x86.

Therefore, I invest little effort in building my house on sand. What then, can be an exit strategy? Currently, I only see RISC-V and POWER as viable.

Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

Re: [Discussion] Why nobody talks about MS Pluton?

#3 Post by Hetzer »

Uptorn wrote: If you mean this forum, then I think it's because most of the activity here is basically crowd-sourced tech support.
I meant in general; there's barely anything on it (except the mentioned "Xbox-like "security"" babble) and most information on it is 2 years old.
Uptorn wrote: But what happens if this becomes a requirement to interact with institutions? To pay your taxes or your bills or to attend a remote-only town meeting or jury? To register some form of property? If sites, both commercial and state, begin to enforce remote attestation backed by hardware such as Pluton in order to access their resources?
"Surrender or death" - Either one will surrender to our beloved multinationals (GAFAM) or he/she'll resist it and "live under a rock" (like I do right now), being isolated from anyone else since nobody else cares 'bout corporations doing whatever-they-want with people
Uptorn wrote: Distributions are gradually beginning to flirt with "x86_64v2"/"x86_64v3" with the eventual prospect of dropping "x86_64v1" (i.e. x86 processors that don't have Intel ME or AMD PSP).
Please elaborate on that. Ye mean making that "security" hardware mandatory, an artificial "X or newer only" hardware restriction? Or something else?
Uptorn wrote: That's right, Libreboot now implements black box blobs
If they want to support anything newer, there's no other solution. "The enemy has won that ground"
x86 is ruled by our "beloved" trio: Intel, AMD and Microsoft. If they want to enroll a thing, they will. If they want to sabotage other systems, they will. We have no power there, especially when there's barely anyone to oppose them (as most end-users simply won't care).
As ye suggest, it's better to just leave it that way and let it burn itself out
Uptorn wrote: No sense talking about something that I haven't used for years.
What kind of hardware do you use? I'm fed up with x86 garbage as well and I'd like to finally use something that doesn't suffer from "mainstream" cancer.
Heave 'er up, and away we'll go...

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: [Discussion] Why nobody talks about MS Pluton?

#4 Post by Uptorn »

Ubuntu, Red Hat and openSUSE have already openly discussed building packages for x86_64v2/v3 while maintaining "pathways" for users on "legacy" hardware. The problem is that software compiled for v2+ fundamentally cannot be run on v1. It is not backward compatible.

Serpent OS is already charging ahead with dropping x86_64v1. They're not even waiting around.
So all those on Librebooted and Corebooted pre-ME/PSP era laptops and desktops are going to find an ever shrinking pool of available Linux distributions that support their hardware. They will most certainly be told by outsiders "Just maintain your own distro fork!" or "Just upgrade your hardware, sheesh!" without any awareness as to why somebody would opt to run Coreboot/Libreboot x86 devices.

This whole x86_64 feature level is aside from the very natural fact that the newest, fastest x86 chips that one can obtain which are not encumbered by ME/PSP/Pluton are already over a decade old. It will eventually become impractical to run those liberated systems just on the basis of performance.

I have a mixed bag of devices with different CPU architectures, as I want to cast a wide net. There is no guarantee that any one non-x86 architecture is going to succeed or remain viable.

Inexhaustive list:
  • Old pre-ME/PSP era x86 desktops & laptops, some with Coreboot, others just with IPMI/BMC disabled
  • Olimex open source ARM-based devices (however, ARM remains encumbered with "TrustZone", the ARM equivalent of PSP and in fact the basis of AMD's PSP)
  • At least two functional devices from Raptor Computing Systems
  • Looking to obtain RISC-V boards, once SiFive's graduate from being "development" products
[attachment: psp.png]
This is not to despair! It is rather exciting that we have several off ramps to choose from. Development in the other ISAs is active and growing, as best I can tell, with Debian now officially supporting both RISC-V and POWER. And while I speak very tepidly about coreboot and me_cleaner, I think that the work those guys are doing has been commendable and a crucial stepping stone for those of us seeking to divorce from where x86 is headed.

Indeed we've lost a few "battles", but the "conflict" at hand is only just escalating and we have several great allies right out of the gate. :D
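The post above says that binaries built for x86_64v2 or v3 will not run on v1 hardware, so the practical question for anyone on a Coreboot/Libreboot-era machine is which level their CPU actually provides. The script below is an added example written for this thread, not something posted by Uptorn or taken from any distribution's tooling. It classifies a CPU from the `flags` line of `/proc/cpuinfo`, using the feature sets the x86-64 psABI assigns to each level (v2: CMPXCHG16B, LAHF/SAHF, POPCNT, SSE3/SSSE3/SSE4.1/SSE4.2; v3: AVX, AVX2, BMI1/2, F16C, FMA, LZCNT, MOVBE, XSAVE; v4: the AVX-512 F/BW/CD/DQ/VL set) under the names the Linux kernel uses for those flags (`abm` is the kernel's name for LZCNT). The sample flag lines are constructed for illustration, not real dumps. A CPU missing even one flag of a level is reported at the level below, which is exactly the case where a v3-only package set would fail to run.

```sh
#!/bin/sh
# Added example: classify an x86 CPU's psABI feature level from its
# /proc/cpuinfo flag list. Level definitions follow the x86-64 psABI;
# flag names are the ones the Linux kernel prints (assumption: kernel naming).

# Flags required per level (all of them), in /proc/cpuinfo spelling.
V2_FLAGS="cx16 lahf_lm popcnt sse3 ssse3 sse4_1 sse4_2"
V3_FLAGS="avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"
V4_FLAGS="avx512f avx512bw avx512cd avx512dq avx512vl"

# has_all FLAGS REQUIRED -> succeeds only if every word of REQUIRED is in FLAGS.
# Spaces are padded on both sides so "sse4_1" cannot match inside "sse4_12".
has_all() {
    for f in $2; do
        case " $1 " in
            *" $f "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# x86_level FLAGS -> prints the highest level whose flags are all present.
# Levels are cumulative: v3 requires everything in v2, v4 everything in v3.
x86_level() {
    has_all "$1" "$V2_FLAGS" || { echo "x86-64-v1"; return 0; }
    has_all "$1" "$V3_FLAGS" || { echo "x86-64-v2"; return 0; }
    has_all "$1" "$V4_FLAGS" || { echo "x86-64-v3"; return 0; }
    echo "x86-64-v4"
}

# Constructed sample flag lines (illustrative, not captured from real machines).
SAMPLE_V1="fpu vme de pse tsc msr pae mce cx8 sse sse2 ht lm"
SAMPLE_V2="fpu sse sse2 sse3 ssse3 sse4_1 sse4_2 cx16 lahf_lm popcnt avx"
# Everything v3 needs except movbe: one missing flag drops it back to v2.
SAMPLE_V3_MINUS_MOVBE="sse3 ssse3 sse4_1 sse4_2 cx16 lahf_lm popcnt avx avx2 bmi1 bmi2 f16c fma abm xsave"
SAMPLE_V3="sse3 ssse3 sse4_1 sse4_2 cx16 lahf_lm popcnt avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"

# Report the samples, then the running machine if /proc/cpuinfo is readable.
for s in "$SAMPLE_V1" "$SAMPLE_V2" "$SAMPLE_V3_MINUS_MOVBE" "$SAMPLE_V3"; do
    echo "sample -> $(x86_level "$s")"
done
if [ -r /proc/cpuinfo ]; then
    live_flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    echo "this machine -> $(x86_level "$live_flags")"
fi
```

On systems with glibc 2.33 or newer the dynamic loader reports the same thing from the library side: `/lib64/ld-linux-x86-64.so.2 --help` lists the `glibc-hwcaps` subdirectories (`x86-64-v2`, `x86-64-v3`, `x86-64-v4`) and marks which are supported by the running CPU; the script above is useful where that loader is not present or when checking a flag list copied from another machine.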

pizza-rat
Posts: 91
Joined: 2023-05-16 21:38
Has thanked: 39 times
Been thanked: 21 times

Re: [Discussion] Why nobody talks about MS Pluton?

#5 Post by pizza-rat »

Hetzer wrote: 2024-02-21 12:40 Why there's no word 'bout it anymore?
Maybe I'm just in the dark here, but I get the sense that the "privacy community" or whatever you'd like to call it is quite scattered and has a constant influx of both new topics and new users asking about the same old topics that have already been answered before (because a lot of these communities are on modern disposable social media platforms rather than on something better structured like a real forum).

Does anybody know of a good website/resource for keeping up with this stuff in a sane way? I don't use social media.

Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

Re: [Discussion] Why nobody talks about MS Pluton?

#6 Post by Hetzer »

Legacy x86 is a short-term solution and not an economical one, as older Intels (Pentium D era, specifically) tend to chew up a lot of power. Early AM3 (~2009) may be the way, but only for basic tasks (I happen to operate one Athlon II X250 machine, which is the grandparents' computer). But still, legacy x86 has non-free microcode and, in case of AMD, non-free graphics firmware.
And well, there's one more problem with older x86 (and especially with LGA 775 and AM2 ones): they are all reaching literal end-of-life. Of every LGA 775 (Pentium D, Core Duo, etc.) board I've had, none survived. The last being an Asus P5N-D which died just recently.
The most durable x86s I've stumbled upon are Compaq d510 SFFs, which are at least 21-year-old (!) chariots. And yet, these are IA-32, so it's a dead end as well.

POWER9-based systems from RCS are way too expensive, especially for an Eastern European like me ($5600 for a 4-core desktop with Broadcom NICs doesn't sound convincing).
ARM ain't a solution either, it's a proprietary architecture encumbered with the mentioned TrustZone - it's like switching from Intel ME to AMD PSP or vice versa.

RISC-V, though its market hasn't yet matured, seems to be the way to go, especially with the mentioned SiFive or MilkV - way cheaper, and some boards already look superior to x86 (i.e. MilkV Pioneer with its 2 GHz 64-core processor).
Currently I won't buy anything as I have no funds for that (and my newest PC is barely a month old), but I think I'm safe to decide that my current daily driver is the last x86 ever bought by me.
Uptorn wrote:Ubuntu, Redhat and OpenSuse have already openly discussed building packages for x86_64v2/v3 while maintaining "pathways" for users on "legacy" hardware. The problem is that software compiled for v2+ fundamentally cannot be run on v1. It is not backward compatible.
I believe that Debian won't drop x86_64v1 any time soon. And even if it does, we still have *BSD as a last resort.
pizza-rat wrote: Does anybody know of a good website/resource for keeping up with this stuff in a sane way? I don't use social media.
I don't know any, sadly. I don't use social media either, and free alternatives don't look promising or free-speech-respecting either.
I just scan a lot of forums (especially this forum and FreeBSD's), sometimes mailing lists, and if I find anything I verify it by searching for information on it
And well, sometimes I get to know about something while browsing that "least evil" non-free marketplace platform of my country, since sellers tend to advertise non-free pseudo-functions as "features".
pizza-rat wrote: Maybe I'm just in the dark here, but I get the sense that the "privacy community" or whatever you'd like to call it is quite scattered and has a constant influx of both new topics and new users asking about the same old topics that have already been answered before (because a lot of these communities are on modern disposable social media platforms rather than on something better structured like a real forum).
True, we need a real forum for that. Maybe it's time to create one?
Heave 'er up, and away we'll go...

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: [Discussion] Why nobody talks about MS Pluton?

#7 Post by Uptorn »

Hetzer wrote: 2024-02-22 11:38 And well, there's one more problem with older x86 (and especially with LGA 775 and AM2 ones): they are all reaching literal end-of-life. Of every LGA 775 (Pentium D, Core Duo, etc.) board I've had, none survived. The last being an Asus P5N-D which died just recently.
The most durable x86s I've stumbled upon are Compaq d510 SFFs, which are at least 21-year-old (!) chariots. And yet, these are IA-32, so it's a dead end as well.
I am curious how these parts died?
Hetzer wrote: POWER9-based systems from RCS are way too expensive, especially for an Eastern European like me ($5600 for a 4-core desktop with Broadcom NICs doesn't sound convincing).
The Broadcom firmware was, for a time, the only component on Raptor systems to contain non-free firmware. But it has since been reverse engineered, correcting Broadcom's poor design choices along the way, and all Raptor boards shipped since then include the improved libre firmware for the Broadcom controller.
Hetzer wrote: ARM ain't a solution either, it's a proprietary architecture encumbered with the mentioned TrustZone - it's like switching from Intel ME to AMD PSP or vice versa.
Agree. However, it is a varied landscape, and not all ARM implementations suffer the presence of Trustzone. For example, the Allwinner A20 family chips used in some Olimex products are free of such execution environments.
Hetzer wrote: I believe that Debian won't drop x86_64v1 any time soon. And even if it does, we still have *BSD as a last resort.
In true Debian fashion, Debian will probably be the last to adopt such a build strategy.
pizza-rat wrote: Does anybody know of a good website/resource for keeping up with this stuff in a sane way? I don't use social media.
Hetzer wrote: I don't know any, sadly. I don't use social media either, and free alternatives don't look promising or free-speech-respecting either.
I just scan a lot of forums (especially this forum and FreeBSD's), sometimes mailing lists, and if I find anything I verify it by searching for information on it
The nature of people who care about digital freedom and privacy also means that the online spaces they create tend to be fractured, short-lived and relatively unknown.
pizza-rat wrote: Maybe I'm just in the dark here, but I get the sense that the "privacy community" or whatever you'd like to call it is quite scattered and has a constant influx of both new topics and new users asking about the same old topics that have already been answered before (because a lot of these communities are on modern disposable social media platforms rather than on something better structured like a real forum).
Hetzer wrote: True, we need a real forum for that. Maybe it's time to create one?
I see the most promise in federated social networking leveraging the ActivityPub protocol. This way, smaller instances can live and die, yet the larger network will remain.

pizza-rat
Posts: 91
Joined: 2023-05-16 21:38
Has thanked: 39 times
Been thanked: 21 times

Re: [Discussion] Why nobody talks about MS Pluton?

#8 Post by pizza-rat »

Hetzer wrote: 2024-02-22 11:38 I believe that Debian won't drop x86_64v1 any soon. And even if it does, we still have *BSD as a last resort
Perhaps Gentoo as well? Though the compile times could be rough (assuming there aren't binary packages available, binary options have gotten a lot of work on Gentoo lately).
Hetzer wrote: 2024-02-22 11:38 and free alternatives don't look promising or free-speech-respecting either
I wish they would stop focusing on just making "privacy respecting" and "decentralized" versions of Facebook, Twitter and Reddit and instead focus on a format that isn't complete trash.

Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

Re: [Discussion] Why nobody talks about MS Pluton?

#9 Post by Hetzer »

Uptorn wrote: I am curious how these parts died?
One day it would just not boot up anymore and give no error beeps / any signs of life but the CPU fan whirring at low speed (if present, chassis fans would run at full speed). The board could be left completely untouched yet it would still die one day. In case of the mentioned P5N-D it showed bad signs before death (constant resetting, random POST problems etc.); the rest of the boards I've had passed away with no prior warning.
Uptorn wrote:The broadcom firmware was, for a time, the only component on Raptor systems to contain non-free firmware. But it has since been reverse engineered, correcting Broadcom's poor design choices along the way, and all Raptor boards shipped since then include the improved libre firmware for the broadcom controller.
Nice to hear that it got freed (but I think they should go with another brand instead, as they support Broadcom's doings by still buying their hardware).
However I'm still of the opinion that RISC-V is the way to go, as there are already nice options to choose from (which are better in terms of price).
Uptorn wrote: The nature of people who care about digital freedom and privacy also means that the online spaces they create tend to be fractured, short-lived and relatively unknown.
Sadly it's just hard to get even noticed in corporate Web of today, as there are possibly millions of crappy sites, "cloud"-whatever things etc. per one article / site actually worth anything. A little piece o' gold in a huge stack of poisonous needles
And well, I do believe that most who care are introverts (or even asocial), so they ain't fond of writing 'bout anything
pizza-rat wrote: Perhaps Gentoo as well? Though the compile times could be rough (assuming there aren't binary packages available, binary options have gotten a lot of work on Gentoo lately).
It may be, why not? De facto anything that cares about older hardware will do the work
pizza-rat wrote: I wish they would stop focusing on just making "privacy respecting" and "decentralized" versions of Facebook, Twitter and Reddit and instead focus on a format that isn't complete trash.
So true. We don't need our own twitters, reddits and all of this crap
I see no sense in making 1:1 free alternative to something that's flawed by design
Uptorn wrote: I see the most promise in federated social networking leveraging the ActivityPub protocol. This way, smaller instances can live and die, yet the larger network will remain.
I think that for anything "better structured" it's better to make a traditional forum instead and maintain (but not by the same person) remote 1-to-1 copies (so in case of downtime it'll still be there).
(Again, I think) It'd be hard to keep everything and everyone organized when there's no "shepherd" to take care of it. Unlike social media / messengers, forums or anything that'd work as a "news aggregator" need solid moderation.
Heave 'er up, and away we'll go...

Uptorn
Posts: 244
Joined: 2022-01-22 01:07
Has thanked: 210 times
Been thanked: 56 times

Re: [Discussion] Why nobody talks about MS Pluton?

#10 Post by Uptorn »

pizza-rat wrote: 2024-02-22 19:28 I wish they would stop focusing on just making "privacy respecting" and "decentralized" versions of Facebook, Twitter and Reddit and instead focus on a format that isn't complete trash.
I am not enthusiastic about lemmy or mastodon, but it is encouraging even to see the crappy formats attain some success.
Hetzer wrote: 2024-02-22 21:51 One day it would just not boot up anymore and give no error beeps / any signs of life but the CPU fan whirring at low speed (if present, chassis fans would run at full speed). The board could be left completely untouched yet it would still die one day. In case of the mentioned P5N-D it showed bad signs before death (constant resetting, random POST problems etc.); the rest of the boards I've had passed away with no prior warning.
Could be a matter of bad capacitors. Especially from that era of Pentium D when everything was running the cheap soft capacitors.
