Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Intel Privacy Hardware Your Rights Online

FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed 179

gnujoshua (540710) writes "The Free Software Foundation has announced its endorsement of the Libreboot X200, a refurbished Lenovo ThinkPad X200 sold by Gluglug. The laptop ships with 100% free software and firmware, including the FSF's endorsed Trisquel GNU/Linux and Libreboot. One of the biggest challenges overcome in achieving FSF's Respects Your Freedom certification was the complete removal of Intel's ME and AMT firmware. The AMT is a controversial proprietary backdoor technology that allows remote access to a machine even when it is powered off. Quoting from the press release: "The ME and its extension, AMT, are serious security issues on modern Intel hardware and one of the main obstacles preventing most Intel based systems from being liberated by users. On most systems, it is extremely difficult to remove, and nearly impossible to replace. Libreboot X200 is the first system where it has actually been removed, permanently," said Gluglug Founder and CEO, Francis Rowe."
This discussion has been archived. No new comments can be posted.

FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed

Comments Filter:
  • AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).
    • Re: (Score:2, Informative)

      by Anonymous Coward

      AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

      Yes. "Almost all AMT features are available even if PC powered is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed" declares Wikipedia. http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

      • by kav2k ( 1545689 )

        Quoting the same article

        For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down.

        So no magical "I'll maintain that WiFi connection even when asleep"

      • Presumably "off" does not mean "powered down with no obvious source of energy"? A laptop has a battery but a desktop does not.
        What if a laptop disables wifi (I always do this), will the bios power it up against my will?

    • by fuzzyfuzzyfungus ( 1223518 ) on Thursday January 29, 2015 @05:59PM (#48935555) Journal
      That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.
      • That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

        On the desktop, when the system is powered off, it is not truly off. The powersupply is on, and other power, however minimal, is obtained from the router or the hub connection. The powersupply is often sustained to keep the RAM alive, and some reboot info.

        Want it off, disconnect it from the router. If it has wifi built-in (as some desktops do), use the powerswitch on the back of the computer to fully poweroff the system.

    • by Zitchas ( 713512 )

      I kind of suspect that is the point: Low level functionality that allows them to actually turn on the computer, not just wake it up from standby or hibernation. It also grants access for BIOS updating, erasing and reinstalling hard drives, and other access like that.

      I suspect that the only "Off" that would actually block its activity would be the more absolute "the power bar is turned off" type security. Which is probably a good idea anyway, these days.

    • by Anonymous Coward

      Not true. It can power on systems remotely.

      http://www.radmin.com/radmin/intel_amt_features.php [radmin.com] ...really really scary.

      • Assuming you haven't disabled it in the bios.

    • I work with AMT systems. AMT systems can be powered up from being completely off (not in standby, etc.). This is accomplished because AMT processors contain an entirely separate little computer that itself never turns off, even when the rest of the system (including the CPU) is.

      • Old school systems that had a physical Big Red Switch (including the original IBM PC, XT, and AT) really were completely off when they were off. But pretty much every computer these days has a soft switch, and depends on some part of the circuitry getting a bit of power to monitor the switch so it can turn the rest of the system on.
  • by roc97007 ( 608802 ) on Thursday January 29, 2015 @05:51PM (#48935471) Journal

    Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?"

    (Are there enough people who *care* about these issues?)

    • by TWX ( 665546 ) on Thursday January 29, 2015 @06:01PM (#48935565)

      (Are there enough people who *care* about these issues?)

      Not for $700+ for an obsolete laptop, there aren't.

      I've seen some niche things, but DAMN, this is takes the cake.

      We have an X301 at home. It was a great computer when we bought it new, but the battery life is terrible by modern standards, the Centrino processor is slow, and the screen is dim and low-res. The weight, presence of an optical drive (though just DVD) and keyboard are the plusses. We just bought a replacement for it; I may still upgrade the RAM to 8GB from the 2GB that it has now so that it's a nice around-the-house lappy, but it's never going to be the primary computer ever again.

      If they'd managed to do this treatment to a Thinkpad X1 Carbon or something else that's modern then I expect a lot more people would be interested, but somethis this old? For this kind of money?

      • Not for $700+ for an obsolete laptop, there aren't.

