
SoylentNews is people

posted by janrinok on Sunday January 15 2017, @12:21AM
from the where-there-is-a-will,-there-is-a-way dept.

In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:

Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.

Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.

Those unfamiliar with the implications of Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.

Looks like I may not have to go ARM on my next desktop build after all.


  • (Score: 0, Disagree) by Anonymous Coward on Sunday January 15 2017, @01:29AM

    by Anonymous Coward on Sunday January 15 2017, @01:29AM (#453977)

    I'm an open-source loving, Linux using, Fortune 500 IT guy and I'm kind of surprised to see people up in arms about Intel ME/AMT. Like this article is the first I've heard about it.
    I am a huge fan of vPro (AMT/ME specifically) - we now have it on thousands of our machines and the number of literal truck rolls it saves is measurable. So easy to remotely diagnose a computer even if it has a failing motherboard. So easy to remotely reimage a machine.
    That said, this technology is primarily only on business desktops and notebooks as far as I know. If you build your own machine from Newegg or Amazon, it's not going to have this on it. I guess maybe the market came from people buying used business equipment on eBay?

  • (Score: 3, Informative) by Anonymous Coward on Sunday January 15 2017, @01:40AM

    by Anonymous Coward on Sunday January 15 2017, @01:40AM (#453978)

    It's baked into desktop processors. Some have it disabled, like the low-end i3s and the Pentiums. So companies have to shell out more for the i5s. But to my knowledge it is in every i7 and activated.
    Depending on the motherboard you may not even be able to shut it off to the limited degree that UEFI allows.

    As of right now it's a storm in a teacup. Theoretically it is possible to use it to put on rootkits that the host OS can't even see at all. But according to all I can find this is all theoretical, and requires physical root access, at which point your system is hosed anyway.
    Be warned if you look through the GitHub page and the support page. Using this can and WILL break other things. There are reports of no longer being able to see GPUs (in Optimus-equipped laptops), LAN and wireless cards going poof. And a few cases where the monitor would just up and shut off unless someone had, say, a fast-refreshing game or video running.

  • (Score: 2, Insightful) by Anonymous Coward on Sunday January 15 2017, @02:20AM

    by Anonymous Coward on Sunday January 15 2017, @02:20AM (#453983)

    You're surprised people are upset about this because you're an "open source" advocate and not a free software advocate [gnu.org]; there's a subtle yet important difference between the two. To someone who values freedom, any proprietary software is going to disgust them to some extent.

    • (Score: 5, Insightful) by The Mighty Buzzard on Sunday January 15 2017, @02:51AM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Sunday January 15 2017, @02:51AM (#453988) Homepage Journal

      It's proprietary hardware that you're utterly and completely unable to shut off in this case. It's another CPU running below ring 0 that's able to access memory and peripherals, up to and including activating while the computer is "powered off". It is straight up a hardware rootkit that has been completely impossible to remove and still have a functioning computer. What possible reason could there be for not allowing the disabling of it in home computers besides allowing remote surveillance?

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:20AM

        by Anonymous Coward on Sunday January 15 2017, @05:20AM (#454011)

        So is Absolute Computrace, but at least you can supposedly disable that in the BIOS/UEFI sometimes. UEFI rootkits are what scare me.

      • (Score: 3, Informative) by RamiK on Sunday January 15 2017, @11:28AM

        by RamiK (1813) on Sunday January 15 2017, @11:28AM (#454051)

        What possible reason could there be for not allowing the disabling of it in home computers besides allowing remote surveillance?

        As with the case of HDCP [wikipedia.org], the official rationale is DRM.

        And yeah, it's bull-manure.

        --
        compiling...
    • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @02:51AM

      by Anonymous Coward on Sunday January 15 2017, @02:51AM (#453989)

      "open source" advocate and not a free software advocate

      Some call me . . . . . Bruce?

    • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:18AM

      by Anonymous Coward on Sunday January 15 2017, @05:18AM (#454010)

      No no, original Anonymous Coward here. Sorry I was lazy with my verbiage. FLOSS and Richard Stallman definitely reign supreme in my book. I still rock the copyleft DeCSS t-shirt.

    • (Score: 2) by butthurt on Monday January 16 2017, @01:47AM

      by butthurt (6141) on Monday January 16 2017, @01:47AM (#454222) Journal

      Just trolling? Intel have released open-source drivers for their Active Management Technology (which is part of the IME) but the AMT and IME are, if I'm not mistaken, totally closed-source.

      https://sourceforge.net/projects/openamt/ [sourceforge.net]

      Open source proponents share some beliefs with the GNU folks. For instance, they advocate that software should be freely redistributable and that programmers should be allowed to make derivative works.

      https://opensource.org/docs/osd [opensource.org]

      They differ about making proprietary software from free code. There is a GNU licence which permits that, but its use is discouraged.

      https://en.wikipedia.org/wiki/LGPL [wikipedia.org]

  • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @03:02AM

    by Anonymous Coward on Sunday January 15 2017, @03:02AM (#453992)

    Can you share some links that explain how to do some of the stuff you mention? I'd like to try it out and learn more... (yes, I will be Google'n shortly but I'm not certain of what terms to search on so a few links would be helpful to me and perhaps others).

    • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:37AM

      by Anonymous Coward on Sunday January 15 2017, @05:37AM (#454016)

      For vPro?
      You want the Open Manageability Developer Tool Kit.
      Get it here: http://www.meshcommander.com/open-manageability [meshcommander.com]
      You will also need a PC with it enabled. The default password is admin which it forces you to change before AMT is active and you will need to pick a strong password. You get into it by pushing ctrl-P when the machine is booting up. All you have to do is change the password and activate in the settings. Then you can remotely control that PC. You can turn on the VNC server in the NIC and VNC to the computer. You need a strong password that is exactly eight characters.

      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @06:34AM

        by Anonymous Coward on Sunday January 15 2017, @06:34AM (#454025)

        Ok, that's pretty friggin' sweet...

      • (Score: 2) by Scruffy Beard 2 on Sunday January 15 2017, @07:40AM

        by Scruffy Beard 2 (6030) on Sunday January 15 2017, @07:40AM (#454038)

        OK, you said: "You need a strong password that is exactly eight characters."

        That is only about 48 bits of entropy.

        I hope time-outs are implemented.
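
The arithmetic behind the 48-bit figure, and why the time-outs matter, as an added example (not part of the thread or of any Intel tooling). The guess rate, the lockout policy and the candidate alphabets are assumptions chosen for illustration; 8 characters drawn from a 64-symbol alphabet is the case that gives exactly 48 bits.

```python
import math

# Candidate alphabet sizes for a fixed-length password (constructed for illustration).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "alnum+2 symbols": 64,   # 8 chars from 64 symbols = the ~48-bit case in the comment
    "printable ascii": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def effective_guess_rate(attempts_before_lockout: int, lockout_seconds: float,
                         raw_rate: float) -> float:
    """Sustained guesses/second an online attacker achieves against a lockout policy.

    Each cycle makes `attempts_before_lockout` guesses at `raw_rate`, then
    must wait `lockout_seconds` before the interface accepts guesses again.
    """
    cycle_time = attempts_before_lockout / raw_rate + lockout_seconds
    return attempts_before_lockout / cycle_time


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password in a space of 2**bits at the given rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(length: int = 8, raw_rate: float = 100.0,
            attempts: int = 5, lockout: float = 60.0):
    """Rows of (alphabet, bits, years without lockout, years with lockout).

    Assumed: 100 guesses/s over the network with no throttling, versus a
    5-attempts-then-60-second-lockout policy. Both numbers are illustrative.
    """
    throttled = effective_guess_rate(attempts, lockout, raw_rate)
    rows = []
    for name, size in ALPHABETS.items():
        bits = entropy_bits(size, length)
        rows.append((name, round(bits, 1),
                     years_to_exhaust(bits, raw_rate),
                     years_to_exhaust(bits, throttled)))
    return rows


if __name__ == "__main__":
    for name, bits, open_years, locked_years in compare():
        print(f"{name:16s} {bits:5.1f} bits  no lockout: {open_years:10.2e} y"
              f"  with lockout: {locked_years:10.2e} y")
```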

  • (Score: 5, Informative) by sjames on Sunday January 15 2017, @05:57AM

    by sjames (2882) on Sunday January 15 2017, @05:57AM (#454021) Journal

    It's a matter of scope. ME is often abused to prevent a machine from booting what you want it to boot. It also gets its fingers way too deep into the system, allowing various horrible things to exist. It can see and rewrite memory, for example.

    Remote management was a thing long before ME existed. The older setups had a BMC that controlled power, intercepted one of the serial ports, and could present a file to USB as a virtual DVD. Later versions could also grab the display for KVM capabilities. They generally have a connection to i2c so they can report on measured voltages, temperatures, and fan RPMs as well.

    Unlike the ME, the system was not in any way dependent on the BMC. In fact, older servers had a socket for a BMC sub-board. If you wanted the capability you would buy the board and plug it in. I prefer the current state where it is cheap enough that they just include it on the mainboard. If you don't want it, just configure it to only use the management network connection and then leave it unplugged.

    The advantage is that their reach into the system is quite limited. The BMC (baseboard management controller) couldn't see what was being booted, much less prevent it, for example.

    I've been using that (often in the form of IPMI) to remote manage machines for years, including OS installs. ME brings only risk to the table.

  • (Score: 2, Insightful) by Anonymous Coward on Sunday January 15 2017, @04:07PM

    by Anonymous Coward on Sunday January 15 2017, @04:07PM (#454104)

    Um, everything I have built has had this built in, with no way to disable it, and slowing the boot process (perhaps not much -- but it's there).

    I cannot opt out of getting it, and I can't get the same CPU without this built into it in order to save a few bucks.

    I don't know what you've been building that doesn't have this in it, but my builds are not used eBay equipment. I am not buying Celerons or peons or whatever the low-end hardware has in them these days -- I put Xeons on the desktop and often play games with them. I pay extra for top performance, and this is something I would spend 8 hours searching for an alternative to so I can save $1 on the price, because I do not want to have it available on my hardware.

    In much the same way, I do not want video streaming built into my video card drivers, I do not want additional apps and social feedback enabled. I DON'T WANT THAT. But they charge me for it and I have to accept it, because the only alternatives are from people more skilled than me assembling drivers for free on their own time that don't work as well as the real thing.

    For all of this wisdom of the crowds and social economy, vendors and manufacturers don't care about what people want -- they care about getting people to want things more efficiently. And remote control and remote viewing and telemetry are real great ways to gain insight into that, don't you think?

    AMD and Nvidia building the video streaming stuff into their cards makes it so that vPro and the Intel Management Engine are able to deliver your high-resolution desktop via the modernized NSAKEY -- in hardware. Who needs TEMPEST or packet captures when you can just target a user that regularly reports in because of the drivers, and start streaming? It works great for people not regularly posting to social networks...

    People that manage their own computers are a secretive threat that supports Russia; that is what I learned in the movie WarGames at least! And as entertaining as it was, it's already true that people that take their security and privacy seriously are suspicious and worthy of additional analysis. Baking it into the hardware doesn't make me feel any safer; in fact, it makes me even more paranoid -- but even more pissed that I have to pay for my own shackles.

    • (Score: 0) by Anonymous Coward on Monday January 16 2017, @12:02PM

      by Anonymous Coward on Monday January 16 2017, @12:02PM (#454350)

      but even more pissed that I have to pay for my own shackles.

      It has always been that way. If shackles didn't pay for themselves, they wouldn't have been made.

  • (Score: 3, Touché) by Type44Q on Sunday January 15 2017, @06:00PM

    by Type44Q (4347) on Sunday January 15 2017, @06:00PM (#454122)

    Like this article is the first I've heard about it.

    Perhaps you should be reading rather than posting...

  • (Score: 1) by butthurt on Monday January 16 2017, @01:50AM

    by butthurt (6141) on Monday January 16 2017, @01:50AM (#454223) Journal

    > So easy to remotely reimage a machine.

    What could possibly go wrong?