[coreboot] Disabling Intel ME 11 via undocumented mode
alberto.bursi at outlook.it
Fri Dec 8 15:40:15 CET 2017
On 12/08/2017 02:59 PM, Timothy Pearson wrote:
> That's just the HAP bit. The ME is limited but NOT disabled, and the
> remaining stubs are still hackable.
> Neither the ME or the PSP can ever be removed from their respective
> systems. They can both be limited to some extent, but to call either of
> them "disabled" is rather far from the truth.
Hacking them requires being able to write in the SPI flash, or to have
buggy UEFI firmware. Which means most systems are still vulnerable.
But it is also true that if someone can hack UEFI he pwns you anyway,
even without ME.
So imho ME with the HAP bit can be called "disabled", although the fight
isn't over as ME isn't the only thing that was a threat anyway.
There is still a need to secure the UEFI firmware (which is needed even if
ME didn't exist), and to do a hardware mod to have a hardware switch that
turns the SPI chip read-only at the hardware level (also needed
regardless of ME).
I think many SPI chips only need some pin pulled high/low to go into
read-only mode, and I frankly trust a dumb switch many orders of
magnitude more than Boot Guard or anything software-based.