[coreboot] Disabling Intel ME 11 via undocumented mode

Philipp Stanner stanner at posteo.de
Fri Dec 15 16:00:34 CET 2017


Thanks.

They didn't seriously include a Java Runtime Environment into the IME??
I can't believe what's going on with this company.

On Friday, 08.12.2017 at 16:16 +0100, Thomas Heijligen wrote:
> For those who are interested in the Intel ME, the slides and white
> papers from the Black Hat Europe are public.
> 
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf
> 
> In the conclusion they say "[...]. Such a vulnerability has the
> potential to jeopardize a number of technologies, including [...]
> Intel Boot Guard [...]."
> 
> Maybe it's possible to deactivate Boot Guard permanently or inject
> custom keys to run own firmware.
> 
> 
> On 08.12.2017 15:40, Alberto Bursi wrote:
> > On 12/08/2017 02:59 PM, Timothy Pearson wrote:
> > > 
> > > That's just the HAP bit.  The ME is limited but NOT disabled, and
> > > the remaining stubs are still hackable [1].
> > >
> > > Neither the ME nor the PSP can ever be removed from their
> > > respective systems.  They can both be limited to some extent, but
> > > to call either of them "disabled" is rather far from the truth.
> > > 
> > > 
> > 
> > Hacking them requires being able to write in the SPI flash, or to
> > have buggy UEFI firmware. Which means most systems are still
> > vulnerable.
> >
> > But it is also true that if someone can hack UEFI he pwns you
> > anyway, even without ME.
> >
> > So imho ME with the HAP bit can be called "disabled", although the
> > fight isn't over as ME isn't the only thing that was a threat anyway.
> >
> > There is still need to secure the UEFI firmware (which is needed
> > even if ME didn't exist), and doing a hardware mod to have a hardware
> > switch to turn the SPI chip read-only at the hardware level (also
> > needed regardless of ME).
> > 
> > I think many SPI chips only need some pin pulled high/low to go in
> > read-only mode, and I frankly trust a dumb switch many orders of
> > magnitude more than Boot Guard or anything software-based.
> > 
> > -Alberto
> 
> 


