New Lenovo AMD Laptops With Pluton Co-Processor Reportedly Only Boot Windows By Default


  • hsci
    replied
    Thank you stargeizer
    You're right!

    I mixed up myself the various ThinkPad lines:
    Z13, X86_64 AMD:
    https://news.lenovo.com/pressroom/pr...led-materials/
    X13, X86_64 AMD and Intel:
    https://news.lenovo.com/pressroom/pr...s-flexibility/
    X13s, ARM Qualcomm:
    https://news.lenovo.com/pressroom/pr...ry-life-ai-5g/

    I confused the X13s with the Z13

  • stargeizer
    replied
    Originally posted by hsci:
    Is here something wrong?

    The Z13 is a laptop with an ARM-based processor from Qualcomm, and Qualcomm* is infamous for closed-source, hardly maintainable Linux kernel modules.
    The X13 is a laptop with an x86_64 processor from AMD and is well known for supporting Linux. AMD includes the open-source code under the GPL license with the kernel. The X13 AMD series is usually certified by Lenovo for use with Linux.

    Matthew Garret didn't even mention the X13 or AMD.
    Would the author of the news please double check?
    Matthew Garret specified the "THINKPAD Z13", and according to THIS, the model is an AMD x86 part (Ryzen 6000U) which happens to have the so-called "hardware spyware" known as "Pluton".

    Joe Users probably won't give a flying f**k about it; after all, Google and Facebook made lots of money selling Joe's personal data with these nice phones that tracked 'em every second, and they didn't care at all. Only privacy advocates and Other OS people will probably cry foul about it. Kinda a spit in an ocean, IMHO.

    I think you people should buy those Ryzen 5xxx processors and boards, and those Intel 11xxx and boards, and call it a day for x86 machines. ARM and Apple will come with something similar or more sinister down the line, and I don't think RISC-V will ever be popular or cheap enough to be relevant.
    Last edited by stargeizer; 11 July 2022, 10:25 AM.

  • hsci
    replied
    Question?

    // Update
    Text marked in red color is wrong!

    The Z13 is a laptop with an ARM-based processor from Qualcomm, and Qualcomm* is infamous for closed-source, hardly maintainable Linux kernel modules.
    The X13 is a laptop with an x86_64 processor from AMD and is well known for supporting Linux. AMD includes the open-source code under the GPL license with the kernel. The X13 AMD series is usually certified by Lenovo for use with Linux.

    Matthew Garret didn't even mention the X13 or AMD.
    Would the author of the news please double check?

    Other notes:
    I'm thinking SecureBoot is a bad implementation. Everything involving CAs is complicated and faulty, and I'm afraid Canonical, Red Hat and the FSF failed to act politically against SecureBoot. There are better ways to protect your device; I recommend a UEFI password and hardware-based encryption.

    Atheros which builds WiFi-Cards and provides open-source modules for the Linux kernel was bought by Qualcomm years ago. Sadly Qualcomm didn't follow the example of Atheros, regarding Snapdragon.

    // edit
    I confused the X13 (X86_64, AMD or Intel) with the X13s (ARM, Qualcomm) and the Z13 (AMD).
    I'm sorry!
    Last edited by hsci; 12 July 2022, 06:23 AM.

  • thomasdeutsch
    replied
    Brussels won't forgive it (think why the Win N edition exists and how they made the USB-C iPhone possible recently), Beijing won't allow it either (at least not before they have developed their own advanced PC chip), and XX (maybe the United States) v. Microsoft is also on the way……

  • cj.wijtmans
    replied
    So I need to get a physical firewall now so I can block Pluton? How are they dialing in/out, a specific port and/or IP? So now when I buy an AMD processor I will be giving Microsoft money 🤦🏼‍♂️. I was so excited to see AMD get their own Bluetooth/WiFi chips instead of Intel's, and every CPU with an integrated GPU. But it looks bad. Now when I buy AMD I am still paying Intel and Microsoft to screw me over.

  • drhoho
    replied
    The problem with Pluton: https://semiaccurate.com/2022/01/18/...afe-to-deploy/

    From Charlie Demerjian

    "So that’s the good stuff, let's go on to the terrifying parts aka Microsoft’s Pluton ‘security’ block. We call Pluton malware for a reason, it is being sold as ‘security’ with nebulous claims of helping the user but to date every query SemiAccurate has made to multiple companies has not described a single one. They may exist but you should consider this a Pluton security claims a scare tactic because no one can explain any details, it is a big red flag.

    You might recall that SemiAccurate said Qualcomm’s 8cx Gen 3 CPU was “too dangerous to deploy” because it uses the Microsoft Pluton block. We still feel that way so why are we saying AMD’s version _MIGHT_ be safe to deploy? Because you can turn it ‘off’. Sort of. But not really. And there are far too many questions that AMD could not answer to make us even remotely comfortable with the explanation. That said it is ‘better’ than Qualcomm’s unacceptable part but still not good or safe. There are also credible reports that some OEMs will ship devices with Pluton ‘off’ but more on that later.

    So what is Pluton? It is basically a TPM with added functionality to allow updates and ‘secure’ your PC “from the chip to the cloud”. If you are paying attention these things should scare the hell out of you and are unacceptable for a whole host of reasons. That said the tortured bullet points used to sell it are masterfully crafted to both spread fear and drive people to give up their rights for ‘security’. Don’t buy it either metaphorically or literally.

    The first problem with Pluton is the keys. Key management is a problem for every organization, keeping track of keys for all PCs is an untenable nightmare so AMD/Microsoft did something clever here. When you first fire up the chip, it generates its own key and burns that into hardware. This is smart because you can’t change it. It is also dumb because you can’t change it. SemiAccurate doesn’t know if there is a mechanism to fuse off a key and generate a new one but we suspect not. At least there isn’t a publicly known single key for all systems, Sony we are looking at you. Among others.

    So the keys are generated correctly and made permanent, and assuming no hacks or ways to pull them, all good. But remember that bit about chip to cloud? Remember the furor that made Intel back down from unique serial numbers for the P4 chips? Now you have a unique serial number for your PC that you can’t see, you can’t change, and since it is the basis for security attestation on the web, at least if Microsoft gets its way, anything you do to hide it will lock you out of services. So now we have the return of the unique tracking number that is permanent, hidden, and unblockable. Will this even fly in light of EU cookie/tracking requirements? I have no idea but it is worth digging into.

    That is bad and what’s worse is Microsoft has made no bones about requiring such things for your PC to be ‘secure’ and access services, presumably theirs and others that buy into this evil scheme. Don’t have a Pluton infected PC, the latest version of Windows, a paid subscription to something, and it all turned on with no external blocking? Your purchases may stop, we can see the music and video world loving the abuses this brings. Any shreds of privacy and anonymity you thought you had just went poof.

    Could it get worse? Sure it could, the stuff above is the light and fluffy bits, the real scary stuff lies ahead. Pluton can act as a TPM or as a ‘security processor’, basically a TPM that can do things not exactly laid out which is another problem/red flag. In any case it is the repository for your keys and system keys that some claim nothing secret can come out of.

    Without needing to point out that no such claims, especially publicly undocumented ones, have ever held up to the real world and/or bored 15 year olds, let's look at one big problem. Do you see any difference between a company claiming there is no way, officially, to read/copy/remove keys from Pluton and actual things that can be done?

    You might recall the whole kerfuffle about Spectre/Meltdown and similar sidechannel attacks that ripped holes in everything a few years ago including and not limited to Intel’s ‘impenetrable’ SGX enclave. Those used legal APIs in unintended ways, they didn’t even need to break the rules. Given what is at stake here, the payout for cracking Pluton is incredibly high but luckily you can change compromised keys… Oh wait. But you can prevent a hacked system/technology from being accessed remo… Oh wait. Pluton is insane to deploy, period.

    Then there is the really evil stuff. Remember when Microsoft first started talking about the current Xbox? Remember that little slice of evil where they said you could only install a game once and it was locked to a console, no resale, no lending it to a friend, etc? You may not have known it but that was your first look at Pluton and it was quite obviously meant to ‘enhance your security’. By enhance your security we mean allow Microsoft to screw you in an utterly transparent and abusive manner, circumventing decades of hard won consumer rights in hardware. Luckily that attempt failed but it is back with Pluton, and all PCs will have it in the near future. Any guesses as to what they will use it for, other than ‘security’? Be afraid.

    Luckily for all of this there is the ability to turn it ‘off’ so no problem there right? Well turning it ‘off’ in the BIOS means that turning it on is just a Windows call away. No one SemiAccurate talked to could tell us what ‘off’ meant but there is no official way to turn it on from Windows. At least no publicly documented way. Yet. Anyone want to start a pool on how many minutes it will take for a small app to be written that points out the error of relying on official API calls for security?

    Back to the point, ‘off’ in this case means pretty much absolutely nothing and to the best of SemiAccurate’s knowledge there is no way to physically disable Pluton, only hide it in software/firmware with a button giving you assurance that it is ‘off’. This whole warm feeling about OEMs shipping with Pluton disabled is nothing more than a BIOS setting away or at worst a BIOS update away. Don’t forget, no malware has ever been documented that can update/modify a BIOS, at least none this week that we know of.

    One problem with the OEMs taking the high road here is that Microsoft _REALLY_ wants Pluton on your system and wants it up and running. How long do you think it will take them to start tying Windows certification, and the attendant large monetary discounts and MDF for OEMs, to Pluton being on, enabled, and remove the ability of a user to turn it off? If you think this won’t happen, you haven’t been paying attention to their behavior, automatic updates anyone? If they wanted to be ‘nice’ they could just pester you with popups and disable functionality without Pluton enabled like, oh there are too many to list. Either way it is ‘optional’ now but it won’t be for long.

    Back to the TPM or Security Processor bit, having a TPM in a system can have actual security benefits like secure boot and hardware roots of trust and as long as they are documented and optional, no problem. With Pluton the whole point is that you can, actually you can’t, only Microsoft can, update it with added, or removed, functionality. What can they do? Good question, that isn’t documented anywhere SemiAccurate can find, nor do we expect it to be without an NDA. If you are going to be evil, hide it under the guise of security. Sadly it works well.

    So Microsoft can update your system security processor with any code it wants to on a whim. You have no ability to say no, no ability to know it is happening unless they choose to tell you something, and no ability to test whether or not something bad has been installed on your system by someone else. Since Pluton owns your keys, any encryption like Bitlocker you use is immediately compromised and any 3rd party system that you install will either store keys on the HDD unencrypted or require you to enter a key on every boot.

    The latter is secure, right? Sure unless something is at the base of your hardware root of trust and can scan things like keyboard inputs for ‘security’. This is the long way of saying that Pluton just made disk encryption a moot point, a few lines of code and you are no longer able to keep anything on your machine safe at all, game over. Even remote key repositories or hardware USB keys can be snooped at the levels we are talking about so NOTHING on a PC can be secured with Pluton.

    On a happy note all this scary stuff is only valid if you don’t trust Microsoft. In case you missed it, we don’t but some actually do. If you do, no worries, they have your back, assuming they don’t get hacked. Again. Want the list here or will Solar Winds be enough to start you down that rabbit hole? In any case, Microsoft, a company known for impregnable security has remote control of everything on your system and will keep you utterly safe, trust them, they have slick marketing around Pluton.

    Better yet, they are an American company which is subject to the once ironclad rules preventing government intrusion into your data. We will ignore the point that nothing precludes Microsoft from selling access to your keys or access to your system to a third party like they do for so many other things right now, we will just focus on governmental threats for the time being.

    So MS will protect you and the laws preclude the government from asking them to compromise you. Start here. In the past if the government wanted to access a properly secured system they would have to have a backdoor, zero day hack, or a court order coupled to a cooperating individual with the keys/passwords. If none of those things were available, the government could not get your data without your help. In most cases an individual has a right to say no to this request albeit with consequences. With Pluton, they can just ask Microsoft to compromise your system and you are lost, there is nothing you can do. Laws protect you, rarely, but there are easy ways around that, just ask Cisco. (No I won’t expand on that point here.)

    So on paper you have some measure of safety from Pluton in the US, great right? Sure those paper barriers are in full force for US citizens but you might be aware there is something called ‘the rest of the world’. Those places have no such protection from, well, anyone, much less the US government. If you work for a company that competes with and has better technology than a US rival whose CEO is a major campaign donor to the guy who just won the presidency….

    Luckily you can turn Pluton off and be safe from this, rig… oh we covered that. Well you can use disk encr… damn. But you will know if anyone pulls… nope. But the current firmware for Pluton doesn’t have that… aw shucks. Basically if you have Pluton on your system you are screwed, there is literally no way to protect your data from anyone with access or money. There is also no SKU from AMD that has Pluton physically and irrevocably disabled, only ‘off’ in the BIOS and/or some firmware not loaded, a major impediment to hackers, just ask Intel about vPro.

    So looping this back to AMD and the Ryzen 6000 line of CPUs, it is better than Qualcomm but only on a technicality. There is currently no publicly known way to exploit the flaws we talked about above, and Microsoft will ‘secure’ your system for you, trust them. As long as you are a US citizen and no foreign government has the keys/access to Pluton, all good. Then again why would any sane non-US government allow this to be deployed in their country without the keys and access being handed over? They aren’t stupid. But you can turn it off on paper. For now. Maybe."

  • ermo
    replied
    Originally posted by leo_sk:
    VS code solely exists in my view as a freeware so as to habituate developers to its workflow and promote Microsoft's visual studio. But yeah, it can be considered in better light than most other contributions of MS
    (emphasis mine)

    That was the point I was implying.

  • Mike Frett
    replied
    Originally posted by skeevy420:
    To me that doesn't seem that bad at all
    Until the next Microsoft lock-in scam comes along. And the next one...and the next one...

  • justinkb
    replied
    Literally half the users on this website talk nonsense in every post, it's embarrassing. You can just use your own certificates if you want. It's as simple as Linux vendors distributing the certificate along with the ISO and providing some instructions to users to "enroll" them. Is it a bit annoying? Sure. Is it a conspiracy to kill off Linux? No. If I had to guess, Microsoft is pissed off that so many EFI images they have signed in the past needed to be blacklisted because of security flaws and they don't want to be on the hook for that any longer.

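The "enroll your own certificate" route justinkb describes only works once you know what state the firmware is in: Secure Boot on or off, and whether the platform is still in setup mode (no Platform Key installed, so anyone can write the key databases). The script below is an added example, not code from this thread, from Lenovo, or from any distribution's instructions. It reads the two UEFI global variables the Linux kernel exposes through efivarfs (`SecureBoot` and `SetupMode`, GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c), where each file is four bytes of variable attributes followed by the variable data, here a single byte. The efivarfs path, the `EFIVARS` override variable, and the constructed sample directory are this example's assumptions.

```shell
# Added example (not part of the forum thread): report the UEFI Secure Boot
# state from the kernel's efivarfs view of the SecureBoot and SetupMode
# variables, the first thing to check before enrolling a distribution's
# certificate. Assumptions: Linux with efivarfs mounted at
# /sys/firmware/efi/efivars (override with EFIVARS=...) and the POSIX 'od'
# utility. Each efivarfs file is 4 bytes of attributes followed by the
# variable data; for these two variables the data is one byte:
# SecureBoot 1 = enforcing, SetupMode 1 = no Platform Key yet.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE -> prints the first data byte (byte 5, skipping the
# 4-byte attribute header) as a decimal, or "missing" if the variable is
# absent or too short.
efivar_byte() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    b=$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n')
    echo "${b:-missing}"
}

# secure_boot_state [DIR] -> one of: not-uefi, setup-mode, enabled, disabled
# Setup mode is reported first because a platform without a PK offers no
# protection regardless of what SecureBoot says.
secure_boot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    if [ "$sb" = missing ]; then
        echo not-uefi
    elif [ "$sm" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample efivars directory so the function can be exercised
# without firmware access: attributes 0x06 (BS|RT) then the data byte.
make_sample_efivars() {
    d=$(mktemp -d)
    printf '\006\000\000\000\001' > "$d/SecureBoot-$EFI_GLOBAL_GUID"
    printf '\006\000\000\000\000' > "$d/SetupMode-$EFI_GLOBAL_GUID"
    echo "$d"
}

# On a real machine just run: secure_boot_state
# The constructed sample reports "enabled".
sample=$(make_sample_efivars)
secure_boot_state "$sample"
```

When the result is `enabled` and not `setup-mode`, the firmware is enforcing signature checks and a vendor certificate has to go in through shim's Machine Owner Key list (`mokutil --import cert.der`, confirmed at the next boot) rather than be written directly; `setup-mode` means the key databases are writable and the machine should not be treated as protected until a Platform Key is installed.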
  • arQon
    replied
    Originally posted by skeevy420:
    It's not like it's a forced thing like pregnancy in America. Kind of hard to be all that outraged over yet another proprietary option when the Linux option is tappy tap tap away.
    Except that it isn't, because MS is requiring "Secure" Boot now, so your "tappy tap tap" becomes something that needs to be done *every* time you want to boot into a different OS.

    This wasn't the whole point of Secure Boot, but it was certainly a "helpful" side-effect of it that made MS happy. The moment the entire PC industry shifted to accepting a standard that literally meant that *only* MS-approved OSes could run on the hardware you'd bought, the writing on the wall was clear for anyone to see. Fast-forward a few more years to the release of W12, and only an idiot will be surprised to see that the BIOS option no longer exists on most mobos because "Windows has required it since W11".
