Re: vPro and secure Debian systems
On 08/02/2017 10:24 AM, Daniel Pocock wrote:
No, OS can't prevent hardware hack that is already in place. That said,
it can lock things down to some degree (like iomem restriction in newer
kernels that prevent you from flashing BIOS for example, though it can
still be disabled via iomem=relaxed kernel option).
There is a page about AMT / vPro on the wiki, it doesn't mention any
of the security concerns about this technology.
Is there anything that Debian can do as an OS (e.g. default settings,
check during installation) to protect users from risks associated with vPro?
For people who have a computer or laptop with vPro capabilities, can it
be made secure or are they better off getting rid of that system?
vPro is not issue per se. Entire combination of vPro, ME Enterprise and
Intel Wi-Fi makes the AMT which can be issue. That said, for most
systems with that combination, AMT is disabled (unless specially
requested I don't think there are laptops that have it enabled by default).
So the attitude here should be "I need combination of hardware and OS to
make things more secure" - which comes to things such as open schematics
based on open standards (hopefully for some awesome future RISC-V based
motherboard), coreboot, Heads (for measured boot), learn and use TPM,
hardware key to unlock boot process, full disk encryption of OS,
"toryfing" apps that go to network (via torsocks for example), flatpaks
(general containerization/sandboxing of apps) etc etc
A lot of new Intel-based laptops, e.g. Thinkpads, offer a choice to buy
with or without vPro. Does deselecting vPro during the customization
process actually make any difference from a security perspective, or is
the same stuff still present in the system anyway?