[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Libreboot] Can libreboot help to escape the Intel AMT/ME nightmare?
From: |
The Gluglug |
Subject: |
Re: [Libreboot] Can libreboot help to escape the Intel AMT/ME nightmare? |
Date: |
Thu, 05 Feb 2015 14:39:59 +0000 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.3.0 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hold on to your X201. That is also a candidate for libreboot (work is
already underway to remove the ME there as well, but it's a harder
task on this machine)
On 05/02/15 14:38, The Gluglug wrote:
> Hi,
>
> The ME (and AMT) is deleted in libreboot. Here is the page that
> explains it:
>
> http://libreboot.org/docs/hcl/x200_remove_me.html
>
> On 05/02/15 14:14, Alexander wrote:
>
>
>> Thank you Marcus!
>>> Dear Alexander.
>>>
>>>> This is a question to help me understand what libreboot can
>>>> do and what not. First off I want to thank all the
>>>> contributers and developers for their time and effort and
>>>> make clear that when I ask about "the limitations of
>>>> libreboot/coreboot" I am well aware that they are reflect the
>>>> obstacles put in the way of the developers which do anyway
>>>> the very very best. Thank you.
>>>
>>> I would not declare AMT bad/biased in general. What we would
>>> need is a transparent free implementation of the protcol and
>>> options to switch it off, if unneeded.
>> I accept you understanding. My - hence personal - bias to think
>> of AMT as highly undesireable ist that 1) it is not necessary for
>> the set of tasks I use my computer for 2) it is according to
>> several sources increasing the attack surface and some Ring -3
>> rootkits would. Attacks could take place during S3 state which is
>> 18h a day of my computer. For me personaly the trade-off for AMT
>> is bad.
>
>> You are of course right that any transparency would at least ease
>> the worring thought, while not discard completely of the issue.
>> My interest in libreboot is hence to more reliably being able to
>> disable this - negative functionality. Thanks for sharing the
>> insight and also great for your contact with the Intel
>> developer.
>
>>>
>>> I already tried to get in contact with Ylian, who is a Free
>>> Software developer at Intel and who did most of the AMT/ME
>>> code, but he did not reply yet.
>>>
>>>> I am a victim of Intel AMT. I use a Thinkpad x201 (which is
>>>> a vPro
>>> iCore
>>>> system) and by this may very well assume to be hacked by the
>>>> NSA which can via Intel use the ARC chip in the vPro Intel
>>>> AMT. This is very sad, moreso that I have just recently
>>>> become aware of this threat.
>>>>
>>>> My question henceforth is that if I made the purchase of a
>>>> Thinkpad X200 (which for some bad luck can only be bought
>>>> second hand, and makes trust even less as the previous owner
>>>> can have tampared with the system), can I "clean the system
>>>> of some of its evil spying and manipulation and
>>>> criminalization technology?"
>>>
>>> I don't get your point here. Why do you think buying a used
>>> device might make trust even less? Do you really trust the
>>> vendor/shipper?
>
>> I think you expect me to not trust the vendor,shipper, correct.
>> Buying second hand, was for me the combination of being tricked
>> not only by the original vendor/shipper, but also by all those
>> individuals that had contact/access to the device. The longer
>> the existence of the device the more mischief I can think of
>> (maybe my mind is a little bit to "evil")
>
>>>
>>> Besides that, with flashing Libreboot, you will overwrite any
>>> existing code in the BIOS, so at least this should be Free.
>>> That does not mean, backdoors could not be included in silicon
>>> or any other part of the hardware (e.g. this one:
>>> http://www.golem.de/1405/sp_106690-79290-i_rc.jpg on a MacBook
>>> Air).
>
>> If I understand your explanation correctly I need to be working
>> with the hardware part / the chips on the mainboard directly and
>> by this "not via software, but hardware flashing" I can be more
>> confident to get rid of any potential previously existing
>> malware BIOS etc. Please do not feel offended by the assumption
>> that each and every component might be necessarily being tempered
>> with, I know to be reasonible, merely I think at the level of
>> understanding of those who attempt to develop and use libreboot
>> it is clear that the possibility for some evilness insight of the
>> BIOS is feasible. Indeed one might easily modify the source as to
>> include some feature that is undesired, I am certain, the code is
>> there.
>>>
>>> In the end, we would need Free Hardware Specifications
>>> (including chipset/processor), but this is still a long way to
>>> go.
>>>
>>>> Is there an indication that a flashing the bios with
>>>> libreboot will allow to disable Intel AMT? If this was so, is
>>>> there any technical mean (i.e. a multimeter or other
>>>> technical device, which would allow me to confirm this with
>>>> some reliability).
>>>
>>> As said, Libreboot does not ship AMT at all atm.
>> What does this mean "not shipping". Does it mean that the
>> software related to the ATM is kept as it is, or that ATM is
>> effectively disabled. Reports have been that on Thinkpads even
>> the "disabled ATM in the BIOS" did not really mean that it would
>> not be running.
>>>
>>>> For good or for bad there is some paranoia. Is there any way
>>>> to gain some trust to other users? I think no other technical
>>>> mean would allow to get trust, than to bunch up with other
>>>> users to get to know each other personnaly well enough and to
>>>> henceforth trustfully devide the work of auditing.
>>>
>>> Yes, a standardised auditing process could be
>>> possible/established. As far as I know, there is no plan to do
>>> so, yet.
>>>
>>> Greetings Marcus
>>>
>>> PS: There is something broken with your line-breaks
>>>
>> thanks for the hint. I think I need to switch from Thunderbird.
>> Viele Dank dir Marcus!
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU04C/AAoJEP9Ft0z50c+UQtIH/irYZz3uhyUKV7s9h/+Sw3tQ
qc0j2fSADsCA5traNDCs6JFlVLRmxTRtvVXUz5YllUUEb1IwWjh7WvwYOrSw6/3N
3MZzmeIbrgb40t+1Gw9mDgK+6BLVgU+JBd/CzwerX7YLe4qVO+WDTx4efuH9dPL2
BzqLD3Z8cQlmdV+LDxAFrrLC412TCJ1f3HtsDf3WDOHXoMyfcN7581jnm4UNxGcE
dsTPLbwi/iJZrRP5dSbgZv8mLfEVbTCXHRQuW3cI5M13e7mcw/QXq8jDgp+8W2Rm
HNZ0fwoZs0URrWqbNxOqLsp3nhDmxVjVYpcK2t3W1zTZR3VJumyc0SVbRygOeTI=
=RMLC
-----END PGP SIGNATURE-----
[Libreboot] Audit Was: Can libreboot help to escape the Intel AMT/ME nightmare?, Denis 'GNUtoo' Carikli, 2015/02/09