Re: [Libreboot] Can libreboot help to escape the Intel AMT/ME nightmare?

[Alexander]

Thank you Marcus!
> Dear Alexander.
>
>> This is a question to help me understand what libreboot can do and
>> what not.
>> First off I want to thank all the contributers and developers for their
>> time and effort
>> and make clear that when I ask about "the limitations of
>> libreboot/coreboot" I am
>> well aware that they are reflect the obstacles put in the way of the
>> developers
>> which do anyway the very very best. Thank you.
>
> I would not declare AMT bad/biased in general. What we would need is a
> transparent free implementation of the protcol and options to switch
> it off, if unneeded.
I accept you understanding. My - hence personal - bias
to think of AMT as highly undesireable ist that
1) it is not necessary for the set of tasks I use my computer for
2) it is according to several sources increasing the attack surface
and some Ring -3 rootkits would. Attacks could take place during
S3 state which is 18h a day of my computer. For me personaly the
trade-off for AMT is bad.

You are of course right that any transparency would at least ease
the worring thought, while not discard completely of the issue. My
interest in libreboot is hence to more reliably being able to disable
this - negative functionality.
Thanks for sharing the insight and also great for your contact with
the Intel developer.

>
> I already tried to get in contact with Ylian, who is a Free Software
> developer at Intel and who did most of the AMT/ME code, but he did not
> reply yet.
>
>  > I am a victim of Intel AMT. I use a Thinkpad x201 (which is a vPro
> iCore
>> system)
>> and by this may very well assume to be hacked by the NSA which can
>> via Intel
>> use the ARC chip in the vPro Intel AMT. This is very sad, moreso that I
>> have just
>> recently become aware of this threat.
>>
>> My question henceforth is that if I made the purchase of a Thinkpad X200
>> (which
>> for some bad luck can only be bought second hand, and makes trust
>> even less
>> as the previous owner can have tampared with the system), can I
>> "clean the
>> system of some of its evil spying and manipulation and criminalization
>> technology?"
>
> I don't get your point here. Why do you think buying a used device
> might make trust even less? Do you really trust the vendor/shipper?

I think you expect me to not trust the vendor,shipper, correct.
Buying second hand, was for me the combination of being tricked
not only by the original vendor/shipper, but also by all those individuals
that had contact/access to the device. The longer the existence of the
device the more mischief I can think of (maybe my mind is a little bit
to "evil")

>
> Besides that, with flashing Libreboot, you will overwrite any existing
> code in the BIOS, so at least this should be Free. That does not mean,
> backdoors could not be included in silicon or any other part of the
> hardware (e.g. this one:
> http://www.golem.de/1405/sp_106690-79290-i_rc.jpg on a MacBook Air).

If I understand your explanation correctly I need to be working with the
hardware part / the chips on the mainboard directly and by this "not via
software, but hardware flashing" I can be more confident to get rid of any
potential previously existing malware BIOS etc.
Please do not feel offended by the assumption that each and every component
might be necessarily being tempered with, I know to be reasonible, merely
I think at the level of understanding of those who attempt to develop and
use libreboot it is clear that the possibility for some evilness insight
of the
BIOS is feasible. Indeed one might easily modify the source as to include
some feature that is undesired, I am certain, the code is there.
>
> In the end, we would need Free Hardware Specifications (including
> chipset/processor), but this is still a long way to go.
>
>> Is there an indication that a flashing the bios with libreboot will
>> allow to disable
>> Intel AMT?
>> If this was so, is there any technical mean (i.e. a multimeter or other
>> technical device,
>> which would allow me to confirm this with some reliability).
>
> As said, Libreboot does not ship AMT at all atm.
What does this mean "not shipping". Does it mean that the software related
to the ATM is kept as it is, or that ATM is effectively disabled.
Reports have been
that on Thinkpads even the "disabled ATM in the BIOS" did not really mean
that it would not be running.
>
>> For good or for bad there is some paranoia. Is there any way to gain
>> some trust
>> to other users? I think no other technical mean would allow to get
>> trust, than to
>> bunch up with other users to get to know each other personnaly well
>> enough and
>> to henceforth trustfully devide the work of auditing.
>
> Yes, a standardised auditing process could be possible/established. As
> far as I know, there is no plan to do so, yet.
>
> Greetings
> Marcus
>
> PS: There is something broken with your line-breaks
>
thanks for the hint. I think I need to switch from Thunderbird.
Viele Dank dir Marcus!