        It would be a decent one for a CA, to keep in the safe.

      • by AmiMoJo ( 196126 ) *

        Actually it seems quite reasonable for the money, assuming that the battery is new (re refurbed quality replacement cells). It's no screamer but a Core 2 Duo is plenty for most desktop stuff. The 1280x800 resolution is fine for a 12" display on an ultra-portable. 8GB of RAM max, and with an SSD it should be pretty quick. Even the GPU isn't bad.

        Plus you get a nice Thinkpad keyboard, still pretty hard to beat, and Thinkpad build quality. If you want a secure laptop for business or general desktop stuff I'd sa

      • by caseih ( 160668 )

        I have an X200 and specwise it's hardly any different from the current X220. Same processor (i5), same speed, same memory options. I bought it only last year specifically because it had a real keyboard. So, no the X200 is still a great laptop. And $700 is a good price, about par with used X200s.

        When I got the X200, I wiped it and put Linux on it. Now months later, I was fiddling with the BIOS and discovered that the Lojack stuff is activated, and cannot be deactivated (fortunately it does nothing on L

        • by caseih ( 160668 )

          My bad. The X200 is a much older laptop. The X220 is what I have and it's practically identical to the X230, which is the latest shipping version that has the chicklet keyboard that I can't stand.

      • by MagicFab ( 7234 )

        I agree it's absurd to pay such a price for something Intel could be doing. Why is Intel's problematic setup the default in the first place?

        The higher-than-ebay cost for this machine basically covers maintaining a proper commercial operation for existing formware/BIOS modification, distributing and seliing the system, including:

        * Upgraded with an 802.11n wireless card (Atheros AR5B95, AR9285 chipset), ensuring full compatibility with free drivers in Trisquel GNU/Linux-libre.
        * The Gluglug ships to USA, Canad

      • Not for $700+ for an obsolete laptop, there aren't.

        I got one of their previous offerings - an X60 with 3GB ram and a 320GB hard drive which I promptly replaced with a TB one I already had - for IIRC £220, and after a bit over a year I've had to spend another £20 to put a bigger battery into it. I dont' know what that translates into in dollars, whichever dollar you're using.

        Everything works properly, and without hassles.

        In contrast I spent half as much again on a brand new piece o

        • Coming soon (in a future libreboot update):

          ProteanOS BusyBox/Linux-libre operating system pre-installed directly in the SPI flash chip, alongside Libreboot. This will mean that the user has a full operating system available at all times (as part of the boot firmware) as a boot menu option for recovery or any other purpose such as updating libreboot, even if the HDD or SSD is removed from the machine. Those who order today will receive this as a software update when available, with installation instructions

    • by future assassin ( 639396 ) on Thursday January 29, 2015 @06:06PM (#48935611)

      Untill they classify it as a tool for promoting terrorism.

    • by Gr8Apes ( 679165 )

      Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?"

      (Are there enough people who *care* about these issues?)

      Nah, BSD will be on the desktop before Linux makes it. Wait, it already has...

  • by ArmoredDragon ( 3450605 ) on Thursday January 29, 2015 @05:55PM (#48935509)

    I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk. What I like about it is the following:

    - Allows you to remotely manage client PCs in a work environment, up to and including re-formatting the HDD with a new OS, including being able to remotely mount a local ISO image to install the OS.
    - Works even when some of the most critical system components don't work, such as CPU, RAM, etc, as it's an independent subsystem. Even if you don't want the remote management features, this is a huge deal when you have a seemingly dead system and aren't sure exactly how to fix it. AMT helps you figure out the EXACT problem FAST, and you don't even have to have the computer in your hands to do so.
    - Integrates with LDAP (including Active Directory, Samba, etc)
    - Provides the ability to power on and remotely wipe the laptop if it was stolen and contains sensitive data.

    So what's so controversial about it?

    • by Anonymous Coward

      It's not possible to turn it off. Among other things it handles the "Protected Video Path" on Intel GPUs (aka it implements DRM).

      • It's off by default. What have you been smoking?

    • by tlhIngan ( 30335 )

      So what's so controversial about it?

