[coreboot] how effective is neutralizing Intel ME/AMT/vPro?

ron minnich rminnich at gmail.com
Wed Aug 2 21:43:17 CEST 2017


On Wed, Aug 2, 2017 at 11:48 AM Daniel Pocock <daniel at pocock.pro> wrote:

> I understand that with LibreBoot and one of their supported laptops it
> is possible to completely eliminate the risk by removing 100% of
> proprietary/hidden code.
>

I'm glad they did this but ... you need to understand that the laptop in
that case is 10 years old (or is there a newer one I missed?). There is a
core set of functionality the ME provides on newer chipsets that as far as
we know, can not be removed :-(



>
> However, for people who choose Coreboot, ME_Cleaner, a Purism laptop or
> some other compromise, leaving in place around 90kb of the Intel code,
> is there a concise way to explain the attack vectors that they eliminate
> and the attack vectors that remain?
>

Well, as Purism has pointed out, due to a bug, they only check signing on
1/4 of that ME code (IIRC). So, if you want, you could embed your exploits
in the other 3/4. That's about 65K.

What could you do? I am guessing a lot.

And, further, if such exploits can be done, and have been possible for at
least 10 years, it's reasonable to assume they HAVE been done and are out
there now. Bummer.


>
> For example, I've read that Purism doesn't use vPro-compatible wifi
> hardware, so my impression is they eliminate random attacks coming in
> through the network and spontaneously activating Intel ME, but if
> malicious code does get into Intel ME by some other means (such as a
> malicious email attachment) it may still be able to hide there
> indefinitely and use any network device on the machine to call home?
>
>

Can it get in via malicious email attachment? What's the path for that?
Seems hard but I'm willing to believe anything nowadays after reading about
all these sideband attacks.