Disabling Thinkpad Security Features

General Questions, Rumors, Real news & More
Post Reply
Message
Author
ThorOfAsgard
Posts: 41
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Disabling Thinkpad Security Features

#1 Post by ThorOfAsgard » Fri May 19, 2017 6:43 am

The biggest problem I have with all these security features (Security Chip, AT, Computrace) is there's no source with a concise and clear practical description of what exactly these features do. I did some googling and read over Thinkwiki (http://www.thinkwiki.org/wiki/Embedded_ ... _Subsystem) and have still come away without the slightest clue of whether or not I actually need these features. So I went ahead and disabled all of them in BIOS. I've noticed no change in functionality in how I use my system.

ThorOfAsgard
Posts: 41
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Re: Disabling Thinkpad Security Features

#2 Post by ThorOfAsgard » Fri May 19, 2017 7:28 am

P.S. Is there any disadvantage to setting all of Intel AMT, AT, and Computrace to "Permanently Disabled"? They're all currently just "Disabled". I don't foresee myself needing any of these, but my life choices thus far have shown I'm not good at predicting the future.

dr_st
Senior ThinkPadder
Senior ThinkPadder
Posts: 6836
Joined: Sat Oct 29, 2005 6:20 am

Re: Disabling Thinkpad Security Features

#3 Post by dr_st » Fri May 19, 2017 7:44 am

You cannot set AMT to permanently disabled, but you can the other two.

The disadvantage is obvious - you can never enable them again, if you decide you want to. Most home users will never want to.
Current: X220 4291-4BG, T410 2537-R46, T60 1952-F76, T60 2007-QPG, T42 2373-F7G
Collectibles: T430s (IPS FHD + Classic Keyboard), X32 (IPS Screen)
Retired: X61 7673-V2V, A31p w/ Ultrabay Numpad
Past: Z61t 9440-A23, T60 2623-D3U, X32 2884-M5U

ThorOfAsgard
Posts: 41
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Re: Disabling Thinkpad Security Features

#4 Post by ThorOfAsgard » Fri May 19, 2017 7:51 am

dr_st wrote:
Fri May 19, 2017 7:44 am
You cannot set AMT to permanently disabled, but you can the other two.

The disadvantage is obvious - you can never enable them again, if you decide you want to. Most home users will never want to.
There's definitely a BIOS option to permanently disable AMT. Just checked it again to be sure.

In any case, yes, it's obvious permanently disabled means permanently disabled. But I'm sure you're aware, when it comes to computers, there can be unforeseen consequences. For instance, and for a hypothetical example, you may find out through reading and asking, someone who says something like, "No, don't permanently disable X-feature if you have the C-rev chip, because due to a hardware bug, this prevents Y-feature from working properly and the only way to fix Y-feature once you've permanently disabled X-feature is to replace your motherboard."

Unforeseen consequences in computers and hardware...they do happen.

dr_st
Senior ThinkPadder
Senior ThinkPadder
Posts: 6836
Joined: Sat Oct 29, 2005 6:20 am

Re: Disabling Thinkpad Security Features

#5 Post by dr_st » Fri May 19, 2017 8:08 am

ThorOfAsgard wrote:
Fri May 19, 2017 7:51 am
There's definitely a BIOS option to permanently disable AMT. Just checked it again to be sure.
Really? Which laptop is it? (and which BIOS version to be sure?)
ThorOfAsgard wrote:
Fri May 19, 2017 7:51 am
"No, don't permanently disable X-feature if you have the C-rev chip, because due to a hardware bug, this prevents Y-feature from working properly and the only way to fix Y-feature once you've permanently disabled X-feature is to replace your motherboard."
In this case, all I can say is that in all the years Computrace, AT and AMT have been around, I have never heard of a single case where permanently disabling them affected anything else.
Current: X220 4291-4BG, T410 2537-R46, T60 1952-F76, T60 2007-QPG, T42 2373-F7G
Collectibles: T430s (IPS FHD + Classic Keyboard), X32 (IPS Screen)
Retired: X61 7673-V2V, A31p w/ Ultrabay Numpad
Past: Z61t 9440-A23, T60 2623-D3U, X32 2884-M5U

ThorOfAsgard
Posts: 41
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Re: Disabling Thinkpad Security Features

#6 Post by ThorOfAsgard » Fri May 19, 2017 8:14 am

I have a pair of T430s laptops, one with BIOS 2.02 and the other with 2.66. Both have the option to permanently disable AMT.