      It's not controversial. it's just it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

      • Re: (Score:2, Informative)

        by Obfuscant ( 592200 )

        It's not controversial. it's just it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

        And also Completely Free Of Full Remote Management capabilities.

        I have a bunch of servers that all have iDrac or other management connections, and it sure is a lot easier to talk to a malfunctioning system when there is a dedicated remote console server. I've had people go wild using memory resources on some compute servers to the point that memory management is killing parts of the operating system. Parts that are required to remotely log in. Dedicated remote management means I can get a console to at le

        • by AK Marc ( 707885 )

          I can't recall a single laptop I've had that has an active network connection when it is off,

          So because you've never had a computer with AMT, AMT doesn't exist? That's some weird logic you have. If your computer has WoL (most do) it has an "Active" network connection (as in a passive listening connection), even when you disable WoL, it's still listening, it just doesn't do anything. You don't have to electrically light your "transmit" wires to hear what's on the receive wires.

          so how would someone use this AMT on a Lenovo laptop to turn one back on to do anything to it?

          http://lmgtfy.com/?q=wake+on+l... [lmgtfy.com]

          • So because you've never had a computer with AMT, AMT doesn't exist? That's some weird logic you have.

            Didn't say that. I said I can't recall ever seeing it. Sorry the difference escapes you.

            If your computer has WoL (most do) it has an "Active" network connection (as in a passive listening connection), even when you disable WoL, it's still listening, it just doesn't do anything.

            It's hard to listen on an interface that has been shut off. Or on one that has been unplugged, which if you recall was what I suggested to deal with an always-on laptop network connection. Seems like I admitted they existed, which contradicts the words you tried putting in my mouth earlier.

            I know what "wake on lan" is, and I also know that it is a BIOS setting to enable and disable it. Still, you can't "wake on lan"

        • So the whole point is to avoid walking to the client's desk? I remember when that used to be the majority of my social life...

          • by tepples ( 727027 )

            So the whole point is to avoid walking to the client's desk?

            Perhaps the point is to avoid flying to the client's desk in another country.

        • And also Completely Free Of Full Remote Management capabilities.

          I have a bunch of servers that all have iDrac or other management connections,

          I suspect that you're not the target audience for this system.

          I have an 18-wheler truck for sale. Would that be good for your daily commute to the building with the underground par park?

    • by Rennt ( 582550 ) on Thursday January 29, 2015 @06:25PM (#48935763)

      However you slice it, AMT is a backdoor. If you control the backdoor on your own equipment then you can do some cool tricks, but implementing a backdoor massively increases the attack surface of the system.

      The question is whether the cool tricks are worth the risk. For managed corporate drone PCs the answer is probably yes. For everyone else it is definitely no. For a personal laptop it's an emphatic FUCK NO.

      Badly written Hollywood movies used to give crackers stupid computer-superpowers. Now that AMT is here those kind of fantasies become reality.

    • Any remote management tool would be a 'backdoor', except that it is put in place by the owner for their convenience and with their consent.

      AMT is a particularly powerful, and somewhat opaque, management tool. Anyone who suspects the possibility that(deliberately, or by mistake) those very, very, useful capabilities might be available to others under some circumstances would naturally be suspicious of it.

      And, for the FSF and those who share their concerns, the fact that it is a wholly proprietary(and t
      • So is AMT hardcoded into the silicon - is it a part of the CPU, or is it something that's a part of the firmware in the flash, but in the boot section, thereby making it unremovable?
        • by fuzzyfuzzyfungus ( 1223518 ) on Thursday January 29, 2015 @07:35PM (#48936245) Journal
          A mixture of both. The AMT system includes a dedicated ARC cpu [wikipedia.org], which runs its own OS and functions independently of the host to a large degree; but also can see into, and sometimes make use of, some of the hardware visible to the host system(details depend on version). For communication, for instance, the AMT system has access to the wired NIC below the OS's view(wireless NICs are more complex, I think AMT can do a direct connection to a trusted AP if configured to do so; but can't do VPN without piggybacking on the host OS), and it also has enough hooks into the various peripherals that it can do remote KVM in hardware, by emulating HID devices and snooping the framebuffer, mount an .iso as though it were a connected SATA device, and access some storage and memory locations that are also accessible to the host OS or programs, in order to gather data on system health, software versions, etc.

