posted by janrinok on Sunday January 15 2017, @12:21AM
from the where-there-is-a-will,-there-is-a-way dept.

In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:

Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into newer generations of Intel motherboards. The good news is that there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.

Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. me_cleaner works not only with free software firmware images like Coreboot/Libreboot but also with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.

Those unfamiliar with the implications of Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.

Looks like I may not have to go ARM on my next desktop build after all.
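The Phoronix summary above says me_cleaner works by removing partitions from the ME firmware image. To make that concrete, here is an added example (not me_cleaner's code, and not from Phoronix or the submitter) of the two steps such a tool has to get right: parsing the ME region's Flash Partition Table, then erasing the unwanted partitions and rewriting the table so it stays consistent. The $FPT layout used (16 bytes of ROM-bypass data, a 32-byte header whose bytes sum to zero modulo 256, then 32-byte entries with a 4-byte name, owner, offset and length) is assumed from public descriptions of the format, the choice of which partitions to keep is a caller-supplied set, and the ME region it operates on is constructed inline, not a real firmware dump.

```python
"""Toy ME region partition stripper.

Added example, NOT me_cleaner's code. The $FPT layout below is an
assumption taken from public descriptions of the format; verify it
against a real dump before trusting any tool built on it.
"""
import struct

FPT_SIG = b"$FPT"
ROMB_LEN = 0x10      # assumed: 16 bytes of ROM-bypass data before the header
HDR_LEN = 0x20       # assumed: 32-byte header
ENTRY_LEN = 0x20     # assumed: 32-byte entries
CHECKSUM_OFF = 0x0B  # assumed: 8-bit checksum byte inside the header
MAX_ENTRIES = 64     # sanity cap so a corrupt count cannot drive a huge loop


def fpt_checksum(header: bytes) -> int:
    """Byte value that makes the header sum to zero mod 256 (assumed rule)."""
    partial = sum(header[:CHECKSUM_OFF]) + sum(header[CHECKSUM_OFF + 1:HDR_LEN])
    return (-partial) & 0xFF


def parse_fpt(region: bytes) -> list:
    """Return the partition entries, validating header and bounds first."""
    hdr = region[ROMB_LEN:ROMB_LEN + HDR_LEN]
    if hdr[:4] != FPT_SIG:
        raise ValueError("no $FPT signature at offset 0x10")
    if sum(hdr) & 0xFF != 0:
        raise ValueError("FPT header checksum mismatch")
    count = struct.unpack_from("<I", hdr, 4)[0]
    if count > MAX_ENTRIES:
        raise ValueError("implausible entry count %d" % count)
    table = ROMB_LEN + HDR_LEN
    table_end = table + count * ENTRY_LEN
    entries = []
    for i in range(count):
        base = table + i * ENTRY_LEN
        raw = region[base:base + ENTRY_LEN]
        name, _owner, off, length = struct.unpack_from("<4s4sII", raw, 0)
        # A partition must lie after the table and inside the region;
        # anything else is corruption (or a hostile image) and we refuse it.
        if length and (off < table_end or off + length > len(region)):
            raise ValueError("partition %r out of bounds" % name)
        entries.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "offset": off,
            "length": length,
            "raw": raw,
        })
    return entries


def strip_partitions(region: bytes, keep=frozenset({"FTPR"})) -> bytearray:
    """Erase every partition not in `keep` and rewrite the table to match.

    Removed partitions are filled with 0xFF (erased flash), their table
    slots are erased too, the entry count is updated and the header
    checksum is recomputed so the result still parses.
    """
    out = bytearray(region)
    entries = parse_fpt(region)
    kept = []
    for e in entries:
        if e["name"] in keep:
            kept.append(e)
        elif e["length"]:
            out[e["offset"]:e["offset"] + e["length"]] = b"\xFF" * e["length"]
    table = ROMB_LEN + HDR_LEN
    old_len = len(entries) * ENTRY_LEN
    out[table:table + old_len] = b"\xFF" * old_len
    for i, e in enumerate(kept):
        out[table + i * ENTRY_LEN:table + (i + 1) * ENTRY_LEN] = e["raw"]
    struct.pack_into("<I", out, ROMB_LEN + 4, len(kept))
    out[ROMB_LEN + CHECKSUM_OFF] = fpt_checksum(out[ROMB_LEN:ROMB_LEN + HDR_LEN])
    return out


def build_sample_region() -> bytes:
    """Constructed 8 KiB ME region with three partitions (not a real dump)."""
    region = bytearray(b"\xFF" * 0x2000)
    parts = [(b"FTPR", 0x400, 0x400, 0x11),
             (b"NFTP", 0x800, 0x800, 0x22),
             (b"MFS\0", 0x1000, 0x1000, 0x33)]
    table = ROMB_LEN + HDR_LEN
    for i, (name, off, length, fill) in enumerate(parts):
        region[off:off + length] = bytes([fill]) * length
        struct.pack_into("<4s4sII12xI", region, table + i * ENTRY_LEN,
                         name, b"\0\0\0\0", off, length, 0)
    hdr = bytearray(HDR_LEN)
    hdr[:4] = FPT_SIG
    # count, header version, entry version, header length, checksum placeholder
    struct.pack_into("<IBBBB", hdr, 4, len(parts), 0x20, 0x10, HDR_LEN, 0)
    hdr[CHECKSUM_OFF] = fpt_checksum(hdr)
    region[ROMB_LEN:ROMB_LEN + HDR_LEN] = hdr
    return bytes(region)


if __name__ == "__main__":
    img = build_sample_region()
    for e in parse_fpt(img):
        print("%-4s offset=0x%05x length=0x%05x" % (e["name"], e["offset"], e["length"]))
    cleaned = strip_partitions(img, keep={"FTPR"})
    print("after strip:", [e["name"] for e in parse_fpt(cleaned)])
```

The bounds check in `parse_fpt` is the part worth copying: a partition table that points outside the region, or back into the table itself, is exactly what a corrupt or tampered image looks like, and a stripping tool that trusts those offsets will write 0xFF over whatever they point at.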



  • (Score: 5, Informative) by sjames (2882) on Sunday January 15 2017, @05:57AM (#454021)

    It's a matter of scope. ME is often abused to prevent a machine from booting what you want it to boot. It also gets its fingers way too deep into the system, allowing various horrible things to exist. It can see and rewrite memory, for example.

    Remote management was a thing long before ME existed. The older setups had a BMC that controlled power, intercepted one of the serial ports, and could present a file to USB as a virtual DVD. Later versions could also grab the display for KVM capabilities. They generally have a connection to i2c so they can report on measured voltages, temperatures, and fan RPMs as well.

    Unlike the ME, the system was not in any way dependent on the BMC. In fact, older servers had a socket for a BMC sub-board. If you wanted the capability you would buy the board and plug it in. I prefer the current state where it is cheap enough that they just include it on the mainboard. If you don't want it, just configure it to only use the management network connection and then leave it unplugged.

    The advantage is that their reach into the system is quite limited. The BMC (baseboard management controller) couldn't see what was being booted, much less prevent it, for example.

    I've been using that (often in the form of IPMI) to remote manage machines for years, including OS installs. ME brings only risk to the table.
