[HN Gopher] Disabling the Intel Management Engine
___________________________________________________________________
Disabling the Intel Management Engine
Author : metadat
Score : 366 points
Date : 2022-10-26 15:19 UTC (7 hours ago)
(HTM) web link (wiki.gentoo.org)
(TXT) w3m dump (wiki.gentoo.org)
| FortiDude wrote:
| The management engine is a privacy nightmare.
|
| It's incredibly useful for companies and organizations,
| especially when lending computers to their employees, but why the
| hell would this tech be put inside consumer devices? It just sits
| there as an exposed attack surface without the user even having
| the tools to maybe make something out of it.
| pwg wrote:
| > why the hell would this tech be put inside consumer devices
|
| Because it is cheaper to make one single CPU chip variant, that
| is then sold to both the corporate and consumer channels, than
| it is to make two, one with ME for the corporate channel, and
| another without ME for the consumer channel.
|
| Plus, once the ME was required to actually boot the CPU (note,
| why it became a requirement is a different argument), it then
| became much more expensive to omit for consumer grade CPUs
| because a "non-ME consumer grade" CPU would need to be a
| completely different chip with some alternate way to "initially
| boot up".
| throwaway0x7E6 wrote:
| Q:
|
| >but why the hell would this tech be put inside consumer
| devices?
|
| A:
|
| >It just sits there as an exposed attack surface
| washadjeffmad wrote:
| > It's incredibly useful for companies and organizations
|
| Is it? We don't use it for any of the 40k+ desktop or mobile
| devices we manage.
| jabroni_salad wrote:
| It gives you OOB management on every endpoint. These days I
| think it is less useful (I like autopilot/intune) but for
| some field devices it is nice to solve boot loop scenarios or
| similar bare metal problems over the internet instead of
| making a dude drive for 6 hours to BFE to find out why your
| doodad has ghosted.
| GekkePrutser wrote:
| Same here with 150k+. Not using it, certainly never asked for
| it.
|
| Same with all the vPro stuff (which is kinda related but not
| completely).
|
| We do use Windows autopilot though but that doesn't depend on
| IME.
| HideousKojima wrote:
| Back when I worked on the sysadmin side of things we used
| vPro for out of band management of servers in our
| datacenters, but we never used it for our 10k+ laptops and
| desktops.
| GekkePrutser wrote:
| Yeah exactly. We used Dell iDRAC remote management cards
| and HP ILO for that mostly. We still use the latter on
| the few servers we have left (which is very very few).
| But on laptops/desktops never.
|
| That still doesn't really give it any reason to have it
| in workstation chips, in Xeons perhaps...
| helpm33 wrote:
| If you're using Intel architecture, it needs at least some
| SMM: it is used on startup (initial hardware configuration)
| and often during power management events (CPU clock scaling,
| hibernation, etc). The article mentions that they disable
| most but not all of SMM, for those reasons.
| [deleted]
| rkagerer wrote:
| Hey Intel, I'd pay you a premium to buy a CPU with this crap
| already disabled.
| marcodiego wrote:
| Hey AMD, me too.
| adrian_b wrote:
| Some of the Dell professional laptops, at least many of the
| Dell Precision mobile workstations, have a customization option
| that allows the buyer to choose "Intel ME disabled".
|
| I hope that they really do disable it in the laptops sold with
| this option.
| pm2222 wrote:
| EFI, anyone? MBR works perfectly ok for me.
| [deleted]
| npteljes wrote:
| If anyone is interested, it's possible to buy a laptop with ME
| already disabled:
|
| https://puri.sm/products/librem-14/
|
| EDIT: there's more at Wikipedia:
|
| https://en.wikipedia.org/wiki/Intel_Management_Engine#Commer...
| jongjong wrote:
| The decision to create such an engine is so unwise, it's evil.
| no-dr-onboard wrote:
| @dang, maybe we should merge this? seems to be a dupe
| https://news.ycombinator.com/item?id=33344458
| dang wrote:
| There was one relevant comment in that thread. I've moved it
| hither. Thanks!
| maxchristman wrote:
| That post has a broken link, and this one is the resubmission.
| NoImmatureAdHom wrote:
| Anyone know if me_cleaner etc. work on the new 12th generation
| chips? It's not clear from the link.
| etiam wrote:
| Very nice reference.
|
| Anybody here got a complementary source to suggest for dealing
| with more difficult flash chips?
|
| ( > If your BIOS flash chip is in a PLCC or WSON package, you
| will need specialized equipment to connect to the chip, the
| process for which is not currently covered in this guide. )
|
| I've got a laptop with BIOS on WSON lying around unused since a
| while back because I haven't managed to take the time and dig up
| what's a reasonable way to interface with them. ( Bought the
| machine with an expectation of just clipping onto SOIC, like it's
| been in all my previous encounters. That'll teach me to look up
| the specs for the exact model rather than just something similar
| in the product line I guess.)
| LeifCarrotson wrote:
| There are two ways to do this:
|
| One is to buy an expensive, specialized test socket with pogo
| pins and a clamshell, from eg
| https://www.loranger.com/loranger_edc2/html/index.php or
| similar manufacturers. This is what you'd do if you wanted to
| do a burn-in test of some exotic amplifier or sensor, or to set
| up a small-scale assembly line and custom-program hundreds (not
| 1, not thousands) of these chips, and could write off a $100
| standard socket or $10,000 custom socket as a cost of doing
| business.
|
| The other way is to just use a hot-air gun to desolder the WSON
| from the motherboard, use some Chip Quik to temporarily solder
| it (or an identical chip you bought for $0.50 from Digikey) to
| a breakout board, program that, desolder it, then reattach it
| to the motherboard.
|
| Of course, the third way is to have the manufacturer or the
| distributor do this for you.
| laweijfmvo wrote:
| How does something like this access my network? Like if I'm
| connected to WiFi, what's the stack look like for this chip
| getting access to that without the OS cooperating?
| kevin_thibedeau wrote:
| It has an enhanced 486 running Minix and unrestricted access to
| everything on the system bus.
| mmis1000 wrote:
| Because the Intel ME 'is' a standalone system. So it can do
| anything on its own. Of course it won't connect to your WiFi
| because it doesn't know the password. But LAN connections don't
| need a password, so it can connect and listen to it in that case.
| erik_seaberg wrote:
| There is a standard for LAN authentication, though I think
| only high-end network hardware enforces it.
|
| https://en.wikipedia.org/wiki/IEEE_802.1X
| laweijfmvo wrote:
| Most laptops don't even have an RJ-45 anymore
| wmf wrote:
| WPA Enterprise is basically 802.1x over Wi-Fi and yes,
| the ME has drivers for Intel Wi-Fi cards.
| snuxoll wrote:
| Depends on your definition of "high-end". While I
| personally stick with Mikrotik and Juniper gear, a TP-Link
| TL-SG2008 is only $70 and gives you 8x1GbE ports and
| supports 802.1x just fine. For wireless you'd use WPA-
| Enterprise, which is pretty common on most consumer grade
| routers (for some reason), readily accessible on anything
| you can install OpenWRT on, and then on prosumer stuff like
| Ubiquiti APs.
| wmf wrote:
| It requires an Intel NIC which connects to both the main CPU
| and the ME at the same time. The ME has drivers for Intel NICs
| and a full TCP/IP stack. From the docs:
| https://software.intel.com/sites/manageability/AMT_Implement...
|
| "The Intel 82566 Gigabit Network Connection identifies out-of-
| band (OOB) network traffic (traffic targeted to Intel AMT) and
| routes it to the Intel ME instead of to the CPU. Intel AMT
| traffic is identified by dedicated IANA-registered port
| numbers. The [southbridge] holds the filter definitions that
| are applied to incoming and outgoing in-band network traffic
| (the message traffic to and from the CPU). These include both
| internally-defined filters and the application filters..."
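The routing rule quoted above means a defender can spot ME-bound traffic by destination port alone: the ME answers on the host's own IP address, so any endpoint receiving traffic on the AMT ports is one whose ME is reachable. The script below is an added example, not code from the thread or from Intel's documentation; it assumes the publicly registered AMT/ASF port numbers in AMT_PORTS and runs over constructed flow-log lines.

```python
"""Flag Intel AMT out-of-band (OOB) traffic in flow records.

Added example, not from the thread or Intel's docs.  Assumption: the
IANA-registered AMT/ASF port numbers below are the ones an AMT-capable
Intel NIC diverts to the ME; the flow log lines are constructed.
"""
import re
from collections import defaultdict

# Ports an AMT-capable Intel NIC hands to the ME instead of the host CPU
# (public IANA assignments, assumed here; extend for your environment).
# Note: 623/664 are also used by IPMI BMCs such as iDRAC/iLO, so a hit on
# those ports needs a check that the target is a workstation, not a BMC.
AMT_PORTS = {
    16992: "amt-soap-http",
    16993: "amt-soap-https",
    16994: "amt-redir-tcp",
    16995: "amt-redir-tls",
    623: "asf-rmcp",
    664: "asf-secure-rmcp",
}

# One flow per line, as key=value pairs a generic firewall/NetFlow
# exporter might emit (constructed format).
FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)"
)

# Constructed sample log: two endpoints see AMT traffic, the rest is normal,
# and one line is malformed to exercise the parser's error path.
SAMPLE_LINES = [
    "src=10.0.0.5 dst=10.0.0.20 proto=tcp sport=51012 dport=16992 bytes=1200",
    "src=10.0.0.5 dst=10.0.0.20 proto=tcp sport=51013 dport=16994 bytes=8800",
    "src=10.0.0.9 dst=10.0.0.21 proto=udp sport=623 dport=623 bytes=96",
    "src=10.0.0.20 dst=93.184.216.34 proto=tcp sport=44321 dport=443 bytes=5600",
    "src=10.0.0.7 dst=10.0.0.21 proto=tcp sport=50111 dport=22 bytes=3100",
    "garbage line the exporter should never have produced",
]


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        flow[key] = int(flow[key])
    return flow


def find_amt_flows(lines):
    """Return one finding per flow whose destination port belongs to AMT.

    The destination host in a finding is the endpoint whose ME is being
    talked to; it is the host's normal address, not a separate
    management address, which is exactly why this bypasses the OS.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        service = AMT_PORTS.get(flow["dport"])
        if service is not None:
            findings.append({
                "endpoint": flow["dst"],
                "peer": flow["src"],
                "service": service,
                "proto": flow["proto"],
                "bytes": flow["bytes"],
            })
    return findings


def summarize_by_endpoint(findings):
    """Group findings by endpoint so an analyst sees which hosts answer
    on ME-owned ports and who is talking to them."""
    summary = defaultdict(lambda: {"services": set(), "peers": set(), "bytes": 0})
    for f in findings:
        entry = summary[f["endpoint"]]
        entry["services"].add(f["service"])
        entry["peers"].add(f["peer"])
        entry["bytes"] += f["bytes"]
    return dict(summary)


if __name__ == "__main__":
    report = summarize_by_endpoint(find_amt_flows(SAMPLE_LINES))
    for host, info in sorted(report.items()):
        print(f"{host}: {sorted(info['services'])} from "
              f"{sorted(info['peers'])} ({info['bytes']} bytes)")
```

On a fleet where, as several commenters above say, nobody uses AMT, any endpoint that shows up in this report is either misconfigured or worth a closer look; where AMT is in use, compare the peers against the known management consoles.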
| ridgered4 wrote:
| Does this mean if your motherboard lacks an Intel NIC (or if
| you use an add on card instead) that it cannot communicate?
| wmf wrote:
| Yes, that is my interpretation.
| jrmg wrote:
| How common are these Intel NICs?
| wmf wrote:
| 100% of business PCs have Intel NICs because it's required
| for vPro. In the consumer market Intel NICs are generally
| considered (marginally) higher quality than Realtek. Intel
| Wi-Fi is also very common.
| thrillgore wrote:
| Unfortunately it lost me at the risk to brick my computer. Intel
| needs to be brought to court to stop enabling IME, not with
| hacks. If I have to use IME, the system I use will be considered
| insufficient for secure purposes and I'll just use another system
| for secure matters.
| radicalcentrist wrote:
| The risk of bricking isn't so bad as long as you keep a copy of
| the original firmware. If the patched firmware doesn't boot,
| you can always revert back.
| Razengan wrote:
| Good thing there's nothing like that in the Apple chips... or
| is there? :think:
| gjsman-1000 wrote:
| There is - it's called the "Secure Enclave." However, it is
| just another block on the processor and isn't this always-
| running ghost system underneath you. It cannot be shut down
| once started without a reboot - but it is completely up to you
| whether to start it in the first place. So, if you don't start
| the Secure Enclave and load its Apple-signed firmware, it will
| just sit there dark and unused.
| warner25 wrote:
| Usually when I'm reminded about IME (and whatever the equivalent
| is in AMD chips), it's in the context of some strong claims about
| it being "game over" for security and privacy against mass
| surveillance, engineered / funded by nation-state intelligence
| agencies, and rendering all other technical efforts moot. They
| make it sound plausible, and I think "why isn't this talked about
| or investigated more?" The section of the Wikipedia page that
| discusses the "backdoor" claim is frustratingly thin. I just
| don't know what to make of it. Hyperbole about a crappy thing,
| like the bloatware pre-installed on most new laptops and phones
| by the vendor? An open secret, with discussion about it
| suppressed?
| TheNewsIsHere wrote:
| This is offered very much in a "take it for what you will but
| for obvious reasons I am not going to give many more details"
| spirit. I worked for a major player in cybersecurity back when
| they were really trying to get everyone onboard with SGX. Our
| CISO was a technical guy, and worked closely with a peer who
| had a hybrid academic and professional background in
| cryptography. They both had strong credentials in mathematics
| and one was a practicing mathematician at one point.
|
| After a thorough review, all of the stakeholders who reviewed
| it told the executive leadership not to touch it because their
| opinion was that it couldn't offer anything meaningful beyond
| what we already had in place using the Windows API and its
| interface with the TPM, and they had concerns about what they
| felt were insufficiencies in the SGX design.
|
| That experience was a bit more in-depth than I've detailed
| here, but the takeaway for me was that Blue was desperately
| trying to justify a technology that wasn't what it was hyped up
| to be.
|
| I've often thought IME is the same thing, "different day".
|
| Edit: typo
| VictorPath wrote:
| Before looking at IME, let's review other topics. Printer
| machine identification codes were secretly inserted into
| printers some time between the 1980s and 2004. Our
| communications are being monitored in a host of ways. One last
| refuge was our CPU, but now that is under foreign control as
| well.
|
| Then there's older US government operations like Minaret,
| Shamrock, Cointelpro etc. to surveil US domestic political
| activities, from black civil rights, to Vietnam doves, to a
| very extensive surveillance of feminist groups. Cointelpro also
| involved US intelligence disrupting political movements,
| writing poison pen letters (a database admin and 60s peacenik I
| knew had one sent to his boss, a lawsuit later revealed the FBI
| sent it).
|
| Nowadays this is PRISM, Xkeyscore etc. interacting with the
| telco monopolies and FAANG, to spy on Angela Merkel's phone
| calls (along with BND turned by the CIA), disrupt Airbus
| contracts in favor of US aerospace etc.
| npteljes wrote:
| I think we frankly don't know how much of a problem it is, yet.
| Since there's no widely applicable remote exploit for it, as
| far as the mainstream is concerned, all we're left to do is
| speculate on the risk. If someone operates a server, it's best
| practice not to have any extra services running on top of
| what's needed to run the original service. This is because
| every extra open port, software or complexity increases the
| attack surface. Same with Intel ME: people don't understand why
| it needs to be there if nobody seems to even use it.
|
| Preinstalls are not hyperbole though, there were some nasty
| stuff over the years. Lenovo, for one, bundled Superfish, which
| man-in-the-middled all HTTPS browser communication[0]. Similar
| effort from Dell[1].
|
| I think ME's situation is similar to Stallman's attitude toward
| proprietary software. Proprietary is not evil by itself, but
| it's very easy to corrupt it to be so, and then the end user is
| powerless. And because the end user can't decide when this
| change happens, they are powerless to begin with. Therefore the
| thing shouldn't exist in the first place.
|
| [0]
| https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...
|
| [1] https://en.wikipedia.org/wiki/Dell#Self-signed_root_certific...
| midislack wrote:
| It's a backdoor for sure. I think the extensive online campaign
| which desperately tries to prove it's not, proves it is. Who can
| afford to police EVERY forum, social media platform, and web
| site only to call people mentally ill for suspecting it is?
| It's a pattern which only fits certain players.
| CyberDildonics wrote:
| > the extensive online campaign which desperately tries to
| prove it's not, proves it is
|
| That's like saying the extensive campaign to prove the earth
| is a sphere proves it's flat. That isn't how logic works.
| Spooky23 wrote:
| That's what they want you to think.
|
| First they make you drink fluoridated dihydrogen monoxide,
| then when you get a job in enterprise IT, the extra ions in
| your teeth make you pay extra for vPro.
| pkulak wrote:
| It's just too old for people to be outraged about still.
| anonym29 wrote:
| By this logic, should we not be outraged by 19th and 20th
| century genocide?
| charcircuit wrote:
| Yes, as someone born in the 21st century all of that is
| just stuff in some history book that I was forced to learn
| to pass some test.
| Alupis wrote:
| > By this logic, should we not be outraged by 19th and 20th
| century genocide?
|
| Well, no. I don't think you will actually find a real
| person living today that matches a real definition of
| "outrage" for genocides in the 19th and 20th centuries.
|
| Discarding performative theatrics, you will find people who
| all agree it was bad... but they won't be literally
| outraged. The passing of time, and generations, has that
| effect.
| kragen wrote:
| Pretty sure Holocaust survivors and their immediate
| families, not to mention the scarcer immediate family
| members of Holocaust non-survivors, are still outraged
| about the Holocaust. I don't think that's performative
| theatrics.
| Spooky23 wrote:
| Performative theatrics is attempting in any way to
| contrast Intel vPro with the Holocaust.
| kragen wrote:
| Intel vPro and similar systems centralize power over
| communication and record-keeping in a way that has
| historically been both necessary and sufficient to cause
| atrocities like the Holocaust, the Great Leap Forward,
| GULAG, and so on.
|
| But, because of newly pervasive computer mediation of
| day-to-day interactions, these spyware systems
| potentially provide a degree of centralized social
| control that Stalin or Mao could never have dreamed of.
| Recent infringements on human rights in XUAR provide a
| preview of the resulting future. Essentialist
| explanations that attribute them to some unique depravity
| of the Chinese race are utterly implausible; they are due
| to the lack of effective checks and balances on state
| power.
|
| Consequently we can expect the atrocities resulting from
| systems like vPro to be far worse than the Holocaust or
| any other historical events.
| Alupis wrote:
| I cannot tell if you are arguing in good faith or if this
| is some very clever wit.
|
| Comparing vPro to Stalin, Mao, the Holocaust and more is
| really not serving to forward your argument...
| particularly while you have an iPhone or Android device
| in your pocket, watch curated TV content on your Smart
| TV, and drive your modern car into the office where you
| use your Windows or OSX computer and ISP provided DNS.
|
| This would definitely count in the "performative
| theatrics" category of any normal book. Why is this age
| so sensationalized? Words are becoming meaningless due to
| overuse, abuse and re-definition to fit convenient
| arguments...
| anonym29 wrote:
| I'm in no way conflating the impact of the two, I'm
| pointing out that the implication of the original comment
| "It's just too old for people to be outraged about
| still", is that people shouldn't be outraged at evil
| things solely because those evil things happened a long
| time ago.
|
| The implication itself is ridiculous. Time does not make
| evil things less evil.
|
| To suggest that I'm contrasting the impact of ME (not the
| same as vPro) with the holocaust is either blatantly
| missing the point or a deliberate, bad faith strawman.
| Alupis wrote:
| The word "outrage" is problematic. It implies, by its
| very definition, that the mere mention of these things
| brings people into a fury of uncontrollable anger.
|
| I would wager people are abusing the word and changing
| its meaning to sensationally signal displeasure or
| disappointment with historical events. Those are not the
| same.
|
| Outrage has an emotional immediacy to it. It's really
| hard to be actually outraged by events that transpired 40
| years ago, 100 year ago, centuries ago or more.
|
| I assert there is no human alive today that is actually,
| really outraged by the Holocaust or any of the other
| atrocities mankind has perpetrated over its history. Who
| would they be outraged with? Hitler - who has been dead
| for 77 years? The Nazi party that has not existed for 77
| years?
|
| It would be quite emotionally immature to be literally
| outraged with any of this in a modern context...
| pkulak wrote:
| I'm not telling you what emotions to have, just observing
| the world around me.
| hsbauauvhabzb wrote:
| Those two things have disproportionate direct impact and
| can't really be compared on the same level. But apples for
| apples, school educates students about genocide and not
| about the privacy considerations of backdoor chips.
| anonym29 wrote:
| I'm in no way conflating the impact of the two, I'm
| pointing out that the implication of the original comment
| "It's just too old for people to be outraged about
| still", is that people shouldn't be outraged at evil
| things solely because those evil things happened a long
| time ago. The implication itself is ridiculous. Time does
| not make evil things less evil.
|
| To suggest that I'm contrasting the impact of ME (not the
| same as vPro) with the holocaust is either blatantly
| missing my point (that the implication of the original
| comment is obviously completely false) or a deliberate,
| bad faith strawman.
| michaelt wrote:
| _> Hyperbole about a crappy thing, like the bloatware pre-
| installed on most new laptops and phones by the vendor? An open
| secret, with discussion about it suppressed?_
|
| Personally, I worry about things like IME based on an entirely
| hypothetical theory: I think many of the big tech companies are
| riddled with spies from a variety of nations.
|
| My rationale for this is simply that if I was in charge of a
| spy agency's offensive cybersecurity group, my top priority
| would be placing agents in Microsoft, Apple, Google,
| Cloudflare, Juniper, Cisco and so on. They'd have orders to be
| careless in undetectably subtle ways - nobody's imprisoning a
| guy just because he added log4j to the codebase in 2010. To me
| this seems well within the capabilities of a spy agency with a
| multi-billion-dollar budget and tens of thousands of employees.
|
| Even with code reviews, I doubt anyone could deliver a project
| like IME with no security bugs, if five of their peers were
| compromised by different nations' spy agencies.
|
| If you think that's completely believable and what else would
| spy agencies be doing in the modern age, you'd be very
| suspicious of IME. But if you think that's an undisprovable
| conspiracy theory with no solid evidence whatsoever, you might
| think IME sounds just fine.
| warner25 wrote:
| > my top priority would be placing agents in Microsoft,
| Apple, Google, Cloudflare, Juniper, Cisco
|
| Interesting thought. Or more likely, I'd guess, spy agencies
| might recruit existing Big Tech company employees who have
| access to sensitive and desirable things. That's usually how
| it happens, reportedly, when American security clearance
| holders get caught doing bad things: they aren't deep cover
| agents who spent years working their way into position, they
| approached or got approached by foreign agents because of
| their position.
| myself248 wrote:
| Before Snowden, I think absence of evidence could often be
| construed as evidence of absence.
|
| But I think that ship has well and truly sailed.
|
| We now know that, behind closed doors in classified places,
| every bad thing we imagined might be happening, _was_
| happening, and then some, beyond the scale of the wildest
| imaginations of the most paranoid activists. And then some, and
| then some.
|
| The fact that we don't have proof of _this_ particular bad
| thing, which is entirely possible and downright trivial and
| could actually be the entire purpose for which the
| functionality was designed, should in no way suggest that the
| capability isn't being used.
|
| Ten years ago, I could see that being a reasonable argument.
| Now it just rings as blindingly naive.
| charcircuit wrote:
| It's not talked about more because it's a crazy conspiracy
| theory that has no merit. After all these years of scrutiny the
| worst vulnerability required physical access and disassembly in
| order to perform a hardware attack.
|
| The people who believe this conspiracy theory, like many
| others, peddle misinformation to prove their point. No matter
| how much you try and debunk it you can't change their mind.
| warner25 wrote:
| Yeah, see that's the other side of the story that doesn't
| seem to be told much either, and I'm interested in that too.
| It does seem like some researcher or journalist should have
| blown the case open by now if this thing were systematically
| providing telemetry from everyone's "powered off" (but still
| plugged in) machines to an intelligence agency. Can you point
| to an article or paper that thoroughly debunks the claims as
| crazy conspiracy theories?
| pencilguin wrote:
| gjsman-1000 wrote:
| It doesn't necessarily need to be a backdoor. Look up Remote
| Attestation, which is getting easier every year. With that, you
| can run whatever software you want on your device - but other
| servers do not need to talk to your device if they detect that
| you are.
|
| It's coming up in Android more with SafetyNet. If your device
| is rooted, you fail SafetyNet. If you fail SafetyNet, almost
| all banking app servers will refuse to talk to you, rendering
| their apps useless. SafetyNet could be spoofed historically,
| but SafetyNet is moving into hardware instead of software since
| ~2020, so the spoofing has gotten way, way harder and may cross
| into downright impossible.
|
| It's also coming to Windows with the Windows 11 TPM 2.0
| requirement. See the video game Valorant, for example. If you
| are on Windows 11, it will mandate that you have a TPM 2.0
| enabled and Secure Boot enabled. It has exceptions for VMs and
| Windows 10 and earlier right now - but they can literally close
| that door, at any time, and immediately remotely lock all
| machines to that requirement. No amount of game patching will
| bypass it - the multiplayer servers won't talk to you unless
| your hardware cryptographically reports that you've passed
| Secure Boot checks.
| LinuxBender wrote:
| _If you fail SafetyNet, almost all banking app servers will
| refuse to talk to you_
|
| This is probably unique to me but I see that as a bonus
| security feature. All I want to use the phone for is voice,
| text, mumble, irc and ssh/sftp, only things hosted by me. I'm
| still trying to find a non-google rom that is well supported
| for my model of android. If I could get a vendor unlocked CAT
| I would turn the droid into a dedicated mp3 player.
| denton-scratch wrote:
| > It's also coming to Windows with the Windows 11 TPM 2.0
| requirement.
|
| My Lenovo L430 is apparently incapable of running Win11 for
| that reason. Win10 will soon be out of support, so I'm
| preparing to blow away my last-ever Windows system, and
| become all-Linux. I'm looking forward to it.
| fencepost wrote:
| Isn't 'soon' 3 years from now? And it'll definitely impact
| PCs more than 7-10 years old at that point, but that's kind
| of a hard number to get worked up about. If it's that big a
| deal, when the deadline gets closer buy a new-to-you 7 year
| old machine for a couple hundred dollars.
| azalemeth wrote:
| This is all true, and all frankly awful. I refuse to take
| part in apps that do this and implore you all to do the same.
| arprocter wrote:
| The AMD version is
| https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...
|
| They seem to update it a lot less frequently than Intel
| NoImmatureAdHom wrote:
| The existence of the High Assurance Platform (HAP) bit makes it
| pretty clear that 1) three-letter agencies don't trust the IME,
| and strongly implies that 2) they asked for it to be there in
| the first place.
|
| "High Assurance Platform"
| https://trademarks.corporationwiki.com/marks/high-assurance-...
| warner25 wrote:
| Yeah, that's the kind of thing I've seen before, lots of
| circumstantial evidence that makes the claims sound
| plausible, but then the trail just seems to stop cold.
| NoImmatureAdHom wrote:
| I mean, it is the NSA. They're probably pretty good at what
| they do. I should hope so, tax dollars pay for it.
| shrubble wrote:
| 'Who benefits?' Seems to be a relevant question.
|
| Intel has to have spent quite a bit of money to add any
| feature that you see; so why would they do that without a
| strong market case...?
| NoImmatureAdHom wrote:
| Yeah, nobody in this topic has copped to actually _using_
| the ME so far. I've never heard of anyone using it.
| AnssiH wrote:
| Most do not use it "directly", but instead use features
| implemented by it.
|
| E.g. I've used Intel Platform Trust Technology (PTT) to
| implement system security features, and AFAIK that runs
| on ME.
| boppo1 wrote:
| >trail just seems to stop cold.
|
| There's your evidence.
| djbusby wrote:
| No, that's the absence of evidence.
| NoImmatureAdHom wrote:
| Only when your priors are that absence of evidence (in
| the sense of the trail going cold) is normal. Your parent
| comment's point is that this is a _conspicuous_ absence
| of evidence.
| salawat wrote:
| Absence of evidence isn't evidence of the absence
| thereof.
|
| That it runs cold lodges it firmly in the "we are pointedly
| not going to talk about it" space, which for me is where
| the worry even starts. If my little gray hat wearing mind
| can come up with plausible ways to exploit something like
| that...
|
| A) I am not that smart
|
| And
|
| B) Someone in a position to pull something like that off
| has probably already implemented it.
| checkyoursudo wrote:
| With regard to the guide itself, please be aware that the guide,
| of which this is but one section, is no longer actively
| maintained (since 2020).
|
| It is a great and useful guide. I have used it to modify my own
| Gentoo installation. But, be aware of what you are doing. :)
| pkulak wrote:
| This is the big benefit of companies like System76 that disable
| this for you.
| freefal wrote:
| "removes the vast majority of the ME's software modules
| (including network stack, RTOS and Java VM)"
|
| There's a Java VM on these things?!
| mmis1000 wrote:
| Not surprised, Java vm is literally everywhere. From your
| credit card to sim, if it is a ic card then there is Java vm.
| It is almost universal language for mini embedded system for
| some reason I don't understand.
| goodpoint wrote:
| > It is almost universal language for mini embedded system
| for some reason I don't understand.
|
| Marketing-fueled hype.
| smolder wrote:
| IIUC, it's because it's easier to rigorously prove the VM
| prevents classes of bugs (i.e. memory safety issues) and then
| _reuse_ that VM in many places than it is to rigorously prove
| that many separate embedded systems _not relying_ on the VM
| have independently avoided those bugs.
| hedora wrote:
| Is there an example of a JVM that has been proven correct
| in this sense?
|
| I haven't heard of one.
| [deleted]
| dmitrygr wrote:
| ME gets a lot of well-deserved hate. And a lot of work goes into
| disabling it. But I am surprised that none of the people working
| on such projects ever looked at the very peculiar ME payloads
| that intel chromebooks carry for hints on how to do it better...
| londons_explore wrote:
| Why exactly isn't there a setting or jumper to just disable this?
|
| I don't really see a business reason for Intel to make this hard
| to do...
|
| They _could_ totally have made the machine reset if the ME
| couldn't be initialized. But they didn't.
| nullc wrote:
| > They could totally have made the machine reset if the ME
| couldn't be initialized. But they didn't.
|
| Hm? That's what they did: if you disable too much of the ME the
| computer will reboot after 30 minutes.
| w1nst0nsm1th wrote:
| Reminds me of that secured phone sold by a German company to
| governments around the world.
|
| In practice, the company was indeed a joint venture involving
| the US government, who used a German proxy to sell compromised
| hardware to unsuspecting officials. Everything went straight to
| the NSA.
| rolph wrote:
| rather than disable ME, I would want to pwn it.
|
| you can dump, substantially re-engineer, and write back, to add
| utility, and provide service to end user.
|
| or could it be like the one ring?
| RetpolineDrama wrote:
| It's absolutely insane that _this_ is what it takes to get IME
| fully disabled.
| chasil wrote:
| This does not _and cannot_ "fully disable" the ME subsystem on
| modern CPUs.
|
| A small remnant is left operational - without it, a PC shuts
| down after 30 minutes (this is well-known).
|
| The Core 2 Duo/Quad architecture was the last iteration where
| the ME subsystem could be entirely removed.
|
| I posted two BIOS images on this link for old HP machines. They
| can easily be flashed from within the booted bios without much
| hassle. Looking for the link...
|
| Found it on Bing of all places!
|
| https://github.com/corna/me_cleaner/issues/233
| tomxor wrote:
| > The Core 2 Duo/Quad architecture was the last iteration
| where the ME subsystem could be entirely removed.
|
| Yeah, but unfortunately Intel also didn't bother providing
| microcode patches for Meltdown on those chipsets "because too
| old" by some arbitrary definition of "old".
| chasil wrote:
| These are vulnerable to Meltdown, and the page table
| isolation patches are required to secure kernel memory.
| These do involve a performance hit, so I'd recommend Core-2
| Quad 9550s as an upgrade for a minimally-usable machine.
|
| However, these are not SMT/hyperthreaded, so many of the
| Spectre vulnerabilities do not apply.
|
| OpenBSD runs well enough on them, and these machines are
| likely what I trust most with this OS.
|
| Most Linux runs on these machines (RedHat 9 doesn't -
| requires an i3), but will pause on the mei_me module and
| look for a response from the ME that you have lobotomized;
| blacklist the related modules if you want to boot faster.
| chasil wrote:
| The well-known spectre-meltdown check says that my Q9650
| is not vulnerable to Meltdown or Spectre 1-3.
|
| It is vulnerable to variant 3a, 4, Fallout, Zombieload,
| and both RIDLs.
|
| https://github.com/speed47/spectre-meltdown-checker
| [deleted]
| [deleted]
| dottedmag wrote:
| Well, it's a very detailed guide on how to dump the contents of a
| flash device, update it and put it back.
|
| If the guide said "dump the flash" and "write back the flash"
| instead of the detailed instructions, and only described
| firmware manipulation steps in details it would be much
| shorter.
| intelVISA wrote:
| Both absolutely insane and completely understandable.
|
| ...hopefully RISC-V will save us from this nightmare.
| gjsman-1000 wrote:
| Ha - no. Absolutely not. I don't know where this total myth
| came from that RISC-V is open source therefore
| implementations will be better.
|
| RISC-V is just an ISA (Instruction Set) that anyone can use,
| but what people use it in, and how they use it, is not
| specified and does not have to be open source. Apple could
| take RISC-V, plop it in their iPhone, and release it tomorrow
| in a processor that only boots Apple-signed code and requires
| proprietary firmware without any issue whatsoever. Intel
| could literally release a Core i5 with a RISC-V instruction
| set and an Intel ME built-in, no problem.
|
| Where the hope mainly comes from is small chip developers
| like SiFive, who make many of their drivers and such open-
| source. But that's only if you buy from vendors like them -
| if you implement your own RISC-V core, there's no requirement
| that the drivers or firmware be open-source for it, in any
| way. You might say that's a missed opportunity. I say RISC-V
| wouldn't have caught on otherwise.
| smoldesu wrote:
| > I don't know where this total myth came from that RISC-V
| is open source therefore implementations will be better.
|
| The hope is that (unlike x86/ARM) you will be able to
| purchase core designs from people who aren't sockpuppets.
| RISC-V will at least let people choose between which
| backdoor they want installed, which is an upgrade from a
| status quo of "All Your TCP Traffic Belongs To U.S.".
|
| It's not exactly Superman, descending from the skies to
| deliver us from dystopia. But it's certainly a better path
| than letting ARM dominate any more of our chip landscape.
| walterbell wrote:
| _> The hope is that (unlike x86 /ARM) you will be able to
| purchase core designs from people who aren't
| sockpuppets._
|
| It also lowers the barrier to entry for new/rebranded
| sockpuppets, but having choices is a step in the right
| direction.
| evilos wrote:
| So... you're saying someone could (but not necessarily
| will) save us using RISC-V. Seems like a necessary
| precondition to it.
| MisterTea wrote:
| > Where the hope mainly comes from is small chip developers
| like SiFive, who make many of their drivers and such open-
| source.
|
| But there are still roadblocks as they likely bought the
| memory controller from a 3rd party as an IP block they drop
| into their chip. This means the bring up procedure for the
| memory controller is proprietary and delivered in blob form
| to be loaded into the black box ip. Likely the same for
| other 3rd party ip blocks as developing this stuff from
| scratch is very difficult and time consuming. Especially
| for critical hardware like memory controllers. This makes
| opening the platform's firmware just as tricky as any other
| chip from $bigvendor. This makes full top-to-bottom
| security audits difficult or impossible.
| justinclift wrote:
| > Where the hope mainly comes from is small chip developers
| like SiFive, who make many of their drivers and such open-
| source. But that's only if you buy from vendors like them
| ...
|
| So, you're saying it _is_ possible (or will be down the
| track...) as long as things are bought from SiFive or a
| similar OSS-friendly place.
|
| That's still a large improvement over the current
| situation, even if other vendors take a different,
| locked-down approach.
| RobotToaster wrote:
| It's still an improvement over x86, where anyone who
| manufactured an alternative would be sued into oblivion by
| intel for patent infringement.
| sprash wrote:
| Next year all x86_64 patents will expire. From then on
| everybody can make an IME/PSP/Pluton-free x86_64 chip.
| This makes RISC V completely obsolete since the x86
| ecosystem is obviously much more mature.
| smoldesu wrote:
| > This makes RISC V completely obsolete since the x86
| ecosystem is obviously much more mature.
|
| While I'd really love to agree with you, the IPC of a
| RISC-V chip can annihilate an x86 machine on equivalently
| advanced manufacturing node. Its performance-per-watt
| can reach up to 10x efficiency over x86 in the right
| situations, and pretty much all of the cool stuff we like
| in x86 can be added as an ISA extension.
|
| If we're headed to a RISC/low-power computing future,
| RISC-V will be the future people's champion. x86 will be
| a legacy compatibility mode that we use for games and
| "retrocomputing", likely.
| tmtvl wrote:
| X86 may be mature but I think the M1 has shown that there
| is plenty of potential for improvement. I know M1 is ARM
| instead of RISCV, but there may yet be ways to get better
| chips.
|
| That said, the hardware we have is really good, it's just
| the software side that is a complete garbage heap.
| smoldesu wrote:
| Apple Silicon was an interesting move when you look at it
| from a numbers perspective. The M1 is a really impressive
| chip, but AMD had competitive x86 hardware that was out
| on the 7nm node. It benchmarked ~10% slower (the 4800u
| did, at least), consumed more power (25w max vs 15w max)
| and ran equally as hot as M1, but it did make me wonder -
| could AMD have made an M1-class chip if TSMC sold them
| the 5nm silicon they needed? It's hard to say, and
| arguably the Zen process wasn't (and still isn't)
| competitive with Apple's process enhancement.
|
| Still though, AMD seems convinced that x86 can compete
| against modern RISC ISAs. They aren't far away from
| proving themselves right, honestly.
| intelVISA wrote:
| Ofc, as you mentioned RISC-V is simply an open-source ISA;
| however, it is arguably the groundwork for chips
| independent of Intel/AMD.
| midislack wrote:
| In the future, buying Chinese designed and made RISC-V will
| be the way to assure yourself that there's no extra NSA
| garbage in there.
| RunSet wrote:
| But according to Intel it exists to provide functionality that
| is desired by hardware owners.
|
| Big "Look what you made me do" energy.
| GekkePrutser wrote:
| As hardware owner I disagree.
|
| Both personally and as part of the management team of 150.000
| computers at work, we don't use this stuff there either.
| chasil wrote:
| I can tell you that I have used HPE Integrated Lights Out
| (iLO) on Gen8/9/10 servers.
|
| It is a great help for server lock-ups - it is able to
| force a full power-down of the main board and cold-boot.
|
| The software behind iLO was also a presentation at
| BlackHat, so it's important to keep them patched (and I
| don't know anybody else that does).
|
| https://www.blackhat.com/us-21/briefings/schedule/index.html...
| everforward wrote:
| I've used that and Dell's DRAC. They have their uses. We
| ran those on a separate network, and it was somewhat
| routine to use them to get into a host that was locked up
| or had disconnected from the network somehow.
|
| It's definitely a security risk, but at a big company
| with a poorly managed IT department it wasn't the worst
| offender.
| GekkePrutser wrote:
| Yep we use that too but it has nothing to do with IME.
|
| We also have Dells with iDRAC cards. But it's a nice
| thing with iLO that it's built-in, _and_ it can be
| managed on a completely dedicated out-of-band network.
| Unlike the IME thing.
|
| I understand there's a point to this in stuff like
| servers, but for workstations?
| Spooky23 wrote:
| I use it to segment network access.
|
| The devices are on an untrusted network and VPN into a
| LAN based on the device assignment. Things like printers
| are on a separate network, and there's no cleartext on
| the network.
|
| In the case of laptops, if they fall out of certain
| compliance baselines, they get remote wiped or bricked.
| criddell wrote:
| Parts of it you want. The management engine does a lot of
| stuff and I don't think you can say all of it is good or bad.
| It would be nice if they would break it down area-by-area and
| give owners some controls to disable the unnecessary parts.
| qu4z-2 wrote:
| What is a thing it does that a user may want?
| flenserboy wrote:
| It makes a body wonder just who Intel thinks the hardware
| owners are.
| nonrandomstring wrote:
| > "functionality that is desired by hardware owners"
|
| We hear this all the time don't we? Claims that something is;
|
| "Because people want it".
|
| "Markets demand it".
|
| But we see absolutely no evidence of them whatsoever, this
| mythical mass of people clamouring for features that are
| strangely aligned with the things big-tech suppliers and
| manufacturers wish to push and get to simply assert that
| "people want".
|
| We like to think of ourselves as an "evidence based, rational
| society". We'll happily hold governments, scientific and
| health research to a high standard of evidence. Even
| Wikipedia articles demand "citation needed".
|
| Show us those people! Back up your claims Intel.
| iszomer wrote:
| How is Intel ME any different in functionality from the
| Baseboard Management Controller usually found on servers
| (eg: Aspeed)? And what of those who extend these feature
| sets with boards like the Raspberry Pi?
| UI_at_80x24 wrote:
| Here's the real kick in the nuts that IME does compared
| to BMC or other 'Management ports'.
|
| (1) It is not something that you can (easily) disable
|
| (2) It uses the same Network port that your LAN NIC uses
| instead of a separate "I won't plug that in if I don't
| want it" NIC.
|
| (3) Security/Patches? This is outside the control of the
| BIOS manufacturer, so how do you make sure it's patched
| and up to date? And
|
| (4) It wasn't an option.
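Point (2) above is the one a defender can actually measure: if AMT has been provisioned on a box, it answers on the same LAN interface the OS uses. As an added example (not from the wiki article or from any poster here), the Python below checks for that. It relies on two documented facts: the AMT web interface listens on TCP 16992 (HTTP) and 16993 (HTTPS), and it identifies itself with a "Server: Intel(R) Active Management Technology ..." header. The sample HTTP responses embedded for offline use are constructed, not captured, and the `scan` helper and its output format are this example's own.

```python
import re
import socket
from typing import Dict, Iterable, Optional

# AMT web UI / WS-Management ports (16993 is TLS; this probe speaks plain HTTP only).
AMT_HTTP_PORT, AMT_HTTPS_PORT = 16992, 16993

# The AMT web server names itself in its Server header, e.g.
# "Server: Intel(R) Active Management Technology 11.8.50".
SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s*([0-9.]+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_amt_banner(response: str) -> Optional[Dict[str, str]]:
    """Return {'version': ...} if an HTTP response carries the AMT Server header."""
    m = SERVER_RE.search(response)
    if not m:
        return None
    return {"version": m.group(1)}


def probe_amt(host: str, port: int = AMT_HTTP_PORT,
              timeout: float = 2.0) -> Optional[Dict[str, str]]:
    """Send a minimal HTTP/1.0 request to host:port and parse what comes back.

    Returns None when the port is closed, unreachable, or not AMT."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 4096:          # headers are all we need
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:                          # refused, timeout, DNS failure, no network
        return None
    return parse_amt_banner(data.decode("latin-1", "replace"))


def scan(hosts: Iterable[str], port: int = AMT_HTTP_PORT) -> Dict[str, str]:
    """Return {host: amt_version} for every host that answered with an AMT banner."""
    found: Dict[str, str] = {}
    for host in hosts:
        result = probe_amt(host, port)
        if result:
            found[host] = result["version"]
    return found


# Constructed responses for offline testing (not captured from a real device).
SAMPLE_AMT = (
    "HTTP/1.1 303 See Other\r\n"
    "Server: Intel(R) Active Management Technology 11.8.50\r\n"
    "Location: /logon.htm\r\n\r\n"
)
SAMPLE_OTHER = "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n"


if __name__ == "__main__":
    print("constructed AMT banner ->", parse_amt_banner(SAMPLE_AMT))
    print("constructed nginx banner ->", parse_amt_banner(SAMPLE_OTHER))
    # Real use: scan(["10.0.0.5", "10.0.0.6"]) from a host on the same LAN.
```

Two caveats for anyone running this for real: an unprovisioned vPro machine has the ME running but nothing listening on these ports, so a clean scan says "not provisioned", not "no ME"; and 16993 needs the socket wrapped in `ssl` before the same request is sent. On the host itself, the ME's interface to the OS shows up in `lspci` as the Intel "Communication controller" (the MEI/HECI device) whether or not AMT is listening.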
| gwillen wrote:
| Note that the BMC does not always restrict itself to the
| BMC port. I've worked with machines that have a dedicated
| BMC port, but also have a BIOS-configurable option (on by
| default) to let it use whatever port is connected.
| wmf wrote:
| That's a really low bar because (1) BMCs are a security
| nightmare because their firmware is garbage and (2) many
| PC owners do not need or want BMCs.
|
| I think the ME hating is kinda strident but it has a
| bunch of undocumented firmware and your PC still works
| after you remove it so... what was that firmware doing?
| dislikedtom2 wrote:
| if someone wants and demands it, it's the nice people at
| cia and nsa
| pexabit wrote:
| The tell is that you cannot even pay more to buy ME-
| disabled hardware when it is obvious that there is plenty
| of money in it, at little additional cost to Intel. The
| workaround in me_cleaner was originally intended for
| government buyers that demanded it. And they probably had
| good reason to demand it.
| djbusby wrote:
| This seems like the hardware owners are demanding the
| opposite of what Intel is delivering.
| Manu40 wrote:
| Rather, it's both.
|
| The government folk want it gone from theirs, but they
| want the rest of us to have it. Thus the claim "Our users
| want it" is true, in a tongue in cheek way.
| sidewndr46 wrote:
| I feel similar with 5G. I don't know anyone who was
| actually demanding 5G speeds from their phone, or excited
| about it. Technically it's very cool, but I'm unsure it
| actually is enabling end users to do something they could
| not.
|
| From my experience, I actually must disable 5G. The 4G
| network in my area actually works well enough in all
| circumstances. The 5G network is all-or-nothing. I either
| wind up with incredible speeds or completely unusable.
| generalizations wrote:
| Is the end user actually the market this is aimed at? All
| we really know is that 5G and the Intel ME are endeavors
| that are expected to make a profit. But who wants this
| enough to pay for it? Someone does. If not the mass
| market consumer, then who?
| cedilla wrote:
| In the case of 5G, telcos love it. It's vastly less
| expensive to run than any lower G, both in cities and the
| countryside. That interest even aligns with end users'
| interest.
| Manu40 wrote:
| Except they still charge the same anyways, or more.
|
| I'm with Telus up here in Canada. You pay the same old
| rates as per the usual for 5G speeds. If however you go
| with their subsidiary (Koodo) using the older
| infrastructure, you can pay a little less for similar
| packages.
|
| Check it out yourself. Mind you, I use prepaid, cause I
| don't want to be on a contract, so I buy my own phone and
| use it. Koodo even charges more for bringing your own
| phone, since they aren't collecting on having leased one
| to you.
|
| https://www.telus.com/en/mobility/prepaid/plans?linktype=
| sub... https://www.koodomobile.com/en/rate-
| plans?INTCMP=KMNew_NavMe...
|
| Simply put, if I want to save money while still having
| enough data for what I actually need data for; I can
| either spend about 35-40$ with Koodo for 2-4GB of data at
| 3 & 4G speeds; or 40-50$ for 2.5-4.5GB at 4 & 5G speeds.
| I round things this way by the way, because of taxes.
| Also, auto-top up also tends to give some extra data too.
| 500MB more. So generous of them (/s).
|
| And also, this is new packages. They just updated them
| with the new promo on Telus with that whole 1GB extra
| data and 10$ one time credit. I'm gonna have to call them
| and get that I guess. Unless they auto gave it to me? Who
| knows with them. Ultimately, I only need 500MB though,
| since I use Spotify in offline mode, and only download
| music via my wifi at home; and the only other thing I
| tend to use is Google Maps which can also be downloaded
| ahead of time to save on data.
|
| Edit: I should also note that they do actually state 4G
| on the Telus website, but my phone says I am getting 5G
| speeds. Hence why I state 5G. I could care less what they
| claim on their website. End user experience is truth.
| Zigurd wrote:
| Some aspects of 5G are sensible in that they take
| advantage of improving hardware to use spectrum more
| efficiently: denser encoding, full-duplex radios, etc.
|
| Some of it, like beam steering that tracks moving
| devices, which is going to be challenging to make work
| in real world cases, and using spectrum that makes it
| hard to penetrate inside cars and buildings, is a reach
| nobody asked for.
|
| Some seems greed driven, like "If we can convince AWS
| customers they need to put computing at the network edge
| we (telcos) will capture some of the value AWS
| accumulates now."
|
| As for your 4G network, that's what we call 5Ge now.
| sidewndr46 wrote:
| I knew a guy who worked on cell phone beam forming from
| the tower 20 years ago. He said it worked flawlessly in
| Florida where the company was based. He also said every
| single deployment failed because nowhere in the US has
| such a flat terrain without reflections.
|
| Is 5Ge some sort of joke? Or is that a real designation.
| Spooky23 wrote:
| If you have Verizon, that's a bad idea as they've bungled
| the rollout and LTE performs poorly in many areas.
| ridgered4 wrote:
| Knowing Intel, if this functionality was actually desired by
| hardware owners it would only be available on high end
| chipsets and i7+ processors.
| smolder wrote:
| Depending on the motherboard it can be very hard, pretty easy,
| or very easy. For my one motherboard that isn't covered by me-
| cleaner due to the newness, I verifiably turned off ME the
| "pretty easy" way: By downloading the latest bios from
| gigabyte, opening it in Intel's CSME tools (there are download
| links on some forums geared towards bios modding), flipping the
| unlabeled "reserved bit" which turns on "high assurance
| platform mode", and then flashing that bios .bin, also with
| Intel's tools.
|
| I believe some motherboards won't let you flash the modded bios
| if it's cryptographically unsigned or something like that,
| which is good for other reasons... but I haven't run into it
| myself.
|
| I've disabled ME on a couple of supermicro boards too, using
| me-cleaner, since they were supported. (What I consider the
| "very easy" method.)
|
| edit: Sibling poster is right that it can't be _fully_
| disabled. I do assume it's _effectively_ disabled when it no
| longer appears in device manager and Intel's ME inspection
| tools show it as disabled.
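The "reserved bit" described in the comment above is the HAP ("High Assurance Platform") soft strap, the same bit me_cleaner's -s/-S options set. As an added example (not code from the Gentoo wiki, from me_cleaner or from Intel's CSME tools), here is a small Python routine that locates the flash descriptor in a SPI dump and sets that strap, with a constructed 4 KiB stand-in image to run it against. The layout it assumes is the public descriptor layout as used by me_cleaner: signature 0x0FF0A55A at descriptor offset 0x10, FLMAP1 at signature+0x08 with the PCH soft-strap base (FPSBA) in its low byte, and HAP as bit 16 of PCHSTRP0 on ME 11+ (Skylake and later). Check those against your own dump; pre-ME-11 parts use a different strap (AltMeDisable) that this code deliberately does not handle.

```python
import struct
from typing import List

FD_SIGNATURE = 0x0FF0A55A   # flash descriptor signature, at descriptor offset 0x10
HAP_BIT = 1 << 16           # ME 11+ "High Assurance Platform" strap in PCHSTRP0


def find_descriptor(img: bytes) -> int:
    """Return the offset of the flash descriptor region (signature minus 0x10)."""
    idx = img[:0x1000].find(struct.pack("<I", FD_SIGNATURE))
    if idx < 0x10:   # -1 (not found) or too close to the start to be a descriptor
        raise ValueError("no flash descriptor signature found in first 4 KiB")
    return idx - 0x10


def pch_straps_offset(img: bytes) -> int:
    """FLMAP1 (signature + 0x08) carries the PCH soft-strap base in 16-byte units."""
    fd = find_descriptor(img)
    flmap1, = struct.unpack_from("<I", img, fd + 0x18)
    return (flmap1 & 0xFF) << 4


def hap_enabled(img: bytes) -> bool:
    """True if bit 16 of PCHSTRP0 (the first strap dword) is already set."""
    pchstrp0, = struct.unpack_from("<I", img, pch_straps_offset(img))
    return bool(pchstrp0 & HAP_BIT)


def set_hap(img: bytes) -> bytes:
    """Return a copy of the image with the HAP bit set; nothing else is touched."""
    out = bytearray(img)
    off = pch_straps_offset(out)
    pchstrp0, = struct.unpack_from("<I", out, off)
    struct.pack_into("<I", out, off, pchstrp0 | HAP_BIT)
    return bytes(out)


def diff_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets that differ between two images: a pre-flash sanity check
    that the modification really is a single strap and not a mangled file."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_sample_image() -> bytes:
    """Constructed stand-in (not a real dump): descriptor at 0, straps at 0x100."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    flmap0 = 0x00000000            # region/master bases are not needed here
    flmap1 = 0x100 >> 4            # FPSBA = 0x10 -> straps start at 0x100
    struct.pack_into("<II", img, 0x14, flmap0, flmap1)
    struct.pack_into("<I", img, 0x100, 0x00000000)   # PCHSTRP0 with HAP clear
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_image()
    patched = set_hap(original)
    print("HAP before:", hap_enabled(original), "after:", hap_enabled(patched))
    print("bytes changed at:", [hex(i) for i in diff_offsets(original, patched)])
```

On a real dump you would reach for `me_cleaner -s` (or `-S` to set only the strap and leave the firmware modules alone); the stand-alone version is here to show how small the change is and how to verify it before writing anything back. Two caveats a practitioner would want: the descriptor region is often write-protected from the OS by the flash master permissions, so the patched image may need an external programmer or a vendor tool that is allowed to write the descriptor; and HAP stops the ME after its bring-up stage rather than removing its firmware, which is exactly why the "cannot be fully disabled" point in the sibling comment stands.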
| borissk wrote:
| A slightly off-topic question: many modern motherboards have a
| function to flash a BIOS even without a CPU present (e.g. Gigabyte
| markets it as Q-Flash). Any idea how that technically works?
| Do they put a separate CPU on the motherboard?
| greycol wrote:
| smolder has a comment in this thread expressing viability for
| some boards doing this.
|
| https://news.ycombinator.com/item?id=33347065
| tymscar wrote:
| I just upgraded to a Ryzen 9 7950x with a Gigabyte x670e
| motherboard and while using qflash+ I also got curious, but
| nothing online answers how it works and the manual is too
| simplistic to include the details. If I had to guess,
| it's probably the chipset?
| the-printer wrote:
| Are there any caveats to disabling the IME?
|
| This side of computing can become daunting in the context of the
| direction that the world is heading. So many acronyms and
| backronyms lie beneath the chassis of our devices running
| commands and loops; looping and commanding and checksumming and
| checking sumthin' out.
|
| Checking what out and sending it where?
|
| - " _We need to verify that the code is signed for your safety_."
|
| - " _But it came from your App Store, emperor of the mononymic
| enterprise_."
| wmf wrote:
| Certain DRM will no longer work so you may not be able to play
| Netflix or whatever.
| egberts1 wrote:
| That's why I never use the onboard Ethernet chipset, ever.
|
| Even if it's BIOS-disabled.
|
| Just buy a decent Intel (or even RTL) Ethernet NIC PCI card, or
| two.
| w1nst0nsm1th wrote:
| In short IME is a hardware spyware ? That's it ?
| rolph wrote:
| out of band networked/remote hardware management.
| stalfosknight wrote:
| Intel's spyware is one big reason I look forward to switching to
| Apple Silicon soon.
| jeffbee wrote:
| You believe there are not non-architectural cores in Macs?
| stalfosknight wrote:
| Do you have evidence otherwise?
| jeffbee wrote:
| Yeah, I do. Every system has tons of non-architectural
| cores for security, power management, and for other
| purposes. Apple advertises some of theirs as for example
| "secure enclave" and, on older Macs, the T1 and T2 security
| processor which runs the proprietary closed-source BridgeOS
| and has unfettered access to everything on the system.
| stalfosknight wrote:
| Which one of these cores perform the same functions and
| present the same attack surface as the IME?
| tzmudzin wrote:
| Closed source, so we can speculate (or try to reverse
| engineer/break it).
| stalfosknight wrote:
| So at best we have cynicism / paranoia regarding Apple's
| T2.
| jeffbee wrote:
| That's all anyone has against IME, also. And BridgeOS
| isn't any more secure. There are tons of known flaws in
| it.
| stalfosknight wrote:
| Part of it runs bridgeOS. The Secure Enclave runs
| something else altogether called sepOS.
|
| https://support.apple.com/guide/security/secure-enclave-
| sec5...
| anonym29 wrote:
| By a 'zero trust' security philosophy, anything short of
| completely open source is inherently untrustable.
|
| You may not be practicing that philosophy, but that
| doesn't make those who do "paranoid" any more than
| corporations implementing PCI-DSS controls.
|
| Security does not work retroactively, only proactively.
| 8jy89hui wrote:
| Couldn't the T2 chip (or other Apple security chips) do similar
| things?
| mmis1000 wrote:
| Isn't T2 there because Apple didn't trust Intel ME at all?
|
| No one trusts this sh*t except Intel
| themselves.
|
| The only difference is Apple has the power to ask Intel to get
| rid of it but we don't.
| tzmudzin wrote:
| I am not an expert in Apple hardware / firmware, but I admire
| your trust that the US government could not exert the same
| influence on Apple as they did on Intel.
|
| Intel probably had to disclose the existence of IME due to
| collaboration with mainboard vendors. Apple does not face this
| constraint, so it is a lot easier for them to keep such
| subsystems under wraps.
|
| Of course I'm just speculating here, but a product typically
| mirrors its environment.
| samatman wrote:
| The IME was never a secret. Anyone can decap an Intel chip
| and point to it.
|
| I find it implausible that the A/M series chips have an
| independent subsystem that is so obfuscated that the expert
| attention which each Apple die receives has turned up no
| trace of it.
|
| The company has its own approach to secure compute with the
| T2 modules, but no, I don't believe Apple would be able to
| hide something like IME on their CPUs without it being
| detected as such.
| bilinguliar wrote:
| "Anyone can decap a chip" made me laugh. I am curious how
| many people can do that and then understand what is going
| on.
| samatman wrote:
| The point is that the answer is "everyone who needs to be
| able to".
|
| The number of expert and curious people, with the means,
| is higher than the number of new chip types Apple or
| Intel produces. There's always a detailed die photo
| available within the first few weeks of a product
| launching.
| fragmede wrote:
| Which is to say, it's hiding in plain sight. The secure
| enclave and T2 modules can do _things_ to the processor.
| Who's to say "things" doesn't include ME-like
| capabilities?
| wmf wrote:
| The people who reverse-engineered the secure enclave
| firmware can say that.
| samatman wrote:
| It might be useful to go over Wikipedia's entry for both
| platforms, here's the IME:
|
| https://en.wikipedia.org/wiki/Intel_Management_Engine
|
| And this for the T2:
|
| https://en.wikipedia.org/wiki/Apple_T2
|
| Neither of these are obscure products, they are of great
| interest to reversers and other security researchers. The
| list of shady things IME does which the T2 isn't known to
| is extensive.
| kragen wrote:
| In recent decades it has become much harder in most
| countries to get access to the red fuming nitric acid
| necessary to decap epoxy-encapsulated chips; it's
| considered a "drug precursor" and/or "explosives
| precursor". I hear that a few years ago someone figured out
| that boiling the chip in colophony for a few hours also
| works? At the boiling point of the colophony, that is, not
| water. I haven't tried it myself.
| melvyn2 wrote:
| Oh, the irony... Remember the hardwired 'Find My' geolocation
| function built into the permanently-on T2 chip?
| NoImmatureAdHom wrote:
| Trusting Apple...doesn't make a lot of sense. They're almost
| entirely security-by-obscurity. You have nothing to go on but
| their promises.
| fragmede wrote:
| Apple doesn't tell us everything, but they do say a lot so I
| don't think I'd call it security by obscurity.
|
| https://support.apple.com/guide/security/secure-enclave-
| sec5...
|
| https://help.apple.com/pdf/security/en_US/apple-platform-
| sec...
|
| They give us the architecture diagrams and tell us how the
| locks on their doors work, but they don't give us the keys
| for it.
|
| Remember: You don't actually own any iOS device because you
| can't run unsigned code that you wrote on it.
| NoImmatureAdHom wrote:
| If the builds aren't verifiable and you can't put what you
| want on there then it's just promises, which are worth
| nothing.
|
| > Remember: You don't actually own any iOS device because
| you can't run unsigned code that you wrote on it.
|
| We agree about that!
| stalfosknight wrote:
| I'm with you on the general idea that we shouldn't blindly
| believe everything a for-profit corporation says but at the
| same time we shouldn't allow fact-free speculation, rumor, or
| just plain cynicism to masquerade as facts either.
| NoImmatureAdHom wrote:
| I don't think it's controversial that trust in Apple's
| extremely locked-down ecosystem basically comes down to "we
| promise". If it's closed source you can't verify. Even if
| it's open, if it's not a reproducible build (or your own
| build) that you install yourself then who knows what's on
| there and what it does?
| r00fus wrote:
| Is there an equivalent to IME for AMD and/or Apple M-class
| processors (that would similarly benefit from disabling for home
| user)?
| chasil wrote:
| AMD relies on ARM's Trustzone to do this.
|
| "The PSP itself represents an ARM core with the TrustZone
| extension which is inserted into the main CPU die as a
| coprocessor."
|
| https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...
| GuB-42 wrote:
| The equivalent for AMD CPUs is called the Platform Security
| Processor (PSP). I am not aware of a way to disable it.
|
| I don't know about Apple CPUs but they definitely have co-
| processors running besides the main CPU.
|
| In fact, many people talk about the IME but the practice of
| having proprietary systems with their own privileged hardware
| is the norm nowadays. Another example is the "baseband"
| processor in phones, it is a complete proprietary system with
| its own processor, OS, etc... and it controls the modem, among
| other things.
| oarmstrong wrote:
| I'd like to know more about AMD specifically too. I'm well
| aware that PSP is their equivalent but there seems to be so
| little information out there about it. Is it really an
| equivalent? Is it as bad as ME? Can it be disabled? Does it
| have the same level of access as ME? Have there been any
| exploits of it yet?
|
| The wikipedia page is rather bare. There's a couple of papers
| linked to but frankly they go over my head. Is there any
| respectable analysis out there?
| arprocter wrote:
| https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...
| CrLf wrote:
| The IME gets a lot of hate around here, but let's not get
| distracted by it: higher-privilege co-processors running code
| outside the main OS' control is becoming (or already is) the norm
| everywhere. Intel-based PCs are just one instance of it (and
| perhaps not even the most egregious one).
|
| Most hardware has evolved to effectively run the main OS under a
| sandbox where it "thinks" it is in control, but isn't.
|
| A nice talk on this: https://www.youtube.com/watch?v=36myc8wQhLo
| Xelbair wrote:
| Sure, but does the separate co-processor need access to the
| network stack? For a typical end user? Definitely not.
| nullc wrote:
| Is _any_ remote management system available to the public
| using the ME stuff on consumer systems? I haven't seen it.
|
| And when you look at server hardware they have completely
| different backdoor facilities.
|
| It really looks like pure pretext, especially since there
| isn't just a simple bios option to comprehensively and
| completely disable it.
| bragr wrote:
| It does if you want remote management, which almost every IT
| department does.
| [deleted]
| salawat wrote:
| ...And which almost every other computer decidedly does
| not, and more problematically, every other computer user
| has no visibility into the configuration, implementation
| details, or actual specs of said highly privileged
| component.
|
| It's one thing to have it, but if it sits out of my reach,
| sorry hoss, I just don't trust you that much, and the fact
| you and your buddies all do it and are the only shops in
| town doesn't make me feel any better.
| boppo1 wrote:
| Can we not have separate enterprise and individual classes
| of processor?
| ranger207 wrote:
| Heck, ECC is already market-segregated
| bubblethink wrote:
| This is also segmented. The remote management stuff is
| marketed as vpro which is not available in all SKUs.
| However, all Intel processors need the ME.
| wmf wrote:
| Consumer PCs already don't have vPro/AMT, although Intel
| can't afford to make separate hardware so there's a
| concern that the out-of-band hardware path could be
| activated later by malware.
| Spooky23 wrote:
| We do. Every time this topic comes up, everyone gets
| angry about something that doesn't affect them, at all.
| vetinari wrote:
| We do, sort of.
|
| In order to have network access, Intel Management Engine
| is not enough, it does not have full network access at
| all. You need Intel AMT (also marketed as "vPro"), and
| that one is paid extra. With CPUs featuring such support
| being separate SKUs, so you would definitely know -- and
| you can check in ark. You also need to pair it with Intel
| ethernet or wifi, any other network interface is not good
| enough.
|
| So here you have it, your separate class of processor.
| goodpoint wrote:
| This is plain false.
| chasil wrote:
| No IT department wants their remote management at BlackHat.
|
| https://www.runzero.com/blog/ilo-vulnerabilities/
|
| I'm not sure that iDRAC is much better; haven't checked
| lately.
| snuxoll wrote:
| At least with IPMI interfaces on servers they have a
| dedicated NIC port you can put on a restricted network.
| [deleted]
| akira2501 wrote:
| > higher-privilege co-processors running code outside the main
| OS' control is becoming (or already is) the norm everywhere.
|
| I don't think this fact is what you should focus on. The fact
| that the blobs are binary, closed, proprietary, signed but not
| easily verifiable by the user, and not easy to disable is the
| problem.
|
| The promise is they're going to "improve security for PCs."
| Yet, they're using techniques that we know to be invalid.
| There's no reason to tolerate this.
| freedude wrote:
| When you consider both at the same time it is cause to pause
| and speculate on how malware might take advantage of this
| built-in tool.
| armchairhacker wrote:
| They can have a physical switch or tool to disable it, or
| sell separate chips with/without IME.
|
| Unfortunately there isn't really incentive for Intel to do
| this, unless larger companies / governments refuse to run
| IME-enabled chips due to security concerns.
| Sirened wrote:
| Yep, the practical difference between a hidden higher privilege
| level and another random coprocessor on the system bus which
| can send memory writes to your core's internal MMIO region
| (common on ARM based SoCs, anyways) is quite literally zero. If
| you can write arbitrary physical memory, the entire system is
| cooked (well, mostly, but RIP SGX). IME is no worse than random
| DSP, ISP, ML, etc. cores on your average SoC in terms of its
| privilege in the system. Don't miss the forest for the trees.
| uncletammy wrote:
| > higher-privilege co-processors running code outside the main
| OS' control is becoming (or already is) the norm everywhere
|
| There may be good arguments for allowing these types of
| "features" but this is not one of them. I'm so tired of seeing
| "it's fine because everyone else is doing it too"
| marcosdumay wrote:
| The GP is not saying anything is fine.
| nicce wrote:
| Well, he kinda makes it sound like that the fight is over
| and it is time to move on.
| blueflow wrote:
| Yes, and it's a movement in the wrong direction. I do not
| trust the vendors to run code on co-processors that I have no
| control over. I somewhat expect it to be spyware and ads/data
| collection soon.
| ethbr0 wrote:
| And support DRM to protect media companies' IP.
|
| Because $$$ talks, and there's a _lot_ of money in media.
| nicce wrote:
| Well, luckily we have TPM chip just for that...
| pedro2 wrote:
| Nope. kernel module mei_hdcp exists on modern systems.
| hsbauauvhabzb wrote:
| 'Everyone else is doing it' is a bad excuse. Arbitrarily
| focusing on intel has made it so others know if they perform
| shady actions then it's possible they'll also become an
| arbitrary target.
|
| The disproportionate hate is a good thing, if you ask me.
| StillBored wrote:
| I sorta disagree with the premise of that talk, although the
| problem is real.
|
| It's just that even that talk vastly underestimated just how
| many microcontrollers exist on a modern machine.
|
| In the past those controllers were isolated to a few areas
| (disk controllers, higher end network cards), but the drive
| over the past decade+ for more efficient devices and
| "universal" packetized buses (ex PCIe, USB), has sprinkled them
| in places simply to monitor utilization and adjust bus clocks,
| as well as packet scheduling and error/retry logic, etc, etc,
| etc. I was reading about some of the latest m.2 NVMe
| controllers a while back and IIRC there were something like a
| half dozen independent Arms just inside the controller. The
| last fully open disk stack on a PC was probably an MFM/RLL
| controller in the mid 1980's.
|
| So, while I would love it if the manufacturer of every little
| USB device or whatever published the full register
| documentation, firmware listings, whatever, that ship has long
| sailed. The worst part isn't looking for the piles of scattered
| SPI flash eeproms on random boards, it's the integrated "Secure"
| sides of
| these devices which happen to be all but invisible. None of
| that is going to be documented anytime in the near future.
| Every single one of these companies hides their "secret sauce"
| in the firmware of these devices, be that how to minimize
| latency on a NVMe device, to how to get maximum throughput on a
| wifi chip, to how to increase a DRAM controller's power
| efficiency. In some of these cases, the firmware probably isn't
| even that special, they are doing basically the same thing as
| every one of their competitors, but you will never get them to
| admit it.
|
| So, imagining that an "OS" can control this mess like a 1960's
| mainframe is nonsense. Modern mainframes don't even control
| stuff at that level anymore.
|
| So like software abstractions, we have hardware abstractions
| which provide higher level constructs for low level software to
| talk to. Be that something like XHCI where the system talks to
| generic endpoint queues and a processor does all the low level
| packet building/scheduling or it's something like the tiny
| integrated cores making decisions about which parts of a CPU's
| clock and power domains need to be dynamically enabled/disabled
| for a given perf/power profile and the OS talks to generic
| firmware interfaces to set policies. To even LBA disk layouts
| which abstract away all the details of flash channels, COW,
| wear leveling, NAND error correction, bit pattern sensing,
| page/block erase sizes, etc.
|
| In the end, if someone wanted to actually work on this problem,
| the first step towards open hardware isn't really building a
| RISC-V system, its building competitive NIC's, keyboards, USB
| controllers, etc, etc, etc with open hardware designs. What we
| have today is like linux, everyone wants to work on the kernel,
| no one wants to maintain old crufty code in Make. So, in the
| end swapping an x86 for a RISC-V doesn't give you more open
| hardware if it's still got its own management processors tied to
| the same closed hardware IP for literally everything else in
| the machine.
| Kukumber wrote:
| They banned Huawei equipment for less than that
|
| How come Intel get away with it?
|
| I went ahead and I disabled it
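On ME 11 and later platforms, "disabling it" in practice means setting the HAP ("High Assurance Platform") bit in the PCH straps of the SPI flash descriptor, which is what me_cleaner's soft-disable mode does: the ME still boots far enough to bring up the platform and then halts. The following Python is an added example, not code from this thread, from the Gentoo wiki page or from me_cleaner. It parses a flash image, locates the ME region and reports or sets the HAP bit. The offsets it uses (descriptor signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, FLREG2 as the ME region, PCHSTRP0 bit 16 as HAP) are taken from the public Intel flash descriptor layout as me_cleaner reads it and are assumptions to check against your platform's SPI programming guide; pre-Skylake firmware uses a different strap (AltMeDisable) that this script does not handle. The image it runs on by default is a constructed 4 KiB sample, not a real dump.

```python
"""Report and set the Intel ME HAP disable strap in a SPI flash image.

Added example, not code from the thread or from me_cleaner. Offsets are
assumptions taken from the public Intel flash descriptor layout:
  0x10      signature 0x0FF0A55A
  0x14      FLMAP0: FRBA (region table base) in bits 23:16, times 16
  0x18      FLMAP1: FPSBA (PCH straps base) in bits 23:16, times 16
  FRBA+0x8  FLREG2 = ME region, base bits 14:0, limit bits 30:16 (4 KiB units)
  FPSBA+0   PCHSTRP0, HAP = bit 16 (ME 11+ only; older ME uses AltMeDisable
            in a different strap, which this script does not handle)
"""
import struct
import sys

FD_SIGNATURE = 0x0FF0A55A
FD_SIG_OFFSET = 0x10
HAP_BIT = 1 << 16


def parse_descriptor(image: bytes) -> dict:
    """Locate the ME region and PCHSTRP0; raise ValueError if this is not a descriptor."""
    if len(image) < FD_SIG_OFFSET + 12:
        raise ValueError("image too small to hold a flash descriptor")
    sig, flmap0, flmap1 = struct.unpack_from("<III", image, FD_SIG_OFFSET)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at 0x10 (not a full SPI dump?)")
    frba = ((flmap0 >> 16) & 0xFF) << 4    # flash region table base
    fpsba = ((flmap1 >> 16) & 0xFF) << 4   # PCH soft straps base
    if frba + 0xC > len(image) or fpsba + 4 > len(image):
        raise ValueError("descriptor points outside the image")
    flreg2 = struct.unpack_from("<I", image, frba + 0x8)[0]   # region 2 = ME
    me_base = (flreg2 & 0x7FFF) << 12
    me_limit = (((flreg2 >> 16) & 0x7FFF) << 12) | 0xFFF
    pchstrp0 = struct.unpack_from("<I", image, fpsba)[0]
    return {
        "frba": frba,
        "fpsba": fpsba,
        "me_present": me_base < me_limit,   # an unused region encodes base > limit
        "me_base": me_base,
        "me_limit": me_limit,
        "hap_set": bool(pchstrp0 & HAP_BIT),
    }


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of image with HAP set in PCHSTRP0; no other byte changes."""
    info = parse_descriptor(image)
    buf = bytearray(image)
    pchstrp0 = struct.unpack_from("<I", buf, info["fpsba"])[0]
    struct.pack_into("<I", buf, info["fpsba"], pchstrp0 | HAP_BIT)
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed 4 KiB descriptor for demonstration, not a real dump:
    FRBA=0x40, FPSBA=0x100, ME region 0x3000..0x1FFFFF, HAP bit clear."""
    img = bytearray(0x1000)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<III", img, FD_SIG_OFFSET,
                     FD_SIGNATURE,
                     ((frba >> 4) << 16) | 0x03,    # FLMAP0 (FCBA=0x30 in bits 7:0)
                     ((fpsba >> 4) << 16) | 0x06)   # FLMAP1 (FMBA=0x60 in bits 7:0)
    # FLREG0..2: descriptor 0x0..0xFFF, BIOS 0x200000..0x7FFFFF, ME 0x3000..0x1FFFFF
    struct.pack_into("<III", img, frba, 0x00000000, 0x07FF0200, 0x01FF0003)
    struct.pack_into("<I", img, fpsba, 0x00000001)  # PCHSTRP0 with bit 16 clear
    return bytes(img)


def summarize(image: bytes) -> str:
    """One-line human readable status of the ME region and HAP strap."""
    info = parse_descriptor(image)
    me = (f"ME region 0x{info['me_base']:X}-0x{info['me_limit']:X}"
          if info["me_present"] else "no ME region")
    return f"{me}; HAP bit {'set' if info['hap_set'] else 'clear'}"


if __name__ == "__main__":
    # Usage: python hap.py [flash_dump.bin]; with no path the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("before:", summarize(data))
    print("after: ", summarize(set_hap_bit(data)))
```

Run it against a full SPI dump (not just the BIOS region; the descriptor lives in the first 4 KiB of the chip) to see whether the strap is already set. Writing a patched image back needs an unlocked descriptor region or an external programmer, and you want a verified backup of the original dump first, because a bad descriptor leaves the board unable to boot.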
| alex_duf wrote:
| It's about who's your threat. The US government probably likes
| having an American company (Intel) that distributes an attack
| vector. But they probably don't like being distributed one.
| clhodapp wrote:
| Architecturally, that is fine... but if it's not open and well-
| specified it will continually face (well-deserved) distrust.
| dottedmag wrote:
| Apple M* CPUs do not have anything like that.
|
| Their coprocessors are not higher-privileged. On the contrary,
| they are all isolated from AP, each other and main memory (by
| IOMMU).
| dizhn wrote:
| Thank you thank you thank you. I've been trying to find this
| talk forever after watching it once. I immediately knew this
| was it when I saw it under this particular thread. Super
| illuminating stuff.
___________________________________________________________________
(page generated 2022-10-26 23:00 UTC)