Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback

[Raevenlord]

It's been an interesting month for users as we've discovered that the most widely-used OS in the world could be one most of us had never even heard anything about before. Intel's Management Engine, a full-fledged computer inside Intel CPUs, runs on MINIX, and after it was outed that Intel's CPUs ran on it, multiple issues have been found with the approach, which has moved Intel towards outing a detection tool.

Intel is seemingly poising to move towards a full hardware lock of the Management Engines' capabilities, thus ensuring it can't be disabled. And even if Intel does send out firmware fixes for its already deployed CPUs with ME integration, the fact remains that the memory pool where the firmware is written is, well, re-writable - given enough access, miscreants could simply re-flash the ME to an earlier, vulnerable version, and thus acquire God Mode access to a victim's computer. To tackle both issues, Intel is moving towards a hardware lock of their ME.





A recent confidential Intel Technical Advisory posted to GitHub stated that starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, "will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN." FPFs, once set, become read-only memory (ROM) and can't be so easily altered. providing Intel with a way to validate firmware versions in order to avoid a version rollback.

However, Purism, a company which has made its business to sell privacy-focused Librem laptops in which the Intel Management Engine has been (mostly) disabled, said that while the move was bound to improve security, it didn't fix the fundamental flaws in Intel's ME integration. Purism founder Todd Weaver told The Register that "The ME [Management Engine] hardware still ships on all Intel CPUs; the ME firmware (where this Positive Technologies security exploit is at) is still required by Intel," he said. "If users do not want the ME at all, there is no current Intel based CPU option."



View at TechPowerUp Main Site

 

[R-T-B]

Antirollback qfuses, essentially. You simply can't downgrade. It's not new, they've been doing it in phones for some time. Very difficult to defeat, if done right.

I still feel the whole world would be more secure without the management engine "security features" however. AMD's PSP is no better. These things should all be removed.

 

[biffzinker]

Correction @Raevenlord: Minix is running from within the Platform Controller Hub's on die Intel Quark or ARC for Broadwell, and earlier.

 

[Katanai]

lol So Intel's "solution" to the problem is to make future ME's not being able to be stoped in any way or form? This, to make you feel "safer" right?

 

[xorbe]

But if your modded bios code never checks the fuses ...

 

[Aquinus]

But if your modded bios code never checks the fuses ...

That depends on how it's implemented. You could have a series of fuses that cause entire segments of memory to become read-only by doing something like shorting out certain command lines going to memory that are responsible for doing writes because there are certain parts of memory circuits that can be physically shorted or broken to cause memory to become read-only at the hardware level. Something like this would allow a developer to program a region of memory up until the point where you want to lock it and prevent changes. It's also not a terrible idea either because if there is a change you want to make but, you're not entirely certain if you want it to be permanent or not, you can just not lock that region of memory and if that assumption changes or your boss tells you to flick the switch, you add a tiny bit of code and the next time it runs, it will do its magic and that memory segment will be untouchable.

It's a bit excessive but, in this day and age, I'm not at all surprised. There is a huge benefit to doing something like this because it could allow a manufacturer to even hard-code in memory information about the board is belongs to, like serial number and such. Information about the system and constants that aren't ever going to change (from their perspective.) It's not something we want but, from the perspective of Intel, it makes perfect sense.

 

[OSdevr]

That depends on how it's implemented. You could have a series of fuses that cause entire segments of memory to become read-only by doing something like shorting out certain command lines going to memory that are responsible for doing writes because there are certain parts of memory circuits that can be physically shorted or broken to cause memory to become read-only at the hardware level. Something like this would allow a developer to program a region of memory up until the point where you want to lock it and prevent changes.

They've been doing this in the microcontroller world forever, they're actually called 'lock bits' (at least by Atmel). They are used to prevent program code from being read or rewritten, very useful if you have competitors who want to copy your stuff.

 

[R-T-B]

But if your modded bios code never checks the fuses ...

The idea is the unupdatable bootloader checks a cryptographically signed bios code version, not the other way around, thus no real way to "mod" it

 

[voltage]

was skylake the first to use ME? anyone know?

 

[OSdevr]

was skylake the first to use ME? anyone know?

No, ME has been around for about 10 years.

 

[R-T-B]

No, ME has been around for about 10 years.

Indeed, since about the core series IIRC.

 

[voltage]

Your just guessing and don't know for sure. Why not tell the truth and say so.

Because, the owner of gamersnexus .net who knows way more than various computer hardware, more than you or I, said ME started with Skylake

So, now you will both be insulted and ask me why then did i ask here. Because I wanted to see how much crap you both talk.

OSdevr said to my question "No, ME has been around for about 10 years."

then provide proof.

