Debian uses its own version of the Linux kernel with proprietary parts removed; however, if you want to install it on a machine that does have hardware for which there are no free drivers (which is to say almost any machine out there in the market), you’ll have to install proprietary parts; in the last version, Debian 12, system does that by default.
Intel Management Engine is a CPU-level microprogram that runs with highest priority and does not have open code, so essentially every PC with Intel CPU runs some arbitrary code we cannot verify. Same for AMD Platform Security Processor by the way, so there is no simple escape.
Oh and BIOS is proprietary too, and only a few select machines can have a fully libre BIOS successfully installed on them.
Thereby even if you go to essentially libre version of Linux, there will, almost universally, be pieces of obfuscated code with no disclosure on what they’re doing there.
IME is even worse than that. It runs on a supervisor processor in the chipset that has privileged access to the memory, peripherals, and CPU, and can run when the rest of the system is powered off. IME is how Intel AMT can serve as a KVM-over-IP, and just because you don’t have a CPU with Vpro doesn’t mean all the components aren’t there for an exploited or backdoored ME firmware to remotely log your console or inject keystrokes.
Context?
Debian uses its own version of the Linux kernel with proprietary parts removed; however, if you want to install it on a machine that does have hardware for which there are no free drivers (which is to say almost any machine out there in the market), you’ll have to install proprietary parts; in the last version, Debian 12, system does that by default.
Intel Management Engine is a CPU-level microprogram that runs with highest priority and does not have open code, so essentially every PC with Intel CPU runs some arbitrary code we cannot verify. Same for AMD Platform Security Processor by the way, so there is no simple escape.
Oh and BIOS is proprietary too, and only a few select machines can have a fully libre BIOS successfully installed on them.
Thereby even if you go to essentially libre version of Linux, there will, almost universally, be pieces of obfuscated code with no disclosure on what they’re doing there.
IME is even worse than that. It runs on a supervisor processor in the chipset that has privileged access to the memory, peripherals, and CPU, and can run when the rest of the system is powered off. IME is how Intel AMT can serve as a KVM-over-IP, and just because you don’t have a CPU with Vpro doesn’t mean all the components aren’t there for an exploited or backdoored ME firmware to remotely log your console or inject keystrokes.