
posted by Fnord666 on Friday September 01 2017, @09:08AM
from the idle-hands-devil's-playthings dept.

Positive Technologies has posted an interesting article about disabling the Intel Management Engine 11 via an undocumented mode.

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

[...] Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.

[...] Unfortunately, analysis of Intel ME 11 was previously impossible because the executable modules are compressed by Huffman codes with unknown tables. Nonetheless, our research team (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) managed to recover these tables and created a utility for unpacking images. The utility is available on our GitHub page.

Hey, the government isn't the only one who wants "high assurance" for their computers. We trolls and average peons would like to think our systems are secure as well.

But it gets better.

Intel allows motherboard manufacturers to set a small number of ME parameters. For this, the company provides hardware manufacturers with special software, including utilities such as Flash Image Tool (FIT) for configuring ME parameters and Flash Programming Tool (FPT) for programming flash memory directly via the built-in SPI controller. These programs are not provided to end users, but they can be easily found on the Internet.

From these utilities, you can extract a large number of XML files (detailed description of the process). These files contain a lot of interesting information: the structure of ME firmware and description of the PCH strap, as well as special configuration bits for various subsystems integrated into the PCH chip. One of the fields, called "reserve_hap", drew our attention because there was a comment next to it: "High Assurance Platform (HAP) enable".

[Ed Note - The fine article contains the following disclaimer:

Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.

You've been warned.]


  • (Score: 4, Insightful) by The Mighty Buzzard on Friday September 01 2017, @10:26AM (11 children)

    by The Mighty Buzzard (18) on Friday September 01 2017, @10:26AM (#562454)

    Yup. I hate dropping cash to Intel because their price:value ratio is shit compared to AMD's currently but if I can have a new CPU that I am the boss of that'll make up for the cost difference.

    --
    My rights don't end where your fear begins.
  • (Score: 5, Insightful) by Hyperturtle on Friday September 01 2017, @04:05PM (10 children)

    by Hyperturtle (2824) on Friday September 01 2017, @04:05PM (#562567)

    Why are you going to reward them for providing you a benefit because of a mistake?

    This *will* get sealed up with an update--either via Windows 10 automandatory-for-security purposes, via some bios update that claims to do something else, or just on new hardware that simply won't have this option -- just like all of their previous hardware that only was exploitable once exploits were found.

    Stating that this sways your decision "to give them money" seems like the wrong metric is being used, at least based on the context.

    Do yourself a favor and buy something used; don't let them profit from their eventual correcting of their mistake by rewarding them directly.

    This is no different to me than if someone said that because some hack in a savegame file allowed for the PS3 to run an alternate OS again, Sony products are suddenly worth buying again. No they aren't--at least not brand new consoles and not because of a mistake that unexpectedly enables a feature they thought they stamped out.

    Intel(Sony) already had made the decision to take away user control. They have made no statement suggesting they want to give control back. Exploits get patched, and what can't get patched easily will be fixed in the next product. Preventing the patches can get challenging as the OSes mature.

    And Windows 10, as we know, can do ever greater and greater invasive checks--and enforcement.

    I imagine that some people will find, perhaps if this is done on major brand hardware (as opposed to a DIY computer/motherboard)--then using the right ME firmware module settings will be enforced unless via corporate control. Some INF will be downloaded in the background without asking. Then after the next reboot, a check will determine you're not compliant--no properly functioning OS for you on next bootup, contact your administrator for assistance.

    It's not like Windows hasn't remotely bricked machines before because it didn't like bios changes.

    Or maybe I am just paranoid--but it seems I am not alone in that regard.

    • (Score: 3, Interesting) by The Mighty Buzzard on Friday September 01 2017, @04:32PM (3 children)

      by The Mighty Buzzard (18) on Friday September 01 2017, @04:32PM (#562577)

      Because ARM chips won't play the games I want to play and parts for my Phenom II x6 box aren't going to be replaceable forever.

      Besides, I don't/never will run Windows 10 and why would I update the bios on a working system?

