Take a look at our
ThinkPads.com HOME PAGE
For those who might want to contribute to the blog, start here: Editors Alley Topic
Then contact Bill with a Private Message
Disabling Thinkpad Security Features
The biggest problem I have with all these security features (Security Chip, AT, Computrace) is there's no source with a concise and clear practical description of what exactly these features do. I did some googling and read over Thinkwiki (http://www.thinkwiki.org/wiki/Embedded_ ... _Subsystem) and have still come away without the slightest clue of whether or not I actually need these features. So I went ahead and disabled all of them in BIOS. I've noticed no change in functionality in how I use my system.
Re: Disabling Thinkpad Security Features
P.S. Is there any disadvantage to setting all of Intel AMT, AT, and Computrace to "Permanently Disabled"? They're all currently just "Disabled". I don't foresee myself needing any of these, but my life choices thus far have shown I'm not good at predicting the future.
Re: Disabling Thinkpad Security Features
You cannot set AMT to permanently disabled, but you can the other two.
The disadvantage is obvious - you can never enable them again, if you decide you want to. Most home users will never want to.
Thinkpad 25 (20K7), T490 (20N3), Yoga 14 (20FY), T430s (IPS FHD + Classic Keyboard), X220 4291-4BG
X61 7673-V2V, T60 2007-QPG, T42 2373-F7G, X32 (IPS Screen), A31p w/ Ultrabay Numpad
Re: Disabling Thinkpad Security Features
There's definitely a BIOS option to permanently disable AMT. Just checked it again to be sure.
In any case, yes, it's obvious permanently disabled means permanently disabled. But I'm sure you're aware, when it comes to computers, there can be unforeseen consequences. For instance, and for a hypothetical example, you may find out through reading and asking, someone who says something like, "No, don't permanently disable X-feature if you have the C-rev chip, because due to a hardware bug, this prevents Y-feature from working properly and the only way to fix Y-feature once you've permanently disabled X-feature is to replace your motherboard."
Unforeseen consequences in computers and hardware...they do happen.
Re: Disabling Thinkpad Security Features
ThorOfAsgard wrote: Fri May 19, 2017 7:51 am
"There's definitely a BIOS option to permanently disable AMT. Just checked it again to be sure."
Really? Which laptop is it? (and which BIOS version to be sure?)
ThorOfAsgard wrote: Fri May 19, 2017 7:51 am
"No, don't permanently disable X-feature if you have the C-rev chip, because due to a hardware bug, this prevents Y-feature from working properly and the only way to fix Y-feature once you've permanently disabled X-feature is to replace your motherboard."
In this case, all I can say is that in all the years Computrace, AT and AMT have been around, I have never heard of a single case where permanently disabling them affected anything else.
Re: Disabling Thinkpad Security Features
I have a pair of T430s laptops, one with BIOS 2.02 and the other with 2.66. Both have the option to permanently disable AMT.
Re: Disabling Thinkpad Security Features
You are right, I stand corrected. This appears to be an important distinction between the *20 and *30 series.
Re: Disabling Thinkpad Security Features
A lot of these so-called security features actually install a backdoor to your OS. Intel AMT was recently found to be a backdoor.
Active --- Love the X series
X301 W 7/Mint | X201 540M L Mint | X220 2520 W7/Mint
Nostalgia
X61 T7500 / T41 T42 T43 / A31
Rogue daily driver - Samsung RV511 15.6 " Screen - W 7
Re: Disabling Thinkpad Security Features
As far as I know:
[Computrace] enabled = rootkit is planted on every boot, disabled (any kind) = it isn't
However, both enabled and non-"permanently" disabled can be changed to semipermanently enabled if an OS subscribed to CT is used on that computer, while "permanently" disabled is safe from this risk (I use quotes because whoever named those options assumed people won't have access to a compatible EEPROM programmer).
3-digit Lenovo models actually have such an option; 2-digit IBM/Lenovo transition ones since T42 don't have such an option, only a nag screen in the setup if enabled - it's stuck on plain Disabled and can only be (normally) changed by the CT software itself, which would first need to be installed manually (or enabled accidentally as above).
[Intel AT] is something I'm not too familiar with. Computrace predates Intel ME so it's implemented by a cooperation of firmware only running at boot time and software which actually does the dirty work; I can only assume AT is a spiritual successor that runs on the ME.
[Intel ME] is a coprocessor (first in the chipset, then in the CPU) which runs in the background and can do arbitrary memory editing and code execution not directly detectable by the main cores (SMM dating back to the i386 is almost equivalent, although it ran on the main CPU and its typical usage was of actual benefit to a decent amount of users, like USB keyboard/mouse/floppy/optical to PS2/Shugart/IDE emulation).
The ME firmware is controversial because it's closed source but also harder and harder to replace over the years, due to both penalties for passing it code with an invalid signature (power off after 30 minutes or outright not booting as more and more work is delegated to the ME) as well as the ME doing some useful things, like running the fans at all on X201!
However, the newly discovered HAP bit, invented by everyone's favorite American spy agency of all, is an undocumented feature of the ME to stop itself cleanly as soon as possible - leaving "only" the 2nd type of tradeoff above...
AMT is the most controversial feature of ME, but as I've said it's not the only one, which often results in confusion when the 2 terms are mixed up.
[Intel AMT] is a remote control technology built into some ME firmwares (those branded "Centrino Pro" or "Intel Inside - core i# vPro"). It has some novel features not possible with traditional software-only methods, like being OS-independent to a certain extent (you can turn on the computer from a webpage served by itself while off! you can emulate a bootable IDE drive and/or a serial port with who knows what client software, since it's utterly underdocumented!)
Like all remote access solutions, it's not inherently good or bad; it all depends on whether whoever is connecting is the same person who normally uses the PC.
Like most software, it was found to have bugs, in particular ones significantly weakening security - which were actually fixed by Intel and distributed by Lenovo at least down to the xx01 generation (and the older generations of AMT, lacking a VNC screen streaming feature, were significantly more niche and therefore unused than the fixed ones in my opinion).
Thinkcentre M73 tiny (i3 4130T, 8GB, 480GB) + Fujitsu E19-5
X201 (i5 520, 4GB, 500GB)
Retired: T61 (T7500, 4GB, 0GB, DVD-RW) + Advanced Mini Dock + tens of dead pixels