[coreboot] Disabling Intel ME 11 via undocumented mode

Thomas Heijligen src at posteo.de
Fri Dec 8 16:16:30 CET 2017


For those who are interested in the Intel ME, the slides and white papers
from Black Hat Europe are public.

https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf

In the conclusion they say "[...]. Such a vulnerability has the potential to
jeopardize a number of technologies, including [...] Intel Boot Guard [...]."

Maybe it's possible to deactivate Boot Guard permanently or inject custom
keys to run your own firmware.


On 08.12.2017 15:40, Alberto Bursi wrote:
> On 12/08/2017 02:59 PM, Timothy Pearson wrote:
>> 
>> That's just the HAP bit.  The ME is limited but NOT disabled, and the
>> remaining stubs are still hackable [1].
>> 
>> Neither the ME nor the PSP can ever be removed from their respective
>> systems.  They can both be limited to some extent, but to call either of
>> them "disabled" is rather far from the truth.
>> 
>> 
> 
> Hacking them requires being able to write in the SPI flash, or to have
> buggy UEFI firmware. Which means most systems are still vulnerable.
> 
> But it is also true that if someone can hack UEFI he pwns you anyway,
> even without ME.
> 
> So imho ME with the HAP bit can be called "disabled", although the fight
> isn't over as ME isn't the only thing that was a threat anyway.
> 
> There is still a need to secure the UEFI firmware (which is needed even if
> ME didn't exist), and to do a hardware mod to have a hardware switch to
> turn the SPI chip read-only at the hardware level (also needed
> regardless of ME).
> 
> I think many SPI chips only need some pin pulled high/low to go in
> read-only mode, and I frankly trust a dumb switch many orders of
> magnitude more than Boot Guard or anything software-based.
> 
> -Alberto
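
The "HAP bit" mentioned in the quoted reply is a bit in the PCH soft straps of the Intel flash descriptor, the first 4 KiB of the SPI image. The following is an added example, not code from this thread or from any coreboot tool: it locates the PCH strap area through FLMAP1 and reports or sets bit 16 of PCHSTRP0, which is the bit me_cleaner sets for ME 11 firmware. It works on a bytes buffer that is assumed to start at the descriptor region (signature 0x0FF0A55A at offset 0x10); the sample descriptor is constructed inline so the code runs offline, and the strap offset 0x100 in it is an arbitrary choice, not a value from any real board.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A   # FLVALSIG: marks a valid Intel flash descriptor
FD_SIGNATURE_OFF = 0x10     # offset of FLVALSIG within the descriptor region
FLMAP1_OFF = 0x18           # FLMAP1 carries the PCH strap base address (FPSBA)
HAP_BIT = 16                # bit 16 of PCHSTRP0: HAP ("High Assurance Platform"), ME 11+


def _read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def pch_strap_base(fd):
    """Byte offset of PCHSTRP0 inside the descriptor; raises if no descriptor is present."""
    if _read_u32(fd, FD_SIGNATURE_OFF) != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap1 = _read_u32(fd, FLMAP1_OFF)
    # FPSBA lives in bits 23:16 of FLMAP1 and is expressed in 16-byte units.
    return ((flmap1 >> 16) & 0xFF) << 4


def hap_is_set(fd):
    """True if the HAP bit is already set in PCHSTRP0."""
    pchstrp0 = _read_u32(fd, pch_strap_base(fd))
    return bool(pchstrp0 & (1 << HAP_BIT))


def set_hap(fd):
    """Return a copy of the descriptor with only the HAP bit set; all other bytes untouched."""
    out = bytearray(fd)
    off = pch_strap_base(fd)
    struct.pack_into("<I", out, off, _read_u32(out, off) | (1 << HAP_BIT))
    return bytes(out)


def diff_descriptors(a, b):
    """Offsets of differing bytes: a sanity check that a patch touched exactly one byte."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_sample_descriptor(fpsba=0x100, pchstrp0=0x00000000):
    """Constructed 4 KiB descriptor for demonstration: only the fields read above are filled in.

    fpsba=0x100 is an arbitrary strap location for this sample, not a real board's value.
    """
    fd = bytearray(0x1000)
    struct.pack_into("<I", fd, FD_SIGNATURE_OFF, FD_SIGNATURE)
    struct.pack_into("<I", fd, FLMAP1_OFF, (fpsba >> 4) << 16)
    struct.pack_into("<I", fd, fpsba, pchstrp0)
    return bytes(fd)


if __name__ == "__main__":
    sample = make_sample_descriptor()
    print("HAP set before patch:", hap_is_set(sample))
    patched = set_hap(sample)
    print("HAP set after patch: ", hap_is_set(patched))
    print("bytes changed at offsets:", [hex(i) for i in diff_descriptors(sample, patched)])
```

On a real image, read the descriptor back with flashrom (or the vendor's tool), run `hap_is_set` on the first 4 KiB, and only flash a patched copy whose `diff_descriptors` result is exactly one offset. Setting the bit does what the thread says and no more: the ME still executes its early boot phase before halting, so this is a mitigation, not a removal.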
