With the recent push of ARM processors and ARM laptops, I haven’t seen much discussion in privacy communities regarding the security of the ARM architecture in comparison to x86. Does anyone have any resources they could link on this, or have any knowledge in this area?
Following.
The ISA (arm64) itself has virtually no impact on security or privacy. The differences will come down to the specific features of each individual processor.
It’s not comparable to Intel because ARM processors aren’t the same. Arm the company makes Cortex cores that other companies (like MediaTek for example) can buy off the shelf as-is, so that’s one type of ARM processor.
Companies like Apple, Qualcomm (maybe), and Samsung have a different agreement with Arm called an architecture license, which basically means they’re buying the rights to use Arm’s trademarks and the ARM architecture. But otherwise the design and features of each CPU are entirely up to the designing company without Arm’s involvement.
Basically, all these processors like ARM Cortex, Apple Silicon, and Qualcomm Snapdragon have nothing to do with each other, other than that they all implement the full ARM instruction set at minimum.
So if the question is “ARM vs x86” the answer is that there is no security benefit or cost in either case, but that doesn’t give you a good idea of the actual products you’re buying.
There are many differences between the real world products that use ARM or x86, but the question you’d have to ask is “Apple Silicon vs Intel” (or “Snapdragon X Elite vs Intel”, etc.), picking a specific implementation of ARM and x86 to compare.
If I told you about the security benefits of Apple Silicon, that would tell you nothing about the security benefits of Snapdragon, even though they’re both ARM.
Ultimately it doesn’t matter too much though, because consumers and the industry as a whole have decided that performance is more important than security. This is why we’re still finding things like speculative execution attacks in Apple and Qualcomm chips 6 years after Spectre/Meltdown were originally discovered.
The main security benefit of most ARM chips for now is that they don’t have garbage like an entire networked OS running in Intel ME or AMD PSP yet. Nothing about the architecture would prevent a chip designer from doing that though, so it isn’t inherently ARM-related. It’s just because Apple/Qualcomm seem to be more competent than Intel these days.
Thank you for your detailed answers. All very informative.
About this, there are two things to note: @duck
- Intel ME helps manage some security features such as Boot Guard iirc, so it might be actually useful
- x86_64 CPUs can support encrypted memory, which afaik no ARM-based platform has ever supported.
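The point above is a capability question, and the quickest way to see what a given x86 CPU actually advertises is to look at its flag list. The following is an added example, not code from anyone in this thread: it parses the `flags` line of a Linux `/proc/cpuinfo` dump and reports the memory-encryption feature bits the kernel names (`sme`, `sev`, `sev_es`, `sev_snp` for AMD, `tme` for Intel). The two `cpuinfo` excerpts embedded in it are constructed for the example, not captured from real hardware; the arm64 one is there to show that an arm64 kernel prints a `Features` line rather than an x86 `flags` line, so the check reports nothing for it.

```python
# Added example (not from the forum thread): report x86 memory-encryption
# capability bits from a Linux /proc/cpuinfo dump. Flag names are the ones
# the Linux kernel prints; both cpuinfo excerpts below are constructed for
# this example rather than captured from a real machine.

# Kernel cpuinfo flag -> feature it advertises.
MEMORY_ENCRYPTION_FLAGS = {
    "sme": "AMD Secure Memory Encryption",
    "sev": "AMD Secure Encrypted Virtualization",
    "sev_es": "AMD SEV Encrypted State",
    "sev_snp": "AMD SEV Secure Nested Paging",
    "tme": "Intel Total Memory Encryption",
}

# Constructed sample: an AMD server-style cpuinfo with a truncated flags line.
SAMPLE_AMD = """processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: constructed sample
flags\t\t: fpu vme de pse sse sse2 ht syscall nx lm sme sev sev_es
"""

# Constructed sample: an arm64 cpuinfo, which has a 'Features' line instead.
SAMPLE_ARM64 = """processor\t: 0
BogoMIPS\t: 50.00
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics
CPU implementer\t: 0x41
"""


def parse_x86_flags(cpuinfo_text):
    """Return the flag set from the first x86 'flags' line, or an empty set."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, value = line.partition(":")
            return set(value.split())
    return set()


def memory_encryption_support(cpuinfo_text):
    """Map each advertised memory-encryption flag to its description."""
    flags = parse_x86_flags(cpuinfo_text)
    return {f: d for f, d in MEMORY_ENCRYPTION_FLAGS.items() if f in flags}


def report(cpuinfo_text):
    """One-line human-readable summary for a cpuinfo dump."""
    found = memory_encryption_support(cpuinfo_text)
    if not found:
        return "no x86 memory-encryption flags advertised"
    return ", ".join(f"{f} ({d})" for f, d in found.items())


if __name__ == "__main__":
    # Use the live /proc/cpuinfo when it exists, then always show the samples.
    try:
        with open("/proc/cpuinfo") as fh:
            print("this machine:", report(fh.read()))
    except OSError:
        pass
    print("constructed AMD sample:", report(SAMPLE_AMD))
    print("constructed arm64 sample:", report(SAMPLE_ARM64))
```

One caveat when using this on a real box: a flag only says the CPU advertises the capability. Whether memory encryption is actually active depends on firmware settings and kernel configuration, which the kernel reports separately in its boot log, so the flag check is the first step and not the whole answer.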
Well that has nothing to do with what I said. A security feature implemented in an insecure manner (in Intel ME’s case) might be better than nothing, but is obviously worse than an equivalent feature that isn’t implemented on top of an insecure platform. It could make sense to argue that Intel ME is good if you’re comparing “an Intel CPU with Intel ME” to “an Intel CPU without Intel ME” I suppose, but that doesn’t matter if you’re comparing to most (all?) of the consumer ARM platforms we’re talking about here.
This is an interesting discussion. How risky is the Intel ME? I have heard about the problem for years. I mean, millions of people use Intel CPUs today, so what are they exposed to? How critical is the flaw? Is it really meaningful enough to make one choose an AMD CPU because of this single criterion? Are there things product owners can do to mitigate the risks?
Well, AMD is not better. Arguably a lot worse. Kind of off topic here though since we have other discussions about Intel ME already where I’ve explained all these things in detail:
The TL;DR is that there are many real-world risks and vulnerabilities which have already been exploited, so not just theoretical, but whether you’re going to be affected… I couldn’t tell you. It’s pretty much only going to be against very at-risk individuals or orgs, typical users probably shouldn’t worry.
Although there are options to reduce your attack surface for current Intel owners, it’s debatable whether you should. I’d never generally recommend disabling Intel ME, which is why that topic isn’t on our site.
The only great way to mitigate the risk is simply to avoid it entirely. Personally, I’ll never buy (and will rarely recommend) an Intel or AMD computer again though. Qualcomm X Elite ARM laptops will be out pretty soon with first-party native Linux support, so I think that’ll probably be the go-to for many people interested in privacy within the next few years. If you’re a Windows or especially macOS user there are already good ARM solutions, so it’s good that Linux is catching up.
I would imagine avoiding Intel and buying ARM will almost certainly be in our hardware recommendations within the next 5 years max, but there simply aren’t really good Linux options today to do so. Obviously we’ll have to test and see if Qualcomm’s solution is actually good when they’re released, I’m just hopeful it will be. If you’re buying a new computer now, I probably wouldn’t sweat it tbh.