[coreboot] Disabling Intel ME 11 via undocumented mode

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Tue Dec 12 18:11:03 CET 2017 

On Fri, 8 Dec 2017 21:34:57 +0100 (CET)
echelon at free.fr wrote:

> For those who are interested in the Intel ME, the slides and white 
> papers
> from the Black Hat Europe are public.
> 
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf
I read the documents above and in:
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
we have:
> The file /home/bup/ct
> was unsigned, enabling us to slip a modified version into the ME
> firmware with the help of Flash Image Tool.
> Now we were able to cause a buffer overflow inside the
> BUP process with the help of a large BUP initialization file.
[...]
> By exploiting the vulnerability that we found in the bup module, we
> were able to turn on a mechanism, PCH red unlock, that opens full
> access to all PCH devices for their use via the DFx chain—in other
> words, using JTAG. One such device is the x86 ME processor itself,
> and so we obtained access to its internal JTAG interface. With such
> access, we could debug code executed on ME, read memory of all
> processes and the kernel, and manage all devices inside the PCH. We
> found a total of about 50 internal devices to which only ME has full
> access, while the main processor has access only to a very limited
> subset of them.
As I understand, this by itself isn't sufficient yet to boot a post-GM45
Intel with free software, however it gives a lot of insight on how
things work and enables all researchers to understand better the
Management Engine and recent Intel systems to, maybe one day, make free
software booting possible on such platforms.

I hope that one day someone would find and publish a way to do that,
like for instance by finding a bit in the flash descriptor that would
enable "PCH red unlock".

As I understand enabling DCI is already possible trough some flash
descriptor bits.

Thanks a lot for all the research that was done!

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20171212/fd355bf4/attachment.sig>

More information about the coreboot mailing list