Fascinating!!
----- Mail d'origine ----- De: Thomas Heijligen src@posteo.de À: coreboot@coreboot.org Envoyé: Fri, 08 Dec 2017 16:16:30 +0100 (CET) Objet: Re: [coreboot] Disabling Intel ME 11 via undocumented mode
For those who are interested in the Intel ME, the slides and white papers from the Black Hat Europe are public.
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-T... https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-T... https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-... https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-...
In the conclusion they say "[...]. Such a vulnerability has the potential to jeopardize a number of technologies, including [...] Intel Boot Guard [...].
Maybe it's possible to deactivate Boot Guard permanently or inject custom keys to run own firmware.
On 08.12.2017 15:40, Alberto Bursi wrote:
On 12/08/2017 02:59 PM, Timothy Pearson wrote:
That's just the HAP bit. The ME is limited but NOT disabled, and the remaining stubs are still hackable [1].
Neither the ME or the PSP can ever be removed from their respective systems. They can both be limited to some extent, but to call either of them "disabled" is rather far from the truth.
Hacking them requires being able to write in the SPI flash, or to have buggy UEFI firmware. Which means most systems are still vulnerable.
But it is also true that if someone can hack UEFI he pwns you anyway, even without ME.
So imho ME with the HAP bit can be called "disabled", although the fight isn't over as ME isn't the only thing that was a threat anyway.
There is still need to secure the UEFI firmware (which is needed even if ME didn't exist), and doing a hardware mod to have a hardware switch to turn the SPI chip read-only at the hardware level (also needed regardless of ME).
I think many SPI chips only need some pin pulled high/low to go in read-only mode, and I frankly trust a dumb switch many orders of magnitude more than Boot Guard or anything software-based.
-Alberto