Thinkpad T450 hardware attack / TPM protection

T430/T440 and T530/540 series specific matters only
thinkofit
Posts: 8
Joined: Sun Jan 08, 2017 3:37 am
Location: Paris, France

Thinkpad T450 hardware attack / TPM protection

#1 Post by thinkofit » Sun Jan 08, 2017 3:55 am

Dear all,

This is my first post on the forum, so I would like to thank you for the hard work and nice information.

I am planning to purchase a Thinkpad T430 or T440 (with a preference for the T440).
I will be running GNU/Linux only, probably with a custom static kernel.

1) My first question is as regards hardware attack, especially firmware replacement.
How is Thinkpad protected against firmware replacement on hardware: keyboard, sound, hard drive, display, network, etc... ?

I am aware that UEFI secure boot should provide a minimal protection.
Can a low-privilege user run a firmware replacement tool and bypass the TPM?
In other words, is firmware protected by the TPM?

2) After purchasing a ThinkPad, can I query firmware versions to make sure these are "genuine" ?

Kind regards,
ThinkOfIt
Last edited by thinkofit on Sun Jan 08, 2017 8:15 am, edited 1 time in total.

thinkofit
Posts: 8
Joined: Sun Jan 08, 2017 3:37 am
Location: Paris, France

Re: Thinkpad T430 / T440 hardware attack / TPM protection

#2 Post by thinkofit » Sun Jan 08, 2017 8:11 am

Finally, I will probably buy a T450 as it is more recent.
How is firmware protected on the T450?

Thank you.

BillMorrow
*Senior* Admin
Posts: 7153
Joined: Tue Apr 13, 2004 9:40 pm
Location: San Francisco -> Florida -> Georgia

Re: Thinkpad T450 hardware attack / TPM protection

#3 Post by BillMorrow » Sun Jan 08, 2017 2:45 pm

hello thinkofit.. :)
good user name you chose..

and welcome to the forum..

i must admit that yours is the first i have ever heard of a firmware attack on ANY computer..

BUT it seems i have been hibernating too much..
so googling found THIS article in infoworld magazine:
http://www.infoworld.com/article/261811 ... tacks.html

it seems such things are possible but might have to be aimed at a particular bit of hardware rather than the general population of computers..

so, your inquiry is interesting and let's see what other forum members think about this issue..
Bill Morrow, kept by parrots :parrot: & cockatoos
Sysop - forum.thinkpads.com

*
She was not what you would call refined,
She was not what you would call unrefined,
She was the type of person who kept a parrot.
~~~Mark Twain~~~

RealBlackStuff
Admin
Posts: 17485
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Thinkpad T450 hardware attack / TPM protection

#4 Post by RealBlackStuff » Sun Jan 08, 2017 3:00 pm

Intel's dirty tactics with VPro and ME are definitely an attack on/via hardware.
They allow access to your hardware from outside, even if it is switched off!

https://semiaccurate.com/2012/05/15/int ... nightmare/
https://hardware.slashdot.org/story/16/ ... t-audit-it
http://hackaday.com/2016/01/22/the-trou ... nt-engine/
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

thinkofit
Posts: 8
Joined: Sun Jan 08, 2017 3:37 am
Location: Paris, France

Re: Thinkpad T450 hardware attack / TPM protection

#5 Post by thinkofit » Mon Jan 09, 2017 1:45 pm

Thanks for all this information that I was not aware of.

I am quite surprised that the vPro extension might be an embedded system able to take control of the computer.
If this is confirmed, large companies (e.g. in Energy, Banking, Automation, etc.) are not going to like it.

We have to admit that in our world nothing is really secret for governments.
A problem arises if Chinese and Russian governments have access to these technologies.
With an electronic microscope and proper software, you can probably disassemble the code and understand how it works.

There may come a time when China and Russia may be able to break into our computers (Western I mean) in the US, France, U.K., Germany, etc.
Well-played Intel. This is all a mess...

Secure platforms probably require a very limited system, using simple boards or embedded platforms.
Everything else is NOT secure.

CASPER
Posts: 40
Joined: Tue Nov 10, 2015 2:22 am
Location: Bobrowiec, PL

Re: Thinkpad T450 hardware attack / TPM protection

#6 Post by CASPER » Sat Jun 24, 2017 3:29 am

Security issues on newer Intel platforms are now widely known. Basically everything with ME (Management Engine), AMT (Advanced Management Technology) allows access to the computer when it is switched off. And it isn't the BIOS that allows that, but those features use embedded controllers with their own memory. The only way to have a "safe" computer (in that sense) is to remove the software from these controllers, also replacing the BIOS. There are a couple of projects that focus on security, Coreboot and its derivative - Libreboot. The latter has a rather uncompromising approach as it allows only 100% free software and system (approved by the FSF - Free Software Foundation). You probably can run Debian or Ubuntu with this but you will definitely not run Windows or Mac OS. Also they have some specific requirements for WiFi cards - accepted are only those which don't require any proprietary software.
Coreboot gives more choice with software, although I don't know if you would run Windows or Mac OS with it either.
You can read more about Libreboot project here - https://libreboot.org/

Also on current threats on Intel platforms - https://libreboot.org/faq.html#intel

Be aware that AMD isn't a saint either - https://libreboot.org/faq.html#amd

If you are really afraid of these security issues you should stick with older Thinkpads - X60(s), X200, T60, T400, T500 - they are supported by Libreboot. A few newer models can also work under Coreboot - e.g. X220, X230, etc.

EDIT: Forgot to add. With Coreboot or Libreboot you get the boot loader installed into the EC (Embedded Controller) so you don't need to install one into the MBR. That allows you to have real full disk encryption, including the boot folder. This should protect your computer from MBR-directed attacks (e.g. rootkits) and increase the safety of data (especially when they are fragile).
Daily: T500
Previous: X40
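
An added example, not written by any poster in this thread: one way on GNU/Linux to list the firmware identifiers asked about in post #1 (BIOS/EC via DMI, plus the Intel ME host interface mentioned in post #6) and compare them with a saved baseline. The sysfs paths are standard kernel attributes; the optional root argument is a hypothetical override used only to run the functions against a constructed directory tree. The values are self-reported by the firmware, so this detects changes between runs and does not prove the firmware is genuine.

```shell
#!/bin/sh
# Added example: inventory firmware identifiers from sysfs and diff them
# against a baseline file. Pass no root argument on a real machine.

fw_inventory() {
    root="${1:-}"
    # DMI fields filled in by the system firmware (BIOS/UEFI and EC).
    for f in bios_vendor bios_version bios_date ec_firmware_release product_version; do
        p="$root/sys/class/dmi/id/$f"
        if [ -r "$p" ]; then
            printf 'dmi.%s=%s\n' "$f" "$(cat "$p")"
        fi
    done
    # Intel ME host interface: present only if the mei driver bound a device.
    for d in "$root"/sys/class/mei/mei*; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if [ -r "$d/fw_ver" ]; then
            # fw_ver can hold several lines; join them with commas.
            ver=$(tr '\n' ',' < "$d/fw_ver" | sed 's/,$//')
            printf 'me.%s.fw_ver=%s\n' "$name" "$ver"
        else
            printf 'me.%s.fw_ver=unknown\n' "$name"
        fi
    done
}

# Print the lines that differ between a saved baseline and the current
# inventory. Returns 0 when identical, 1 when anything changed.
fw_compare() {
    baseline="$1"
    root="${2:-}"
    cur=$(mktemp) || return 2
    fw_inventory "$root" | sort > "$cur"
    if sort "$baseline" | diff - "$cur"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cur"
    return "$rc"
}
```

Save a baseline once with `fw_inventory > baseline.txt`, then run `fw_compare baseline.txt` after updates or when the machine has been out of your hands.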
