Can anyone confirm whether the Librem 13 v3 has ME disabled + neutralized out of the box?
If not, would it be possible to neutralize with ME cleaner?
Can anyone confirm whether the Librem 13 v3 has ME disabled + neutralized out of the box?
If not, would it be possible to neutralize with ME cleaner?
Verifying the Intel ME is Neutralized
You can confirm the ME condition by utilizing the same cbmem utility as above:
coreboot/util/cbmem$ sudo ./cbmem -c | grep ^ME
it is, and you can verify it via the link provided above
Have you made a table yet displaying what models, versions, years product you made and sold that have said status ? Would be nice to have a lil cheat sheet to refer to, just my .02
what is “said status”?
All Librem 13/15 models have a disabled and neutralized ME.
All Librem Mini and 14 models have a disabled ME only.
You defined it perfectly. thanks.
In detail, ALL 13 / 15 Librem’s are treated the same being disabled and neutralized? Meaning, V1 may not be the same as V3 ? Just curious if there were differences in the removal, disable, neutralizing of Intel ME as you progressed in later revisions of the same model.
I am considering getting a 13 / 15 . . . now that I know my 14 is not both disabled and neutralized. Not that I think its an issue . . . though it may or may not be. You could clarify specific differences for me, if you like, I would love that. (If Any)
Possibly I will make a thread for this
there are differences between the 13v1/15v2 (Broadwell) and 13v2,3,4/15v3,4 (Skylake/Kabylake) due to using different versions of the ME/CSE, but the result is the same for both.
IMO it’s not a big deal. Neither can be reactivated without flashing the firmware.
Perfect! Thanks!
Is there a way for me to detect the status on my machine?
Hypothetically, what if someone did have access to my machine and was intending to install some firmware or “whatever” . . . and say that I confirmed the changes myself (say I did an update at starbucks and left my machine on the desk and went to the bathroom for 15 minutes). When I come out I go to my machine and approve the changes I made, unknowing that someone had time and access to install something. Lets be paranoid and say it was an intelligence agency and they have been following me for 3 years.
No, that is what I would have used to validate the updates I (and the unsuspecting intruder) installed.
I suspect that an Audit would be in order, yes? Is that accurate / possible?
Updates made without your approval would be detected by a Librem Key. It would blink red in such case AFAIK.
Yes I am aware. Reread my post again, Im posting a hypothetical situation where I just installed an update to my PureOs, one that would require a signing with my librem key, but where before signing the update, I went to the bathroom for 15 minutes. During this time, someone had access to install naughty naughty on my computer knowing that I hadn’t yet signed the changes I made ( + the changes they made )
you follow? So its like they sneak in a firware app or keylogger, whatever, before I sign the changes I made. This would sign all changes made by myself and said hostile actor.
Could be a hacker, intel, police, whomever. I am more interested in what I can do to verify every piece of firmware, software, and all hardware is original to manufacturer specification.
I assume this is an audit.
AFAIK there is no secure audit of a compromised system. It can always tell you that everything is fine, when it isn’t. You best bet is to reinstall everything, including the Coreboot.
I will check into this. Is this the only way to rid potential unknown threats?
You know of a how to guide? Share if you do!
Looks like it’s here: https://docs.puri.sm/PureBoot/GettingStarted.html#oem-factory-reset.
Yeah unfortunately this doesn’t work anymore. Only thing that shows up is a few lines starting with MEM.
Do you know what might cause this or does this mean ME is enabled?
Thanks