dr_st
Senior ThinkPadder
Senior ThinkPadder
Posts: 6836
Joined: Sat Oct 29, 2005 6:20 am

Re: Disabling Thinkpad Security Features

#7 Post by dr_st » Fri May 19, 2017 8:56 am

You are right, I stand corrected. This appears to be an important distinction between the *20 and *30 series.
Current: X220 4291-4BG, T410 2537-R46, T60 1952-F76, T60 2007-QPG, T42 2373-F7G
Collectibles: T430s (IPS FHD + Classic Keyboard), X32 (IPS Screen)
Retired: X61 7673-V2V, A31p w/ Ultrabay Numpad
Past: Z61t 9440-A23, T60 2623-D3U, X32 2884-M5U

shawross
Junior Member
Junior Member
Posts: 330
Joined: Mon Oct 28, 2013 5:48 am
Location: Perth Aus / Thailand

Re: Disabling Thinkpad Security Features

#8 Post by shawross » Fri May 19, 2017 6:51 pm

A lot of these so called security features actually install a backdoor to your OS. Intel AMT was recently found to be a backdoor.
Active --- Love the X series
X301 SU9400 IDA Mod - W 7 / X201 540M - W 7 / X220 2520 - W7

Nostalgia
X61 T7500 / T43's / T42

Rogue daily driver - Samsung RV511 15.6 " Screen - W 7

Ryccardo
Posts: 10
Joined: Thu Sep 28, 2017 11:54 am
Location: Imola, Emilia Romagna, Italy

Re: Disabling Thinkpad Security Features

#9 Post by Ryccardo » Tue Oct 10, 2017 1:59 pm

As far as I know:

[Computrace] enabled = rootkit is planted on every boot, disabled (any kind) = it isn't
However, both enabled and non-"permanently" disabled can be changed to semipermanently enabled if an OS subscribed to CT is used on that computer, while "permanently" disabled is safe from this risk (I use quotes because whoever named those options assumed people won't have access to a compatible eeprom programmer)

3-digit Lenovo models actually have such an option, 2-digit IBM/Lenovo transition ones since T42 don't have such an option, only a nag screen in the setup if enabled - it's stuck on plain Disabled and can only be (normally) changed by the CT software itself, which would first need to be installed manually (or enabled accidentally as above)

[Intel AT] is something I'm not too familiar with. Computrace predates Intel ME so it's implemented by a cooperation of firmware only running at boot time and software which actually does the dirty work, I can only assume AT is a spiritual successor that runs on the ME.

[Intel ME] is a coprocessor (first in the chipset, then in the CPU) which runs in the background and can do arbitrary memory editing and code execution not directly detectable by the main cores (SMM dating back to the i386 is almost equivalent, although it ran on the main CPU and its typical usage was of actual benefit to a decent amount of users, like USB keyboard/mouse/floppy/optical to PS2/shugart/IDE emulation)

The ME firmware is controversial because it's closed source but also harder and harder to replace over the years, due to both penalties for passing it code with an invalid signature (power off after 30 minutes or outright not booting as more and more work is delegated to the ME) as well as the ME doing some useful things, like running the fans at all on X201!
However, the newly discovered HAP bit, invented by everyone's favorite American spy agency of all, is an undocumented feature of the ME to stop itself cleanly as soon as possible - leaving "only" the 2nd type of tradeoff above...

AMT is the most controversial feature of ME, but as I've said it's not the only one, which often results in confusion when the 2 terms are mixed up.

[Intel AMT] is a remote control technology built into some ME firmwares (those branded "Centrino Pro" or "Intel Inside - core i# vPro"). It has some novel features not possible with traditional software-only methods, like being OS-independent to a certain extent (you can turn on the computer from a webpage served by itself while off! you can emulate a bootable IDE drive and/or a serial port with who knows what client software, since it's utterly underdocumented!)

Like all remote access solutions, it's not inherently good or bad, it all depends on whether whoever is connecting is the same person who normally uses the PC :)
Like most software, it was found to have bugs, in particular ones significantly weakening security - which were actually fixed by Intel and distributed by Lenovo at least down to the xx01 generation (and the older generations of AMT, lacking a VNC screen streaming feature, were significantly more niche and therefore unused than the fixed ones in my opinion)......
X201 (i5, 8GB, 480GB)
T61 + Advanced Mini Dock

Post Reply
  • Similar Topics
    Replies
    Views
    Last post

Return to “GENERAL ThinkPad News/Comments & Questions”

Who is online

Users browsing this forum: No registered users and 4 guests