[coreboot] Re: Re: Disabling Intel ME 11 via undocumented mode

echelon at free.fr echelon at free.fr
Fri Dec 8 21:34:57 CET 2017


----- Original mail -----
From: Thomas Heijligen <src at posteo.de>
To: coreboot at coreboot.org
Sent: Fri, 08 Dec 2017 16:16:30 +0100 (CET)
Subject: Re: [coreboot] Disabling Intel ME 11 via undocumented mode

For those who are interested in the Intel ME, the slides and white paper
from the Black Hat Europe are public.


In the conclusion they say "[...]. Such a vulnerability has the potential to
jeopardize a number of technologies, including [...] Intel Boot Guard".

Maybe it's possible to deactivate Boot Guard permanently or inject
keys to run one's own firmware.

On 08.12.2017 15:40, Alberto Bursi wrote:
> On 12/08/2017 02:59 PM, Timothy Pearson wrote:
>> That's just the HAP bit.  The ME is limited but NOT disabled, and the
>> remaining stubs are still hackable [1].
>> Neither the ME nor the PSP can ever be removed from their respective
>> systems.  They can both be limited to some extent, but to call either of
>> them "disabled" is rather far from the truth.
> Hacking them requires being able to write in the SPI flash, or to have
> buggy UEFI firmware. Which means most systems are still vulnerable.
> But it is also true that if someone can hack UEFI he pwns you anyway,
> even without ME.
> So imho ME with the HAP bit can be called "disabled", although the fight
> isn't over as ME isn't the only thing that was a threat anyway.
> There is still a need to secure the UEFI firmware (which is needed even if
> ME didn't exist), and doing a hardware mod to have a hardware switch to
> turn the SPI chip read-only at the hardware level (also needed
> regardless of ME).
> I think many SPI chips only need some pin pulled high/low to go in
> read-only mode, and I frankly trust a dumb switch many orders of
> magnitude more than Boot Guard or anything software-based.
> -Alberto

coreboot mailing list: coreboot at coreboot.org
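A caveat to the "dumb switch" idea in Alberto's reply: on common SPI NOR parts the WP# pin does not make the array read-only by itself, it only locks the status register, so the block-protect bits must already cover the whole array and SRP0 must be set. The following is an added example, not code from this thread or from coreboot, that decodes a status-register pair to report whether a pulled-low WP# actually leaves the chip read-only; it assumes the Winbond W25Q-family bit layout (SRP0 in SR1 bit 7, BP2:0 in SR1 bits 4:2, SRP1 in SR2 bit 0) and uses constructed sample register values.

```python
"""Decode SPI NOR status-register protection bits (assumed W25Q-style layout)."""

# Assumed bit layout, following the common Winbond W25Q family:
SR1_BP_SHIFT, SR1_BP_MASK = 2, 0x7   # BP2:BP0 block-protect field in SR1
SR1_SRP0 = 1 << 7                    # Status Register Protect 0 (SR1 bit 7)
SR2_SRP1 = 1 << 0                    # Status Register Protect 1 (SR2 bit 0)

def decode_protection(sr1: int, sr2: int) -> dict:
    """Extract BP/SRP fields and classify how the status register is protected."""
    bp = (sr1 >> SR1_BP_SHIFT) & SR1_BP_MASK
    srp0 = bool(sr1 & SR1_SRP0)
    srp1 = bool(sr2 & SR2_SRP1)
    if srp1 and srp0:
        sr_mode = "otp"             # one-time programmable: locked forever
    elif srp1:
        sr_mode = "power-lockdown"  # locked until the next power cycle
    elif srp0:
        sr_mode = "hardware"        # WP# low blocks WRSR, WP# high allows it
    else:
        sr_mode = "software"        # any WRSR command can clear the BP bits
    return {"bp": bp, "srp0": srp0, "srp1": srp1, "sr_mode": sr_mode,
            "whole_array_protected": bp == SR1_BP_MASK}  # BP=111 -> all blocks

def read_only_with_wp_low(sr1: int, sr2: int, wp_low: bool) -> tuple:
    """Does holding WP# low leave the whole array read-only? -> (verdict, reason)."""
    p = decode_protection(sr1, sr2)
    if not p["whole_array_protected"]:
        return False, f"BP field is {p['bp']:#05b}: only part (or none) of the array is block-protected"
    if p["sr_mode"] == "software":
        return False, "SRP0 clear: firmware can issue WRSR and clear BP bits regardless of WP#"
    if p["sr_mode"] == "hardware" and not wp_low:
        return False, "SRP0 set but WP# high: status register writable, BP bits can be cleared"
    return True, f"whole array block-protected and status register locked ({p['sr_mode']})"

# Constructed sample values (not read from real hardware):
SAMPLES = {
    "factory default":  (0x00, 0x00),  # no protection at all
    "BP all, SRP0 set": (0x9C, 0x00),  # SRP0=1, BP=111: read-only only while WP# is low
    "BP all, no SRP0":  (0x1C, 0x00),  # BP=111 but clearable by software
}

def audit(wp_low: bool = True) -> dict:
    """Evaluate every sample register pair for a given WP# pin state."""
    return {name: read_only_with_wp_low(sr1, sr2, wp_low)
            for name, (sr1, sr2) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, why) in audit().items():
        print(f"{name:18s} read-only={ok!s:5s} {why}")
```

With flashrom or a similar tool the real SR1/SR2 values can be substituted for the constructed samples to check a given board's switch wiring.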