-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
The ME (and AMT) is deleted in libreboot. Here is the page that explains it: http://libreboot.org/docs/hcl/x200_remove_me.html On 05/02/15 14:14, Alexander wrote: > > > Thank you Marcus! >> Dear Alexander. >> >>> This is a question to help me understand what libreboot can do >>> and what not. First off I want to thank all the contributers >>> and developers for their time and effort and make clear that >>> when I ask about "the limitations of libreboot/coreboot" I am >>> well aware that they are reflect the obstacles put in the way >>> of the developers which do anyway the very very best. Thank >>> you. >> >> I would not declare AMT bad/biased in general. What we would need >> is a transparent free implementation of the protcol and options >> to switch it off, if unneeded. > I accept you understanding. My - hence personal - bias to think of > AMT as highly undesireable ist that 1) it is not necessary for the > set of tasks I use my computer for 2) it is according to several > sources increasing the attack surface and some Ring -3 rootkits > would. Attacks could take place during S3 state which is 18h a day > of my computer. For me personaly the trade-off for AMT is bad. > > You are of course right that any transparency would at least ease > the worring thought, while not discard completely of the issue. My > interest in libreboot is hence to more reliably being able to > disable this - negative functionality. Thanks for sharing the > insight and also great for your contact with the Intel developer. > >> >> I already tried to get in contact with Ylian, who is a Free >> Software developer at Intel and who did most of the AMT/ME code, >> but he did not reply yet. >> >>> I am a victim of Intel AMT. I use a Thinkpad x201 (which is a >>> vPro >> iCore >>> system) and by this may very well assume to be hacked by the >>> NSA which can via Intel use the ARC chip in the vPro Intel AMT. >>> This is very sad, moreso that I have just recently become aware >>> of this threat. >>> >>> My question henceforth is that if I made the purchase of a >>> Thinkpad X200 (which for some bad luck can only be bought >>> second hand, and makes trust even less as the previous owner >>> can have tampared with the system), can I "clean the system of >>> some of its evil spying and manipulation and criminalization >>> technology?" >> >> I don't get your point here. Why do you think buying a used >> device might make trust even less? Do you really trust the >> vendor/shipper? > > I think you expect me to not trust the vendor,shipper, correct. > Buying second hand, was for me the combination of being tricked not > only by the original vendor/shipper, but also by all those > individuals that had contact/access to the device. The longer the > existence of the device the more mischief I can think of (maybe my > mind is a little bit to "evil") > >> >> Besides that, with flashing Libreboot, you will overwrite any >> existing code in the BIOS, so at least this should be Free. That >> does not mean, backdoors could not be included in silicon or any >> other part of the hardware (e.g. this one: >> http://www.golem.de/1405/sp_106690-79290-i_rc.jpg on a MacBook >> Air). > > If I understand your explanation correctly I need to be working > with the hardware part / the chips on the mainboard directly and by > this "not via software, but hardware flashing" I can be more > confident to get rid of any potential previously existing malware > BIOS etc. Please do not feel offended by the assumption that each > and every component might be necessarily being tempered with, I > know to be reasonible, merely I think at the level of understanding > of those who attempt to develop and use libreboot it is clear that > the possibility for some evilness insight of the BIOS is feasible. > Indeed one might easily modify the source as to include some > feature that is undesired, I am certain, the code is there. >> >> In the end, we would need Free Hardware Specifications >> (including chipset/processor), but this is still a long way to >> go. >> >>> Is there an indication that a flashing the bios with libreboot >>> will allow to disable Intel AMT? If this was so, is there any >>> technical mean (i.e. a multimeter or other technical device, >>> which would allow me to confirm this with some reliability). >> >> As said, Libreboot does not ship AMT at all atm. > What does this mean "not shipping". Does it mean that the software > related to the ATM is kept as it is, or that ATM is effectively > disabled. Reports have been that on Thinkpads even the "disabled > ATM in the BIOS" did not really mean that it would not be running. >> >>> For good or for bad there is some paranoia. Is there any way to >>> gain some trust to other users? I think no other technical mean >>> would allow to get trust, than to bunch up with other users to >>> get to know each other personnaly well enough and to henceforth >>> trustfully devide the work of auditing. >> >> Yes, a standardised auditing process could be >> possible/established. As far as I know, there is no plan to do >> so, yet. >> >> Greetings Marcus >> >> PS: There is something broken with your line-breaks >> > thanks for the hint. I think I need to switch from Thunderbird. > Viele Dank dir Marcus! > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJU04BqAAoJEP9Ft0z50c+UTr0H/j2ByuT2znJ9PA2eifA3cBj6 6mLCHXYqjN1q9xeIOW2QdWG2SG3+V/og1T9G1YrxDvxptitpnU1AZWq6henj1+ft lYaWTzE6m3cTzFXsjQOc3GcmZktZtzYXnCz2Dnih3xxAsI+hYdrB2yFm1TjSGuhi FeNf6ivKtZyxfrzXCC/XuiaY374gOE7iUQediXGu3q0PhRJehkcUqxmd6h8nmIsT pbEltMX9Yn8PPjtYJWDZDVpB2WE8fAoy6ffp6nbsvK5qcR2vrYAINJlewW8uh8eO hbPm1SscHZiq1I9xZawtIN/KyovBzp6XYFMoHOOizpryb4d34jerkjvWPi99/NY= =28jP -----END PGP SIGNATURE-----
