Linux Laptops? System76? Other options?

Every software has vulnerabilities and so does most hardware.

No it shouldn’t, since it will make important security features unavailable. The only thing which should be deactivated is remote functionality, which is deactivated in non-enterprise environments anyway by default.

It increases attack surface, due to having fewer security features, which outweighs the downsides.

Running modern Linux doesn’t mitigate missing hardware security features, lack of good firmware or lack of firmware updates in any meaningful way.

3 Likes

How can this be verified?

1 Like

It is probably true that hardware vulnerabilities like IME are not a threat to me but there is something near my core that is fairly bothered by IME and PSP and the access they potentially have.


Would like to expand the discussion to AMD PSP, if possible. I read this recently over at anonymousplanet.org:

“we recommend the use of AMD CPUs instead of Intel CPUs.”

“AMD laptops could be more interesting as some provide the ability to disable AMD PSP (the AMD equivalent of Intel IME) from the BIOS/UEFI settings by default. And, because AFAIK, AMD PSP was audited and contrary to IME was not found to have any “evil” functionalities.”

“AMD PSP does not provide any remote management capabilities contrary to Intel IME.”

Does anyone agree with this? Would you recommend AMD over Intel?

Does anyone have knowledge of laptops that allow disabling PSP in BIOS? Can it be confirmed to be disabled?

Can anyone confirm that PSP does not have remote management capabilities?

Thanks

2 Likes

Anonymous planet isn’t really a good source of anything. They come up with arbitrary reasons for a lot of things based on hearsay. They’ve also got a tendency to have a very confused threat model “one minute not protect you from NSA”, next minute “do this thing to make you NSA proof”, depending on the frame of mind of the writer and which contributor it was.

Which again shows how little they know about it. That’s a part of AMT and not available in non vPro CPUs. The fact is Ryzen Pro is in very few laptops, so doubtful anyone has checked those units, but they certainly advertise a similar feature in their professional CPUs.

The problem is people in privacy communities hear remote management and lose their shit. This is not a privacy issue, the “remote management” would be managed by you, as you are the owner 100%. It’s not some special magical backdoor for employees at Intel/AMD. It is designed for an IT management team which might be managing 500 of these laptops for an enterprise. Anyone who has managed an enterprise server will be aware of things like iLO, DRAC, MegaRAC (or more generally known by its non-brand name as IPMI).

That is what the feature is for, and why it is only in “professional CPUs” like vPro and Ryzen Pro, which are only in some business grade models, e.g. Thinkpad workstations, Latitudes, Precisions etc.

That is however the kind of CPU you need if you want to reach the higher HSI levels - like HSI 4.

Not particularly, anything that could happen with Intel is just as equally possible with AMD.

Cannot be done. In any case things like MEcleaner are ancient anyway and not really applicable to any modern CPU beyond 8th gen Intel.

6 Likes

Here are all the Linux + Coreboot vendors that I know of:

  • Starlabs (Non Clevo)
  • NovaCustom (Heads option)
  • System76
  • Purism (Heads option aka)
  • Nitrokey (Heads option same as NovaCustom. They also sell a desktop with Coreboot)
  • MALIBAL (they sell Tuxedo’s InfinityBook with Coreboot pretty much)

This made me laugh out loud. Love it. Thank you for your comments.

1 Like

When I was shopping for one a year ago, I found “Laptops with Linux” to be the best, considering customization, price and reliable reviews. I have since found their laptop and customer service to be perfect. No issues.

I highly, highly recommend. Not only to the standard user, but to the privacy extremist who wants their laptop shipped with the camera/mic and wifi/bluetooth module removed, with Kali pre-installed.

They have a deal with Mullvad if you want to get a subscription voucher.

I genuinely felt injustice on their behalf… seeing that nobody has yet mentioned them.

1 Like

I currently use an Asus laptop. This is the list on the Arch wiki of what works and what won’t. There are lists for other manufacturers as well.

  • They install Linux well.
  • The non-Nvidia GPUs work great out of the box for Fedora.

My current laptop’s fingerprint sensor doesn’t work with Linux. There is another list for what parts work and what doesn’t. I was not aware of the site before my purchase.


Alternatively, the Steam Deck is a capable Linux device and you can exit into Arch.

The optics of having a Steam Deck for a portable computer look bad for work though. Valve does good work with Linux but isn’t really privacy centric.

I’m thinking the GPD small laptop devices should also work fine?

Framework Linux battery life varies wildly based on reviews.

https://www.reddit.com/r/framework/comments/w96xda/whats_the_deal_with_this_battery_life/?rdt=33960

Unless you need x86 applications you should consider buying a tablet with a keyboard and thus essentially turning it into a laptop. Maybe buy a mouse too. iPads generally have great security, but so does a Pixel Tab with GrapheneOS installed. Just some food for thought. There may be drawbacks for your workflow if you rely on desktop software like the Adobe suite or Office, though you may be able to substitute them with alternative or web-based apps.

I was able to get a lot more battery life by using these suggestions: Optimizing Fedora Battery Life

That is also good. Didn’t know there were multiple guides.

But even then, the fact that this is not working by default is concerning; this particular tester found that the default Fedora battery usage is extraordinarily high compared to other distros in his tests: https://youtu.be/S4Dr8qVHDmc

Also this is really subjective but I would rather have an easily repairable, versatile IO that is not changeable than their current implementation. Most other things are fine.

1 Like

I don’t use Fedora (I run Arch), so I can’t comment on the Fedora thing. The reason it isn’t by default is because:

  1. It is a unique TLP config based on system specs
  2. It significantly throttles GPU and CPU when on battery (I get some stuttering in some situations in KDE), however the trade-off is worth it IMO

What about using power-profiles-daemon? I don’t have Framework/System76 laptops but on my laptop power-profiles-daemon’s battery saver does seem to work and reduce power usage.

I’ve heard of that, but don’t know much about it. Does it offer as much customizability as TLP?

It offers 3 preset options: Power Saver, Balanced and Performance modes.

Paired with KDE powerdevil it can be customised a lot but by itself it doesn’t do much ig. I just use the presets.

The big thing that helped me get better battery life was throttling the GPU and CPU, disabling boost, and setting the CPU battery mode to superpowersaver (or something along those lines). I’d be interested in knowing if power-profiles-daemon allows one to configure these settings.

Also, another nice thing about Framework is that you can cap the charge amount in the BIOS (I have it capped at 90% to help preserve the battery a little longer).

I’m not sure if I can cap my battery level in BIOS but on my laptop KDE powerdevil has an option to cap charge (however the cap is reset after every reboot).

I recall that in the documentation for the AMD laptop they said you should use power-profiles-daemon rather than tlp.

edit: Here Optimizing Ubuntu Battery Life

For Framework Laptop 13 AMD Ryzen™ 7040 Series configurations, you will absolutely want to use power-profiles-daemon for the absolute best experience. Do NOT use TLP. Without getting too detailed, there are things happening behind the scenes that require PPD for the best experience for our Linux customers.

2 Likes

I wonder what those details are that make power-profiles-daemon better.

There’s actually a long thread on it: [TRACKING] PPD v TLP for AMD Ryzen 7040 - Linux - Framework Community

I think my tl;dr (just read the first and last few posts) is that:

  • “a contact on AMD’s side has expressed that TLP will likely interfere with AMD’s suspend”
  • some users are nevertheless reporting better battery life with tlp
  • someone (Mario Limonciello) has patched power-profiles-daemon with optimizations specifically for the Framework laptop; his pull requests have now been accepted and should be part of the next release (v0.14) of ppd.

1 Like
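The thread keeps circling back to which daemon (TLP or power-profiles-daemon) should own the power knobs, and to where boost, EPP and the charge cap actually live. This added script (not from the thread or from Framework) reports the daemon state and reads those knobs from sysfs; it assumes systemd and the standard cpufreq/power_supply sysfs paths, and `SYSFS_ROOT` is an assumed override so the read functions can be exercised against a constructed tree.

```sh
#!/bin/sh
# Added example: show which power daemon is active (TLP vs power-profiles-daemon)
# and read the sysfs knobs they compete over. SYSFS_ROOT is an assumed override
# so the read functions can run against a constructed tree instead of /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print one sysfs knob (path relative to SYSFS_ROOT), or "n/a" if it is absent.
read_knob() {
    f="$SYSFS_ROOT/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# systemd unit state, "active" or "inactive"; tolerates hosts without systemctl.
daemon_state() {
    s=$(systemctl is-active "$1" 2>/dev/null || true)
    echo "${s:-inactive}"
}

# Classify from two unit states: "conflict", "tlp", "ppd" or "none".
# Both active at once is the situation Framework's AMD guidance warns against.
classify_daemons() {
    if [ "$1" = active ] && [ "$2" = active ]; then echo conflict
    elif [ "$1" = active ]; then echo tlp
    elif [ "$2" = active ]; then echo ppd
    else echo none; fi
}

report() {
    tlp=$(daemon_state tlp.service)
    ppd=$(daemon_state power-profiles-daemon.service)
    echo "tlp=$tlp ppd=$ppd => $(classify_daemons "$tlp" "$ppd")"
    # Current PPD preset (power-saver / balanced / performance), if the CLI exists.
    if command -v powerprofilesctl >/dev/null 2>&1; then
        echo "ppd profile: $(powerprofilesctl get 2>/dev/null || echo n/a)"
    fi
    # CPU boost switch: 1 = turbo/boost enabled, 0 = disabled (acpi-cpufreq and amd-pstate).
    echo "cpu boost: $(read_knob devices/system/cpu/cpufreq/boost)"
    # Energy Performance Preference for cpu0, e.g. "power" or "balance_performance".
    echo "cpu0 epp: $(read_knob devices/system/cpu/cpu0/cpufreq/energy_performance_preference)"
    # Charge cap as set by BIOS, TLP or powerdevil (the thread notes powerdevil's resets on reboot).
    for bat in "$SYSFS_ROOT"/class/power_supply/BAT*; do
        [ -d "$bat" ] || continue
        b=$(basename "$bat")
        echo "$b charge cap: $(read_knob "class/power_supply/$b/charge_control_end_threshold")%"
    done
}

if [ "${1:-}" = --report ]; then report; fi
```

Run it as `sh power-knobs.sh --report` on the laptop; a "conflict" line means both daemons are enabled and one should be masked.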