Wednesday, December 13th 2017

Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback

by
Raevenlord
 Discuss (39 Comments)
It's been an interesting month for users as we've discovered that the most widely-used OS in the world could be one most of us had never even heard anything about before. Intel's Management Engine, a full-fledged computer inside Intel CPUs, runs on MINIX, and after it was outed that Intel's CPUs ran on it, multiple issues have been found with the approach, which has moved Intel towards outing a detection tool.

Intel is seemingly poising to move towards a full hardware lock of the Management Engines' capabilities, thus ensuring it can't be disabled. And even if Intel does send out firmware fixes for its already deployed CPUs with ME integration, the fact remains that the memory pool where the firmware is written is, well, re-writable - given enough access, miscreants could simply re-flash the ME to an earlier, vulnerable version, and thus acquire God Mode access to a victim's computer. To tackle both issues, Intel is moving towards a hardware lock of their ME.
A recent confidential Intel Technical Advisory posted to GitHub stated that starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, "will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN." FPFs, once set, become read-only memory (ROM) and can't be so easily altered. providing Intel with a way to validate firmware versions in order to avoid a version rollback.

However, Purism, a company which has made its business to sell privacy-focused Librem laptops in which the Intel Management Engine has been (mostly) disabled, said that while the move was bound to improve security, it didn't fix the fundamental flaws in Intel's ME integration. Purism founder Todd Weaver told The Register that "The ME [Management Engine] hardware still ships on all Intel CPUs; the ME firmware (where this Positive Technologies security exploit is at) is still required by Intel," he said. "If users do not want the ME at all, there is no current Intel based CPU option."
Source: The Register

Related News

Add your own comment

39 Comments on Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback

#26
biffzinker
voltageI really don't want to move back to AMD product for a number of reasons
Moving to AMD gets you the same embedded (ARM Cortex A5 using ARM's Trustzone) security processor.
Posted on Reply
#27
buggalugs
R-T-BMy brothers x58 system had management engine drivers IIRC, board was a dx58so2.

Either way, it's present on anything newer than or equal to a core 2. Whether or not there are drivers, it's there.
I had an X58/920 system too and there was no IME installation drivers for those boards. Here is the link for the driver support for the Asus P6X58-D Premium motherboard, and there are no IME drivers in the list:

www.asus.com/au/supportonly/P6X58D%20Premium/HelpDesk_Download/

And here is the link for a Asus P67/Sandybridge board that does have IME installation drivers:

www.asus.com/au/supportonly/P8H67-I%20Deluxe/HelpDesk_Download/

Maybe they used them on xeon or something like that, but the Sandy Bridge systems was the first mainstream/consumer platform that used IME installation drivers, that was around 2010. I never like having to install those drivers. I dont know why, I think because I never really understood what they do, besides "security"
Posted on Reply
#28
biffzinker
buggalugsI never like having to install those drivers. I dont know why, I think because I never really understood what they do, besides "security"
Also gets rid of the yellow exclamation icon in Device Manager.
Posted on Reply
#29
voltage
ah, so no choice really. since you seem to know much regarding this issue. AMD X86 procs do not use ARM architecture. Are you suggesting AMD took Trustzone security processor and added it to their X86 platforms??? wow if yes...
Posted on Reply
#30
OSdevr
voltageah, so no choice really. since you seem to know much regarding this issue. AMD X86 procs do not use ARM architecture. Are you suggesting AMD took Trustzone security processor and added it to their X86 platforms??? wow if yes...
I'm not certain, but I think the "security processor" in AMD CPUs actually is an ARM core. It doesn't have to be x86 and until recently Intel didn't use an x86 one either.

The security processor is an extra processor added to the main CPU, it doesn't have to be anything like the main cores.
Posted on Reply
#31
voltage
OK, got ya. Then, knowing all this info. I ask you your opinion, Why is it that the entire web is freaking out (exaggerating of course to make a point) over Intel's ME, yet no one bitched, moaned or complained over AMD's version??? (ARM's Trustzone)
Another way to ask the same question, why all the Intel bashing and no AMD bashing? any idea as to why?
Posted on Reply
#32
OSdevr
voltageOK, got ya. Then, knowing all this info. I ask you your opinion, Why is it that the entire web is freaking out (exaggerating of course to make a point) over Intel's ME, yet no one bitched, moaned or complained over AMD's version??? (ARM's Trustzone)
Another way to ask the same question, why all the Intel bashing and no AMD bashing? any idea as to why?
Possibly because it was recently discovered that Intel ME runs the MINIX operating system and subsequently there have been some bugs and security holes found in it. That and everyone knows about Intel and few know about AMD.
Posted on Reply
#33
voltage
Yet, in 2009 there was this claiming MINIX is more secure than Windows itself OR even more secure than Linux. www.infoq.com/news/2009/05/MINIX

I suppose its a never ending subject, no matter the angle.
Posted on Reply
#34
StrayKAT
voltageYet, in 2009 there was this claiming MINIX is more secure than Windows itself OR even more secure than Linux. www.infoq.com/news/2009/05/MINIX

I suppose its a never ending subject, no matter the angle.
It's not hard to be more secure than linux actually... and that has been the argument between Linus and Tanenbaum since the beginning. Or rather, the argument of monolithic vs microkernels.
Posted on Reply
#36
R-T-B
StrayKATUnpopular, but it's not going to affect the typical user either way. Still, everyone should have options. These are PCs, after all.
It is when spyware begins to hijack it.
voltageI do wonder will AMD implement a version of ME?
They already have, for some time. It's called the AMD PSP.
Posted on Reply
#37
StrayKAT
R-T-BIt is when spyware begins to hijack it.
Well, personally, that's not a concern of mine. I haven't had spyware problems for ages... but I'm probably more dilligent than others.

I'd be more worried about a specifically targetted attack.. I can see getting really screwed by a personal enemy (or if I had a business with enemies). But I'm under the radar here too. As are many.
Posted on Reply
#38
R-T-B
StrayKATWell, personally, that's not a concern of mine. I haven't had spyware problems for ages... but I'm probably more dilligent than others.
I haven't either. But we aren't really normal use cases, as you note.
Posted on Reply
#39
TheLostSwede
News Editor
OSdevr:mad:

If I'm not mistaken Intel switched to an x86 core with Skylake and were using a different architecture before. Why they didn't use an x86 core to begin with I have no idea.

EDIT: Can't find a source saying they switched architectures with Skylake but they did at least change a great deal of it according to me_cleaner. Also Libreboot agrees that it began in 2006 on the northbridge and was moved onto the CPU with Nehalem (aka the first of the Core i series).
You're correct that they used to use a different CPU architecture before, it was running on an ARC core in the early days - en.wikipedia.org/wiki/ARC_(processor)
en.wikipedia.org/wiki/Intel_Active_Management_Technology#Hardware
Posted on Reply
Add your own comment
May 21st, 2025 20:01 CDT change timezone

Latest GPU Drivers

New Forum Posts

Popular Reviews

Controversial News Posts