Re: [Trisquel-users] Intel AMT and Free Software

[Adonay Felipe Nogueira]

Also be careful with "UEFI" in general.

Technically, there are two types:

a) Secure Boot: free/libre system distribution friendly, and free/libre
   software friendly. In this scenario the device manufacturer allows
   the user *himself* to manage the trust keys *completely* --- and also
   allows to insert his own/user's trust key --- so that the UEFI can
   only accept the operating system signed with such keys.

b) Restricted Boot: found in most mobile devices, gaming devices and
   some modern computers. Only the manufacturer, or people authorized by
   these, can manage the keys, that is: the user has no way to manage
   these *completely*.

This information was based on [1].

Again, please be careful to talk about UEFI, it's two-fold.

[1] 
.

2017-11-30T08:12:23+0100 vitac...@ruggedinbox.com wrote:
> Also read this:
>
> http://techrights.org/2013/06/24/nsa-and-uefi/
> https://www.csoonline.com/article/3220476/security/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html
> https://threatpost.com/intel-confirms-its-much-loathed-me-feature-has-a-kill-switch/127739/
> https://www.extremetech.com/extreme/201722-linuxs-worst-case-scenario-microsoft-makes-secure-boot-mandatory-locks-out-other-operating-systems
>
> be careful with UEFI crap and Intel's ME. Anyway we can nothing to do.
>

-- 
- https://libreplanet.org/wiki/User:Adfeno
- Palestrante e consultor sobre /software/ livre (não confundir com
  gratis).
- "WhatsApp"? Ele não é livre. Por favor, veja formas de se comunicar
  instantaneamente comigo no endereço abaixo.
- Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
- Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
  (apenas sem DRM), PNG, TXT, WEBM.

Re: [Trisquel-users] Intel AMT and Free Software

[vitacell]

Also read this:

http://techrights.org/2013/06/24/nsa-and-uefi/
https://www.csoonline.com/article/3220476/security/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html
https://threatpost.com/intel-confirms-its-much-loathed-me-feature-has-a-kill-switch/127739/
https://www.extremetech.com/extreme/201722-linuxs-worst-case-scenario-microsoft-makes-secure-boot-mandatory-locks-out-other-operating-systems

be careful with UEFI crap and Intel's ME. Anyway we can nothing to do.

Re: [Trisquel-users] Intel AMT and Free Software

[gnugaz77]

Use as much Free Software as possible but an older system, Core 2 Due, works  
great. If you can't get a Libreboot system use as much Free software as you  
can. Use a FULLY free OS, graphics and WIFI, and enjoy. Yes 80% is better  
than 20%. Plenty of laptops out there to be 100%. Just go for it.

Re: [Trisquel-users] Intel AMT and Free Software

[leestrobel]

I agree with calher. Being 80% free is better than being 20% free ... :-)

Re: [Trisquel-users] Intel AMT and Free Software

[Caleb Herbert]

Using free software instead of proprietary software is always better.

It's good to use free programs on a proprietary OS, if the alternative
is using proprietary programs on a proprietary OS.

It's good to use a free OS on a proprietary BIOS, if the alternative is
using a proprietary OS on a proprietary BIOS.

It's good to ADD free software.  It's not good to ADD proprietary
software.

[Trisquel-users] Intel AMT and Free Software

[davidecaramori]

Hello to everyone. I came across a thought.If most computers and mobile  
devices have the latest intel processors (and we know that this is not free  
hardware as Stallman said) how can we consider ourselves more free than those  
who use Windows or Mac? I mean, if someone has newer intel hardware and Free  
Software installed can we consider that person free (as in freedom)? Is still  
worth to install Free Software on a computer that runs iAMT? Or is the same  
as having a computer with proprietary software? 

Re: [Trisquel-users] Intel AMT

[infinityfallen]

>Anyway not every computer has it, because some models don't >have AMT/ME at  
all. In this case Libreboot shouldn't share >inaccurate information,


What you say is correct, but Libreboot never seems to have claimed otherwise.  
Their FAQ, which I presume is what you are referencing, states in bold that  
the ME is "present on all Intel desktop, mobile (laptop), and server systems  
since mid 2006." This assertion does seem accurate.


>and also what does it mean that you can't turn it off?
>Because on Lenovo x220 you can disable AMT,

These are separate issues. The AMT can be turned off or not present at all  
(presuming Intel/OEMs are honest- see below), as is exemplified in a number  
of devices if I remember correctly. The ME, however, is a different kettle of  
colored horses. Their *are* no BIOS switches for this little beast, and only  
in the earliest models (pre-X220 for sure) can it be switched off or removed.  
Later models have a hard-coded check, which will switch off the device after  
30 minutes if the ME is not found. It also performs some hardware-init stuff,  
I think, although that's only required at boot.


