LinuxCNC on non-backdoored hardware - what are the options?
- Octoplex
- Topic Author
I would like to install LinuxCNC on multiple machines for a secure project.
We cannot use backdoored CPUs. Therefore, all Intel and AMD processors post-2005 are unusable for our manufacturing project. This is on account of the chip-on-chip surveillance engines present in almost all post-2005 CPU hardware (IME on Intel / PSP on AMD).
Because of this problem, we have plans to design our CNC-router and robot-arm control systems based on PowerPC970 chips. We can repurpose these from G5 PowerMacs. I have now been tasked with researching different software we can use on these secure CPUs, rather than writing our own from scratch.
I like the look of LinuxCNC.
I understand that LinuxCNC runs using the RTAI (Realtime Application Interface) patch. I can see on the RTAI site that older versions of RTAI supported PowerPC. Does anyone here know what the latest version of RTAI to support PowerPC / secure CPUs was?
Is anyone here running LinuxCNC on secure hardware, or are most LinuxCNC systems based on these newer backdoored-chip architectures?
Alternatively, I'm also considering reverting to m68k processors, as they are also secure, and were supported by RTAI. We would prefer, however, to use the PowerPC970x series, as these are the fastest available chips currently available in volume (on the second-hand market) for those who wish to build a secure manufacturing system without surveillance backdoors.
Obviously, we could air-gap our manufacturing systems and just use the compromised post-2005 hardware, but we would like our manufacturing systems to be operable remotely.
I'd love to hear from anyone who has built a secure LinuxCNC system using PowerPC or m68k hardware. Thanks!
- spumco
puri.sm/products/librem-mini/
A quick internet search revealed a few other vendors as well. You may not be stuck with old hardware.
- Octoplex
- Topic Author
Purism are working backwards to fix compromised hardware.
We'd like to begin secure.
To use a metaphor: We want to build a safe LinuxCNC-based 'swimming pool' for our engineers to 'swim in' as they work. Purism offer the (yet-to-be-reached) goal of muzzling the 'shark' (IME / PSP) in the water. But we'd prefer a pool which never had a 'shark' in to begin with.
Hope this makes sense.
- PCW
- Octoplex
- Topic Author
I will investigate this option.
- tommylight
I am a highly paranoid computer user with a lifetime of professional experience, still I have over 10 PCs on 24h, all running Linux, and I am fully aware of the amount of data they send ....
So I do understand what you are trying to achieve, but using old hardware implies using old software, and that poses a security risk as they might not broadcast data but might get hacked into by using vulnerabilities inherent in them.
On the other side, a bit of effort usually proves fruitful by choosing new-ish software with lite GUI/DE and forcing it to work on older systems, did that a lot several years back, still have an HP thin client with Geode 1GHz processor running LinuxCNC 2.7 nicely.
Questions:
- are you designing new boards or using existing?
- by 68k you mean 68000 Motorola processors?
- how about using pre 2005 Xeon workstations?
Answers (maybe):
- search for Debian Dog LinuxCNC, over 200MB ISO ready for use, should run on pretty much anything from PIII@700MHz
- search for coolcnc iso, over 50MB ISO ready for use, should run on anything from PII@300MHz
- using new Debian with lite Desktop environment works on quite old systems, Core2 for sure works nicely
- having a go at installing RT kernel and LinuxCNC on Porteus Linux is also an option as that is still updated and maintained and is extremely lite and very low on resources.
- rodw
- rollfree
It works well. Whether with Mesa or with EtherCAT, for example.
And isn't it enough just to get rid of the possibility of communication to the world? Even if there is some coprocessor spying, the information will never leave the PC.
- Octoplex
- Topic Author
are you designing new boards or using existing?
We'd like to use existing boards.
by 68k you mean 68000 Motorola processors?
Yes, they are non-backdoored and (later chips) are capable, but we'd prefer to use something more modern.
how about using pre 2005 Xeon workstations?
I'll look into this. Do you happen to know the best Intel-based industrial workstation from 2005? Or some idea of the reliable manufacturers who were producing off-the-shelf machines for this purpose around this time? It's hard to determine this through searches.
We're also looking at AMD options, since AMD did not backdoor their CPUs until several years after Intel. I have found a list here of non-backdoored AMD CPUs. Again, however, I am finding it difficult to determine precisely which manufacturers and workstations from this era are advisable to use for industrial applications.
Obviously, I can just build custom systems from these older, secure components. But, I wondered if anyone knew of any good off-the-shelf complete-workstations using these non-backdoored AMD CPUs?
Thanks again for everyone's help on this topic!
- Octoplex
- Topic Author
And what about RPi4?
Sadly, this solution is also backdoored. We looked into the modern single-board options, like the RPi4, but there appears to be a problem with secure computing across the industry today. The only viable option seems to either air-gap a modern, backdoored, surveillance system CPU, or use a processor manufactured from 2005 or prior (Intel) or 2012 or prior (AMD).
Since we don't want to air-gap, or support surveillance-based CPU manufacturers, it looks like the way forward is to retrace the 'evolution' of computing to the point before CPUs were backdoored, and for us to choose a system that can be trusted.