I’m juggling with the idea of getting this laptop (Thinkpad X1 Carbon 9) I have privacy concerns, but I also want to get a laptop that will last a long time. That’s why I’m not going to get a Librem 14 right away. The thing that bothers me about this Thinkpad though is the presence of what they calls Absolute BIOS. Impossible to disable that when you buy it. I’m not too keen on the idea of giving remote access to my computer’s BIOS to a company. I don’t know what your opinion is on this. Can I disable this myself? Is there anything to worry about? Do you think that the quality of the Librem 14 is not bad after all, despite what we read about it?
I’ve read plenty of statements from people who love their librem 14s. Then there are an untold number of people who own them but don’t talk about them because they work as expected. I don’t think its fair to assume they won’t last a long time.
As for the bios, if you don’t own your bios you don’t own your computer. I would buy something else.
You are right to be concerned. Proof of Concept exploits are available. (I don’t know whether the implementation has improved since then.)
When not being exploited, it may be that it wouldn’t do anything on some Linux systems. (I don’t think it supports extn filesystems so if you only have them then even though the ‘malware’ will still run, it should ignore the disk. I am not able to test this however.)
Depends on a lot of things, including your level of expertise, your persistence, the persistence of the Absolute ‘malware’ writer. The whole point of this misfunctionality is that it is difficult to disable or remove.
Edit: Actually there is conflicting information online about more recent versions of the Absolute malware and whether it supports Linux, or more specifically which distros and which file systems.
The Absolute malware could also affect resale value if that is something that you will ever do.
There are lots of stories online about people buying second-hand computers that have the Absolute malware and then finding either that they spend a whole heap of time trying to get the malware disabled (some ultimately failing and sending the device back for a refund, if it’s a reputable seller) or indeed that the original (original) owner won’t or can’t release the device.
Thanks for bringing this Absolute BIOS to my attention, since I didn’t know about it until I Googled it. The information about Absolute BIOS makes it sound like an Orwellian nightmare. However, Lenovo says on its forum that it is possible to flash firmware without Absolute, but you should check if a P-version of the BIOS is available for the X1 Carbon Gen 9, and from the comments it sounds like you should install the P BIOS while you still have Windows. There is also an option to disable the Absolute stuff in the BIOS, which I recommend using.
That option will be disabled (greyed out) in BIOS unless you successfully follow a procedure that may fail. The step of permanently disabling the malware using that BIOS setting is at the end of the official process for dealing with this.
Apparently, yes. Updating the firmware includes updating the Absolute malware. So if the vendor provides a firmware version that simply excludes the Absolute malware then that can be an option. Not all vendors necessarily provide such a firmware version (since it is an obvious weakness i.e. way of getting rid of the Absolute malware).
And turning that around the other way … if it does actually disable it, how does it do that? The malware still runs but the first thing that the malware does is check that flag and exit if the flag says that it’s disabled?
And how permanent is “permanent”?
Permanent to me means that the malware erases itself. But you may be taking it on trust that it did that. And the malware might come back if you reflashed the BIOS (which you might have a genuine need to do).
And what happens if (when) your CMOS battery dies or your CMOS settings are otherwise lost or reset? Is any of this dependent on BIOS settings that are in CMOS?
Too many questions to bother with hardware that contains this kind of s**t.
The BIOS is firmware, and it is that easy if your goal is just to disable it.
On my Thinkpad T480s, I enter the BIOS and go to Security > Anti-Theft > Computrace and set it to “Disabled”. I don’t see an option to permanently disable it, but maybe that was added with later Thinkpads models after Lenovo stopped providing P-versions of the BIOS without the Absolute software.
If you set a BIOS password, you can prevent others from changing your BIOS, but don’t lose it, because the only way to reset the password is desolder the chip holding the BIOS and stick it into an external chip programmer to reflash the chip. See: https://www.youtube.com/watch?v=AX_e9jlhbAg