          I'm not exactly sure how the BIOS/UEFI flash and the flash that stores the AMT firmware are related to one another. On computers with AMT, a 'bios update' will often flash both; but I don't know if that's because they are just different areas of the same SPI flash chip, or whether it's just a convenience bundling of two nearly unrelated updaters.
        • As I understand it, at the bare-metal hardware level, AMT is basically a networked JTAG programmer grafted onto the ethernet controller that can do things like read & write values into RAM, stuff values into the CPU's registers, update the BIOS NVRAM, and override the normal boot process as long as you have physical ethernet access to the same network as the target computer & can present AMT with credentials it's satisfied with. It basically starts with the foundation provided by Wake-on-Lan & P

    • The problem is that it is a too powerful tool that if used for evil can cause impressive havoc and no one would know until too late. And a too powerful tool where you are not sure if you have the control you should have. Usefull, yes, but a too big security risk for my taste.
    • by jhantin ( 252660 )

      Exactly. How is this materially different from an integrated remote-access card and baseboard management controller? I'm at a loss why Intel used an Argonaut core for it, though. I'd have expected a lightweight x86, or maybe an ARM. However, all that is beside the point.

      The main reason for all the hullabaloo is that the Intel firmware that normally runs on this coprocessor is delivered as a closed-source blob, which raises trust issues given how pervasive its access to the machine is. It's also had its

    • May I direct you to the other closed-source firmware story of the day about DLink routers having remote DNS admin capabilities without password? You can't trust remote admin features on hardware when you can't see or have someone you trust see the software its running.

    • by Troed ( 102527 )

      What's controversial?

      Heard of humanity's latest hero - Snowden?

      On my personal computer there's no IT department that needs any of the things you mentioned. Thus it should be configurable.

      It's not.

    • @ArmoredDragon: "I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk."

      Either by accident or design, it allows for a backdoor into the system. I wouldn't be suprised it it didn't come with its own backdoor ref [gov1.info].
    • by gl4ss ( 559668 )

      that's like saying that crotchless pants are great for easy access when traveling on the subway

  • by Anonymous Coward on Thursday January 29, 2015 @06:00PM (#48935561)

    Can we put it all back, under our control?

    I want a computer that secureboot's my signed bootloader that boots my signed kernel that executes my signed init and starts a signed console with a signed login and logs me into a signed bash.

    I want the promise fulfilled: that I know with cryptographic certainty that as long as my key is secure, "They" have not tampered with my persistent environment.

    A far cry from what it has become: the MAFIAA knowing with cryptographic certainty that I have not tampered with my environment.

    • by Anonymous Coward

      "They" are the ones manufacturing the computers. Like the one you used to post that crap, for example.

      Secure Boot was only ever meant to do two things, neither of which involve security or booting:

      1) Make it more difficult for anything other than Windows to run without minor to major headaches on a PC.
      2) Give Microsoft a means of providing a license key per copy of Windows in an area that the end-user can't get at. It's an extension of the "no used games" idea they had for the XBONE that people freaked the

      • by yuhong ( 1378501 )

        This is full of errors. For one thing, the way the Win8 license key is stored in the ROM has nothing to do with Secure Boot. I think it uses ACPI.

  • by Qzukk ( 229616 ) on Thursday January 29, 2015 @06:01PM (#48935567) Journal

    But does it run Windows?

  • AMD (Score:4, Interesting)

    by Atmchicago ( 555403 ) on Thursday January 29, 2015 @06:09PM (#48935645)
    Would it be easier to go with an AMD laptop? Do they have similar firmwmare concerns?
  • by Chas ( 5144 )

    $550-750 for a 6 year old, low-resolution, low memory laptop?

    I mean, if I absolutely HAD to have something FSF-compliant without the possible security risk of AMT...

    But, honestly, that same amount of money will get you a MUCH better NEW laptop and there are ways to secure a system around AMT.

    • by TWX ( 665546 )

      ...if I absolutely HAD to have something FSF-compliant...

      Such requirements are only self-imposed requirements. Even defense contractors like Boeing use stock computers from large OEMs like Dell.

