[sf-lug] Intel reveal security problems with the IME, finally.

Rick Moen rick at linuxmafia.com
Wed Nov 22 09:51:54 PST 2017


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> >On Tue, Nov 21, 2017, at 05:26, Odd H. Sandvik wrote:
> >>https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/
> >And they have a tool, both for Windows and Linux, to check out your
> >systems:
> >
> >https://downloadcenter.intel.com/download/27150
> 
> Note that the tool has to be run with root privileges.
> and here is my report from the use of the tool.

There's a lot of bad information on this matter.

My understanding from fairly wide reading is that the referenced Intel
Management Engine (ME) firmware is a big problem _if_ it is running
AMT = Active Management Technology code.  But by _no_ means do all Intel
chipsets possessing ME firmware also have AMT code that runs on it --
and how to query your machine to find out if it does.  Most Intel
systems don't have AMT.  Most Intel systems with AMT don't have it
turned on.  It's just a minority of the 'vPRO'-type Intel CPUs that do.

Matthew Garrett's AMT FAQ makes good reading for people wanting to know
more.  https://mjg59.dreamwidth.org/48429.html?thread=1840429

Recently, a firm called Positive Technologies stumbled upon
(http://blog.ptsecurity.com/2017/08/disabling-intel-me.html) a way of
disabling ME version 11 immediately after boot, by poking it and setting
a bit in the RAM copy of ME called reserve_hap, with
the effect of making ME-mediated processes shut down.  Intel have
confirmed that this truly _does_ disable ME completely during subsequent
runtime.  Note that totally disabling ME so it never functions at all is
not an option, because CPUs that include it rely on ME functionality to
initialise power management, the CPU proper, and other hardware.

Unlike some paranoics, I believe Intel when they say this (that the
Positive Technologies hack fully disables ME firmware code, post-boot.)
The story of why ME firmware is present in all new Intel x86_64 CPUs, as
is the story of why parallel effort AMD Platform Security Processor
(PSP) is present in all that company's new x86_64 CPUs, is credible.
They're not out to 'get' anyone.  It's a (regrettable) technology
intended to facilitate OOB (out of band) system management by firms
running large numbers of computers.  The rationale makes perfect sense,
even if the unintended side-effects are woeful.  (Technically, the real
issue is a software build called Active Management Technology = AMT that
runs atop the ME.  Without AMT, the ME firmware code would be doing
nothing.)

The researchers speculate, by the way, that 'reserve_hap' is a hidden
switch included at the behest of equipment manufacturers intending to
sell equipment through the US government's NSA-administered High
Assurance Platform program, so the manufacturers could answer any
objection of 'What if the ME gets compromised or produces a side-channel
data leak?' by saying 'Don't worry about that.  The ME can be instructed
to shut down immediately after boot.'


