Slashdot Mirror


FSF-Endorsed Libreboot X200 Laptop Comes With Intel's AMT Removed

gnujoshua (540710) writes "The Free Software Foundation has announced its endorsement of the Libreboot X200, a refurbished Lenovo ThinkPad X200 sold by Gluglug. The laptop ships with 100% free software and firmware, including the FSF's endorsed Trisquel GNU/Linux and Libreboot. One of the biggest challenges overcome in achieving FSF's Respects Your Freedom certification was the complete removal of Intel's ME and AMT firmware. The AMT is a controversial proprietary backdoor technology that allows remote access to a machine even when it is powered off. Quoting from the press release: "The ME and its extension, AMT, are serious security issues on modern Intel hardware and one of the main obstacles preventing most Intel based systems from being liberated by users. On most systems, it is extremely difficult to remove, and nearly impossible to replace. Libreboot X200 is the first system where it has actually been removed, permanently," said Gluglug Founder and CEO, Francis Rowe."

23 of 179 comments

  1. The year of Linux? by roc97007 · · Score: 2

    Are privacy and security issues the leverage that finally puts Linux in people's hands in significant numbers?

    (Are there enough people who *care* about these issues?)

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:The year of Linux? by TWX · · Score: 3, Insightful

      (Are there enough people who *care* about these issues?)

      Not for $700+ for an obsolete laptop, there aren't.

      I've seen some niche things, but DAMN, this takes the cake.

      We have an X301 at home. It was a great computer when we bought it new, but the battery life is terrible by modern standards, the Centrino processor is slow, and the screen is dim and low-res. The weight, presence of an optical drive (though just DVD) and keyboard are the plusses. We just bought a replacement for it; I may still upgrade the RAM to 8GB from the 2GB that it has now so that it's a nice around-the-house lappy, but it's never going to be the primary computer ever again.

      If they'd managed to do this treatment to a Thinkpad X1 Carbon or something else that's modern then I expect a lot more people would be interested, but something this old? For this kind of money?

      --
      Do not look into laser with remaining eye.
    2. Re:The year of Linux? by future+assassin · · Score: 3, Insightful

      Until they classify it as a tool for promoting terrorism.

      --
      by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    3. Re:The year of Linux? by CODiNE · · Score: 3, Insightful

      Let's not forget back in the day when Linux and the GPL were "communist".

      --
      Cwm, fjord-bank glyphs vext quiz
  2. Since when is AMT controversial? by ArmoredDragon · · Score: 5, Interesting

    I've always found AMT useful. It's turned off by default, so I'm not sure how it's a security risk. What I like about it is the following:

    - Allows you to remotely manage client PCs in a work environment, up to and including re-formatting the HDD with a new OS, including being able to remotely mount a local ISO image to install the OS.
    - Works even when some of the most critical system components don't work, such as CPU, RAM, etc, as it's an independent subsystem. Even if you don't want the remote management features, this is a huge deal when you have a seemingly dead system and aren't sure exactly how to fix it. AMT helps you figure out the EXACT problem FAST, and you don't even have to have the computer in your hands to do so.
    - Integrates with LDAP (including Active Directory, Samba, etc)
    - Provides the ability to power on and remotely wipe the laptop if it was stolen and contains sensitive data.

    So what's so controversial about it?

    1. Re:Since when is AMT controversial? by Anonymous Coward · · Score: 5, Insightful

      God fucking christ dammit.

      How can you trust any hardware unless you audit the design and the machinery used to implement that design on silicon?

      The fact is that you can't.

      There are almost certainly undocumented Intel instructions or I/O ports which will enable software to bypass OS level protections. I imagine they are used almost never, but when they're used, you can be damn sure it makes a huge difference to the party with the privilege to know them. What can we do about it? Sweet fuck all until we get over the idea of trusting big business/government contractor (but I repeat myself) and develop and implement hardware the way we develop software. Won't the start-up cost be prohibitive? Eventually no.

      In the meanwhile, un-Clippered encryption will be outlawed, and hardware licensed to require backdoors.

    2. Re:Since when is AMT controversial? by Rennt · · Score: 5, Insightful

      However you slice it, AMT is a backdoor. If you control the backdoor on your own equipment then you can do some cool tricks, but implementing a backdoor massively increases the attack surface of the system.

      The question is whether the cool tricks are worth the risk. For managed corporate drone PCs the answer is probably yes. For everyone else it is definitely no. For a personal laptop it's an emphatic FUCK NO.

      Badly written Hollywood movies used to give crackers stupid computer-superpowers. Now that AMT is here those kind of fantasies become reality.

    3. Re:Since when is AMT controversial? by fuzzyfuzzyfungus · · Score: 2

      Any remote management tool would be a 'backdoor', except that it is put in place by the owner for their convenience and with their consent.

      AMT is a particularly powerful, and somewhat opaque, management tool. Anyone who suspects the possibility that (deliberately, or by mistake) those very, very useful capabilities might be available to others under some circumstances would naturally be suspicious of it.

      And, for the FSF and those who share their concerns, the fact that it is a wholly proprietary (and tricky to remove or replace) blob embedded in the brainstem of their computer is not something that would make them happy.

    4. Re:Since when is AMT controversial? by halivar · · Score: 3, Funny

      Oh, I can see it now. Some Linux enthusiast (wait, no, a GNU/Linux enthusiast; run-of-the-mill Linux enthusiasts are too corrupted by pragmatism) poring over hundreds of giant sheets of chip diagrams, nodding sagely at incomprehensible engineering spaghetti he doesn't even understand. "Hmmm... yes... this all seems to be in order..."

    5. Re:Since when is AMT controversial? by Obfuscant · · Score: 2

      So because you've never had a computer with AMT, AMT doesn't exist? That's some weird logic you have.

      Didn't say that. I said I can't recall ever seeing it. Sorry the difference escapes you.

      If your computer has WoL (most do) it has an "Active" network connection (as in a passive listening connection), even when you disable WoL, it's still listening, it just doesn't do anything.

      It's hard to listen on an interface that has been shut off. Or on one that has been unplugged, which if you recall was what I suggested to deal with an always-on laptop network connection. Seems like I admitted they existed, which contradicts the words you tried putting in my mouth earlier.

      I know what "wake on lan" is, and I also know that it is a BIOS setting to enable and disable it. Still, you can't "wake on lan" a system that isn't connected to a lan, now can you? That seems like a simpler solution if you are scared of the boogeyman turning your powered-down laptop back on. It's not like you have to crawl under the desk to get to the network connection when you unplug a laptop.

      But using the simple solution doesn't allow for an "oh noes, the gov'mint can turn my laptop back on and monitor me, must buy a special laptop to be safe!" FUD campaign.

    6. Re:Since when is AMT controversial? by TechyImmigrant · · Score: 2

      It's off by default. What have you been smoking?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re:Since when is AMT controversial? by fuzzyfuzzyfungus · · Score: 4, Informative

      A mixture of both. The AMT system includes a dedicated ARC cpu, which runs its own OS and functions independently of the host to a large degree; but also can see into, and sometimes make use of, some of the hardware visible to the host system (details depend on version). For communication, for instance, the AMT system has access to the wired NIC below the OS's view (wireless NICs are more complex, I think AMT can do a direct connection to a trusted AP if configured to do so; but can't do VPN without piggybacking on the host OS), and it also has enough hooks into the various peripherals that it can do remote KVM in hardware, by emulating HID devices and snooping the framebuffer, mount an .iso as though it were a connected SATA device, and access some storage and memory locations that are also accessible to the host OS or programs, in order to gather data on system health, software versions, etc.

      I'm not exactly sure how the BIOS/UEFI flash and the flash that stores the AMT firmware are related to one another. On computers with AMT, a 'bios update' will often flash both; but I don't know if that's because they are just different areas of the same SPI flash chip, or whether it's just a convenience bundling of two nearly unrelated updaters.

    8. Re:Since when is AMT controversial? by jhantin · · Score: 2

      Exactly. How is this materially different from an integrated remote-access card and baseboard management controller? I'm at a loss why Intel used an Argonaut core for it, though. I'd have expected a lightweight x86, or maybe an ARM. However, all that is beside the point.

      The main reason for all the hullabaloo is that the Intel firmware that normally runs on this coprocessor is delivered as a closed-source blob, which raises trust issues given how pervasive its access to the machine is. It's also had its share of bugs and exploits, some of which work even if AMT is turned off in the BIOS, since the coprocessor may still be doing mundane baseboard tasks like fan control.

      --
      ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
    9. Re:Since when is AMT controversial? by Darinbob · · Score: 2

      But the instructor at the certificate course assured me that it was safe!

    10. Re:Since when is AMT controversial? by PopeRatzo · · Score: 3, Insightful

      At some point, you have to start trusting people/organizations/companies.

      What you're really saying is, "You don't have a choice, so just suck it up, princess. Privacy is so 20th century."

      No, you don't have to trust people/organizations/companies who have not earned your trust. You are the one paying. Use the power you have as a consumer. Weaponize your purchasing power.

      And always, always reserve the right to just say "Nope, I don't need it, I don't want it, and I'll find another way."

      --
      You are welcome on my lawn.
    11. Re:Since when is AMT controversial? by PopeRatzo · · Score: 2

      There are reasons beyond the "4 GNU freedoms" to oppose these devices being installed into all new computers.

      I'll bet you're not so sanguine about having a device installed in your car that allows for remote shutoff, location reporting and monitoring of your driving habits.

      Because the real question is not "what is so controversial?" but rather "how secure are these systems?" It's not about what a sysadmin can do with the power to remotely turn on your computer, but what some miscreant can do with that power when he inevitably gets his hands on it. And the computer in question is not the one on your desktop at work or your business laptop (that your company paid for anyway), but the one you have at home for your taxes/banking/personal communications.

      --
      You are welcome on my lawn.
    12. Re:Since when is AMT controversial? by tepples · · Score: 2

      So the whole point is to avoid walking to the client's desk?

      Perhaps the point is to avoid flying to the client's desk in another country.

  3. Re:even when it is powered off. by Anonymous Coward · · Score: 2, Informative

    AMT has remote power up capability but if the system is off ... it is OFF (no idle or standby).

    Yes. "Almost all AMT features are available even if PC powered is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed" declares Wikipedia. http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

  4. Re:even when it is powered off. by fuzzyfuzzyfungus · · Score: 4, Informative

    That may differ between laptops and desktops, or between AMT versions. On the desktops I've seen the AMT stuff is active if the PC is plugged in, regardless of its power state. Some of the capabilities of the AMT system cannot be used if the host PC is off; but the system itself runs on a separate processor and only turns off if the PSU is unpowered. Laptops may need to be more conservative, for the sake of retaining battery life while inactive.

  5. Now that all the secure everything is gone... by Anonymous Coward · · Score: 4, Insightful

    Can we put it all back, under our control?

    I want a computer that secure-boots my signed bootloader that boots my signed kernel that executes my signed init and starts a signed console with a signed login and logs me into a signed bash.

    I want the promise fulfilled: that I know with cryptographic certainty that as long as my key is secure, "They" have not tampered with my persistent environment.

    A far cry from what it has become: the MAFIAA knowing with cryptographic certainty that I have not tampered with my environment.
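One way to picture the chain this post asks for, as an added example that is not from the thread: each stage checks the owner's Ed25519 signature on the next stage before handing over control, so an image that was modified, or re-signed with someone else's key, stops the chain at that point. The stage names and image bytes are constructed stand-ins for real boot binaries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one link of the boot chain: an image plus the owner's signature over it.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// signChain signs each stage image with the owner's private key.
// The images are constructed placeholders, not real bootloader/kernel binaries.
func signChain(priv ed25519.PrivateKey, names []string) []Stage {
	chain := make([]Stage, 0, len(names))
	for _, n := range names {
		img := []byte("constructed image of " + n)
		chain = append(chain, Stage{Name: n, Image: img, Sig: ed25519.Sign(priv, img)})
	}
	return chain
}

// verifyChain models each stage verifying the next against the owner's public key
// before running it. It returns the stages that were allowed to run and the name of
// the first stage whose signature failed ("" when the whole chain verified).
func verifyChain(pub ed25519.PublicKey, chain []Stage) (ran []string, failed string) {
	for _, s := range chain {
		if !ed25519.Verify(pub, s.Image, s.Sig) {
			return ran, s.Name // halt: nothing after a bad signature executes
		}
		ran = append(ran, s.Name)
	}
	return ran, ""
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the owner's key
	chain := signChain(priv, []string{"bootloader", "kernel", "init", "login", "bash"})
	fmt.Println(verifyChain(pub, chain)) // clean chain: all five run, failed == ""

	chain[1].Image = []byte("tampered kernel") // modified without the owner's key
	fmt.Println(verifyChain(pub, chain))       // only bootloader runs, failed == "kernel"

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // someone else's key
	chain[1].Sig = ed25519.Sign(otherPriv, chain[1].Image)
	fmt.Println(verifyChain(pub, chain)) // a valid signature under the wrong key still fails
}
```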

  6. Inquiring minds want to know by Qzukk · · Score: 3, Funny

    But does it run Windows?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. AMD by Atmchicago · · Score: 3, Interesting

    Would it be easier to go with an AMD laptop? Do they have similar firmware concerns?

    --
    You can lead a horse to water, but you can't make it dissolve.

  8. What about CPU microcode? by Balial · · Score: 2

    If you're going to drop the Intel ME, Intel could still put something together in the CPU microcode patches. Or, you know, just in the silicon itself.

    This product is a sham. "Only free software -- until it's not".