[Replicant] Intel ME on the X60

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Fri Jun 25 08:30:33 UTC 2021


On Tue, 22 Jun 2021 01:43:06 +0000
"asbw.inc" <asbw.inc at gmail.com> wrote:

> Hi there, I'm trying to reach Denis 'GNUtoo' Carikli. I have been
> researching my next thinkpad and I of course want somthing without ME.
> Ive come across the claim a number of times that the X60 only has AMT
> v1 and it comes disabeled out of the box but I have not been able to
> substantiate this claim unfortunatly.
> this FSF article
> https://www.fsf.org/blogs/sysadmin/the-management-engine-an-attack-on-computer-users-freedom
> by Denis says this "Also, many Intel computers manufactured in 2006
> have the ancestor of the Management Engine which is disabled from the
> start, such as the Lenovo Thinkpads X60, X60s, X60 Tablet and T60,
> and many more.".
> Im wondering if it would be possible to foreward me some more
> information on this, namely in what way is AMT disabled?
The Libreboot project probably has more information on that. Feel free
to ask more information in their mailing list and add me in CC / TO if
you also want me to potentially reply.

Basically the more in depth information can be found in the hardware
documentation, more precisely the documentation of the chipset.

The documentation on the Intel I945 chipset explains that to have AMT on
such hardware you need to partition the BIOS flash chip, and it's
clearly not done with the stock BIOS on the Libreboot compatible
thinkpads with the Intel I945 chipset. There are probably additional
requirements but I didn't look into them. In laptops with an I945 that
are configured to run AMT, as I understand, the processor running it is
in the Ethernet controller. As I understand, with Libreboot the Ethernet
controller doesn't run any firmware.

For most GM45 Thinkpads compatible with Libreboot, with the stock BIOS,
the flash chip is already partitioned and the Management Engine is
enabled even if the laptop doesn't have AMT. Instead, with Libreboot,
the Management Engine is disabled by repartitioning the flash chip in a
way that tells the hardware that the Management Engine is disabled, and
by not adding the Management Engine firmware on the BIOS flash chip.

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20210625/b6a31ea7/attachment.asc>


More information about the Replicant mailing list