      And if you think they won't leave this feature built into all future chips, you've underestimated how many chips the NSA buys by quite a lot.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by KiloByte on Saturday September 02 2017, @10:16AM (1 child)

        by KiloByte (375) on Saturday September 02 2017, @10:16AM (#562895)

        my Phenom II x6 box

        While this box starts getting long in the tooth, it's the fastest machine included in the recent reverse-engineering of AMD microcode. Thus, we're going to be having some fun if we don't upgrade.

        --
        Ceterum censeo systemd esse delendam.
        • (Score: 2) by Hyperturtle on Wednesday September 20 2017, @04:51PM

          by Hyperturtle (2824) on Wednesday September 20 2017, @04:51PM (#570704)

          Yes-- this is what I mean by bios upgrades and associated 'hacks'.

          There is a lot of potential to add features to otherwise old hardware with the community surrounding keeping the platforms alive.

          It is even possible to update the 'OROMS' or 'option roms' -- like for the Intel ME discussed, or the RST(e) (disk drive controllers), the network cards, even the E-SATA controller if one is present--sometimes USB-3 chipsets as well are influenced.

          A good place to start looking is the 'win-raid forum', which has many people from all over the spectrum working on how to get more out of what they have--sometimes contributing modifications, sometimes providing instructions, or links to tools. (I've donated a few bucks there like I have here--there are some great technical references there that are much harder to find outside of their forum.)

          The site doesn't host anything directly, since the changes can be questionable as far as who owns the code in a given modification described, so keep in mind that caveat emptor very much applies.

      • (Score: 3, Interesting) by Hyperturtle on Saturday September 02 2017, @09:15PM

        by Hyperturtle (2824) on Saturday September 02 2017, @09:15PM (#563019)

        Oh, updating the BIOS on a working system is a risk... But I've modded in new microcodes and option rom features, like backporting Xeon microcodes into my motherboard and allowing NVMe storage to work natively via the installation of updated Intel RST rom codes. I've ended up with a number of custom roms on my hardware, depending on what I have been able to get things to do and what I've found floating around on-line that would work with a given chipset.

        There are lots of reasons to update your bios, but I guess our mutual definition of "update the bios" is different -- I would 'upgrade' my bios.

        I wouldn't likely update my bios, as you suggest, on a working system that has nothing wrong, unless there was something I specifically needed or wanted to enable that I can't get otherwise.

        Anyway, NVMe on an X79 platform is pretty fantastic. It's something that otherwise just isn't supported on the X79 platform and there are no X79's with built in M.2 ports for NVMe. Without the bios mod, I'd have to settle for M.2 to PCIe with AHCI protocol support for the storage (like a SATA SSD), but now I can run NVMe natively and it's far faster than my original storage. I only had to tinker a bit and then buy the storage.

        There's lots of great hacks you can do to older gear... but I will concede it's sometimes way more convenient to just buy something that already works without having to void the warranty of what you already have, or risk blowing up the only one you've got trying to squeeze more out of it.

    • (Score: 4, Interesting) by jmorris on Friday September 01 2017, @04:46PM (2 children)

      by jmorris (4844) on Friday September 01 2017, @04:46PM (#562582)

      Read the article before saying something dumb. Intel confirmed the existence of the feature. They won't remove a feature that is a requirement by a large volume buyer like the U.S. Gov because that would be so dumb there isn't language to express the concept with.

      What we should be pushing for is for motherboard makers to expose that knob in BIOS. We fought the CPUID and they did it, we just have to make sufficient noise that one of them sees an opportunity to move some additional units in a stagnant market. Now is the time, we have the whip hand.

      These things are out of control. Did you read that description? Three (3) 486 class processors inside the chipset that we know almost nothing about and are cryptographically locked out of ever controlling? Shut it down!

      Next we have to make AMD give us an escape mode too.

      • (Score: 1, Interesting) by Anonymous Coward on Friday September 01 2017, @10:52PM

        by Anonymous Coward on Friday September 01 2017, @10:52PM (#562759)

        The solution to this (sadly not for TMB there with his x86 videogame addiction..) is crowdfunding ACTUAL desktop chips.

