Slashdot Mirror


FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed

gnujoshua (540710) writes "The Free Software Foundation has announced its endorsement of the Libreboot X200, a refurbished Lenovo ThinkPad X200 sold by Gluglug. The laptop ships with 100% free software and firmware, including the FSF's endorsed Trisquel GNU/Linux and Libreboot. One of the biggest challenges overcome in achieving FSF's Respects Your Freedom certification was the complete removal of Intel's ME and AMT firmware. The AMT is a controversial proprietary backdoor technology that allows remote access to a machine even when it is powered off. Quoting from the press release: "The ME and its extension, AMT, are serious security issues on modern Intel hardware and one of the main obstacles preventing most Intel based systems from being liberated by users. On most systems, it is extremely difficult to remove, and nearly impossible to replace. Libreboot X200 is the first system where it has actually been removed, permanently," said Gluglug Founder and CEO, Francis Rowe."

4 of 179 comments

  1. Re:even when it is powered off. by Anonymous Coward · Score: 2, Informative

    AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

    Yes. "Almost all AMT features are available even if PC power is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed" declares Wikipedia. http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

  2. Re:even when it is powered off. by fuzzyfuzzyfungus · Score: 4, Informative

    That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

  3. Re:Since when is AMT controversial? by Obfuscant · Score: 1, Informative

    It's not controversial. It's just that it's another computer in your computer that's running Non-Free Software(tm). So they get rid of it and thus they have a computer that is Completely Free Of Proprietary Software.

    And also Completely Free Of Full Remote Management capabilities.

    I have a bunch of servers that all have iDRAC or other management connections, and it sure is a lot easier to talk to a malfunctioning system when there is a dedicated remote console server. I've had people go wild using memory resources on some compute servers to the point that memory management is killing parts of the operating system. Parts that are required to remotely log in. Dedicated remote management means I can get a console to at least identify the problem (scrolling "killed" reports, e.g.) and then reset the system, without having to go find the physical system I need to poke.

    I can't recall a single laptop I've had that has an active network connection when it is off, so how would someone use this AMT on a Lenovo laptop to turn one back on to do anything to it? If you don't want remote access to a laptop that's turned off, unplug the network cable. Set a password on the remote access. End of problem. I call FUD on this fear.

  4. Re:Since when is AMT controversial? by fuzzyfuzzyfungus · Score: 4, Informative

    A mixture of both. The AMT system includes a dedicated ARC CPU, which runs its own OS and functions independently of the host to a large degree; but also can see into, and sometimes make use of, some of the hardware visible to the host system (details depend on version). For communication, for instance, the AMT system has access to the wired NIC below the OS's view (wireless NICs are more complex; I think AMT can do a direct connection to a trusted AP if configured to do so, but can't do VPN without piggybacking on the host OS), and it also has enough hooks into the various peripherals that it can do remote KVM in hardware, by emulating HID devices and snooping the framebuffer, mount an .iso as though it were a connected SATA device, and access some storage and memory locations that are also accessible to the host OS or programs, in order to gather data on system health, software versions, etc.

    I'm not exactly sure how the BIOS/UEFI flash and the flash that stores the AMT firmware are related to one another. On computers with AMT, a 'bios update' will often flash both; but I don't know if that's because they are just different areas of the same SPI flash chip, or whether it's just a convenience bundling of two nearly unrelated updaters.