Re: [Libreboot] Can libreboot help to escape the Intel AMT/ME nightmare?

[The Gluglug]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The ME (and AMT) is deleted in libreboot. Here is the page that
explains it:

http://libreboot.org/docs/hcl/x200_remove_me.html

On 05/02/15 14:14, Alexander wrote:
> 
> 
> Thank you Marcus!
>> Dear Alexander.
>> 
>>> This is a question to help me understand what libreboot can do
>>> and what not. First off I want to thank all the contributers
>>> and developers for their time and effort and make clear that
>>> when I ask about "the limitations of libreboot/coreboot" I am 
>>> well aware that they are reflect the obstacles put in the way
>>> of the developers which do anyway the very very best. Thank
>>> you.
>> 
>> I would not declare AMT bad/biased in general. What we would need
>> is a transparent free implementation of the protcol and options
>> to switch it off, if unneeded.
> I accept you understanding. My - hence personal - bias to think of
> AMT as highly undesireable ist that 1) it is not necessary for the
> set of tasks I use my computer for 2) it is according to several
> sources increasing the attack surface and some Ring -3 rootkits
> would. Attacks could take place during S3 state which is 18h a day
> of my computer. For me personaly the trade-off for AMT is bad.
> 
> You are of course right that any transparency would at least ease 
> the worring thought, while not discard completely of the issue. My 
> interest in libreboot is hence to more reliably being able to
> disable this - negative functionality. Thanks for sharing the
> insight and also great for your contact with the Intel developer.
> 
>> 
>> I already tried to get in contact with Ylian, who is a Free
>> Software developer at Intel and who did most of the AMT/ME code,
>> but he did not reply yet.
>> 
>>> I am a victim of Intel AMT. I use a Thinkpad x201 (which is a
>>> vPro
>> iCore
>>> system) and by this may very well assume to be hacked by the
>>> NSA which can via Intel use the ARC chip in the vPro Intel AMT.
>>> This is very sad, moreso that I have just recently become aware
>>> of this threat.
>>> 
>>> My question henceforth is that if I made the purchase of a
>>> Thinkpad X200 (which for some bad luck can only be bought
>>> second hand, and makes trust even less as the previous owner
>>> can have tampared with the system), can I "clean the system of
>>> some of its evil spying and manipulation and criminalization 
>>> technology?"
>> 
>> I don't get your point here. Why do you think buying a used
>> device might make trust even less? Do you really trust the
>> vendor/shipper?
> 
> I think you expect me to not trust the vendor,shipper, correct. 
> Buying second hand, was for me the combination of being tricked not
> only by the original vendor/shipper, but also by all those
> individuals that had contact/access to the device. The longer the
> existence of the device the more mischief I can think of (maybe my
> mind is a little bit to "evil")
> 
>> 
>> Besides that, with flashing Libreboot, you will overwrite any
>> existing code in the BIOS, so at least this should be Free. That
>> does not mean, backdoors could not be included in silicon or any
>> other part of the hardware (e.g. this one: 
>> http://www.golem.de/1405/sp_106690-79290-i_rc.jpg on a MacBook
>> Air).
> 
> If I understand your explanation correctly I need to be working
> with the hardware part / the chips on the mainboard directly and by
> this "not via software, but hardware flashing" I can be more
> confident to get rid of any potential previously existing malware
> BIOS etc. Please do not feel offended by the assumption that each
> and every component might be necessarily being tempered with, I
> know to be reasonible, merely I think at the level of understanding
> of those who attempt to develop and use libreboot it is clear that
> the possibility for some evilness insight of the BIOS is feasible.
> Indeed one might easily modify the source as to include some
> feature that is undesired, I am certain, the code is there.
>> 
>> In the end, we would need Free Hardware Specifications
>> (including chipset/processor), but this is still a long way to
>> go.
>> 
>>> Is there an indication that a flashing the bios with libreboot
>>> will allow to disable Intel AMT? If this was so, is there any
>>> technical mean (i.e. a multimeter or other technical device, 
>>> which would allow me to confirm this with some reliability).
>> 
>> As said, Libreboot does not ship AMT at all atm.
> What does this mean "not shipping". Does it mean that the software
> related to the ATM is kept as it is, or that ATM is effectively
> disabled. Reports have been that on Thinkpads even the "disabled
> ATM in the BIOS" did not really mean that it would not be running.
>> 
>>> For good or for bad there is some paranoia. Is there any way to
>>> gain some trust to other users? I think no other technical mean
>>> would allow to get trust, than to bunch up with other users to
>>> get to know each other personnaly well enough and to henceforth
>>> trustfully devide the work of auditing.
>> 
>> Yes, a standardised auditing process could be
>> possible/established. As far as I know, there is no plan to do
>> so, yet.
>> 
>> Greetings Marcus
>> 
>> PS: There is something broken with your line-breaks
>> 
> thanks for the hint. I think I need to switch from Thunderbird. 
> Viele Dank dir Marcus!
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU04BqAAoJEP9Ft0z50c+UTr0H/j2ByuT2znJ9PA2eifA3cBj6
6mLCHXYqjN1q9xeIOW2QdWG2SG3+V/og1T9G1YrxDvxptitpnU1AZWq6henj1+ft
lYaWTzE6m3cTzFXsjQOc3GcmZktZtzYXnCz2Dnih3xxAsI+hYdrB2yFm1TjSGuhi
FeNf6ivKtZyxfrzXCC/XuiaY374gOE7iUQediXGu3q0PhRJehkcUqxmd6h8nmIsT
pbEltMX9Yn8PPjtYJWDZDVpB2WE8fAoy6ffp6nbsvK5qcR2vrYAINJlewW8uh8eO
hbPm1SscHZiq1I9xZawtIN/KyovBzp6XYFMoHOOizpryb4d34jerkjvWPi99/NY=
=28jP
-----END PGP SIGNATURE-----