Re: vPro and secure Debian systems

To: debian-project@lists.debian.org
Subject: Re: vPro and secure Debian systems
From: Daniel Pocock <daniel@pocock.pro>
Date: Thu, 3 Aug 2017 10:00:58 +0100
Message-id: <[🔎] a91e76be-034c-d379-3050-f1161addab0e@pocock.pro>
In-reply-to: <[🔎] ae92bd06-c64e-a101-5d5b-d28b028ac5a9@riseup.net>
References: <[🔎] 794d9562-7274-6447-db50-4f8cc780925a@pocock.pro> <[🔎] ae92bd06-c64e-a101-5d5b-d28b028ac5a9@riseup.net>

On 02/08/17 21:41, Zlatan Todoric wrote:
>
>
> On 08/02/2017 10:24 AM, Daniel Pocock wrote:
>> Hi all,
>>
>> There is a page[1] about AMT / vPro on the wiki, it doesn't mention any
>> of the security concerns[2] about this technology.
>>
>> Is there anything that Debian can do as an OS (e.g. default settings,
>> check during installation) to protect users from risks associated
>> with vPro?
> No, OS can't prevent hardware hack that is already in place. That
> said, it can lock things down to some degree (like iomem restriction
> in newer kernels that prevent you from flashing BIOS for example,
> though it can still be disabled via iomem=relaxed kernel option).
>
>>
>> For people who have a computer or laptop with vPro capabilities, can it
>> be made secure or are they better off getting rid of that system?
>
> vPro is not issue per se. Entire combination of vPro, ME Enterprise
> and Intel Wi-Fi makes the AMT which can be issue. That said, for most
> systems with that combination, AMT is disabled (unless specially
> requested I don't think there are laptops that have it enabled by
> default).
>

Looking at the ME_Cleaner wiki page[1] about Intel Boot Guard, it seems
to imply that if you buy a laptop with the "vPro" sticker or whatever,
you are more likely to be stuck with Intel Boot Guard too.  So while
vPro may not be the issue itself, it is to be avoided because Boot Guard
is a pain.

>>
>> A lot of new Intel-based laptops, e.g. Thinkpads, offer a choice to buy
>> with or without vPro.  Does deselecting vPro during the customization
>> process actually make any difference from a security perspective, or is
>> the same stuff still present in the system anyway?
>>
>> Regards,
>>
>> Daniel
>>
>>
>> 1. https://wiki.debian.org/AMT
>> 2.
>> https://security.stackexchange.com/questions/128619/what-are-the-privacy-and-security-risks-associated-with-intels-management-engin
>>
>>
>>
>>
> So the attitude here should be "I need combination of hardware and OS
> to make things more secure" - which comes to things such as open
> schematics based on open standards (hopefully for some awesome future
> RISC-V based motherboard), coreboot, Heads (for measured boot), learn
> and use TPM, hardware key to unlock boot process, full disk encryption
> of OS, "toryfing" apps that go to network (via torsocks for example),
> flatpaks (general containerization/sandboxing of apps) etc etc
>
and then the user browses to www.facebook.com and all your effort was wasted

Regards,

Daniel


1. https://github.com/corna/me_cleaner/wiki/Intel-Boot-Guard

Reply to:

Follow-Ups:
- Re: vPro and secure Debian systems
  - From: Zlatan Todoric <zlatan@riseup.net>

References:
- vPro and secure Debian systems
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: vPro and secure Debian systems
  - From: Zlatan Todoric <zlatan@riseup.net>

Prev by Date: Re: rm ~/.gnupg/secring NOW!
Next by Date: Re: wanted: educate us please on key dongles
Previous by thread: Re: vPro and secure Debian systems
Next by thread: Re: vPro and secure Debian systems
Index(es):
- Date
- Thread