[Dev] Management Engine, Was: The Theova Question

Freemor freemor at freemor.ca
Tue Nov 26 12:29:29 GMT 2019


On Tue, Nov 26, 2019 at 09:15:47AM +0100, Denis 'GNUtoo' Carikli wrote:
> On Mon, 25 Nov 2019 08:21:06 -0400
> Freemor <freemor at freemor.ca> wrote:
[Snip]
> That depends on several things:
> - AMT is typically found on computers for business but not on computers
>   for consumers. The downside of laptops for consumers is that the
>   display is often glossy, which is not fit for spending too many
>   hours in front of it[1]. So many people doing work (including free
>   software work) with computers end up with it.
> - AMT enables remote administration of a computer with VNC and through
>   the Internet[2].
> - To work it needs an Internet connection on one of the compatible
>   interfaces such as:
>   - The built-in Intel Ethernet interface
>   - The built-in Intel WiFi card
>   - A compatible cellular network modem[2].

You're right, I forgot about the cellular modem. But again, removing the blessed
WiFi card and cell modem (if not built into the WiFi card) mitigates that
issue.


> 
> So it would be a good idea to check:
> - if the computer is a laptop that has already been configured by a
>   company's sysadmin. That may occur too if the laptop has been bought
>   second hand.
> - if the laptop has a SIM card and/or a cellular network modem.

Yes, the second-hand thing is an issue, as in that case the AMT may be fully
provisioned.


> 
> > A lot has been made of the IME because of its ring -3-ness. But any
> > maliciousness is theoretical at best (bugginess has been proven, but
> > no one has found code that would do things all on its own).
> Beside the fact that it's designed to remove users' control over their
> computers, which is enough to be a very serious attack on users'
> freedom, I think we should rather shift the narrative on things like
> that: Whether it does or does not have a backdoor is not very
> relevant.
> 
> Instead as part of the free software community, we should require from
> the manufacturers and/or software projects like Libreboot or Replicant
> that are dealing with things like that some serious proof or indication
> that it cannot attack users or does not have any backdoors:
> - In the case of Libreboot computers with an Intel GM45 chipset, the
>   Management engine OS has been completely erased[3]. So while it's not
>   perfect, as it has a ROM[3] you still have a way bigger assurance than
>   if there was an OS running in it.
>   In contrast, Intel cannot give us any proof that the Management
>   Engine OS has no backdoor: we cannot review the source code and run
>   the version we reviewed.
> - All the smartphones and tablets currently supported by Replicant have
>   either a modem that is isolated, or no modem. Again here it's not
>   perfect as the bootloader is nonfree on all currently supported
>   devices, but we get way better assurances as for instance the
>   microphone is controlled by free software, whereas in some older
>   smartphones like the HTC Dream, the microphone was controlled by
>   nonfree software.

Completely agree. I wasn't trying to say "Pffff.. IME is fine, who cares". I'm
just trying to keep things in the proper perspective. I think that due to some
bad coverage some people may be more freaked out about the IME than is really
necessary.

But yes. This crap should not be included in every machine. At best it should
be an add-on module that corporations can have added in if they wanted and
second-hand users could then remove if they didn't.

As for "smart" phones and tablets, I've completely given up on those for the
foreseeable future as they are just a wasteland of non-free and non-freeable
crap. (Not to mention way, way overpriced for the hardware you're actually
getting, non-serviceable, non-replaceable batteries, etc.) People really
need to stop buying that crap so the makers of it get the message.

But getting people interested in things like a nice EOMA board is not an easy
sell. 
