On Thu, May 11, 2017 at 5:00 AM, coreboot-request@coreboot.org wrote:
Message: 2
Date: Tue, 9 May 2017 17:26:18 -0400
From: "Taiidan@gmx.com" <Taiidan@gmx.com>
To: ron minnich <rminnich@gmail.com>, coreboot <coreboot@coreboot.org>
Subject: Re: [coreboot] AMT bug
Message-ID: <278e53ae-1788-4205-e51b-7f632faa6927@gmx.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
On 05/08/2017 12:40 AM, ron minnich wrote:
I thought the whole reflash path of AMT was to ask it to reflash itself. Is that incorrect? If correct, and the AMT has been exploited via this path, can we really trust any reflash operation? Any thoughts on this from anyone who knows?
Yeah, it's a request that can be denied or stealth-denied, so it can't be trusted. I had a BIOS update on an older Intel board go wrong as I had set "Firmware Update" to "Deny" in the ME OPROM. It would be very simple to mess with the ME region re-writer programmer to re-add a backdoor to every internally flashed image, and how many corps actually flash externally? (None, I assume.)
One thing I am still confused about is the relationship between Intel Boot Guard and the regions of flash. My understanding is that Boot Guard only applies to the legacy BIOS region of flash, not the ME/AMT region. Is that correct? So, if that is true, then is it possible to flash the ME/AMT region of flash with any ME code module that has been signed with the Intel signature?
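The thread turns on two points: a reflash handed to the ME is only a request, so the only dump you can believe is one read with an external programmer, and the BIOS and ME live in separate descriptor-defined regions. The following is an added example, not code from the list or from coreboot: it parses the Intel Flash Descriptor region table the way ifdtool does (FLMAP0 at 0x14 gives FRBA; FLREG entries use 15-bit base/limit fields, which is an assumption that holds for the descriptor generations ifdtool handles) and compares an externally read dump against the image you intended to write, region by region. The 64 KiB sample image is constructed here for the demonstration.

```python
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A          # descriptor signature, found at chip offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]

def parse_regions(image: bytes) -> dict:
    """Return {region name: (base, limit)} from the flash descriptor; unused regions are skipped."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4           # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12             # assumption: 15-bit fields (ifdtool convention)
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if limit < base:                          # e.g. 0x00007FFF marks an unused region
            continue
        regions[name] = (base, limit)
    return regions

def region_hashes(image: bytes, regions: dict) -> dict:
    """SHA-256 of each region's bytes, so regions can be compared independently."""
    return {n: hashlib.sha256(image[b:l + 1]).hexdigest() for n, (b, l) in regions.items()}

def changed_regions(expected: bytes, dumped: bytes) -> list:
    """Names of regions whose content in the external dump differs from the expected image."""
    regions = parse_regions(expected)
    want, got = region_hashes(expected, regions), region_hashes(dumped, regions)
    return sorted(n for n in regions if want[n] != got[n])

def build_sample_image() -> bytearray:
    """Constructed 64 KiB image: descriptor 0x0-0xFFF, ME 0x1000-0x7FFF, BIOS 0x8000-0xFFFF."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<II", img, 0x10, IFD_SIGNATURE, 0x00040000)   # signature, FLMAP0 with FRBA=0x40
    flregs = [0x00000000, 0x000F0008, 0x00070001, 0x00007FFF, 0x00007FFF]
    struct.pack_into("<5I", img, 0x40, *flregs)
    img[0x1000:0x1004] = b"ME!!"                  # stand-in for ME region content
    img[0x8000:0x8004] = b"BIOS"                  # stand-in for BIOS region content
    return img

if __name__ == "__main__":
    expected = build_sample_image()
    dumped = bytearray(expected)
    dumped[0x2000] ^= 0xFF                        # one byte silently altered inside the ME region
    print(parse_regions(expected))
    print("regions differing from expected:", changed_regions(expected, dumped))
```

A clean result only says the dump matches what you meant to write; which region Boot Guard actually covers on a given platform is not something this check can tell you.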