-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/08/2017 08:40 AM, Alberto Bursi wrote:
On 12/08/2017 02:59 PM, Timothy Pearson wrote:
That's just the HAP bit. The ME is limited but NOT disabled, and the remaining stubs are still hackable [1].
Neither the ME or the PSP can ever be removed from their respective systems. They can both be limited to some extent, but to call either of them "disabled" is rather far from the truth.
Hacking them requires being able to write in the SPI flash, or to have buggy UEFI firmware. Which means most systems are still vulnerable.
But it is also true that if someone can hack UEFI he pwns you anyway, even without ME.
So imho ME with the HAP bit can be called "disabled", although the fight isn't over as ME isn't the only thing that was a threat anyway.
I guess I still disagree with the use of the word "disabled". If the ME wasn't required for boot, and was actually disabled within a few cycles of its CPU starting, the remaining attack surface simply wouldn't exist. This is not what happens though, and AFAIK even the ME kernel continues to run since the ME needs to continue handling platform power events. If this many holes are present in even the ROM code, then having the ME kernel running remains a massive security problem.
Pretty much every computing platform, with the exception of some of the ARM SBCs with key fuses or Talos with FlexVer, are vulnerable to attack via Flash reprogramming, so I agree that this in and of itself should not be a disqualifier for many use cases. I simply take issue with calling the ME "disabled" when the reality is very different.
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
I guess I still disagree with the use of the word "disabled". If the ME wasn't required for boot, and was actually disabled within a few cycles of its CPU starting, the remaining attack surface simply wouldn't exist. This is not what happens though, and AFAIK even the ME kernel continues to run since the ME needs to continue handling platform power events. If this many holes are present in even the ROM code, then having the ME kernel running remains a massive security problem.
I'm just going to answer the bit about the use of the term "disabled". I've explained it in my blog post before (here if you missed it : https://puri.sm/posts/deep-dive-into-intel-me-disablement/) but I do believe the ME is in this case Disabled. What you are thinking about is what I called "Removed". The reason it's called disabled is because the ME stops running, it's not actively doing anything, it doesn't respond to HECI, it doesn't even boot into the kernel. You said that "the ME kernel continues to run", but that's not the case. The entire ME core stops execution during the bring-up phase, so it's technically disabled because it stops itself at some point after boot. Having the ME *removed* would be interesting because that would mean that even the bring up phase wouldn't get executed and we could remove the entire ME firmware from the flash. But that still wouldn't mean that nothing runs on the ME core because there is still some small code embeded in the ROM. Anyways, that's my justification on why using the term "disabled" is valid in this case when HAP is enabled. You are free to disagree if that didn't convince you.
-
Timothy Pearson -
Youness Alaoui