-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hold on to your X201. That is also a candidate for libreboot (work is already underway to remove the ME there as well, but it's a harder task on this machine)
On 05/02/15 14:38, The Gluglug wrote: > Hi, > > The ME (and AMT) is deleted in libreboot. Here is the page that > explains it: > > http://libreboot.org/docs/hcl/x200_remove_me.html > > On 05/02/15 14:14, Alexander wrote: > > >> Thank you Marcus! >>> Dear Alexander. >>> >>>> This is a question to help me understand what libreboot can >>>> do and what not. First off I want to thank all the >>>> contributers and developers for their time and effort and >>>> make clear that when I ask about "the limitations of >>>> libreboot/coreboot" I am well aware that they are reflect the >>>> obstacles put in the way of the developers which do anyway >>>> the very very best. Thank you. >>> >>> I would not declare AMT bad/biased in general. What we would >>> need is a transparent free implementation of the protcol and >>> options to switch it off, if unneeded. >> I accept you understanding. My - hence personal - bias to think >> of AMT as highly undesireable ist that 1) it is not necessary for >> the set of tasks I use my computer for 2) it is according to >> several sources increasing the attack surface and some Ring -3 >> rootkits would. Attacks could take place during S3 state which is >> 18h a day of my computer. For me personaly the trade-off for AMT >> is bad. > >> You are of course right that any transparency would at least ease >> the worring thought, while not discard completely of the issue. >> My interest in libreboot is hence to more reliably being able to >> disable this - negative functionality. Thanks for sharing the >> insight and also great for your contact with the Intel >> developer. > >>> >>> I already tried to get in contact with Ylian, who is a Free >>> Software developer at Intel and who did most of the AMT/ME >>> code, but he did not reply yet. >>> >>>> I am a victim of Intel AMT. I use a Thinkpad x201 (which is >>>> a vPro >>> iCore >>>> system) and by this may very well assume to be hacked by the >>>> NSA which can via Intel use the ARC chip in the vPro Intel >>>> AMT. This is very sad, moreso that I have just recently >>>> become aware of this threat. >>>> >>>> My question henceforth is that if I made the purchase of a >>>> Thinkpad X200 (which for some bad luck can only be bought >>>> second hand, and makes trust even less as the previous owner >>>> can have tampared with the system), can I "clean the system >>>> of some of its evil spying and manipulation and >>>> criminalization technology?" >>> >>> I don't get your point here. Why do you think buying a used >>> device might make trust even less? Do you really trust the >>> vendor/shipper? > >> I think you expect me to not trust the vendor,shipper, correct. >> Buying second hand, was for me the combination of being tricked >> not only by the original vendor/shipper, but also by all those >> individuals that had contact/access to the device. The longer >> the existence of the device the more mischief I can think of >> (maybe my mind is a little bit to "evil") > >>> >>> Besides that, with flashing Libreboot, you will overwrite any >>> existing code in the BIOS, so at least this should be Free. >>> That does not mean, backdoors could not be included in silicon >>> or any other part of the hardware (e.g. this one: >>> http://www.golem.de/1405/sp_106690-79290-i_rc.jpg on a MacBook >>> Air). > >> If I understand your explanation correctly I need to be working >> with the hardware part / the chips on the mainboard directly and >> by this "not via software, but hardware flashing" I can be more >> confident to get rid of any potential previously existing >> malware BIOS etc. Please do not feel offended by the assumption >> that each and every component might be necessarily being tempered >> with, I know to be reasonible, merely I think at the level of >> understanding of those who attempt to develop and use libreboot >> it is clear that the possibility for some evilness insight of the >> BIOS is feasible. Indeed one might easily modify the source as to >> include some feature that is undesired, I am certain, the code is >> there. >>> >>> In the end, we would need Free Hardware Specifications >>> (including chipset/processor), but this is still a long way to >>> go. >>> >>>> Is there an indication that a flashing the bios with >>>> libreboot will allow to disable Intel AMT? If this was so, is >>>> there any technical mean (i.e. a multimeter or other >>>> technical device, which would allow me to confirm this with >>>> some reliability). >>> >>> As said, Libreboot does not ship AMT at all atm. >> What does this mean "not shipping". Does it mean that the >> software related to the ATM is kept as it is, or that ATM is >> effectively disabled. Reports have been that on Thinkpads even >> the "disabled ATM in the BIOS" did not really mean that it would >> not be running. >>> >>>> For good or for bad there is some paranoia. Is there any way >>>> to gain some trust to other users? I think no other technical >>>> mean would allow to get trust, than to bunch up with other >>>> users to get to know each other personnaly well enough and to >>>> henceforth trustfully devide the work of auditing. >>> >>> Yes, a standardised auditing process could be >>> possible/established. As far as I know, there is no plan to do >>> so, yet. >>> >>> Greetings Marcus >>> >>> PS: There is something broken with your line-breaks >>> >> thanks for the hint. I think I need to switch from Thunderbird. >> Viele Dank dir Marcus! > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJU04C/AAoJEP9Ft0z50c+UQtIH/irYZz3uhyUKV7s9h/+Sw3tQ qc0j2fSADsCA5traNDCs6JFlVLRmxTRtvVXUz5YllUUEb1IwWjh7WvwYOrSw6/3N 3MZzmeIbrgb40t+1Gw9mDgK+6BLVgU+JBd/CzwerX7YLe4qVO+WDTx4efuH9dPL2 BzqLD3Z8cQlmdV+LDxAFrrLC412TCJ1f3HtsDf3WDOHXoMyfcN7581jnm4UNxGcE dsTPLbwi/iJZrRP5dSbgZv8mLfEVbTCXHRQuW3cI5M13e7mcw/QXq8jDgp+8W2Rm HNZ0fwoZs0URrWqbNxOqLsp3nhDmxVjVYpcK2t3W1zTZR3VJumyc0SVbRygOeTI= =RMLC -----END PGP SIGNATURE-----
