Wednesday, December 13th 2017
Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback
It's been an interesting month for users as we've discovered that the most widely-used OS in the world could be one most of us had never even heard of before. Intel's Management Engine, a full-fledged computer inside Intel CPUs, runs on MINIX, and after it was revealed that Intel's CPUs run it, multiple issues have been found with the approach, which has pushed Intel to release a detection tool.
Intel is seemingly poised to move towards a full hardware lock of the Management Engine's capabilities, thus ensuring it can't be disabled. And even if Intel does send out firmware fixes for its already deployed CPUs with ME integration, the fact remains that the memory pool where the firmware is written is, well, re-writable - given enough access, miscreants could simply re-flash the ME to an earlier, vulnerable version, and thus acquire God Mode access to a victim's computer. To tackle both issues, Intel is moving towards a hardware lock of their ME. A recent confidential Intel Technical Advisory posted to GitHub stated that starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, "will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN." FPFs, once set, become read-only memory (ROM) and can't be so easily altered, providing Intel with a way to validate firmware versions in order to avoid a version rollback.
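To make the anti-rollback mechanism the advisory describes concrete, here is an added example in C that is not Intel's code and not taken from the advisory. It models a one-time-programmable fuse bank as a thermometer code (a fuse can only go from 0 to 1, so the SVN is the number of burned fuses), and shows why a firmware image whose SVN is below the fused value is refused even if it is otherwise validly signed. The structure and field names (`fpf_bank_t`, `fw_image_t`, the `signature_ok` flag standing in for signature verification done elsewhere) are assumptions of the example, not Intel's layout.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not Intel's implementation): a model of fuse-backed
 * anti-rollback. Fuses can only be set, never cleared, so the SVN is kept
 * as a thermometer code: bit i set means "SVN is at least i+1". */

#define FPF_SVN_BITS 32

typedef struct {
    uint32_t svn_fuses;   /* assumed: thermometer-coded fuse bank */
} fpf_bank_t;

typedef struct {
    unsigned svn;         /* SVN carried in the image's signed header */
    bool signature_ok;    /* assumed: result of signature verification */
} fw_image_t;

/* Decode the SVN as the count of burned fuses, starting from bit 0. */
unsigned fpf_read_svn(const fpf_bank_t *b) {
    unsigned n = 0;
    while (n < FPF_SVN_BITS && (b->svn_fuses & (1u << n))) n++;
    return n;
}

/* Burn fuses so the stored SVN becomes new_svn. Because fuses only set
 * bits, asking for a lower value is refused and the bank is unchanged. */
bool fpf_burn_svn(fpf_bank_t *b, unsigned new_svn) {
    if (new_svn > FPF_SVN_BITS) return false;
    if (new_svn <= fpf_read_svn(b)) return false;   /* cannot "unburn" */
    uint32_t mask = (new_svn == FPF_SVN_BITS) ? 0xFFFFFFFFu
                                              : ((1u << new_svn) - 1u);
    b->svn_fuses |= mask;
    return true;
}

/* Boot-time check: accept only a validly signed image whose SVN is not
 * below the fused minimum. A valid signature on an old image is not
 * enough, which is exactly the downgrade case the fuses are meant to stop. */
bool fw_accept(const fpf_bank_t *b, const fw_image_t *img) {
    if (!img->signature_ok) return false;
    return img->svn >= fpf_read_svn(b);
}

/* Apply an update: accept it, then raise the fused floor if it is newer. */
bool fw_update(fpf_bank_t *b, const fw_image_t *img) {
    if (!fw_accept(b, img)) return false;
    if (img->svn > fpf_read_svn(b)) fpf_burn_svn(b, img->svn);
    return true;
}

/* Scenario: install SVN 1, then SVN 2, then try to re-flash SVN 1.
 * Returns the fused SVN at the end (2), or 0xFFFF if any step misbehaved. */
unsigned rollback_scenario(void) {
    fpf_bank_t bank = { 0 };
    fw_image_t v1 = { 1, true }, v2 = { 2, true }, v1_reflash = { 1, true };
    if (!fw_update(&bank, &v1) || fpf_read_svn(&bank) != 1) return 0xFFFF;
    if (!fw_update(&bank, &v2) || fpf_read_svn(&bank) != 2) return 0xFFFF;
    if (fw_accept(&bank, &v1_reflash)) return 0xFFFF;   /* downgrade must fail */
    if (fpf_burn_svn(&bank, 1)) return 0xFFFF;          /* fuses cannot go back */
    return fpf_read_svn(&bank);
}

int main(void) {
    printf("fused SVN after scenario: %u\n", rollback_scenario());
    return 0;
}
```

The point the model makes is that the fuse value is a floor, not a version record: a physical re-flash of old firmware still rewrites the flash, but the boot check sees an SVN below the fused minimum and refuses to run it, and nothing short of new silicon brings the floor back down.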
However, Purism, a company which has made its business to sell privacy-focused Librem laptops in which the Intel Management Engine has been (mostly) disabled, said that while the move was bound to improve security, it didn't fix the fundamental flaws in Intel's ME integration. Purism founder Todd Weaver told The Register: "The ME [Management Engine] hardware still ships on all Intel CPUs; the ME firmware (where this Positive Technologies security exploit is at) is still required by Intel. If users do not want the ME at all, there is no current Intel based CPU option."
Source:
The Register
39 Comments on Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback
I still feel the whole world would be more secure without the management engine "security features" however. AMD's PSP is no better. These things should all be removed.
It's a bit excessive but, in this day and age, I'm not at all surprised. There is a huge benefit to doing something like this because it could allow a manufacturer to even hard-code in memory information about the board it belongs to, like serial number and such. Information about the system and constants that aren't ever going to change (from their perspective.) It's not something we want but, from the perspective of Intel, it makes perfect sense.
Because the owner of gamersnexus .net, who knows way more about various computer hardware, more than you or I, said ME started with Skylake.
So, now you will both be insulted and ask me why then did I ask here. Because I wanted to see how much crap you both talk.
OSdevr said to my question "No, ME has been around for about 10 years."
Then provide proof.
en.m.wikipedia.org/wiki/Intel_Management_Engine
My apologies, I'll go eat my words now... pass the salt.
Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub. With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub.
en.wikipedia.org/wiki/Intel_Active_Management_Technology
If I'm not mistaken Intel switched to an x86 core with Skylake and were using a different architecture before. Why they didn't use an x86 core to begin with I have no idea.
EDIT: Can't find a source saying they switched architectures with Skylake but they did at least change a great deal of it according to me_cleaner. Also Libreboot agrees that it began in 2006 on the northbridge and was moved onto the CPU with Nehalem (aka the first of the Core i series).
Found keylogger in Synaptics Touchpad keyboard driver
So are keyloggers, and they should be.
Edit: I just looked it up. Sandy Bridge was the first mainstream/consumer platform with IME installation drivers.
Either way, it's present on anything newer than or equal to a core 2. Whether or not there are drivers, it's there.