[coreboot] Disabling Intel ME 11 via undocumented mode

Zoran Stojsavljevic zoran.stojsavljevic at gmail.com
Fri Dec 15 17:23:18 CET 2017


IME (the I is a typo) = ME.

Zoran

On Fri, Dec 15, 2017 at 5:14 PM, Gregg Levine <gregg.drwho8 at gmail.com>
wrote:

> Hello!
> (I'm working from the office today on a library computer...)
> My regular laptop might be wearing one of those dratted things. But
> before we start confusing people further, perhaps one of the group
> needs to reiterate exactly what that contraption is, and why it was
> necessary. Oh and what the cleaner is supposed to do, and why machines
> who were cleaned of it, may not work correctly, or even may.
>
> I've got an interesting idea that I do know what it does, and why, but
> there must be a few people there who're confused about what the IME is
> and isn't.
> -----
> Gregg C Levine gregg.drwho8 at gmail.com
> "This signature fought the Time Wars, time and again."
>
>
> On Fri, Dec 15, 2017 at 10:00 AM, Philipp Stanner <stanner at posteo.de>
> wrote:
> > Thanks.
> >
> > They didn't seriously include a Java Runtime Environment into the IME??
> > I can't believe what's going on with this company.
> >
> > On Friday, 08.12.2017, at 16:16 +0100, Thomas Heijligen wrote:
> >> For those who are interested in the Intel ME, the slides and white papers
> >> from the Black Hat Europe are public.
> >>
> >> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
> >> https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
> >> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
> >> https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf
> >>
> >> In the conclusion they say "[...]. Such a vulnerability has the potential to
> >> jeopardize a number of technologies, including [...] Intel Boot Guard [...]."
> >>
> >> Maybe it's possible to deactivate Boot Guard permanently or inject custom
> >> keys to run own firmware.
> >>
> >>
> >> On 08.12.2017 15:40, Alberto Bursi wrote:
> >> > On 12/08/2017 02:59 PM, Timothy Pearson wrote:
> >> > >
> >> > > That's just the HAP bit.  The ME is limited but NOT disabled, and the
> >> > > remaining stubs are still hackable [1].
> >> > >
> >> > > Neither the ME nor the PSP can ever be removed from their respective
> >> > > systems.  They can both be limited to some extent, but to call either of
> >> > > them "disabled" is rather far from the truth.
> >> > >
> >> > >
> >> >
> >> > Hacking them requires being able to write in the SPI flash, or to have
> >> > buggy UEFI firmware. Which means most systems are still vulnerable.
> >> >
> >> > But it is also true that if someone can hack UEFI he pwns you anyway,
> >> > even without ME.
> >> >
> >> > So imho ME with the HAP bit can be called "disabled", although the fight
> >> > isn't over as ME isn't the only thing that was a threat anyway.
> >> >
> >> > There is still a need to secure the UEFI firmware (which is needed even if
> >> > ME didn't exist), and doing a hardware mod to have a hardware switch to
> >> > turn the SPI chip read-only at the hardware level (also needed
> >> > regardless of ME).
> >> >
> >> > I think many SPI chips only need some pin pulled high/low to go in
> >> > read-only mode, and I frankly trust a dumb switch many orders of
> >> > magnitude more than Boot Guard or anything software-based.
> >> >
> >> > -Alberto
> >>
> >>
> >
> > --
> > coreboot mailing list: coreboot at coreboot.org
> > https://mail.coreboot.org/mailman/listinfo/coreboot
>