Hopefully this is being asked in the appropriate place.
Actually, I’m not sure if I’m even asking the question in a sensible manner! I’ll try…
I need to buy a new computer, desktop or laptop. Computers pre-installed with Microsoft appear to be less expensive and there are some good ones at Costco. However, I’ll wipe anything with Windows on first boot, or even pull the drive and put my own in.
I have heard people talk about how MS has embedded their stuff on a chip to any computer pre-installed with Windows. Is this true, and what are the privacy risks? Would such an arrangement have telemetry that remains even after wiping the OS?
Hopefully this doesn’t come across as weird. I don’t have a high threat model, but I’m still well aware of privacy risks regardless of security risks. It’s just a personal preference, I try to remain MS (and other) free.
If you are at this level of distrust, I’d say it would be better to get a device from a Linux manufacturer instead. There’s Slimbook, System76, Tuxedo, Purism, and Framework.
Someone can include the others I don’t know about.
For me, I am split between Slimbook, System 76 and Framework, though I won’t need a new laptop for probably another 5 years as I have a Lenovo workstation.
But I’m not at your level of distrust, though I kinda feel like I should be now.
So this would mean proprietary MS tech is actually a part of every CPU, even for those like System76 who manufacture their own computers but rely on Intel or AMD CPUs.
The Pluton design removes the potential for that communication channel to be attacked by building security directly into the CPU.
In other words, perhaps it doesn’t matter what rig you purchase, so buy what makes the most sense and run whatever OS you desire.
I’m thankful, then, that I do not have a real threat model and just personal preference and convictions around privacy!
You can use some old ThinkPad or, if you’re brave enough, RISC-V in its raw state… which is not wise just yet.
It’s really hard to find a decent laptop with a pre-Pluton CPU right now, unless it’s refurbished or used.
Deadly mistake, btw, because when it comes to privacy/security, everyone has a real threat model… just not YET.
Actually I was thinking about Framework… meaning obtaining the latest one and changing its board, but nobody sells their motherboards + CPUs so far.
@Kelltech
Pluton can be turned off in the UEFI BIOS settings. Not sure if this feature is available on all manufacturers’ hardware, but I know of many where it is.
Edit: As a further note, it is my understanding that commercial products from Lenovo and Dell come with this feature disabled in the BIOS.
It can be disabled as well as privacy toggles in Windoze 10
It’s true that they claim to do so, but in a trust-me-bro fashion.
No user can prove or verify it, unfortunately, because it’s a literal black box inside the CPU.
So far Libreboot, Coreboot and, most importantly, Qubes OS are silent on that… So I wouldn’t hold my breath; it doesn’t seem like something that can be controlled via firmware/software.
No, because the 5000 series doesn’t have Pluton at all, at least those that were out before 17 November 2020, if you can find a laptop that has it, of course…
It’s best to go desktop, if you can.
All those systems will boot Linux no problem, I’m sure… except for the problem of having M$ Pluton.
I specifically just finished building my PC with the best Ryzen 5000 series chip ever made (Ryzen 9 5950x) as it may be the last computer I have for many many years.
Yes. Every single processor. No matter the final destination.
If freedom and privacy are things you value, look older than brand new.
AMD supports Ryzen PRO 6000 processors with Linux, including partnering with select Linux distribution vendors on certifications for OEM products. The pluton security co-processor built into our Ryzen 6000 processors does not prohibit platforms from running Linux. Some OEM systems initially shipped with Windows may need to reconfigure their systems to boot Linux. To enable booting Linux on a platform that was shipped with Windows, a user can either:
Enable the Microsoft 3rd Party UEFI CA in the UEFI secure boot database.
Disable UEFI secure boot.
Some OEMs have provided guidance for their specific platforms. A document from Lenovo is posted here.
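Before following the AMD guidance above, it helps to know what the machine is currently set to. The script below is an added example, not from the thread or from AMD: it decodes the UEFI SecureBoot variable (4 attribute bytes followed by one data byte) and, if mokutil is installed, checks whether the Microsoft 3rd Party UEFI CA is already enrolled in db. It assumes Linux with efivarfs mounted.

```shell
#!/bin/sh
# Added example: report the Secure Boot state and whether the
# "Microsoft Corporation UEFI CA 2011" (the 3rd Party UEFI CA) is in db.
# Assumes efivarfs at /sys/firmware/efi/efivars; mokutil is optional.

# Decode a SecureBoot efivar file: prints enabled, disabled or unknown.
# The file layout is 4 bytes of attributes, then the 1-byte value.
sb_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read a `mokutil --db` listing on stdin and say whether the
# third-party CA subject appears in it.
has_third_party_ca() {
    if grep -q 'Microsoft Corporation UEFI CA 2011'; then
        echo yes
    else
        echo no
    fi
}

main() {
    # EFI_GLOBAL_VARIABLE GUID, under which firmware exposes SecureBoot.
    sbvar=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    echo "Secure Boot: $(sb_state "$sbvar")"
    if command -v mokutil >/dev/null 2>&1; then
        echo "3rd Party UEFI CA in db: $(mokutil --db 2>/dev/null | has_third_party_ca)"
    else
        echo "mokutil not installed; skipping db check"
    fi
}

main
```

If Secure Boot is enabled and the answer for the CA is "no", the firmware will only accept Microsoft-signed Windows boot components, which is the situation the AMD note describes.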