 

[TheLostSwede]

Your just guessing and don't know for sure. Why not tell the truth and say so.

Because, the owner of gamersnexus .net who knows way more than various computer hardware, more than you or I, said ME started with Skylake

So, now you will both be insulted and ask me why then did i ask here. Because I wanted to see how much crap you both talk.

OSdevr said to my question "No, ME has been around for about 10 years."

then provide proof.

Since 2008 -
https://en.m.wikipedia.org/wiki/Intel_Management_Engine

 

[voltage]

hmmm, I wonder why gamersnexus was on video stating ME started with Skylake, back about a month or so ago when the story was first making its rounds.

my apologies, ill go eat my words now... pass the salt.

 

[Paganstomp]

(ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current (as of 2015) Intel chipsets.

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub. With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub.

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

 

[OSdevr]

hmmm, I wonder why gamersnexus was on video stating ME started with Skylake, back about a month or so ago when the story was first making its rounds.

my apologies, ill go eat my words now... pass the salt.

If I'm not mistaken Intel switched to an x86 core with Skylake and were using a different architecture before. Why they didn't use an x86 core to begin with I have no idea.

EDIT: Can't find a source saying they switched architectures with Skylake but they did at least change a great deal of it according to me_cleaner. Also Libreboot agrees that it began in 2006 on the northbridge and was moved onto the CPU with Nehalem (aka the first of the Core i series).

 

[nem..]

MINIX OS inside of each intel cpu biggest designed backdoor nobody bats and eye

Finded keylogger in Synaptics Touchpad keyboard driver

 

[Frick]

hmmm, I wonder why gamersnexus was on video stating ME started with Skylake, back about a month or so ago when the story was first making its rounds.

my apologies, ill go eat my words now... pass the salt.

I'm thinking it was because the story started out that way, essentially, and he didn't fact check it.

 

[R-T-B]

MINIX OS inside of each intel cpu biggest designed backdoor nobody bats and eye

Finded keylogger in Synaptics Touchpad keyboard driver

I think you've been missing quite a few comments. ME and AMS PSP are really frickin unpopular.

So are keyloggers, and they should be.

 

[buggalugs]

There was no IME installation drivers on Nehalem, at least with socket 1366, consumer boards. It may have been onboard without the need for drivers but the first platform I used with IME installation drivers was Ivy bridge. They may have started with IME drivers on socket 1156 Sandy Bridge CPUs. I skipped Sandy Bridge so I cant say but its around that time.

Edit: I just looked it up Sandy bridge was the first mainstream/consumer platform with IME installation drivers,

 

[Katanai]

There was no IME installation drivers on Nehalem, at least with socket 1366, consumer boards. It may have been onboard without the need for drivers but the first platform I used with IME installation drivers was Ivy bridge. They may have started with IME drivers on socket 1156 Sandy Bridge CPUs. I skipped Sandy Bridge so I cant say but its around that time.

Edit: I just looked it up Sandy bridge was the first mainstream/consumer platform with IME installation drivers,

I don't understand why nobody compiles some real data on which systems had the ME processor in them. I've been looking everywhere to see if the x58 chipset had ME but I can't find anything conclusive. All I can find is that the other chipsets meant for enterprise from that era have it but I can't find anything on this one. I still have an i7 920 system laying around somewhere and I wanna see if I can trust it or not...

 

[R-T-B]

There was no IME installation drivers on Nehalem, at least with socket 1366, consumer boards. It may have been onboard without the need for drivers but the first platform I used with IME installation drivers was Ivy bridge. They may have started with IME drivers on socket 1156 Sandy Bridge CPUs. I skipped Sandy Bridge so I cant say but its around that time.

Edit: I just looked it up Sandy bridge was the first mainstream/consumer platform with IME installation drivers,

My brothers x58 system had management engine drivers IIRC, board was a dx58so2.

Either way, it's present on anything newer than or equal to a core 2. Whether or not there are drivers, it's there.

 

[eidairaman1]

Isn't this related to the SMBus/PMBus?

 

[StrayKAT]

I think you've been missing quite a few comments. ME and AMS PSP are really frickin unpopular.

So are keyloggers, and they should be.

Unpopular, but it's not going to affect the typical user either way. Still, everyone should have options. These are PCs, after all.

 

[voltage]

I really don't want to move back to AMD product for a number of reasons, but this issue is really me make me re-think doing so. Then again, I dont have much of anything to hide, it boils down to principle I suppose. I just don't like the idea Intel has implemented this without disclosure from the start. That said, I am very curious what kind of performance increase Intel's 10nm will have. Even if it was just another 10-15% over coffee lake, I would be satisfied, because I am still using a old i7 870, but it works great! I suppose ME wont go away? I do wonder will AMD implement a version of ME?