        Hell, find out if there are any design copyrights still being enforced on Socket 7/SS7 and use that. Depending on the unused pins (if any) we could even run multiprocessor support off the same socket, while providing single or dual socket boards that were electrically compatible with vintage Pentium processors. And Socket 7 should be good for at least 266 MHz, maybe more before running into the power/ground plane issues that led to the jump to 423/478/775.

        All the ancillary tech is out of patent if not copyright, SDRAM and DDR chips are both cheap enough for low production run systems at reasonable affordable rates.

        Won't be a shiny modern x86 or ARM system in power, price, or performance, but just look at where bitcoin took mining development there. If you built a first generation, even if it isn't that great, you can get people jumping on the bandwagon for future generations if it is something they are willing to continue throwing money at to buy, whether for profit or privacy. Obviously you aren't going to be selling lots of 2k-10k computer systems like they were able to with mining rigs, but if you aim for a 100-500 dollar price, carefully budget to step down pricing on old models as demand increases and new models can be added, you should have no trouble getting market share in the tens to hundreds of thousands of units. Not much by modern computer sales standards, but numbers that were quite good in years past, even when motherboards/CPUs were only in the 150 dollar range each. And thanks to modern electronics sales and design most of the components can be bought/built for far less than those older parts were, especially if you can tape on older processors like 180nm (like the Propeller 2 is planning to, and which was used for... the Pentium 3 era processors? Capable of up to 1.5 GHz with a 512k cache onboard. Maybe more given modern process technology or a carefully designed prefetcher.

      • (Score: 2) by Hyperturtle on Saturday September 02 2017, @08:41PM

        by Hyperturtle (2824) on Saturday September 02 2017, @08:41PM (#563010)

        I agree with everything you say, from the context you've stated it. My context was for end users being unable to exploit this in the long term, because the process will change, and the power of control will end up back where it was supposed to be. I never suggested the people that wanted the features were going to somehow be without it because their firmware secrets are now known.

        And why call me dumb? I can't say I've stated the same about you. Lighten up.

    • (Score: 0) by Anonymous Coward on Friday September 01 2017, @10:21PM

      by Anonymous Coward on Friday September 01 2017, @10:21PM (#562744)

      Buy the systems used. Most used Intel/AMD hardware can be purchased for a pittance after the next generation comes out (not every gen obviously, and some of the newer gens have retained their value quite well.)

      Like TMB, AM3 is my primary, but motherboards are already unavailable new locally (and I need to purchase a replacement for a defective 970 for under 100 dollars). On the other hand, with ME stripping available, a lot of previously ignored Intel hardware can also cover the gap for me, including hardware new enough to get version 2 IOMMU support for 'native hardware under virtualization', which has numerous benefits of its own if you can spoof a hardware config that doesn't appear to provide ME/PSP for exploitation.

    • (Score: 2) by PinkyGigglebrain on Friday September 01 2017, @10:58PM (1 child)

      by PinkyGigglebrain (4458) on Friday September 01 2017, @10:58PM (#562761)

      You're only paranoid when "they" aren't really out to get you.

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
      • (Score: 1) by anubi on Saturday September 02 2017, @04:47AM

        by anubi (2828) on Saturday September 02 2017, @04:47AM (#562854)

        I am not afraid of "them" in the sense that "they are out to get me"...

        Rather I feel the internet has some rather nasty characters in it, like a bad area of town, and when I make myself visible, I stand out like a target.

        Asking me to get onto the internet with too much ID showing to me is like asking a businessman to take his daily store's cash receipts, on foot, briefcase in hand, to his bank on the other side of a bad neighborhood - all dressed up in suit and tie, signalling he's carrying money.

        If I am going to use a public internet, I want to be able to identify myself ONLY to those I deem necessary to release that information to. To do anything else, I feel like a jackrabbit in a field of hungry wolves.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]