      I can't think of a single instance when something being FSF-compliant matters at all, except maybe if you want to work for Richard Stallman. If Wikipedia is to be believed then there are exactly twelve people in the world affected.

      • I can't think of a single instance when something being FSF-compliant matters at all

        Except for ones own piece of mind, of course. Which I guess doesn't matter.

        • by Chas ( 5144 )

          This is where the whole notion of risk management comes into play.

          Now, if you're a world famous nuclear scientist working on spurting-edge fusion power experiments, a stupid-rich CEO of an unpopular company or a politician with even more dirty laundry than your AVERAGE political hack, you're probably a FAR bigger target than "Joe Familyguy".

          I'm not saying "don't secure your shit.

          But at some point, the risk/return equation simply becomes unacceptable for most people.

          Technically, if you disassembled your mach

      • Even defense contractors like Boeing use stock computers from large OEMs like Dell.

        I don't know about defence contractors, but I'll be in the offices of an oil major tomorrow lunch time because they wipe the hard drives of all their OEM laptops and re-image them with a heavily customised version of XP, Vista or Win7 with all sorts of weird different networky things. Pain in the arse, but that costs them money - I go into their office for a videoconference meeting (because their laptop won't work on anyone

    • by AHuxley ( 892839 )
      Re: "But, honestly, that same amount of money will get you a MUCH better NEW laptop and there are ways to secure a system around AMT."
      The issues with the newer systems is the remote low level access thats part of the "NEW laptop" or computer system.
      If a person is seen and tracked outside away from their networked computer that would give time to access that networked computer.
      Some of the needed tools are are built into the hardware as sold and powered waiting for the remote commands.
      After a system is a
    • I make it a smidgin under $400, since I've got bigger hard drives already available. Assuming you're talking about US dollars.

      Say you wanted to spend $750 on a newer laptop, then needed to spend 10 hours researching it and working out how to disable all remote management things and remove proprietary blobs from the firmware. Oh, and add in a modern WIFI chip too. That would be implying that you value your time at ~$35/hour.

      If you value your time more highly than that ... well, it may become worthwhile to

  • If you're going to drop the Intel ME, Intel could still put something together in the CPU microcode patches. Or, you know, just in the silicon itself.

    This product is a sham. "Only free software -- until it's not".

    • Except that the Intel Microcode on the CPU has been wiped no Intel Microcode patches or updates are applied to the CPU on the Libreboot X200. So "it is free software and it continues to be free software?"
      • by The Finn ( 1547 )

        CPU microcode still exists even if the blobs aren't included. You're just limited to the version that's included with the stepping of your CPU. I believe the management engine (ME) on the chipset is the same way. (On the server side, at least, the chipset won't allow the CPUs to boot without an ME blob.)

        Just because your software doesn't include any blobs doesn't mean that there aren't any blobs on the hardware.

    • by yuhong ( 1378501 )

      Microcode don't run when the computer is powered off and can't connect to a network directly.

  • If I understand it correctly, I would be able to power on, fix or reimage my home desktops/laptops while at work or away on a trip. Or fix my moms crashed computer from half way around the globe. And, since all communication is authenticated with a TLS certificate, there is little danger of other taking over my hardware.

    I understand people's right to be paranoid or want 100% open systems, and hope that appropriate choices remain available. But even for most Linux kernel developers a failsafe way to repair a

    • by gnupun ( 752725 )

      If I understand it correctly, I would be able to power on, fix or reimage my home desktops/laptops while at work or away on a trip. Or fix my moms crashed computer from half way around the globe.

      And govt agencies and hackers would also be able to do this and we don't want that. As far as fixing your mom's computer, a simple video chat using some mobile phone can be used to fix the computer, without the invasive spyware.

      • by iamacat ( 583406 )

        Have you ever actually tried to fix an unbootable computer over "simple video chat" with a non-technical person? Hehe.

        I would install a pre-shared key and not give it "govt agencies and hackers". If they have a secret backdoor into TLS or intel hardware, I am screwed anyway.

  • " Intel Active Management Technology [wikipedia.org]: Known Vulnerabilities and Exploits"

    What is needed is another OOB security-sub-system to protect the Intel Active Management Technology from getting compromised :)

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...