Hello,

First I apologize in advance for introducing some "off topic" noise in the coreboot mailing list, but I would like to point you to a story which was posted on Slashdot 4 days ago: https://hardware.slashdot.org/story/17/12/03/2113220/dell-begins-offering-la...

So I have some questions for the coreboot community regarding this story (if you have the time and if you bother to read it..):

- I know that the aim of the coreboot project is to produce a fully open-source firmware alternative (and I fully subscribe to this noble aim!..), but if we put ourselves in the place of a (corporate?) end-user, who NEEDS the security of a system with "features" like ME or PSP DISABLED, isn't "buying" the option "ME disabled" straight from the vendor a viable solution?.. Or in other words (I hope that I will avoid getting sued for this.. ;-)): do you think that "buying" this advertised "option" is as reliable as say .. using open source tools like me_cleaner (DIY approach)?..

- And a more "politically sensitive" question (you can simply ignore it if it is too dangerous to answer..): do you think that Intel is somewhat .. "collaborative" (or at least indifferent..) to this new initiative of Dell or System76?..

Thanks in advance for your answers,
Florentin Demetrescu
While Dell has not gone into detail on this offering, from what has been described it is highly likely that they were setting the HAP bit. Unfortunately Dell has been billing this as an "inactive" ME when the truth is something else: apparently the ME is still vulnerable even with the HAP bit set [1], for instance.
In general there is a lot of confusion as to the ME and what me_cleaner / the HAP bit can do. To clear it up:
* Intel does not offer ME-free hardware to _anyone_, ever. The closest they ever came was the HAP bit.
* A ME with me_cleaner applied and the HAP bit set is _not_ disabled. It is limited compared to a stock ME but most definitely active and involved with system boot and possibly runtime, and it remains a serious security threat.
[1] https://twitter.com/rootkovska/status/938458875522666497
On 12/07/2017 03:29 PM, echelon@free.fr wrote:
> Hello,
>
> First I apologize in advance for introducing some "off topic" noise in the coreboot mailing list, but I would like to point you to a story which was posted on Slashdot 4 days ago: https://hardware.slashdot.org/story/17/12/03/2113220/dell-begins-offering-la...
>
> So I have some questions for the coreboot community regarding this story (if you have the time and if you bother to read it..):
>
> - I know that the aim of the coreboot project is to produce a fully open-source firmware alternative (and I fully subscribe to this noble aim!..), but if we put ourselves in the place of a (corporate?) end-user, who NEEDS the security of a system with "features" like ME or PSP DISABLED, isn't "buying" the option "ME disabled" straight from the vendor a viable solution?.. Or in other words (I hope that I will avoid getting sued for this.. ;-)): do you think that "buying" this advertised "option" is as reliable as say .. using open source tools like me_cleaner (DIY approach)?..
>
> - And a more "politically sensitive" question (you can simply ignore it if it is too dangerous to answer..): do you think that Intel is somewhat .. "collaborative" (or at least indifferent..) to this new initiative of Dell or System76?..
>
> Thanks in advance for your answers,
> Florentin Demetrescu
--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
On Thu, 07 Dec 2017 16:22:48 -0600 Timothy Pearson <tpearson@raptorengineering.com> wrote:

> While Dell has not gone into detail on this offering, from what has been described it is highly likely that they were setting the HAP bit.
I would guess that too, especially since Dell was already part of the High Assurance Program (HAP)[1].
However, do we have more concrete information on it? Did people run intelmetool or dump the flash to understand whether me_cleaner was used on it or not?

Reference:
----------
[1] http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf
Denis.
Companies such as Dell and Purism that purport to offer a "safe" "disabled" ME/PSP are being dishonest - there is no way to disable something so integral by design to the boot process of modern x86-64 platforms.

If for once there is an organization that cares about security they can buy a pre-PSP AMD system, select ARM systems and of course POWER - if they have truly valuable IP the cost for an owner controlled POWER system such as the TALOS 2 that lasts a decade and doesn't have "surprises" is a great deal.

