
Re: vPro and secure Debian systems

On 08/03/2017 11:00 AM, Daniel Pocock wrote:
> On 02/08/17 21:41, Zlatan Todoric wrote:
>
>> On 08/02/2017 10:24 AM, Daniel Pocock wrote:
>>> Hi all,
>>>
>>> There is a page[1] about AMT / vPro on the wiki; it doesn't mention any
>>> of the security concerns[2] about this technology.
>>>
>>> Is there anything that Debian can do as an OS (e.g. default settings,
>>> a check during installation) to protect users from risks associated
>>> with vPro?
>> No, an OS can't prevent a hardware hack that is already in place. That
>> said, it can lock things down to some degree (like the iomem restriction
>> in newer kernels that prevents you from flashing the BIOS, for example,
>> though it can still be disabled via the iomem=relaxed kernel option).
>>
>>> For people who have a computer or laptop with vPro capabilities, can it
>>> be made secure or are they better off getting rid of that system?
>> vPro is not an issue per se. The entire combination of vPro, ME Enterprise
>> and Intel Wi-Fi makes up the AMT, which can be an issue. That said, for most
>> systems with that combination, AMT is disabled (unless specially
>> requested; I don't think there are laptops that have it enabled by
>
> Looking at the ME_Cleaner wiki page[1] about Intel Boot Guard, it seems
> to imply that if you buy a laptop with the "vPro" sticker or whatever,
> you are more likely to be stuck with Intel Boot Guard too.  So while
> vPro may not be the issue itself, it is to be avoided because Boot Guard
> is a pain.

While really great, me_cleaner is not a magic bullet. Some newer systems can't work with it (none of Kaby Lake AFAIK, and many Skylake systems can have issues such as non-working Wi-Fi etc.). Also, one of the issues (but highly debatable) is CPU microcode and its updates.

>>> A lot of new Intel-based laptops, e.g. Thinkpads, offer a choice to buy
>>> with or without vPro.  Does deselecting vPro during the customization
>>> process actually make any difference from a security perspective, or is
>>> the same stuff still present in the system anyway?
>>>
>>> 1. https://wiki.debian.org/AMT
>>
>> So the attitude here should be "I need a combination of hardware and OS
>> to make things more secure", which comes down to things such as open
>> schematics based on open standards (hopefully for some awesome future
>> RISC-V based motherboard), coreboot, Heads (for measured boot), learning
>> and using a TPM, a hardware key to unlock the boot process, full disk
>> encryption of the OS, "torifying" apps that go to the network (via
>> torsocks for example), flatpaks (general containerization/sandboxing of
>> apps), etc.
>
> and then the user browses to www.facebook.com and all your effort was wasted

So my effort is hardware and software, but as (I hope) many are starting to realize, we can't RTFM our users anymore. We must interact with them and actively engage in their education about such things, because it is not only about going to random web pages or clicking on random links inside mail; it is becoming everything around us with smart(insertrandomword) things. What if we create a superb hw+sw combo and you're an awesome, cautious person regarding your laptop, but you forget that your phone is spying on you, or your toaster, or maybe a neighbor is trying to gain physical access to your devices, etc.? This was always a complex topic, but it is becoming more clear how complex when you see the entire Google/Apple/Facebook/Microsoft/etc. psychological marketing machine (a lie said 1000 times becomes true; bread and circuses for the masses).

> 1. https://github.com/corna/me_cleaner/wiki/Intel-Boot-Guard
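As an added example (not part of this thread, and not Debian's own tooling), the POSIX shell audit below checks the two host-side signals Zlatan points at: whether the kernel's iomem restriction has been switched off with iomem=relaxed, and whether the mei / mei_me driver (the Linux host interface to Intel's Management Engine) is loaded. The module names and the iomem= option are real; the sample kernel command line and lsmod listing are constructed so the script runs offline, and `--live` reads the real /proc/cmdline and lsmod instead.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian: audit the OS-side
# hardening signals discussed above. Functions take their input as strings
# so the script can run on constructed data as well as on a live host.

# iomem_mode CMDLINE: print "relaxed" when iomem=relaxed is present (the
# CONFIG_IO_STRICT_DEVMEM check on /dev/mem has been disabled), else "strict".
iomem_mode() {
    case " $1 " in
        *" iomem=relaxed "*) echo relaxed ;;
        *)                   echo strict ;;
    esac
}

# mei_loaded LSMOD_OUTPUT: print "yes" if the mei or mei_me module appears
# in an lsmod listing, else "no". mei_me is the PCI driver for the
# Management Engine Interface; without it the host has no /dev/mei0.
mei_loaded() {
    printf '%s\n' "$1" |
        awk '$1 == "mei" || $1 == "mei_me" { found = 1 }
             END { print (found ? "yes" : "no") }'
}

# audit CMDLINE LSMOD_OUTPUT: print one line per check and return the number
# of findings (0 means nothing was flagged).
audit() {
    findings=0
    if [ "$(iomem_mode "$1")" = relaxed ]; then
        echo "WARN iomem=relaxed on cmdline: /dev/mem MMIO access restriction disabled"
        findings=$((findings + 1))
    else
        echo "OK   iomem restriction active (no iomem=relaxed on cmdline)"
    fi
    if [ "$(mei_loaded "$2")" = yes ]; then
        echo "INFO mei/mei_me loaded: host-side ME interface present"
        findings=$((findings + 1))
    else
        echo "OK   no MEI driver loaded"
    fi
    return "$findings"
}

if [ "${1:-}" = "--live" ]; then
    audit "$(cat /proc/cmdline)" "$(lsmod)" || echo "findings: $?"
else
    # Constructed sample input (not captured from a real machine).
    SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz-4.9.0-3-amd64 root=UUID=constructed ro quiet iomem=relaxed'
    SAMPLE_LSMOD='Module                  Size  Used by
mei_me                 40960  0
mei                    98304  1 mei_me
e1000e                249856  0'
    audit "$SAMPLE_CMDLINE" "$SAMPLE_LSMOD" || echo "findings: $?"
fi
```

The return value is the finding count, so the script can be dropped into a post-install hook or a monitoring check and fail on a non-zero status. Note that a loaded MEI driver only tells you the host can talk to the ME; whether AMT is actually provisioned is a firmware-side question this script cannot answer.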

