[HN Gopher] Disabling the Intel Management Engine
___________________________________________________________________

Author : metadat
Score  : 366 points
Date   : 2022-10-26 15:19 UTC (7 hours ago)

(HTM) web link (wiki.gentoo.org)
(TXT) w3m dump (wiki.gentoo.org)

| FortiDude wrote:
| The management engine is a privacy nightmare.
|
| It's incredibly useful for companies and organizations, especially when lending computers to their employees, but why the hell would this tech be put inside consumer devices? It just sits there as an exposed attack surface without the user even having the tools to maybe make something out of it.
| pwg wrote:
| > why the hell would this tech be put inside consumer devices
|
| Because it is cheaper to make one single CPU chip variant, that is then sold to both the corporate and consumer channels, than it is to make two, one with ME for the corporate channel, and another without ME for the consumer channel.
|
| Plus, once the ME was required to actually boot the CPU (note, why it became a requirement is a different argument), it then became much more expensive to omit for consumer grade CPUs because a "non-ME consumer grade" CPU would need to be a completely different chip with some alternate way to "initially boot up".
| throwaway0x7E6 wrote:
| Q:
|
| >but why the hell would this tech be put inside consumer devices?
|
| A:
|
| >It just sits there as an exposed attack surface
| washadjeffmad wrote:
| > It's incredibly useful for companies and organizations
|
| Is it? We don't use it for any of the 40k+ desktop or mobile devices we manage.
| jabroni_salad wrote:
| It gives you OOB management on every endpoint.
| These days I think it is less useful (I like autopilot/intune) but for some field devices it is nice to solve boot loop scenarios or similar bare metal problems over the internet instead of making a dude drive for 6 hours to BFE to find out why your doodad has ghosted.
| GekkePrutser wrote:
| Same here with 150k+. Not using it, certainly never asked for it.
|
| Same with all the vPro stuff (which is kinda related but not completely).
|
| We do use Windows autopilot though but that doesn't depend on IME.
| HideousKojima wrote:
| Back when I worked on the sysadmin side of things we used vPro for out of band management of servers in our datacenters, but we never used it for our 10k+ laptops and desktops.
| GekkePrutser wrote:
| Yeah exactly. We used Dell iDRAC remote management cards and HP ILO for that mostly. We still use the latter on the few servers we have left (which is very very few). But on laptops/desktops never.
|
| That still doesn't really give it any reason to have it in workstation chips, in Xeons perhaps...
| helpm33 wrote:
| If you're using Intel architecture, it needs at least some SMM: it is used on startup (initial hardware configuration) and often during power management events (CPU clock scaling, hibernation, etc). The article mentions that they disable most but not all of SMM, for those reasons.
| [deleted]
| rkagerer wrote:
| Hey Intel, I'd pay you a premium to buy a CPU with this crap already disabled.
| marcodiego wrote:
| Hey AMD, me too.
| adrian_b wrote:
| Some of the Dell professional laptops, at least many of the Dell Precision mobile workstations, have a customization option that allows the buyer to choose "Intel ME disabled".
|
| I hope that they really do disable it in the laptops sold with this option.
| pm2222 wrote:
| EFI, anyone? MBR works perfectly ok for me.
| [deleted]
| npteljes wrote:
| If anyone is interested, it's possible to buy a laptop with ME already disabled:
|
| https://puri.sm/products/librem-14/
|
| EDIT: there's more at Wikipedia:
|
| https://en.wikipedia.org/wiki/Intel_Management_Engine#Commer...
| jongjong wrote:
| The decision to create such an engine is so unwise, it's evil.
| no-dr-onboard wrote:
| @dang, maybe we should merge this? seems to be a dupe https://news.ycombinator.com/item?id=33344458
| dang wrote:
| There was one relevant comment in that thread. I've moved it hither. Thanks!
| maxchristman wrote:
| That post has a broken link, and this one is the resubmission.
| NoImmatureAdHom wrote:
| Anyone know if me_cleaner etc. work on the new 12th generation chips? It's not clear from the link.
| etiam wrote:
| Very nice reference.
|
| Anybody here got a complementary source to suggest for dealing with more difficult flash chips?
|
| ( > If your BIOS flash chip is in a PLCC or WSON package, you will need specialized equipment to connect to the chip, the process for which is not currently covered in this guide. )
|
| I've got a laptop with BIOS on WSON laying around unused since a while back because I haven't managed to take the time and dig up what's a reasonable way to interface with them. (Bought the machine with an expectation of just clipping onto SOIC, like it's been in all my previous encounters. That'll teach me to look up the specs for the exact model rather than just something similar in the product line I guess.)
| LeifCarrotson wrote:
| There are two ways to do this:
|
| One is to buy an expensive, specialized test socket with pogo pins and a clamshell, from eg https://www.loranger.com/loranger_edc2/html/index.php or similar manufacturers.
| This is what you'd do if you wanted to do a burn-in test of some exotic amplifier or sensor, or to set up a small-scale assembly line and custom-program hundreds (not 1, not thousands) of these chips, and could write off a $100 standard socket or $10,000 custom socket as a cost of doing business.
|
| The other way is to just use a hot-air gun to desolder the WSON from the motherboard, use some Chip Quik to temporarily solder it (or an identical chip you bought for $0.50 from Digikey) to a breakout board, program that, desolder it, then reattach it to the motherboard.
|
| Of course, the third way is to have the manufacturer or the distributor do this for you.
| laweijfmvo wrote:
| How does something like this access my network? Like if I'm connected to WiFi, what's the stack look like for this chip getting access to that without the OS cooperating?
| kevin_thibedeau wrote:
| It has an enhanced 486 running Minix and unrestricted access to everything on the system bus.
| mmis1000 wrote:
| Because the intel me 'is' a standalone system. So it can do anything on its own. Of course it won't connect to your WiFi because it didn't know the password. But lan connections don't need password so it can connect and listen to it in that case.
| erik_seaberg wrote:
| There is a standard for LAN authentication, though I think only high-end network hardware enforces it.
|
| https://en.wikipedia.org/wiki/IEEE_802.1X
| laweijfmvo wrote:
| Most laptops don't even have an RJ-45 anymore
| wmf wrote:
| WPA Enterprise is basically 802.1x over Wi-Fi and yes, the ME has drivers for Intel Wi-Fi cards.
| snuxoll wrote:
| Depends on your definition of "high-end", while I personally stick with Mikrotik and Juniper gear a TP-Link TL-SG2008 is only $70 and gives you 8x1GbE ports and support for 802.1x just fine.
| For wireless you'd use WPA-Enterprise, which is pretty common on most consumer grade routers (for some reason), readily accessible on anything you can install OpenWRT on, and then on prosumer stuff like Ubiquiti AP's.
| wmf wrote:
| It requires an Intel NIC which connects to both the main CPU and the ME at the same time. The ME has drivers for Intel NICs and a full TCP/IP stack. From the docs: https://software.intel.com/sites/manageability/AMT_Implement...
|
| "The Intel 82566 Gigabit Network Connection identifies out-of-band (OOB) network traffic (traffic targeted to Intel AMT) and routes it to the Intel ME instead of to the CPU. Intel AMT traffic is identified by dedicated IANA-registered port numbers. The [southbridge] holds the filter definitions that are applied to incoming and outgoing in-band network traffic (the message traffic to and from the CPU). These include both internally-defined filters and the application filters..."
| ridgered4 wrote:
| Does this mean if your motherboard lacks an Intel NIC (or if you use an add on card instead) that it cannot communicate?
| wmf wrote:
| Yes, that is my interpretation.
| jrmg wrote:
| How common are these Intel NICs?
| wmf wrote:
| 100% of business PCs have Intel NICs because it's required for vPro. In the consumer market Intel NICs are generally considered (marginally) higher quality than Realtek. Intel Wi-Fi is also very common.
| thrillgore wrote:
| Unfortunately it lost me at the risk to brick my computer. Intel needs to be brought to court to stop enabling IME, not with hacks. If I have to use IME, the system I use will be considered insufficient for secure purposes and I'll just use another system for secure matters.
| radicalcentrist wrote:
| The risk of bricking isn't so bad as long as you keep a copy of the original firmware. If the patched firmware doesn't boot, you can always revert back.
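wmf's quote from Intel's docs above says the NIC recognises AMT traffic by its dedicated IANA-registered ports and hands it to the ME before the OS ever sees it, which is also why the OS-side firewall cannot observe it. The practical consequence for a defender is that the place to look is the network, not the host. The following is an added example, not code from the thread or from the Gentoo guide: a small Python detector that walks connection or flow log lines and reports hosts that accept connections on the well-known AMT/ASF ports. The port numbers are taken from Intel's AMT documentation (they are not listed on this page); the log layout and the sample lines are constructed for the example and are an assumption, so adapt `LINE_RE` to your own firewall's format.

```python
"""Flag out-of-band Intel AMT/ME management traffic in connection logs.

Added example (not from the Gentoo wiki page or the HN thread). The port
numbers are the well-known Intel AMT / ASF ports from Intel's AMT
documentation; the log layout and the sample lines are constructed.
"""
import re
from collections import Counter

# Well-known Intel AMT / ASF ports (IANA-registered). A host that ACCEPTs
# connections here is answering from the ME, whatever the OS reports.
AMT_PORTS = {
    623:   "ASF-RMCP (IPMI-style remote management, usually UDP)",
    664:   "ASF-RMCP secure",
    16992: "AMT HTTP (WS-Management / web UI)",
    16993: "AMT HTTPS",
    16994: "AMT redirection (Serial-over-LAN / IDE-R)",
    16995: "AMT redirection over TLS",
}

# Assumed log layout (constructed for this example):
#   "<timestamp> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_amt_flows(lines):
    """Return the parsed records whose destination port is an AMT port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in AMT_PORTS:
            rec["service"] = AMT_PORTS[rec["dport"]]
            hits.append(rec)
    return hits


def summarize(hits):
    """Count ACCEPTed AMT flows per destination host.

    Dropped attempts are probes; accepted ones mean the destination has a
    live AMT listener and should be checked (is AMT provisioned on it, and
    is that intended?) and fenced off with upstream firewall rules.
    """
    return Counter(h["dst"] for h in hits if h["action"].lower() == "accept")


# Constructed sample log: one internal host talking to a workstation on
# 443 (normal), then on three AMT ports, plus a dropped RMCP probe.
SAMPLE_LOG = [
    "2022-10-26T15:19:01Z tcp 10.0.0.5:51234 -> 10.0.0.20:443 ACCEPT",
    "2022-10-26T15:19:03Z tcp 10.0.0.5:51240 -> 10.0.0.20:16992 ACCEPT",
    "2022-10-26T15:19:04Z tcp 10.0.0.5:51241 -> 10.0.0.20:16993 ACCEPT",
    "2022-10-26T15:19:07Z udp 10.0.0.5:40000 -> 10.0.0.21:623 DROP",
    "2022-10-26T15:19:09Z tcp 10.0.0.7:55555 -> 10.0.0.20:16994 ACCEPT",
    "this line is not a flow record",
    "2022-10-26T15:19:10Z tcp 10.0.0.5:51250 -> 10.0.0.22:22 ACCEPT",
]

if __name__ == "__main__":
    hits = find_amt_flows(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"[{h['action']}] {h['service']}")
    for host, n in summarize(hits).items():
        print(f"{host}: {n} accepted AMT connection(s); verify AMT provisioning")
```

Run against real data by replacing `SAMPLE_LOG` with the lines of a firewall or NetFlow export and adjusting `LINE_RE`; the value of the check is that it sees what the host's own firewall, behind the NIC's filter, structurally cannot.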
| Razengan wrote:
| Good thing there's nothing like that in the Apple chips... or is there? :think:
| gjsman-1000 wrote:
| There is - it's called the "Secure Enclave." However, it is just another block on the processor and isn't this always-running ghost system underneath you. It cannot be shut down once started without a reboot - but it is completely up to you whether to start it in the first place. So, if you don't start the Secure Enclave and load its Apple-signed firmware, it will just sit there dark and unused.
| warner25 wrote:
| Usually when I'm reminded about IME (and whatever the equivalent is in AMD chips), it's in the context of some strong claims about it being "game over" for security and privacy against mass surveillance, engineered / funded by nation-state intelligence agencies, and rendering all other technical efforts moot. They make it sound plausible, and I think "why isn't this talked about or investigated more?" The section of the Wikipedia page that discusses the "backdoor" claim is frustratingly thin. I just don't know what to make of it. Hyperbole about a crappy thing, like the bloatware pre-installed on most new laptops and phones by the vendor? An open secret, with discussion about it suppressed?
| TheNewsIsHere wrote:
| This is offered very much in a "take it for what you will but for obvious reasons I am not going to give many more details" spirit. I worked for a major player in cybersecurity back when they were really trying to get everyone onboard with SGX. Our CISO was a technical guy, and worked closely with a peer who had a hybrid academic and professional background in cryptography. They both had strong credentials in mathematics and one was a practicing mathematician at one point.
|
| After a thorough review, all of the stakeholders who reviewed it told the executive leadership not to touch it because their opinion was that it couldn't offer anything meaningful beyond what we already had in place using the Windows API and its interface with the TPM, and they had concerns about what they felt were insufficiencies in the SGX design.
|
| That experience was a bit more in-depth than I've detailed here, but the takeaway for me was that Blue was desperately trying to justify a technology that wasn't what it was hyped up to be.
|
| I've often thought IME is the same thing, "different day".
|
| Edit: typo
| VictorPath wrote:
| Before looking at IME, let's review other topics. Printer machine identification codes were secretly inserted into printers some time between the 1980s and 2004. Our communications are being monitored in a host of ways. One last refuge was our CPU, but now that is under foreign control as well.
|
| Then there's older US government operations like Minaret, Shamrock, Cointelpro etc. to surveil US domestic political activities, from black civil rights, to Vietnam doves, to a very extensive surveillance of feminist groups. Cointelpro also involved US intelligence disrupting political movements, writing poison pen letters (a database admin and 60s peacenik I knew had one sent to his boss, a lawsuit later revealed the FBI sent it).
|
| Nowadays this is PRISM, Xkeyscore etc. interacting with the telco monopolies and FAANG, to spy on Angela Merkel's phone calls (along with BND turned by the CIA), disrupt Airbus contracts in favor of US aerospace etc.
| npteljes wrote:
| I think we frankly don't know how much of a problem it is, yet. Since there's no widely applicable remote exploit for it, as far as the mainstream is concerned, all we're left to do is speculate on the risk.
| If someone operates a server, it's best practice not to have any extra services running on top of what's needed to run the original service. This is because every extra open port, software or complexity increases the attack surface. Same with Intel ME, people don't understand why it needs to be there, if nobody seems to even use it.
|
| Preinstalls are not hyperbole though, there was some nasty stuff over the years. Lenovo, for one, bundled Superfish, which man-in-the-middled all HTTPS browser communication[0]. Similar effort from Dell[1].
|
| I think ME's situation is similar to Stallman's attitude toward proprietary software. Proprietary is not evil by itself, but it's very easy to corrupt it to be so, and then the end user is powerless. And because the end user can't decide when this change happens, they are powerless to begin with. Therefore the thing shouldn't exist in the first place.
|
| [0] https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...
|
| [1] https://en.wikipedia.org/wiki/Dell#Self-signed_root_certific...
| midislack wrote:
| It's a backdoor for sure. I think the extensive online campaign which desperately tries to prove it's not, proves it is. Who can afford to police EVERY forum, social media platform, and web site only to call people mentally ill for suspecting it is? It's a pattern which only fits certain players.
| CyberDildonics wrote:
| > the extensive online campaign which desperately tries to prove it's not, proves it is
|
| That's like saying the extensive campaign to prove the earth is a sphere proves it's flat. That isn't how logic works.
| Spooky23 wrote:
| That's what they want you to think.
|
| First they make you drink fluoridated dihydrogen monoxide, then when you get a job in enterprise IT, the extra ions in your teeth make you pay extra for vPro.
| pkulak wrote:
| It's just too old for people to be outraged about still.
| anonym29 wrote:
| By this logic, should we not be outraged by 19th and 20th century genocide?
| charcircuit wrote:
| Yes, as someone born in the 21st century all of that is just stuff in some history book that I was forced to learn to pass some test.
| Alupis wrote:
| > By this logic, should we not be outraged by 19th and 20th century genocide?
|
| Well, no. I don't think you will actually find a real person living today that matches a real definition of "outrage" for genocides in the 19th and 20th centuries.
|
| Discarding performative theatrics, you will find people who all agree it was bad... but they won't be literally outraged. The passing of time, and generations, has that effect.
| kragen wrote:
| Pretty sure Holocaust survivors and their immediate families, not to mention the scarcer immediate family members of Holocaust non-survivors, are still outraged about the Holocaust. I don't think that's performative theatrics.
| Spooky23 wrote:
| Performative theatrics is attempting in any way to contrast Intel vPro with the Holocaust.
| kragen wrote:
| Intel vPro and similar systems centralize power over communication and record-keeping in a way that has historically been both necessary and sufficient to cause atrocities like the Holocaust, the Great Leap Forward, GULAG, and so on.
|
| But, because of newly pervasive computer mediation of day-to-day interactions, these spyware systems potentially provide a degree of centralized social control that Stalin or Mao could never have dreamed of. Recent infringements on human rights in XUAR provide a preview of the resulting future. Essentialist explanations that attribute them to some unique depravity of the Chinese race are utterly implausible; they are due to the lack of effective checks and balances on state power.
|
| Consequently we can expect the atrocities resulting from systems like vPro to be far worse than the Holocaust or any other historical events.
| Alupis wrote:
| I cannot tell if you are arguing in good faith or if this is some very clever wit.
|
| Comparing vPro to Stalin, Mao, the Holocaust and more is really not serving to forward your argument... particularly while you have an iPhone or Android device in your pocket, watch curated TV content on your Smart TV, and drive your modern car into the office where you use your Windows or OSX computer and ISP provided DNS.
|
| This would definitely count in the "performative theatrics" category of any normal book. Why is this age so sensationalized? Words are becoming meaningless due to overuse, abuse and re-definition to fit convenient arguments...
| anonym29 wrote:
| I'm in no way conflating the impact of the two, I'm pointing out that the implication of the original comment "It's just too old for people to be outraged about still", is that people shouldn't be outraged at evil things solely because those evil things happened a long time ago.
|
| The implication itself is ridiculous. Time does not make evil things less evil.
|
| To suggest that I'm contrasting the impact of ME (not the same as vPro) with the holocaust is either blatantly missing the point or a deliberate, bad faith strawman.
| Alupis wrote:
| The word "outrage" is problematic. It implies, by its very definition, that the mere mention of these things brings people into a flurry of uncontrollable anger.
|
| I would wager people are abusing the word and changing its meaning to sensationally signal displeasure or disappointment with historical events. Those are not the same.
|
| Outrage has an emotional immediacy to it. It's really hard to be actually outraged by events that transpired 40 years ago, 100 years ago, centuries ago or more.
|
| I assert there is no human alive today that is actually, really outraged by the Holocaust or any of the other atrocities mankind has perpetuated over its history. Who would they be outraged with?
| Hitler - who has been dead for 77 years? The Nazi party that has not existed for 77 years?
|
| It would be quite emotionally immature to be literally outraged with any of this in a modern context...
| pkulak wrote:
| I'm not telling you what emotions to have, just observing the world around me.
| hsbauauvhabzb wrote:
| Those two things have disproportionate direct impact and can't really be compared on the same level. But apples for apples, school educates students about genocide and not about the privacy considerations of backdoor chips.
| anonym29 wrote:
| I'm in no way conflating the impact of the two, I'm pointing out that the implication of the original comment "It's just too old for people to be outraged about still", is that people shouldn't be outraged at evil things solely because those evil things happened a long time ago. The implication itself is ridiculous. Time does not make evil things less evil.
|
| To suggest that I'm contrasting the impact of ME (not the same as vPro) with the holocaust is either blatantly missing my point (that the implication of the original comment is obviously completely false) or a deliberate, bad faith strawman.
| michaelt wrote:
| _> Hyperbole about a crappy thing, like the bloatware pre-installed on most new laptops and phones by the vendor? An open secret, with discussion about it suppressed?_
|
| Personally, I worry about things like IME based on an entirely hypothetical theory: I think many of the big tech companies are riddled with spies from a variety of nations.
|
| My rationale for this is simply that if I was in charge of a spy agency's offensive cybersecurity group, my top priority would be placing agents in Microsoft, Apple, Google, Cloudflare, Juniper, Cisco and so on. They'd have orders to be careless in undetectably subtle ways - nobody's imprisoning a guy just because he added log4j to the codebase in 2010.
| To me this seems well within the capabilities of a spy agency with a multi-billion-dollar budget and tens of thousands of employees.
|
| Even with code reviews, I doubt anyone could deliver a project like IME with no security bugs, if five of their peers were compromised by different nations' spy agencies.
|
| If you think that's completely believable and what else would spy agencies be doing in the modern age, you'd be very suspicious of IME. But if you think that's an undisprovable conspiracy theory with no solid evidence whatsoever, you might think IME sounds just fine.
| warner25 wrote:
| > my top priority would be placing agents in Microsoft, Apple, Google, Cloudflare, Juniper, Cisco
|
| Interesting thought. Or more likely, I'd guess, spy agencies might recruit existing Big Tech company employees who have access to sensitive and desirable things. That's usually how it happens, reportedly, when American security clearance holders get caught doing bad things: they aren't deep cover agents who spent years working their way into position, they approached or got approached by foreign agents because of their position.
| myself248 wrote:
| Before Snowden, I think absence of evidence could often be construed as evidence of absence.
|
| But I think that ship has well and truly sailed.
|
| We now know that, behind closed doors in classified places, every bad thing we imagined might be happening, _was_ happening, and then some, beyond the scale of the wildest imaginations of the most paranoid activists. And then some, and then some.
|
| The fact that we don't have proof of _this_ particular bad thing, which is entirely possible and downright trivial and could actually be the entire purpose for which the functionality was designed, should in no way suggest that the capability isn't being used.
|
| Ten years ago, I could see that being a reasonable argument. Now it just rings as blindingly naive.
| charcircuit wrote:
| It's not talked about more because it's a crazy conspiracy theory that has no merit. After all these years of scrutiny the worst vulnerability required physical access and disassembly in order to perform a hardware attack.
|
| The people who believe this conspiracy theory, like many others, peddle misinformation to prove their point. No matter how much you try and debunk it you can't change their mind.
| warner25 wrote:
| Yeah, see that's the other side of the story that doesn't seem to be told much either, and I'm interested in that too. It does seem like some researcher or journalist should have blown the case open by now if this thing were systematically providing telemetry from everyone's "powered off" (but still plugged in) machines to an intelligence agency. Can you point to an article or paper that thoroughly debunks the claims as crazy conspiracy theories?
| pencilguin wrote:
| gjsman-1000 wrote:
| It doesn't necessarily need to be a backdoor. Look up Remote Attestation, which is getting easier every year. With that, you can run whatever software you want on your device - but other servers do not need to talk to your device if they detect that you are.
|
| It's coming up in Android more with SafetyNet. If your device is rooted, you fail SafetyNet. If you fail SafetyNet, almost all banking app servers will refuse to talk to you, rendering their apps useless. SafetyNet could be spoofed historically, but SafetyNet is moving into hardware instead of software since ~2020, so the spoofing has gotten way, way harder and may cross into downright impossible.
|
| It's also coming to Windows with the Windows 11 TPM 2.0 requirement. See the video game Valorant, for example. If you are on Windows 11, it will mandate that you have a TPM 2.0 enabled and Secure Boot enabled.
| It has exceptions for VMs and Windows 10 and earlier right now - but they can literally close that door, at any time, and immediately remotely lock all machines to that requirement. No amount of game patching will bypass it - the multiplayer servers won't talk to you unless your hardware cryptographically reports that you've passed Secure Boot checks.
| LinuxBender wrote:
| _If you fail SafetyNet, almost all banking app servers will refuse to talk to you_
|
| This is probably unique to me but I see that as a bonus security feature. All I want to use the phone for is voice, text, mumble, irc and ssh/sftp, only things hosted by me. I'm still trying to find a non-google rom that is well supported for my model of android. If I could get a vendor unlocked CAT I would turn the droid into a dedicated mp3 player.
| denton-scratch wrote:
| > It's also coming to Windows with the Windows 11 TPM 2.0 requirement.
|
| My Lenovo L430 is apparently incapable of running Win11 for that reason. Win10 will soon be out of support, so I'm preparing to blow away my last-ever Windows system, and become all-Linux. I'm looking forward to it.
| fencepost wrote:
| Isn't 'soon' 3 years from now? And it'll definitely impact PCs more than 7-10 years old at that point, but that's kind of a hard number to get worked up about. If it's that big a deal, when the deadline gets closer buy a new-to-you 7 year old machine for a couple hundred dollars.
| azalemeth wrote:
| This is all true, and all frankly awful. I refuse to take part in apps that do this and implore you all to do the same.
| arprocter wrote:
| The AMD version is https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...
|
| They seem to update it a lot less frequently than Intel
| NoImmatureAdHom wrote:
| The existence of the High Assurance Platform (HAP) bit makes it pretty clear that 1) three-letter agencies don't trust the IME, and strongly implies that 2) they asked for it to be there in the first place.
|
| "High Assurance Platform" https://trademarks.corporationwiki.com/marks/high-assurance-...
| warner25 wrote:
| Yeah, that's the kind of thing I've seen before, lots of circumstantial evidence that makes the claims sound plausible, but then the trail just seems to stop cold.
| NoImmatureAdHom wrote:
| I mean, it is the NSA. They're probably pretty good at what they do. I should hope so, tax dollars pay for it.
| shrubble wrote:
| 'Who benefits?' Seems to be a relevant question.
|
| Intel has to have spent quite a bit of money to add any feature that you see; so why would they do that without a strong market case...?
| NoImmatureAdHom wrote:
| Yeah, nobody in this topic has copped to actually _using_ the ME so far. I've never heard of anyone using it.
| AnssiH wrote:
| Most do not use it "directly", but instead use features implemented by it.
|
| E.g. I've used Intel Platform Trust Technology (PTT) to implement system security features, and AFAIK that runs on ME.
| boppo1 wrote:
| >trail just seems to stop cold.
|
| There's your evidence.
| djbusby wrote:
| No, that's the absence of evidence.
| NoImmatureAdHom wrote:
| Only when your priors are that absence of evidence (in the sense of the trail going cold) is normal. Your parent comment's point is that this is a _conspicuous_ absence of evidence.
| salawat wrote:
| Absence of evidence isn't evidence of the absence thereof.
|
| That it runs cold lodges it firmly in the "we are pointedly not going to talk about it" space, which for me is where the worry even starts. If my little gray hat wearing mind can come up with plausible ways to exploit something like that...
|
| A) I am not that smart
|
| And
|
| B) Someone in a position to pull something like that off has probably already implemented it.
| checkyoursudo wrote:
| With regard to the guide itself, please be aware that the guide, of which this is but one section, is no longer actively maintained (since 2020).
|
| It is a great and useful guide. I have used it to modify my own Gentoo installation. But, be aware of what you are doing. :)
| pkulak wrote:
| This is the big benefit of companies like System76 that disable this for you.
| freefal wrote:
| "removes the vast majority of the ME's software modules (including network stack, RTOS and Java VM)"
|
| There's a Java VM on these things?!
| mmis1000 wrote:
| Not surprised, Java vm is literally everywhere. From your credit card to sim, if it is an IC card then there is Java vm. It is almost universal language for mini embedded system for some reason I don't understand.
| goodpoint wrote:
| > It is almost universal language for mini embedded system for some reason I don't understand.
|
| Marketing-fueled hype.
| smolder wrote:
| IIUC, it's because it's easier to rigorously prove the VM prevents classes of bugs (i.e. memory safety issues) and then _reuse_ that VM in many places than it is to rigorously prove that many separate embedded systems _not relying_ on the VM have independently avoided those bugs.
| hedora wrote:
| Is there an example of a JVM that has been proven correct in this sense?
|
| I haven't heard of one.
| [deleted]
| dmitrygr wrote:
| ME gets a lot of well-deserved hate. And a lot of work goes into disabling it. But I am surprised that none of the people working on such projects ever looked at the very peculiar ME payloads that intel chromebooks carry for hints on how to do it better...
| londons_explore wrote:
| Why exactly isn't there a setting or jumper to just disable this?
|
| I don't really see a business reason for Intel to make this hard to do...
|
| They _could_ totally have made the machine reset if the ME couldn't be initialized. But they didn't.
| nullc wrote:
| > They could totally have made the machine reset if the ME couldn't be initialized. But they didn't.
|
| Hm? That's what they did: if you disable too much of the ME the computer will reboot after 30 minutes.
| w1nst0nsm1th wrote:
| Reminds me of that secured phone sold by a german company to governments around the world.
|
| In practice, the company was indeed a joint venture involving the US government who used a german proxy to sell compromised hardware to unsuspecting officials. Everything went straight to NSA.
| rolph wrote:
| rather than disable ME, I would want to pwn it.
|
| you can dump, substantially re-engineer, and write back, to add utility, and provide service to end user.
|
| or could it be like the one ring?
| RetpolineDrama wrote:
| It's absolutely insane that _this_ is what it takes to get IME fully disabled.
| chasil wrote:
| This does not _and cannot_ "fully disable" the ME subsystem on modern CPUs.
|
| A small remnant is left operational - without it, a PC shuts down after 30 minutes (this is well-known).
|
| The Core 2 Duo/Quad architecture was the last iteration where the ME subsystem could be entirely removed.
|
| I posted two BIOS images on this link for old HP machines. They can easily be flashed from within the booted bios without much hassle. Looking for the link...
|
| Found it on Bing of all places!
|
| https://github.com/corna/me_cleaner/issues/233
| tomxor wrote:
| > The Core 2 Duo/Quad architecture was the last iteration where the ME subsystem could be entirely removed.
|
| Yeah, but unfortunately intel also didn't bother providing microcode patches for meltdown on those chipsets "because too old" by some arbitrary definition of "old".
| chasil wrote:
| These are vulnerable to Meltdown, and the page table isolation patches are required to secure kernel memory.
| These do involve a performance hit, so I'd recommend Core 2 | Quad Q9550s as an upgrade for a minimally-usable machine. | | However, these are not SMT/hyperthreaded, so many of the | Spectre vulnerabilities do not apply. | | OpenBSD runs well enough on them, and these machines are | likely what I trust most with this OS. | | Most Linux distributions run on these machines (RedHat 9 doesn't - | requires an i3), but will pause on the mei_me module and | look for a response from the ME that you have lobotomized; | blacklist the related modules if you want to boot faster. | chasil wrote: | The well-known spectre-meltdown checker says that my Q9650 | is not vulnerable to Meltdown or Spectre 1-3. | | It is vulnerable to variant 3a, 4, Fallout, Zombieload, | and both RIDLs. | | https://github.com/speed47/spectre-meltdown-checker | [deleted] | [deleted] | dottedmag wrote: | Well, it's a very detailed guide on how to dump the contents of a flash | device, update it and put it back. | | If the guide said "dump the flash" and "write back the flash" | instead of the detailed instructions, and only described the | firmware manipulation steps in detail, it would be much | shorter. | intelVISA wrote: | Both absolutely insane and completely understandable. | | ...hopefully RISC-V will save us from this nightmare. | gjsman-1000 wrote: | Ha - no. Absolutely not. I don't know where this total myth | came from that RISC-V is open source, therefore | implementations will be better. | | RISC-V is just an ISA (Instruction Set) that anyone can use, | but what people use it in, and how they use it, is not | specified and does not have to be open source. Apple could | take RISC-V, plop it in their iPhone, and release it tomorrow | in a processor that only boots Apple-signed code and requires | proprietary firmware without any issue whatsoever. Intel | could literally release a Core i5 with a RISC-V instruction | set and an Intel ME built in, no problem.
| | Where the hope mainly comes from is small chip developers | like SiFive, who make many of their drivers and such open- | source. But that's only if you buy from vendors like them - | if you implement your own RISC-V core, there's no requirement | that the drivers or firmware be open-source for it, in any | way. You might say that's a missed opportunity. I say RISC-V | wouldn't have caught on otherwise. | smoldesu wrote: | > I don't know where this total myth came from that RISC-V | is open source, therefore implementations will be better. | | The hope is that (unlike x86/ARM) you will be able to | purchase core designs from people who aren't sockpuppets. | RISC-V will at least let people choose between which | backdoor they want installed, which is an upgrade from a | status quo of "All Your TCP Traffic Belongs To U.S.". | | It's not exactly Superman, descending from the skies to | deliver us from dystopia. But it's certainly a better path | than letting ARM dominate any more of our chip landscape. | walterbell wrote: | _> The hope is that (unlike x86 /ARM) you will be able to | purchase core designs from people who aren't | sockpuppets._ | | It also lowers the barrier to entry for new/rebranded | sockpuppets, but having choices is a step in the right | direction. | evilos wrote: | So... you're saying someone could (but not necessarily | will) save us using RISC-V. Seems like a necessary | precondition to it. | MisterTea wrote: | > Where the hope mainly comes from is small chip developers | like SiFive, who make many of their drivers and such open- | source. | | But there are still roadblocks, as they likely bought the | memory controller from a 3rd party as an IP block they drop | into their chip. This means the bring-up procedure for the | memory controller is proprietary and delivered in blob form | to be loaded into the black-box IP. Likely the same for | other 3rd party IP blocks, as developing this stuff from | scratch is very difficult and time consuming.
Especially | for critical hardware like memory controllers. This makes | opening the platform's firmware just as tricky as any other | chip from $bigvendor. This makes full top-to-bottom | security audits difficult or impossible. | justinclift wrote: | > Where the hope mainly comes from is small chip developers | like SiFive, who make many of their drivers and such open- | source. But that's only if you buy from vendors like them | ... | | So, you're saying it _is_ possible (or will be down the | track...) as long as things are bought from SiFive or a | similar OSS-friendly place. | | That's still a large improvement over the current | situation, even if other vendors take a different, locked- | down approach. | RobotToaster wrote: | It's still an improvement over x86, where anyone who | manufactured an alternative would be sued into oblivion by | Intel for patent infringement. | sprash wrote: | Next year all x86_64 patents will expire. From then on | everybody can make an IME/PSP/Pluton-free x86_64 chip. | This makes RISC-V completely obsolete since the x86 | ecosystem is obviously much more mature. | smoldesu wrote: | > This makes RISC-V completely obsolete since the x86 | ecosystem is obviously much more mature. | | While I'd really love to agree with you, the IPC of a | RISC-V chip can annihilate an x86 machine on an equivalently | advanced manufacturing node. Its performance-per-watt | can reach up to 10x efficiency over x86 in the right | situations, and pretty much all of the cool stuff we like | in x86 can be added as an ISA extension. | | If we're headed to a RISC/low-power computing future, | RISC-V will be the future people's champion. x86 will be | a legacy compatibility mode that we use for games and | "retrocomputing", likely. | tmtvl wrote: | x86 may be mature, but I think the M1 has shown that there | is plenty of potential for improvement. I know M1 is ARM | instead of RISC-V, but there may yet be ways to get better | chips.
| | That said, the hardware we have is really good, it's just | the software side that is a complete garbage heap. | smoldesu wrote: | Apple Silicon was an interesting move when you look at it | from a numbers perspective. The M1 is a really impressive | chip, but AMD had competitive x86 hardware that was out | on the 7nm node. It benchmarked ~10% slower (the 4800u | did, at least), consumed more power (25w max vs 15w max) | and ran equally as hot as M1, but it did make me wonder - | could AMD have made an M1-class chip if TSMC sold them | the 5nm silicon they needed? It's hard to say, and | arguably the Zen process wasn't (and still isn't) | competitive with Apple's process enhancement. | | Still though, AMD seems convinced that x86 can compete | against modern RISC ISAs. They aren't far away from | proving themselves right, honestly. | intelVISA wrote: | Ofc, as you mentioned, RISC-V is simply an open-source ISA; | however, it is arguably the groundwork for chips | independent of Intel/AMD. | midislack wrote: | In the future, buying Chinese designed and made RISC-V will | be the way to assure yourself that there's no extra NSA | garbage in there. | RunSet wrote: | But according to Intel it exists to provide functionality that | is desired by hardware owners. | | Big "Look what you made me do" energy. | GekkePrutser wrote: | As a hardware owner I disagree. | | Both personally and as part of the management team of 150,000 | computers at work, we don't use this stuff there either. | chasil wrote: | I can tell you that I have used HPE Integrated Lights Out | (iLO) on Gen8/9/10 servers. | | It is a great help for server lock-ups - it is able to | force a full power-down of the main board and cold-boot. | | The software behind iLO was also a presentation at | BlackHat, so it's important to keep them patched (and I | don't know anybody else that does). | | https://www.blackhat.com/us-21/briefings/schedule/index.htm | l...
| everforward wrote: | I've used that and Dell's DRAC. They have their uses. We | ran those on a separate network, and it was somewhat | routine to use them to get into a host that was locked up | or had disconnected from the network somehow. | | It's definitely a security risk, but at a big company | with a poorly managed IT department it wasn't the worst | offender. | GekkePrutser wrote: | Yep, we use that too but it has nothing to do with IME. | | We also have Dells with iDRAC cards. But it's a nice | thing with iLO that it's built-in, _and_ it can be | managed on a completely dedicated out-of-band network. | Unlike the IME thing. | | I understand there's a point to this in stuff like | servers, but for workstations? | Spooky23 wrote: | I use it to segment network access. | | The devices are on an untrusted network and VPN into a | LAN based on the device assignment. Things like printers | are on a separate network, and there's no cleartext on | the network. | | In the case of laptops, if they fall out of certain | compliance baselines, they get remote wiped or bricked. | criddell wrote: | Parts of it you want. The management engine does a lot of | stuff and I don't think you can say all of it is good or bad. | It would be nice if they would break it down area-by-area and | give owners some controls to disable the unnecessary parts. | qu4z-2 wrote: | What is a thing it does that a user may want? | flenserboy wrote: | It makes a body wonder just who Intel thinks the hardware | owners are. | nonrandomstring wrote: | > "functionality that is desired by hardware owners" | | We hear this all the time, don't we? Claims that something is; | | "Because people want it". | | "Markets demand it". | | But we see absolutely no evidence of them whatsoever, this | mythical mass of people clamouring for features that are | strangely aligned with the things big-tech suppliers and | manufacturers wish to push and get to simply assert that | "people want".
| | We like to think of ourselves as an "evidence based, rational | society". We'll happily hold governments, scientific and | health research to a high standard of evidence. Even | Wikipedia articles demand "citation needed". | | Show us those people! Back up your claims, Intel. | iszomer wrote: | How is Intel ME any different in functionality than the | Baseboard Management Controller usually found on servers | (eg: Aspeed)? And what of those who extend these feature | sets with boards like the Raspberry Pi? | UI_at_80x24 wrote: | Here's the real kick in the nuts that IME does compared | to BMC or other 'Management ports'. | | (1) It is not something that you can (easily) disable | | (2) It uses the same Network port that your LAN NIC uses | instead of a separate "I won't plug that in if I don't | want it" NIC. | | (3) Security/Patches? This is outside the control of the | BIOS manufacturer, so how do you make sure it's patched | and up to date? and | | (4) It wasn't an option. | gwillen wrote: | Note that the BMC does not always restrict itself to the | BMC port. I've worked with machines that have a dedicated | BMC port, but also have a BIOS-configurable option (on by | default) to let it use whatever port is connected. | wmf wrote: | That's a really low bar because (1) BMCs are a security | nightmare because their firmware is garbage and (2) many | PC owners do not need or want BMCs. | | I think the ME hating is kinda strident, but it has a | bunch of undocumented firmware and your PC still works | after you remove it so... what was that firmware doing? | dislikedtom2 wrote: | if someone wants and demands it, it's the nice people at | the CIA and NSA | pexabit wrote: | The tell is that you cannot even pay more to buy ME- | disabled hardware when it is obvious that there is plenty | of money in it, at little additional cost to Intel. The | workaround in me_cleaner was originally intended for | government buyers that demanded it.
And they probably had | good reason to demand it. | djbusby wrote: | This seems like the hardware owners are demanding the | opposite of what Intel is delivering. | Manu40 wrote: | Rather, it's both. | | The government folk want it gone from theirs, but they | want the rest of us to have it. Thus the claim "Our users | want it" is true, in a tongue in cheek way. | sidewndr46 wrote: | I feel similar with 5G. I don't know anyone who was | actually demanding 5G speeds from their phone, or excited | about it. Technically it's very cool, but I'm unsure it | actually is enabling end users to do something they could | not. | | From my experience, I actually must disable 5G. The 4G | network in my area actually works well enough in all | circumstances. The 5G network is all-or-nothing. I either | wind up with incredible speeds or completely unusable. | generalizations wrote: | Is the end user actually the market this is aimed at? All | we really know is that 5G and the Intel ME are endeavors | that are expected to make a profit. But who wants this | enough to pay for it? Someone does. If not the mass | market consumer, then who? | cedilla wrote: | In the case of 5G, telcos love it. It's vastly less | expensive to run than any lower G, both in cities and the | countryside. That interest even aligns with end users' | interest. | Manu40 wrote: | Except they still charge the same anyways, or more. | | I'm with Telus up here in Canada. You pay the same old | rates as per the usual for 5G speeds. If however you go | with their subsidiary (Koodo) using the older | infrastructure, you can pay a little less for similar | packages. | | Check it out yourself. Mind you, I use prepaid, cause I | don't want to be on a contract, so I buy my own phone and | use it. Koodo even charges more for bringing your own | phone, since they aren't collecting on having leased one | to you. | | https://www.telus.com/en/mobility/prepaid/plans?linktype= | sub... 
https://www.koodomobile.com/en/rate- | plans?INTCMP=KMNew_NavMe... | | Simply put, if I want to save money while still having | enough data for what I actually need data for; I can | either spend about 35-40$ with Koodo for 2-4GB of data at | 3 & 4G speeds; or 40-50$ for 2.5-4.5GB at 4 & 5G speeds. | I round things this way by the way, because of taxes. | Also, auto-top up also tends to give some extra data too. | 500MB more. So generous of them (/s). | | And also, this is new packages. They just updated them | with the new promo on Telus with that whole 1GB extra | data and 10$ one time credit. I'm gonna have to call them | and get that I guess. Unless they auto gave it to me? Who | knows with them. Ultimately, I only need 500MB though, | since I use Spotify in offline mode, and only download | music via my wifi at home; and the only other thing I | tend to use is Google Maps which can also be downloaded | ahead of time to save on data. | | Edit: I should also note that they do actually state 4G | on the Telus website, but my phone says I am getting 5G | speeds. Hence why I state 5G. I could care less what they | claim on their website. End user experience is truth. | Zigurd wrote: | Some aspects of 5G are sensible in that they take | advantage of improving hardware to use spectrum more | efficiently: denser encoding, full-duplex radios, etc. | | Some of it, like beam steering that tracks moving | devices, which is going to be challenging to make it work | in real world cases, and using spectrum that makes it | hard to penetrate inside cars and buildings, is a reach | nobody asked for. | | Some seems greed driven, like "If we can convince AWS | customers they need to put computing at the network edge | we (telcos) will capture some of the value AWS | accumulates now." | | As for your 4G network, that's what we call 5Ge now. | sidewndr46 wrote: | I knew a guy who worked on cell phone beam forming from | the tower 20 years ago. 
He said it worked flawlessly in | Florida where the company was based. He also said every | single deployment failed because nowhere in the US has | such a flat terrain without reflections. | | Is 5Ge some sort of joke? Or is that a real designation. | Spooky23 wrote: | If you have Verizon, that's a bad idea as they've bungled | the rollout and LTE performs poorly in many areas. | ridgered4 wrote: | Knowing Intel, if this functionality was actually desired by | hardware owners it would only be available on high end | chipsets and i7+ processors. | smolder wrote: | Depending on the motherboard it can be very hard, pretty easy, | or very easy. For my one motherboard that isn't covered by me- | cleaner due to the newness, I verifiably turned off ME the | "pretty easy" way: By downloading the latest BIOS from | Gigabyte, opening it in Intel's CSME tools (there are download | links on some forums geared towards BIOS modding), flipping the | unlabeled "reserved bit" which turns on "high assurance | platform mode", and then flashing that BIOS .bin, also with | Intel's tools. | | I believe some motherboards won't let you flash the modded BIOS | if it's cryptographically unsigned or something like that, | which is good for other reasons... but I haven't run into it | myself. | | I've disabled ME on a couple of Supermicro boards too, using | me-cleaner, since they were supported. (What I consider the | "very easy" method.) | | edit: Sibling poster is right that it can't be _fully_ | disabled. I do assume it's _effectively_ disabled when it no | longer appears in device manager and Intel's ME inspection | tools show it as disabled. | borissk wrote: | A slightly off-topic question: many modern motherboards have a | function to flash a BIOS even without a CPU present (e.g. Gigabyte | markets it as Q-Flash). Any idea how does that technically work? | Do they put a separate CPU on the motherboard?
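An added illustration of the strap-bit approach smolder describes a few comments up (the "reserved bit" that switches on high assurance platform mode, which me_cleaner's HAP option automates). This is example code written for this page, not code from the thread, the Gentoo guide or me_cleaner itself. The descriptor layout it relies on is an assumption taken from how me_cleaner reads the flash descriptor: signature 0x0FF0A55A at descriptor+0x10, FLMAP1 at descriptor+0x18 carrying the PCH strap base (FPSBA), HAP = bit 16 of PCHSTRP0 on Skylake-era and newer PCHs, and AltMeDisable = bit 0 of PCHSTRP10 (strap base + 0x28) on older ones. The `new_pch` parameter, the function names and the sample image are all constructed for the demo; the image is not a real dump. It goes a little beyond smolder's one-board case by handling both PCH generations and by diffing the result against the original so a wrong offset cannot go unnoticed.

```python
"""
Set the Intel ME "disable" strap in a SPI flash image's descriptor.

Example code for this page, not me_cleaner's own implementation.  Offsets
and bit positions are assumed from me_cleaner's reading of the descriptor.
"""
import struct

FD_SIGNATURE = 0x0FF0A55A            # flash descriptor signature at desc+0x10
SIG_OFFSET, FLMAP0_OFFSET, FLMAP1_OFFSET = 0x10, 0x14, 0x18


def find_descriptor(image: bytes) -> int:
    """Return the offset of the flash descriptor block.

    It normally sits at 0, but some dumps carry junk in front, so also scan
    4 KiB-aligned offsets for the signature (assumption for robustness).
    """
    for base in range(0, len(image) - SIG_OFFSET - 4 + 1, 0x1000):
        (sig,) = struct.unpack_from("<I", image, base + SIG_OFFSET)
        if sig == FD_SIGNATURE:
            return base
    raise ValueError("no Intel flash descriptor signature found")


def strap_base(image: bytes) -> int:
    """Offset of the PCH soft straps: the FPSBA field of FLMAP1, in 16-byte units."""
    desc = find_descriptor(image)
    (flmap1,) = struct.unpack_from("<I", image, desc + FLMAP1_OFFSET)
    return desc + ((flmap1 >> 12) & 0xFF0)


def _strap_location(image: bytes, new_pch: bool) -> tuple[int, int]:
    """(offset, bitmask) of the ME-disable strap for the given PCH generation."""
    base = strap_base(image)
    if new_pch:                        # Skylake and newer: HAP bit in PCHSTRP0
        return base, 1 << 16
    return base + 0x28, 1 << 0         # older PCHs: AltMeDisable in PCHSTRP10


def me_disable_bit_set(image: bytes, new_pch: bool = True) -> bool:
    """Read back whether the strap is already set."""
    off, mask = _strap_location(image, new_pch)
    (strap,) = struct.unpack_from("<I", image, off)
    return bool(strap & mask)


def set_me_disable_bit(image: bytes, new_pch: bool = True) -> bytearray:
    """Return a copy of image with the ME-disable strap set; nothing else changes."""
    out = bytearray(image)
    off, mask = _strap_location(out, new_pch)
    (strap,) = struct.unpack_from("<I", out, off)
    struct.pack_into("<I", out, off, strap | mask)
    return out


def changed_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte offsets where two same-length images differ; run this before flashing."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_sample_image(size: int = 0x1000, fpsba: int = 0x100) -> bytes:
    """Constructed descriptor-only image for the demo (not a real flash dump)."""
    img = bytearray(b"\xff" * size)                  # erased flash reads as 0xFF
    struct.pack_into("<I", img, SIG_OFFSET, FD_SIGNATURE)
    struct.pack_into("<I", img, FLMAP0_OFFSET, 0x00040003)   # arbitrary FRBA/NC
    struct.pack_into("<I", img, FLMAP1_OFFSET, (fpsba >> 4) << 16)  # FPSBA field
    for off in range(fpsba, fpsba + 0x30, 4):        # clear the strap words
        struct.pack_into("<I", img, off, 0)
    return bytes(img)


if __name__ == "__main__":
    original = make_sample_image()
    patched = set_me_disable_bit(original, new_pch=True)
    print("HAP bit set:", me_disable_bit_set(patched, new_pch=True))
    print("bytes changed:", [hex(o) for o in changed_offsets(original, patched)])
```

Setting this strap only tells the ME to halt itself early in its boot; it does not remove the firmware, which is why me_cleaner additionally strips partitions and why the thread's "cannot fully disable" caveat still applies. The descriptor region is normally write-protected from the running OS, so the patched image has to go back with an external programmer as the guide describes, and the diff against the backup should show exactly one changed dword before anything is written.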
| greycol wrote: | smolder has a comment in this thread expressing viability for | some boards doing this. | | https://news.ycombinator.com/item?id=33347065 | tymscar wrote: | I just upgraded to a Ryzen 9 7950x with a Gigabyte x670e | motherboard and while using Q-Flash+ I also got curious, but | nothing online answers how it works and the manual is too | simplistic to include the details. If I had to guess, it's | probably the chipset? | the-printer wrote: | Are there any caveats to disabling the IME? | | This side of computing can become daunting in the context of the | direction that the world is heading. So many acronyms and | backronyms lie beneath the chassis of our devices running | commands and loops; looping and commanding and checksumming and | checking sumthin' out. | | Checking what out and sending it where? | | - " _We need to verify that the code is signed for your safety_." | | - " _But it came from your App Store, emperor of the mononymic | enterprise_." | wmf wrote: | Certain DRM will no longer work so you may not be able to play | Netflix or whatever. | egberts1 wrote: | That's why I never use the onboard Ethernet chipset, ever. | | Even if it's BIOS-disabled. | | Just buy a decent Intel (or even RTL) Ethernet NIC PCI card, or | two. | w1nst0nsm1th wrote: | In short, IME is hardware spyware? That's it? | rolph wrote: | out of band networked/remote hardware management. | stalfosknight wrote: | Intel's spyware is one big reason I look forward to switching to | Apple Silicon soon. | jeffbee wrote: | You believe there are not non-architectural cores in Macs? | stalfosknight wrote: | Do you have evidence otherwise? | jeffbee wrote: | Yeah, I do. Every system has tons of non-architectural | cores for security, power management, and for other | purposes.
Apple advertises some of theirs as, for example, the | "secure enclave" and, on older Macs, the T1 and T2 security | processor which runs the proprietary closed-source BridgeOS | and has unfettered access to everything on the system. | stalfosknight wrote: | Which one of these cores performs the same functions and | presents the same attack surface as the IME? | tzmudzin wrote: | Closed source, so we can speculate (or try to reverse | engineer/break it). | stalfosknight wrote: | So at best we have cynicism / paranoia regarding Apple's | T2. | jeffbee wrote: | That's all anyone has against IME, also. And BridgeOS | isn't any more secure. There are tons of known flaws in | it. | stalfosknight wrote: | Part of it runs bridgeOS. The Secure Enclave runs | something else altogether called sepOS. | | https://support.apple.com/guide/security/secure-enclave- | sec5... | anonym29 wrote: | By a 'zero trust' security philosophy, anything short of | completely open source is inherently untrustable. | | You may not be practicing that philosophy, but that | doesn't make those who do "paranoid" any more than | corporations implementing PCI-DSS controls. | | Security does not work retroactively, only proactively. | 8jy89hui wrote: | Couldn't the T2 chip (or other Apple security chips) do similar | things? | mmis1000 wrote: | Isn't T2 there because Apple didn't trust Intel ME at all? | | No one trusts this sh*t except Intel themselves. | | The only difference is Apple has the power to ask Intel to get | rid of it but we don't. | tzmudzin wrote: | I am not an expert in Apple hardware / firmware, but I admire | your trust that the US government could not exert the same | influence on Apple as they did on Intel. | | Intel probably had to disclose the existence of IME due to | collaboration with mainboard vendors. Apple does not face this | constraint, so it is a lot easier for them to keep such | subsystems under wraps.
| | Of course I'm just speculating here, but a product typically | mirrors its environment. | samatman wrote: | The IME was never a secret. Anyone can decap an Intel chip | and point to it. | | I find it implausible that the A/M series chips have an | independent subsystem that is so obfuscated that the expert | attention which each Apple die receives has turned up no | trace of it. | | The company has its own approach to secure compute with the | T2 modules, but no, I don't believe Apple would be able to | hide something like IME on their CPUs without it being | detected as such. | bilinguliar wrote: | "Anyone can decap a chip" made me laugh. I am curious how | many people can do that and then understand what is going | on. | samatman wrote: | The point is that the answer is "everyone who needs to be | able to". | | The number of expert and curious people, with the means, | is higher than the number of new chip types Apple or | Intel produces. There's always a detailed die photo | available within the first few weeks of a product | launching. | fragmede wrote: | Which is to say, it's hiding in plain sight. The secure | enclave and T2 modules can do _things_ to the processor. | Who's to say "things" doesn't include ME-like | capabilities? | wmf wrote: | The people who reverse-engineered the secure enclave | firmware can say that. | samatman wrote: | It might be useful to go over Wikipedia's entry for both | platforms, here's the IME: | | https://en.wikipedia.org/wiki/Intel_Management_Engine | | And this for the T2: | | https://en.wikipedia.org/wiki/Apple_T2 | | Neither of these is an obscure product; they are of great | interest to reversers and other security researchers. The | list of shady things IME does which the T2 isn't known to | is extensive.
| kragen wrote: | In recent decades it has become much harder in most | countries to get access to the red fuming nitric acid | necessary to decap epoxy-encapsulated chips; it's | considered a "drug precursor" and/or "explosives | precursor". I hear that a few years ago someone figured out | that boiling the chip in colophony for a few hours also | works? At the boiling point of the colophony, that is, not | water. I haven't tried it myself. | melvyn2 wrote: | Oh, the irony... Remember the hardwired 'Find My' geolocation | function built into the permanently-on T2 chip? | NoImmatureAdHom wrote: | Trusting Apple...doesn't make a lot of sense. They're almost | entirely security-by-obscurity. You have nothing to go on but | their promises. | fragmede wrote: | Apple doesn't tell us everything, but they do say a lot so I | don't think I'd call it security by obscurity. | | https://support.apple.com/guide/security/secure-enclave- | sec5... | | https://help.apple.com/pdf/security/en_US/apple-platform- | sec... | | They give us the architecture diagrams and tell us how the | locks on their doors work, but they don't give us the keys | for them. | | Remember: You don't actually own any iOS device because you | can't run unsigned code that you wrote on it. | NoImmatureAdHom wrote: | If the builds aren't verifiable and you can't put what you | want on there then it's just promises, which are worth | nothing. | | > Remember: You don't actually own any iOS device because | you can't run unsigned code that you wrote on it. | | We agree about that! | stalfosknight wrote: | I'm with you on the general idea that we shouldn't blindly | believe everything a for-profit corporation says, but at the | same time we shouldn't allow fact-free speculation, rumor, or | just plain cynicism to masquerade as facts either. | NoImmatureAdHom wrote: | I don't think it's controversial that trust in Apple's | extremely locked-down ecosystem basically comes down to "we | promise".
If it's closed source you can't verify. Even if | it's open, if it's not a reproducible build (or your own | build) that you install yourself then who knows what's on | there and what it does? | r00fus wrote: | Is there an equivalent to IME for AMD and/or Apple M-class | processors (that would similarly benefit from disabling for a home | user)? | chasil wrote: | AMD relies on ARM's TrustZone to do this. | | "The PSP itself represents an ARM core with the TrustZone | extension which is inserted into the main CPU die as a | coprocessor." | | https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo... | GuB-42 wrote: | The equivalent for AMD CPUs is called the Platform Security | Processor (PSP). I am not aware of a way to disable it. | | I don't know about Apple CPUs but they definitely have co- | processors running beside the main CPU. | | In fact, many people talk about the IME but the practice of | having proprietary systems with their own privileged hardware | is the norm nowadays. Another example is the "baseband" | processor in phones; it is a complete proprietary system with | its own processor, OS, etc... and it controls the modem, among | other things. | oarmstrong wrote: | I'd like to know more about AMD specifically too. I'm well | aware that PSP is their equivalent but there seems to be so | little information out there about it. Is it really an | equivalent? Is it as bad as ME? Can it be disabled? Does it | have the same level of access as ME? Have there been any | exploits of it yet? | | The Wikipedia page is rather bare. There's a couple of papers | linked to but frankly they go over my head. Is there any | respectable analysis out there? | arprocter wrote: | https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo... | CrLf wrote: | The IME gets a lot of hate around here, but let's not get | distracted by it: higher-privilege co-processors running code | outside the main OS' control is becoming (or already is) the norm | everywhere.
Intel-based PCs are just one instance of it (and | perhaps not even the most egregious one). | | Most hardware has evolved to effectively run the main OS under a | sandbox where it "thinks" it is in control, but isn't. | | A nice talk on this: https://www.youtube.com/watch?v=36myc8wQhLo | Xelbair wrote: | Sure, but does the separate co-processor need access to a | network stack? For a typical end user? Definitely not. | nullc wrote: | Is _any_ remote management system available to the public | using the ME stuff on consumer systems? I haven't seen it. | | And when you look at server hardware they have completely | different backdoor facilities. | | It really looks like pure pretext, especially since there | isn't just a simple BIOS option to comprehensively and | completely disable it. | bragr wrote: | It does if you want remote management, which almost every IT | department does. | [deleted] | salawat wrote: | ...And which almost every other computer decidedly does | not, and more problematically, every other computer user | has no visibility into the configuration, implementation | details, or actual specs of said highly privileged | component. | | It's one thing to have it, but if it sits out of my reach, | sorry hoss, I just don't trust you that much, and the fact | you and your buddies all do it and are the only shops in | town doesn't make me feel any better. | boppo1 wrote: | Can we not have separate enterprise and individual classes | of processor? | ranger207 wrote: | Heck, ECC is already market-segregated | bubblethink wrote: | This is also segmented. The remote management stuff is | marketed as vPro which is not available in all SKUs. | However, all Intel processors need the ME. | wmf wrote: | Consumer PCs already don't have vPro/AMT, although Intel | can't afford to make separate hardware so there's a | concern that the out-of-band hardware path could be | activated later by malware. | Spooky23 wrote: | We do.
Every time this topic comes up, everyone gets | angry about something that doesn't affect them, at all. | vetinari wrote: | We do, sort of. | | In order to have network access, Intel Management Engine | is not enough; it does not have full network access at | all. You need Intel AMT (also marketed as "vPro"), and | that one is paid extra. With CPUs featuring such support | being separate SKUs, so you would definitely know -- and | you can check in ark. You also need to pair it with Intel | Ethernet or Wi-Fi; any other network interface is not good | enough. | | So here you have it, your separate class of processor. | goodpoint wrote: | This is plain false. | chasil wrote: | No IT department wants their remote management at BlackHat. | | https://www.runzero.com/blog/ilo-vulnerabilities/ | | I'm not sure that iDRAC is much better; haven't checked | lately. | snuxoll wrote: | At least with IPMI interfaces on servers they have a | dedicated NIC port you can put on a restricted network. | [deleted] | akira2501 wrote: | > higher-privilege co-processors running code outside the main | OS' control is becoming (or already is) the norm everywhere. | | I don't think this fact is what you should focus on. The fact | that the blobs are binary, closed, proprietary, signed but not | easily verifiable by the user, and not easy to disable is the | problem. | | The promise is they're going to "improve security for PCs." | Yet, they're using techniques that we know to be invalid. | There's no reason to tolerate this. | freedude wrote: | When you consider both at the same time it is cause to pause | and speculate on how malware might take advantage of this | built-in tool. | armchairhacker wrote: | They can have a physical switch or tool to disable it, or | sell separate chips with/without IME. | | Unfortunately there isn't really incentive for Intel to do | this, unless larger companies / governments refuse to run | IME-enabled chips due to security concerns.
| Sirened wrote: | Yep, the practical difference between a hidden higher privilege | level and another random coprocessor on the system bus which | can send memory writes to your core's internal MMIO region | (common on ARM based SoCs, anyways) is quite literally zero. If | you can write arbitrary physical memory, the entire system is | cooked (well, mostly, but RIP SGX). IME is no worse than random | DSP, ISP, ML, etc. cores on your average SoC in terms of its | privilege in the system. Don't miss the forest for the trees. | uncletammy wrote: | > higher-privilege co-processors running code outside the main | OS' control is becoming (or already is) the norm everywhere | | There may be good arguments for allowing these types of | "features" but this is not one of them. I'm so tired of seeing | "it's fine because everyone else is doing it too" | marcosdumay wrote: | The GP is not saying anything is fine. | nicce wrote: | Well, he kinda makes it sound like the fight is over | and it is time to move on. | blueflow wrote: | Yes, and it's a movement in the wrong direction. I do not | trust the vendors to run code on co-processors that I have no | control over. I somewhat expect it to be spyware and ads/data | collection soon. | ethbr0 wrote: | And support DRM to protect media companies' IP. | | Because $$$ talks, and there's a _lot_ of money in media. | nicce wrote: | Well, luckily we have the TPM chip just for that... | pedro2 wrote: | Nope. The kernel module mei_hdcp exists on modern systems. | hsbauauvhabzb wrote: | 'Everyone else is doing it' is a bad excuse. Arbitrarily | focusing on Intel has made it so others know if they perform | shady actions then it's possible they'll also become an | arbitrary target. | | The disproportionate hate is a good thing, if you ask me. | StillBored wrote: | I sorta disagree with the premise of that talk, although the | problem is real.
|
| It's just that even that talk vastly underestimated just how many microcontrollers exist on a modern machine.
|
| In the past those controllers were isolated to a few areas (disk controllers, higher end network cards), but the drive over the past decade+ for more efficient devices and "universal" packetized buses (ex PCIe, USB) has sprinkled them in places simply to monitor utilization and adjust bus clocks, as well as packet scheduling and error/retry logic, etc, etc, etc. I was reading about some of the latest m.2 NVMe controllers a while back and IIRC there were something like a half dozen independent Arms just inside the controller. The last fully open disk stack on a PC was probably an MFM/RLL controller in the mid 1980's.
|
| So, while I would love it if the manufacturer of every little USB device or whatever published the full register documentation, firmware listings, whatever, that ship has long sailed. The worst part isn't looking for the piles of scattered SPI flash eeproms on random boards, it's the integrated "Secure" sides of these devices which happen to be all but invisible. None of that is going to be documented anytime in the near future. Every single one of these companies hides their "secret sauce" in the firmware of these devices, be that how to minimize latency on a NVMe device, to how to get maximum throughput on a wifi chip, to how to increase a DRAM controller's power efficiency. In some of these cases, the firmware probably isn't even that special, they are doing basically the same thing as every one of their competitors, but you will never get them to admit it.
|
| So, imagining that an "OS" can control this mess like a 1960's mainframe is nonsense. Modern mainframes don't even control stuff at that level anymore.
|
| So like software abstractions, we have hardware abstractions which provide higher level constructs for low level software to talk to.
| Be that something like XHCI where the system talks to generic endpoint queues and a processor does all the low level packet building/scheduling, or it's something like the tiny integrated cores making decisions about which parts of a CPU's clock and power domains need to be dynamically enabled/disabled for a given perf/power profile and the OS talks to generic firmware interfaces to set policies. To even LBA disk layouts which abstract away all the details of flash channels, COW, wear leveling, NAND error correction, bit pattern sensing, page/block erase sizes, etc.
|
| In the end, if someone wanted to actually work on this problem, the first step towards open hardware isn't really building a RISC-V system, it's building competitive NICs, keyboards, USB controllers, etc, etc, etc with open hardware designs. What we have today is like Linux, everyone wants to work on the kernel, no one wants to maintain old crufty code in Make. So, in the end swapping an x86 for a RISC-V doesn't give you more open hardware if it's still got its own management processors tied to the same closed hardware IP for literally everything else in the machine.
| Kukumber wrote:
| They banned Huawei equipment for less than that
|
| How come Intel gets away with it?
|
| I went ahead and I disabled it
| alex_duf wrote:
| It's about who your threat is. The US government probably likes having an American company (Intel) that distributes an attack vector. But they probably don't like being distributed one.
| clhodapp wrote:
| Architecturally, that is fine... but if it's not open and well-specified it will continually face (well-deserved) distrust.
| dottedmag wrote:
| Apple M* CPUs do not have anything like that.
|
| Their coprocessors are not higher-privileged. On the contrary, they are all isolated from AP, each other and main memory (by IOMMU).
| dizhn wrote:
| Thank you thank you thank you.
| I've been trying to find this talk forever after watching it once. I immediately knew this was it when I saw it under this particular thread. Super illuminating stuff.
___________________________________________________________________
(page generated 2022-10-26 23:00 UTC)