
Disabling Thinkpad Security Features

ThorOfAsgard
Freshman Member
Posts: 76
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Disabling Thinkpad Security Features

#1 Post by ThorOfAsgard » Fri May 19, 2017 6:43 am

The biggest problem I have with all these security features (Security Chip, AT, Computrace) is there's no source with a concise and clear practical description of what exactly these features do. I did some googling and read over Thinkwiki (http://www.thinkwiki.org/wiki/Embedded_ ... _Subsystem) and have still come away without the slightest clue of whether or not I actually need these features. So I went ahead and disabled all of them in BIOS. I've noticed no change in functionality in how I use my system.

ThorOfAsgard
Freshman Member
Posts: 76
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Re: Disabling Thinkpad Security Features

#2 Post by ThorOfAsgard » Fri May 19, 2017 7:28 am

P.S. Is there any disadvantage to setting all of Intel AMT, AT, and Computrace to "Permanently Disabled"? They're all currently just "Disabled". I don't foresee myself needing any of these, but my life choices thus far have shown I'm not good at predicting the future.

dr_st
Admin
Posts: 9701
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: Disabling Thinkpad Security Features

#3 Post by dr_st » Fri May 19, 2017 7:44 am

You cannot set AMT to permanently disabled, but you can the other two.

The disadvantage is obvious - you can never enable them again, if you decide you want to. Most home users will never want to.
Thinkpad 25 (20K7), T490 (20N3), Yoga 14 (20FY), T430s (IPS FHD + Classic Keyboard), X220 4291-4BG
X61 7673-V2V, T60 2007-QPG, T42 2373-F7G, X32 (IPS Screen), A31p w/ Ultrabay Numpad

ThorOfAsgard
Freshman Member
Posts: 76
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Re: Disabling Thinkpad Security Features

#4 Post by ThorOfAsgard » Fri May 19, 2017 7:51 am

dr_st wrote (Fri May 19, 2017 7:44 am):
> You cannot set AMT to permanently disabled, but you can the other two.
>
> The disadvantage is obvious - you can never enable them again, if you decide you want to. Most home users will never want to.

There's definitely a BIOS option to permanently disable AMT. Just checked it again to be sure.

In any case, yes, it's obvious permanently disabled means permanently disabled. But I'm sure you're aware, when it comes to computers, there can be unforeseen consequences. For instance, and for a hypothetical example, you may find out through reading and asking, someone who says something like, "No, don't permanently disable X-feature if you have the C-rev chip, because due to a hardware bug, this prevents Y-feature from working properly and the only way to fix Y-feature once you've permanently disabled X-feature is to replace your motherboard."

Unforeseen consequences in computers and hardware...they do happen.

dr_st
Admin
Posts: 9701
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: Disabling Thinkpad Security Features

#5 Post by dr_st » Fri May 19, 2017 8:08 am

ThorOfAsgard wrote (Fri May 19, 2017 7:51 am):
> There's definitely a BIOS option to permanently disable AMT. Just checked it again to be sure.

Really? Which laptop is it? (and which BIOS version to be sure?)

ThorOfAsgard wrote (Fri May 19, 2017 7:51 am):
> "No, don't permanently disable X-feature if you have the C-rev chip, because due to a hardware bug, this prevents Y-feature from working properly and the only way to fix Y-feature once you've permanently disabled X-feature is to replace your motherboard."

In this case, all I can say is that in all the years Computrace, AT and AMT have been around, I have never heard of a single case where permanently disabling them affected anything else.

ThorOfAsgard
Freshman Member
Posts: 76
Joined: Sun Jan 10, 2016 5:23 am
Location: Atlanta, GA

Re: Disabling Thinkpad Security Features

#6 Post by ThorOfAsgard » Fri May 19, 2017 8:14 am

I have a pair of T430s laptops, one with BIOS 2.02 and the other with 2.66. Both have the option to permanently disable AMT.

dr_st
Admin
Posts: 9701
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: Disabling Thinkpad Security Features

#7 Post by dr_st » Fri May 19, 2017 8:56 am

You are right, I stand corrected. This appears to be an important distinction between the *20 and *30 series.

shawross
Senior Member
Posts: 662
Joined: Mon Oct 28, 2013 5:48 am
Location: Perth Australia

Re: Disabling Thinkpad Security Features

#8 Post by shawross » Fri May 19, 2017 6:51 pm

A lot of these so-called security features actually install a backdoor to your OS. Intel AMT was recently found to be a backdoor.
Active --- Love the X series
X301 W 7/Mint | X201 540M L Mint | X220 2520 W7/Mint

Nostalgia
X61 T7500 / T41 T42 T43 / A31

Rogue daily driver - Samsung RV511 15.6 " Screen - W 7

Ryccardo
Posts: 25
Joined: Thu Sep 28, 2017 11:54 am
Location: Imola, Emilia Romagna, Italy

Re: Disabling Thinkpad Security Features

#9 Post by Ryccardo » Tue Oct 10, 2017 1:59 pm

As far as I know:

[Computrace] enabled = rootkit is planted on every boot, disabled (any kind) = it isn't
However, both enabled and non-"permanently" disabled can be changed to semipermanently enabled if an OS subscribed to CT is used on that computer, while "permanently" disabled is safe from this risk (I use quotes because whoever named those options assumed people won't have access to a compatible eeprom programmer)

3-digit Lenovo models actually have such an option, 2-digit IBM/Lenovo transition ones since T42 don't have such an option, only a nag screen in the setup if enabled - it's stuck on plain Disabled and can only be (normally) changed by the CT software itself, which would first need to be installed manually (or enabled accidentally as above)

[Intel AT] is something I'm not too familiar with. Computrace predates Intel ME so it's implemented by a cooperation of firmware only running at boot time and software which actually does the dirty work, I can only assume AT is a spiritual successor that runs on the ME.

[Intel ME] is a coprocessor (first in the chipset, then in the CPU) which runs in the background and can do arbitrary memory editing and code execution not directly detectable by the main cores (SMM dating back to the i386 is almost equivalent, although it ran on the main CPU and its typical usage was of actual benefit to a decent amount of users, like USB keyboard/mouse/floppy/optical to PS2/shugart/IDE emulation)

The ME firmware is controversial because it's closed source but also harder and harder to replace over the years, due to both penalties for passing it code with an invalid signature (power off after 30 minutes or outright not booting as more and more work is delegated to the ME) as well as the ME doing some useful things, like running the fans at all on X201!
However, the newly discovered HAP bit, invented by everyone's favorite American spy agency of all, is an undocumented feature of the ME to stop itself cleanly as soon as possible - leaving "only" the 2nd type of tradeoff above...

AMT is the most controversial feature of ME, but as I've said it's not the only one, which often results in confusion when the 2 terms are mixed up.

[Intel AMT] is a remote control technology built into some ME firmwares (those branded "Centrino Pro" or "Intel Inside - core i# vPro"). It has some novel features not possible with traditional software-only methods, like being OS-independent to a certain extent (you can turn on the computer from a webpage served by itself while off! you can emulate a bootable IDE drive and/or a serial port with who knows what client software, since it's utterly underdocumented!)

Like all remote access solutions, it's not inherently good or bad, it all depends on whether whoever is connecting is the same person who normally uses the PC :)
Like most software, it was found to have bugs, in particular ones significantly weakening security - which were actually fixed by Intel and distributed by Lenovo at least down to the xx01 generation (and the older generations of AMT, lacking a VNC screen streaming feature, were significantly more niche and therefore unused than the fixed ones in my opinion)......
Thinkcentre M73 tiny (i3 4130T, 8GB, 480GB) + Fujitsu E19-5
X201 (i5 520, 4GB, 500GB)
Retired: T61 (T7500, 4GB, 0GB, DVD-RW) + Advanced Mini Dock + tens of dead pixels
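
Added example (not part of any post in this thread): a small check that AMT's network listener is really gone after changing the BIOS setting on your own laptop. It assumes AMT's registered TCP ports 16992-16995, which the thread does not mention, and the target address is a placeholder. Run it from a second machine on the same network, because AMT traffic is handled by the ME below the operating system.

```python
import socket
import sys

# Intel AMT's registered TCP ports (general AMT facts, not from the thread).
AMT_PORTS = {
    16992: "web UI / management over HTTP",
    16993: "web UI / management over TLS",
    16994: "redirection (serial-over-LAN, IDE-R) over TCP",
    16995: "redirection (serial-over-LAN, IDE-R) over TLS",
}


def probe(host, port, timeout=1.0):
    """Return True if host:port accepts a TCP connection within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: treat all as "not reachable".
        return False


def audit_amt(host, ports=AMT_PORTS, timeout=1.0):
    """Map each port to True (reachable) or False (closed or filtered)."""
    return {port: probe(host, port, timeout) for port in ports}


def verdict(results):
    """Summarise an audit_amt() result in one line."""
    open_ports = sorted(p for p, is_open in results.items() if is_open)
    if not open_ports:
        return "no AMT listener reachable"
    # An open port is a hint, not proof: other software can bind these ports.
    return "AMT-style listener on port(s) " + ", ".join(map(str, open_ports))


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass your laptop's LAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = audit_amt(target)
    for port, is_open in sorted(results.items()):
        state = "OPEN" if is_open else "closed"
        print(f"{target}:{port:<6} {state:<7} {AMT_PORTS[port]}")
    print(verdict(results))
```

A "no AMT listener reachable" result with the laptop powered off but plugged in and cabled is the stronger confirmation, since that is the state in which only the ME could answer.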