There are already boards that have "fully open source firmware", you just aren't hearing about them. Excluding development boards, the TALOS 2, Novena and KCMA-D8/KGPE-D16 systems fit into this category (I play modern games on my D16, so one isn't stuck with chintzy ARM PCs).

Considering the level of IT waste in the average company, there is always more than enough money to buy real security; it just isn't allocated properly.

Vendor guarantees (which here you lack) are bogus and will never hold up in court - contrary to the goals of the bean counters who think they can outsource risk to a vendor ("no we don't need to worry about IT security, it's all in the cloud and someone else's problem").

If I was an IT manager I would be running me_cleaner right now and looking into non-x86 computers; I wouldn't be thinking that $20 to Dell per PC solves the issue.
Let me try again to state what I stated before, with some new insights, because Tim brought the new equation: HAP into this discussion.

HAP - High Assurance Platform is long known (I know it from 2014), and its purpose, introduced by the INTEL ME team, was to disable ME as an application in INTEL embedded applications. I am not sure how this reflects The Truth, since no one truly knows in detail the PCH (South Bridge) design.

From what I wrote here, DELL, per se, will have NO Legal Issues, since they signed an agreement with INTEL to use HAP, my best guess. DELL will use NOTHING of what Black Hat hackers discovered, just legal means (RSNDA): HAP!

Let me repeat the rest, from the very instructive and perfect link, outlining all that Black Hat hackers did to reveal the internals of ME: http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

*"The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor."*

I will repeat again (in RED). Long before BIOS starts, there are (at least - very complex phases how the whole platform, by HW and FW is initialized. There are several components which are interacting with PCH, thus/read ME, BEFORE BIOS starts. These components are the following:

* PMIC (Power Management IC, integrated or discrete)
* EC (Embedded Controller)
* Some of IO init (HW wise default straps, then ME applied FW straps)
* ICC (Integrated Clock Controller)

All of which need to be set correctly BEFORE MEI allows BIOS to start. And there are some relationships among these entities in the process of ME driving init of these components.
It is a Rocket Science, after all (IMHO). Not going deeper into these details.
This could NOT be removed, and, in my opinion, do not even try to do that. But one can always try. Good Luck! ;-)
All the rest CAN and SHOULD be removed... Which does NOT guarantee that some hidden processes in ME inside PCH do not run (outside 32MB DDR memory, reserved solely for ME as application, could be blocked).
All said here, IMHO! Zoran
On Fri, Dec 8, 2017 at 3:04 AM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:

> Companies such as Dell and Purism that purport to offer a "safe" "disabled" ME/PSP are being dishonest - there is no way to disable something so integral by design to the boot process of modern x86-64 platforms.
>
> If for once there is an organization that cares about security they can buy a pre-PSP AMD system, select ARM systems and of course POWER - if they have truly valuable IP the cost for an owner controlled POWER system such as the TALOS 2 that lasts a decade and doesn't have "surprises" is a great deal.
>
> There are already boards that have "fully open source firmware", you just aren't hearing about them. Excluding development boards, the TALOS 2, Novena and KCMA-D8/KGPE-D16 systems fit into this category (I play modern games on my D16, so one isn't stuck with chintzy ARM PCs).
>
> Considering the level of IT waste in the average company, there is always more than enough money to buy real security; it just isn't allocated properly.
>
> Vendor guarantees (which here you lack) are bogus and will never hold up in court - contrary to the goals of the bean counters who think they can outsource risk to a vendor ("no we don't need to worry about IT security, it's all in the cloud and someone else's problem").
>
> If I was an IT manager I would be running me_cleaner right now and looking into non-x86 computers; I wouldn't be thinking that $20 to Dell per PC solves the issue.
Hi,
On Thu, 7 Dec 2017 22:29:44 +0100 (CET) echelon@free.fr wrote:

> [...] to this new initiative of Dell or System76?..

For Intel devices with chipsets more recent than the GM45, so far I know only the following manufacturers that "disable" the Management Engine:

- Puri.sm, which enables the HAP bit and runs me_cleaner to remove unneeded ME partitions.
- System76, which "Disables" the Management Engine (how?).
- Dell, which "Disables" the Management Engine too (Through HAP?).

Are there more, and is there more information on how System76 does it?
Denis.