>but is it totally or partially disabled and how can you
>affirm that (anyone knows how hardware really works?)?

For the ME, I'm pretty sure the standard way to check is by removing all  
traces of the code from the flash chip- if the ME is still required, then it  
wouldn't work. For the AMT, I'm not quite so certain about the method- I'd  
imagine the best you can do is check if the AMT stops offering the services  
one would expect to (remote shutdown etc.). That said, this is just a total  
guess- the only one I can tell you about is the ME.


As regards how the hardware works, the basic idea is that the ME is a little  
chip embedded inside the main processor, which then has full control over the  
main processor. It reads from a flash chip, which is writable (the ME can  
update its OS). That's awfully vague, and probably about the extent of my  
knowledge, but it's the basic concept nonetheless.


>Libreboot and also other sites should specify these issues,
>otherwise is not an objective information, is an useless
>alarm that seems useful only to sell Libreboot computers

"Libreboot" doesn't make *any* profit from Libreboot computers to the best of  
my knowledge; Leah, the lead developer, does, but that is a secondary issue  
nonetheless. The primary concern is whether the description is accurate. In  
that regard, it is an excellent and comprehensive description of how the ME  
has developed as an obstruction to free computing over time. Your facts cited  
above are equally correct, certainly, but they're about the AMT. This is  
*not* the same as the ME, in that it can be avoided, often disabled (albeit  
through a proprietary BIOS) and perhaps might be considered a piece of  
software in its own right rather than just complex firmware.

Re: [Trisquel-users] Intel AMT

[legimet . calc]

It is impossible for all of the modern Intel processors. The ME is  
cryptographically signed, so there is no way to remove or replace it.

Re: [Trisquel-users] Intel AMT

[davidecaramori]

Anyway not every computer has it, because some models don't have AMT/ME at  
all. In this case Libreboot shouldn't  share inaccurate information, and also  
what does it mean that you can't turn it off? Because on Lenovo x220 you can  
disable AMT, but is it totally or partially disabled and how can you affirm  
that (anyone knows how hardware really works?)? Libreboot and also other  
sites should specify these issues, otherwise is not an objective information,  
is an useless alarm that seems useful only to sell Libreboot computers (on  
the other hand is true that not every BIOS is free, but this is another  
point). 

Re: [Trisquel-users] Intel AMT

[richardmillea]

That is not what I asked. I am aware of performance differeces.

I am asking, with specific regard to Libreboot, if there is likely to be  
variation in compatibility between the processor designs. 

Re: [Trisquel-users] Intel AMT

[vitacell]

i5-i7 CPUs are much powerful, cooler than Core2duo-Core2quad PCUs. So, yes  
i5-i7 worth the upgrade. Also these CPUs comes with decent integrated graphic  
chip, not shitty 4500mhd or 950gma.

Re: [Trisquel-users] Intel AMT

[richardmillea]

With these more modern processors, is there a difference between the i3/5/7  
in terms of bringing Libreboot to the X220? Will all the processors likely be  
suitable? Apologies if that is a daft question - I'm not particularly  
knowledgeable about processors. 

Re: [Trisquel-users] Intel AMT

[legimet . calc]

nfortunately, ME can't be completely removed starting with Nehalem  
(2008/2009) unless you're OK with the computer shutting off after 30 minutes.  
But you can use a script called me_cleaner to remove as much of the ME as  
possible. I'm not brave enough to try it.

Re: [Trisquel-users] Intel AMT

[vitacell]

It is easy, look. Coreboot or Libreboot, removes Intel's crap, ME/AMT. So,  
you get something blobless. On computers with intel's "i" series, AMT/ME can  
not to be removed (at least at this moment), but it can be neutralized. So  
yes you can run Coreboot on x220, but still the small non-free blob it is  
still on your computer running code, but neutralized. No, you can not disable  
AMT/ME from proprietary BIOS. So sinse Intel's "i" series CPUs, you can not  
remove AMT/ME while having fully working computer (at this moment). You can  
not know what really does proprietary firmware.

[Trisquel-users] Intel AMT

[davidecaramori]

Hello everyone, I'm trying to learn more informations about "Intel Active  
Management Technology". On Libreboot.org I found that this AMT is present on  
every computer from 2006 and no one can shut it off. On web I found different  
informations. In fact there is a method that can check if a computer has AMT  
and if it's activated. For exemple on lenovo x220 you can disable AMT through  
the BIOS (but I don't know if it's really disabled), and some other laptops  
don't even have AMT. Who can I trust?