[coreboot] Intel ME Question

Taiidan at gmx.com Taiidan at gmx.com
Sat Dec 24 20:00:32 CET 2016 

On 12/23/2016 03:13 PM, bancfc at openmailbox.org wrote:

> Seeing that many of you know a lot about Intel's ME I wanted to ask a 
> couple of things if its ok.
>
> * Is the ME network accessible on all Intel chips or only the vPro 
> ones with AMT?
>
> * I saw an interesting take on this in the link below, instead of the 
> usual FUD surrounding this topic whenever its mentioned. What is your 
> take on what he says?

- Every intel system from around 2008 on has ME. vPro is a module loaded 
in to ME to provide various corporate manageability features but every 
chipset is technically network accessible. I don't really deal with 
desktop hardware anymore but AFAIK on intel's consumer chipset (not Q/B) 
motherboards there are several network basic manageability features that 
do not require vPro. - I will investigate this and get back to you.

"You value your privacy, so you run on a system with Core 2 Duo, 
complete with all the errata? NX-disabling bugs, cache-attacks that work 
from JavaScript, no SMEP, probably no VT-d, so say goodbye to DMAR and 
any chance of DMA attack resistance (or VT-d without interrupt 
remapping, so all but useless even if it is present). You'll also be 
without AES-NI so side-channel attacks will be much easier (AES has huge 
S-boxes), and without RDRAND, so early boot will see crappy entropy 
(please don't bring up the RDRAND is evil myth)."

- I have a KGPE-D16 which has all those great features and 100% libre 
firmware, you can even play the latest games on it with max settings if 
you desire and the 62xx cpu works without microcode.

- There is a world beyond x86 
https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation 
or buy a POWER server from IBM and stick in a graphics card - very high 
performance and available now.

* He never figured that maybe AES-NI has some kind of fatal problem and 
that's why "they" let us have it, physical access is FATAL and if you 
are so concerned about side channel attacks you will build some kind of 
shielding; besides any good crypto libs have obfuscation.
* An elite hacker.....who wastes time posting on public forums (If I had 
the level of skill he claims to have I sure as shit wouldn't be writing 
this email) and who uses machines that have ME, sure sure but he uses 
version 11 so it is OK.
* ME has the technical ability to be used to access your data remotely, 
without a BMC addon (has he never heard of AMT iKVM? or the remote ISO 
loading tools?)
* He assumes that when he dumps and dis-assembles the firmware he is 
receiving an honest version and not a "special" version with the 
backdoor removed which could easily be done on a subverted system.

"Intel wouldn't do this because it would be bad for optics"
Every criminal thinks that they're going to get away with it.

-----------
ME isn't a backdoor directly (remotebackdoor.exe), it is simply a great 
framework for a backdoor.
The idea is that either you can simply use a one time exploit in the 
operating system to root ME and gain an undetectable perma rootkit, even 
if we assume intel has out best intentions at heart it is still a 
massive vulnerability, or that there is a secret exploit (intentional or 
unintentional) in ME to activate it via network and load a special 
module, OR that with physical access you already have a great backdoor 
hardware ready to go all you need is to re-write the firmware.

Paranoia:
I believe that there is a "magic" network accessible ME backdoor 
intentional or otherwise as it is a silver bullet for any intel agency 
or criminal organization so it makes sense for them to try to do it even 
if it isn't there by default there isn't anything stopping a well funded 
group from subverting an OEM and adding an incredibly subtle flaw in the 
networking controllers for special customers such as the logistics 
division of a foreign military (no fuel + no food = no army)
Having ME onboard makes it much easier to do that, instead of having to 
create from scratch a remote access ability you simply subvert ME.

Some other will chime in and elaborate on this but bottom line - it is 
dangerous to have on your computer, it exists to take away control from 
the user for DRM (PAVP) and someday soon intel will patch the nerfing 
ability.
By the way AMD ZEN/FM2 has PSP and some ARM has TrustZone.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20161224/1c413711/attachment.html>

More information about the coreboot mailing list