[sf-lug] Meeting notes for Sunday, 3 September 2017
Rick Moen
rick at linuxmafia.com
Mon Sep 4 01:42:15 PDT 2017

Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
> 12:35 PM Jim Stockford arrived, for a nice snack and some
> discussion. I raised the question of the Intel Management Engine
> shut off command recently discovered. I had heard (rumors which I did
> not really believe) of this clever device earlier but turning it off
> sounds good. Subverting it to use as an anti-intrusion, anti-malware
> device for Linux and even the Microsoft program launcher would be a
> very good idea.

Intel Management Engine (present in all Intel chipsets with BMC =
baseboard management controller circuitry) since 2008 is present in
order to allow enterprise customers to provision any computer remotely,
and perform reboots, BIOS edits, and nearly any other change, overriding
the system itself and manipulating it from behind the scenes, invisibly
to the system's software. (The potential risks, whether intended or
not, should be obvious.)

It consists of a microcontroller integrated into the Intel Platform
Controller Hub (PCH) chip and a set of built-in peripherals. The reason
that's a critical place for the ME to do its operations is that that's
where almost all communication between the CPU and external devices
occurs. The problem, of course, is that Intel designed the ME as a
proprietary black box despite many warnings from the open source
community that this would be a terrible idea and fundamentally cripple
the ability of anyone, particularly open source people, to trust the
security of hardware that includes it.

The recent trick, use of an undocumented addressing mode for ME version
11 circuitry that shuts it down _after_ system initialisation, was
published by a team of Positive Technologies researchers. Of course,
they discovered this addressing mode with zero cooperation from Intel,
and there's no reason to think it'll continue to work on future Intel
hardware. It's also vital that this disabling operation can be caused
to take place immediately _after_ all hardware initialisation, because
Intel's 2008-and-later designs give the ME a key role in initialisation
of hardware components, power management, and launch of the main CPU, so
it would be destructive to simply zero out the ME completely without
_somehow_ coding open source replacements for the key hardware
management functions it carries out -- which is a tall order, indeed.

So, in short, the larger problem is that Intel's post-2008 hardware
designs preclude simply shooting the ME in the head completely, because
it's been assigned key functions that cannot be easily performed without
it.

And AMD, since around the same time, has included in systems a similarly
problematic subsystem called the Platform Security Processor -- putting
system security in doubt for much the same reason.

To get away from that, at present, requires either using pre-2008
hardware -- not palatable -- or stepping sideways to different, non-x86
CPU architectures like ARM or IBM Power. Not a happy situation.