[coreboot] Disabling Intel ME 11 via undocumented mode

Gregg Levine gregg.drwho8 at gmail.com
Fri Dec 15 17:14:52 CET 2017 

Hello!
(I'm working from the office today on a library computer...)
My regular laptop might be wearing one of those dratted things. But
before we start confusing people further, perhaps one of the group
needs to reiterate exactly what that contraption is, and why it was
necessary. Oh and what the cleaner is supposed to do, and why machines
who were cleaned of it, may not work correctly, or even may.

I've got an interesting idea that I do know what it does, and why, but
there must be a few people there who're confused about what the IME is
and isn't.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."


On Fri, Dec 15, 2017 at 10:00 AM, Philipp Stanner <stanner at posteo.de> wrote:
> Thanks.
>
> They didn't seriously include a Java Runtime Environment into the IME??
> I can't believe what's going on with this company.
>
> Am Freitag, den 08.12.2017, 16:16 +0100 schrieb Thomas Heijligen:
>> For those who are interested in the Intel ME, the slides and white
>> papers
>> from the Black Hat Europe are public.
>>
>> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-H
>> ack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-
>> Management-Engine.pdf
>> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-H
>> ack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-
>> Management-Engine-wp.pdf
>> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME
>> -Flash-File-System-Explained.pdf
>> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME
>> -Flash-File-System-Explained-wp.pdf
>>
>> In the conclusion they say "[...]. Such a vulnerability has  the
>> potential  to
>> jeopardize a number  of  technologies,  including [...] Intel Boot
>> Guard
>> [...].
>>
>> Maybe it's possible to deactivate Boot Guard permanently or inject
>> custom
>> keys to run own firmware.
>>
>>
>> On 08.12.2017 15:40, Alberto Bursi wrote:
>> > On 12/08/2017 02:59 PM, Timothy Pearson wrote:
>> > >
>> > > That's just the HAP bit.  The ME is limited but NOT disabled, and
>> > > the
>> > > remaining stubs are still hackable [1].
>> > >
>> > > Neither the ME or the PSP can ever be removed from their
>> > > respective
>> > > systems.  They can both be limited to some extent, but to call
>> > > either
>> > > of
>> > > them "disabled" is rather far from the truth.
>> > >
>> > >
>> >
>> > Hacking them requires being able to write in the SPI flash, or to
>> > have
>> > buggy UEFI firmware. Which means most systems are still vulnerable.
>> >
>> > But it is also true that if someone can hack UEFI he pwns you
>> > anyway,
>> > even without ME.
>> >
>> > So imho ME with the HAP bit can be called "disabled", although the
>> > fight
>> > isn't over as ME isn't the only thing that was a threat anyway.
>> >
>> > There is still need to secure the UEFI firmware (which is needed
>> > even
>> > if
>> > ME didn't exist), and doing a hardware mod to have a hardware
>> > switch to
>> > turn the SPI chip read-only at the hardware level (also needed
>> > regardless of ME).
>> >
>> > I think many SPI chips only need some pin pulled high/low to go in
>> > read-only mode, and I frankly trust a dumb switch many orders of
>> > magnitude more than Boot Guard or anything software-based.
>> >
>> > -Alberto
>>
>>
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot

More information about the coreboot mailing list