
posted by janrinok on Sunday January 15 2017, @12:21AM
from the where-there-is-a-will,-there-is-a-way dept.

In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:

Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.

Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.

Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.

Looks like I may not have to go ARM on my next desktop build after all.
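As an added example, not me_cleaner's own code and not part of the Phoronix article, here is a small Python model of the partition-stripping step the summary describes: it builds a constructed ME region with a `$FPT` partition table, lists the partitions, and blanks every one except `FTPR`, the fundamental partition holding the ME kernel that me_cleaner keeps. The header layout used (magic at region offset 0x10, entry count at +0x04, 32-byte entries from +0x30 with partition offset and length at +0x08 and +0x0C) follows the public `$FPT` format as I understand it and should be treated as an assumption; real images also carry a header checksum and extra entry fields that a tool must maintain, and me_cleaner removes the table entries themselves rather than only blanking partition bodies.

```python
"""
Toy model of deblobbing an Intel ME region by partition stripping.
Added example; the region built here is CONSTRUCTED, and the $FPT layout
constants below are assumptions based on the public format description.
"""
import struct

FPT_MAGIC = b"$FPT"
FPT_HEADER_AT = 0x10      # the $FPT header sits 16 bytes into the ME region (assumed)
ENTRIES_AT = 0x30         # first partition entry, relative to the header (assumed)
ENTRY_SIZE = 0x20         # each entry is 32 bytes: name, owner, offset, length, ...
KEEP = {b"FTPR"}          # partitions that must survive (me_cleaner keeps FTPR)


def build_region(partitions):
    """Construct a toy ME region: padding, $FPT header, entries, then partition bodies.
    `partitions` is a list of (4-byte-or-shorter name, payload bytes)."""
    body_start = FPT_HEADER_AT + ENTRIES_AT + ENTRY_SIZE * len(partitions)
    region = bytearray(b"\xff" * FPT_HEADER_AT)
    header = bytearray(ENTRIES_AT)
    header[0:4] = FPT_MAGIC
    struct.pack_into("<I", header, 4, len(partitions))   # entry count
    region += header
    entries, bodies = bytearray(), bytearray()
    for name, payload in partitions:
        offset = body_start + len(bodies)                 # offsets are region-relative
        entry = bytearray(ENTRY_SIZE)
        entry[0:4] = name.ljust(4, b"\x00")
        struct.pack_into("<II", entry, 8, offset, len(payload))
        entries += entry
        bodies += payload
    return bytes(region + entries + bodies)


def parse_fpt(region):
    """Return [(name, offset, length)] from the $FPT table; raise on a malformed table."""
    hdr = FPT_HEADER_AT
    if region[hdr:hdr + 4] != FPT_MAGIC:
        raise ValueError("no $FPT header at the expected offset")
    count = struct.unpack_from("<I", region, hdr + 4)[0]
    parts = []
    for i in range(count):
        at = hdr + ENTRIES_AT + i * ENTRY_SIZE
        name = region[at:at + 4].rstrip(b"\x00")
        offset, length = struct.unpack_from("<II", region, at + 8)
        if offset + length > len(region):                 # refuse to trust a bad table
            raise ValueError(f"partition {name!r} extends past the region")
        parts.append((name, offset, length))
    return parts


def strip_partitions(region, keep=KEEP):
    """0xFF-fill the body of every partition not in `keep`.
    Returns (new_region, names_removed); the table itself is left in place."""
    out = bytearray(region)
    removed = []
    for name, offset, length in parse_fpt(region):
        if name in keep:
            continue
        out[offset:offset + length] = b"\xff" * length
        removed.append(name)
    return bytes(out), removed


def partition_body(region, name):
    """Fetch a partition's bytes by name, for checking what survived."""
    for n, offset, length in parse_fpt(region):
        if n == name:
            return region[offset:offset + length]
    raise KeyError(name)


if __name__ == "__main__":
    # Constructed sample: a kernel partition plus two that a stripping tool would drop.
    sample = build_region([(b"FTPR", b"K" * 64), (b"NFTP", b"N" * 32), (b"MFS", b"M" * 16)])
    stripped, gone = strip_partitions(sample)
    print("partitions:", [p[0] for p in parse_fpt(sample)])
    print("blanked:", gone)
```

Running the script prints the partition names found and the ones that were blanked; the bounds check in `parse_fpt` is the part worth keeping in mind, since a tool that writes back a region must never trust offsets and lengths from the table without checking them against the region size.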



Related Stories

Intel Management Engine Hacked Using USB 23 comments

It looks like it's nearly game over for the Intel Management Engine:

Positive Technologies, which in September said it has a way to attack the Intel Management Engine, has dropped more details on how its exploit works.

The firm has already promised to demonstrate [a] God-mode hack in December 2017, saying the bug "allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard".

For some details, we'll have to wait, but what's known is bad enough: Intel Management Engine (IME) talks to standard Joint Test Action Group (JTAG) debugging ports. As [does] USB, so Positive Technologies researchers put the two together and crafted a way to access IME from the USB port.

[...] The latest attack came to Vulture South's attention via a couple of Tweets:

Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG

— Maxim Goryachy (@h0t_max) November 8, 2017

Full access the Intel ME( >=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___

— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017

The linked blog post [in Russian] explains that since Skylake, the PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces that used to need specialised equipment. The new capability is DCI, Direct Connect Interface.

Reddit discussion linked by LoRdTAW in a journal.

Previously: Intel Management Engine Partially Defeated
Disabling Intel ME 11 Via Undocumented Mode
How-To: Disabling the Intel Management Engine
Andrew Tanenbaum's Open Letter to Intel About MINIX 3



Andrew Tanenbaum's Open Letter to Intel About MINIX 3 45 comments

Professor Andrew S. Tanenbaum from the Department of Computer Science at Vrije Universiteit Amsterdam wrote "An Open Letter to Intel" regarding Intel's use of MINIX 3 to run the Intel Management Engine (video) built into their processors:

Thanks for putting a version of MINIX 3 inside the ME-11 management engine chip used on almost all recent desktop and laptop computers in the world. I guess that makes MINIX the most widely used computer operating system in the world, even more than Windows, Linux, or MacOS. And I didn't even know until I read a press report about it. Also here and here and here and here and here (in Dutch), and a bunch of other places.

[...] Note added later: Some people have pointed out online that if MINIX had a GPL license, Intel might not have used it since then it would have had to publish the modifications to the code. Maybe yes, maybe no, but the modifications were no doubt technical issues involving which mode processes run in, etc. My understanding, however, is that the small size and modular microkernel structure were the primary attractions. Many people (including me) don't like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel's business decision and a separate issue from the code it runs. A company as big as Intel could obviously write its own OS if it had to. My point is that big companies with lots of resources and expertise sometimes use microkernels, especially in embedded systems. The L4 microkernel has been running inside smartphone chips for years.

Professor Tanenbaum did the initial design and development of MINIX, a microkernel used primarily for teaching. He has helped guide it through the years as a small community around it has grown. Lately it has adopted much of the NetBSD userspace. The IME is a full operating system running inside x86 computers. It gets run before whatever system is on the actual hard disk even starts booting.

PSPtool Allows Further Investigation of AMD's Platform Security Processor 11 comments

AMD Secure Technology PSP Firmware Now Explorable, Thanks to Researcher's Tool

A security researcher this week released the PSPtool, a software tool that "aims to lower the entry barrier for looking into the code running" on the AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, and other AMD subsystems. The PSP serves similar functions to those of Intel's Management Engine (ME) processor. However, just like the Intel ME, the secretive and undocumented nature of the chip worries security and privacy advocates.

The researcher going by the online name of cwerling described the PSPTool as a "Swiss Army knife" for dealing with the AMD PSP's firmware. The tool is based on reverse-engineering efforts of AMD's proprietary file system that the company uses to pack firmware blobs into UEFI firmware images.

Usually, all firmware blobs can be parsed by another software program called the UEFITool. However, in this case AMD's firmware files are located in padding volumes that can't be parsed by the UEFITool. This is the reason for the PSPTool, which can locate the PSP firmware within UEFI images and parse it. Through this tool, more researchers can look into what their local PSP chip is doing to their computers, as its actions are normally hidden from the operating system or the main processor.

Previously: AMD to Consider Coreboot/Libreboot Support
AMD Confirms its Platform Security Processor Code will Remain Closed-Source

Related: Intel Management Engine Partially Defeated
EFF: Intel's Management Engine is a Security Hazard
Disabling Intel ME 11 Via Undocumented Mode
Intel Management Engine Critical Firmware Update
HP Chip Protects Intel's Management Engine



AMD Confirms its Platform Security Processor Code will Remain Closed-Source 35 comments

Submitted via IRC for TheMightyBuzzard

Since the launch of AMD Ryzen, a small piece of hardware that handles basic memory initialization as well as many security functions has been the center of some controversy. Called the Platform Security Processor (the "PSP" for short) it is essentially an ARM core with complete access to the entire system. Its actions can be considered "above root" level and are for the most part invisible to the OS. It is similar in this regard to Intel's Management Engine, but is in some ways even more powerful.

Why is this a bad thing? Well, let's play a theoretical. What happens if a bug is discovered in the PSP, and malware takes control of it? How would you remove it? (Answer: you couldn't.) How would you know you needed to remove it? (Answer: unless it made itself obvious, you also wouldn't.) This scenario is obviously not a good one, and is a concern for many who asked AMD to open-source the PSP's code for general community auditing.

Bit late to the reporting but we haven't covered it yet, so here it is. And I was so looking forward to a new desktop too. Guess this one will have to stay alive until ARM becomes a viable replacement.

Source: https://www.techpowerup.com/235313/amd-confirms-its-platform-security-processor-code-will-remain-closed-source

Previous:
The Intel Management Engine, and How it Stops Screenshots
Intel x86 Considered Harmful
Of Intel's Hardware Rootkit
Intel Management Engine Partially Defeated
EFF: Intel's Management Engine is a Security Hazard
Malware uses Intel AMT feature to steal data, avoid firewalls


  • (Score: 4, Informative) by driven on Sunday January 15 2017, @12:41AM

    by driven (6295) on Sunday January 15 2017, @12:41AM (#453969)

    Like the AMT application, these DRM applications, which in themselves are defective by design, demonstrate the omnipotent capabilities of the ME: this hardware and its proprietary firmware can access and control everything that is in RAM and even everything that is shown on the screen.

    I won't pretend to know much about CPU internals, but that last statement of its "omnipotent" capability reminded me of the Super Snapshot [pcmuseum.ca] cartridge for Commodore 64 computers. You could freeze execution of whatever was running, debug it, modify it, save it to disk as a runnable snapshot file that would resume the program at the point when it was interrupted. It could even scan memory before and after losing a life in a game and often was able to auto-detect what memory location had to be modified to give you infinite lives. I've always missed that kind of functionality with PCs.
    Sorry, couldn't help take a trip down memory lane. :)

    • (Score: -1, Troll) by Anonymous Coward on Sunday January 15 2017, @12:46AM

      by Anonymous Coward on Sunday January 15 2017, @12:46AM (#453970)

      Blah blah blah.
      Soylentnews is Old people.

      Get with the times, dinosaur! If you don't have an embedded keylogger tweeting everything you text, you're too old to live.

    • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @01:05AM

      by Anonymous Coward on Sunday January 15 2017, @01:05AM (#453973)

      I remember the days when you could manually POKE memory to do codes. But make sure you check the parameters correctly, otherwise you could get some interesting results. I remember a friend of mine that wrote a program that would randomly change the memory of a program just out of curiosity about what would happen.

      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @03:03AM

        by Anonymous Coward on Sunday January 15 2017, @03:03AM (#453993)

        You can still do that.

      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:48AM

        by Anonymous Coward on Sunday January 15 2017, @05:48AM (#454018)

        Now it's called Cortana.

    • (Score: 2) by FatPhil on Sunday January 15 2017, @01:36PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Sunday January 15 2017, @01:36PM (#454074) Homepage
      Yeah, there was something like that for a zx spectrum too. Happy days.
      --
      I know I'm God, because every time I pray to him, I find I'm talking to myself.
  • (Score: 0, Disagree) by Anonymous Coward on Sunday January 15 2017, @01:29AM

    by Anonymous Coward on Sunday January 15 2017, @01:29AM (#453977)

    I'm an open-source loving, Linux using, Fortune 500 IT guy and I'm kind of surprised to see people up in arms about Intel ME/AMT. Like this article is the first I've heard about it.
    I am a huge fan of vPro (AMT/ME specifically) - we now have it on thousands of our machines and the number of literal truck rolls it saves is measurable. So easy to remotely diagnose a computer even if it has a failing motherboard. So easy to remotely reimage a machine.
    That said, this technology is primarily only on business desktops and notebooks as far as I know. If you build your own machine from Newegg or Amazon, it's not going to have this on it. I guess maybe the market came from people buying used business equipment on eBay?

    • (Score: 3, Informative) by Anonymous Coward on Sunday January 15 2017, @01:40AM

      by Anonymous Coward on Sunday January 15 2017, @01:40AM (#453978)

      It's baked into desktop processors. Some have it disabled like the low end i3's and the pentiums. So companies have to shell out more for the i5's. But to my knowledge it is in every i7 and activated.
      Depending on the motherboard you may not even be able to shut it off to the limited degree that uefi allows.

      As of right now it's a storm in a teacup. Theoretically it is possible to use it to put on rootkits that the host OS can't even see at all. But according to all I can find this is all theoretical, and requires physical root access at which point your system is hosed anyway.
      Be warned if you look through the github page and the support page. Using this can and WILL break other things. There are reports of no longer being able to see gpu's(in optimus equipped laptops), lan and wireless cards going poof. And a few cases where the monitor would just up and shut off unless someone had say a fast refreshing game or video running.

    • (Score: 2, Insightful) by Anonymous Coward on Sunday January 15 2017, @02:20AM

      by Anonymous Coward on Sunday January 15 2017, @02:20AM (#453983)

      You're surprised people are upset about this because you're an "open source" advocate and not a free software advocate [gnu.org]; there's a subtle yet important difference between the two. To someone who values freedom, any proprietary software is going to disgust them to some extent.

      • (Score: 5, Insightful) by The Mighty Buzzard on Sunday January 15 2017, @02:51AM

        It's proprietary hardware that you're utterly and completely unable to shut off in this case. It's another CPU running below ring 0 that's able to access memory and peripherals, up to and including activating while the computer is "powered off". It is straight up a hardware rootkit that has been completely impossible to remove and still have a functioning computer. What possible reason could there be for not allowing the disabling of it in home computers besides allowing remote surveillance?

        --
        My rights don't end where your fear begins.
        • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:20AM

          by Anonymous Coward on Sunday January 15 2017, @05:20AM (#454011)

          So is absolute computrace but at least you can supposedly disable that in the Bios/uefi sometimes. UEFI rootkits are what scare me.

        • (Score: 3, Informative) by RamiK on Sunday January 15 2017, @11:28AM

          by RamiK (1813) on Sunday January 15 2017, @11:28AM (#454051)

          What possible reason could there be for not allowing the disabling of it in home computers besides allowing remote surveillance?

          As with the case of HDCP [wikipedia.org], the official rationale is DRM.

          And yeah, it's bull-manure.

          --
          compiling...
      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @02:51AM

        by Anonymous Coward on Sunday January 15 2017, @02:51AM (#453989)

        "open source" advocate and not a free software advocate

        Some call me . . . . . Bruce?

      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:18AM

        by Anonymous Coward on Sunday January 15 2017, @05:18AM (#454010)

        No no, original Anonymous coward here. Sorry I was lazy with my verbiage. FLOSS and Richard Stallman definitely Reigns Supreme in my book. I still rock the copyleft DECSS t-shirt.

      • (Score: 2) by butthurt on Monday January 16 2017, @01:47AM

        by butthurt (6141) on Monday January 16 2017, @01:47AM (#454222) Journal

        Just trolling? Intel have released open-source drivers for their Active Management Technology (which is part of the IME) but the AMT and IME are, if I'm not mistaken, totally closed-source.

        https://sourceforge.net/projects/openamt/ [sourceforge.net]

        Open source proponents share some beliefs with the GNU folks. For instance, they advocate that software should be freely redistributable and that programmers should be allowed to make derivative works.

        https://opensource.org/docs/osd [opensource.org]

        They differ about making proprietary software from free code. There is a GNU licence which permits that, but its use is discouraged.

        https://en.wikipedia.org/wiki/LGPL [wikipedia.org]

    • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @03:02AM

      by Anonymous Coward on Sunday January 15 2017, @03:02AM (#453992)

      Can you share some links that explain how to do some of the stuff you mention? I'd like to try it out and learn more... (yes, I will be Google'n shortly but I'm not certain of what terms to search on so a few links would be helpful to me and perhaps others).

      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:37AM

        by Anonymous Coward on Sunday January 15 2017, @05:37AM (#454016)

        For vPro?
        You want the Open Manageability Developer Tool Kit.
        Get it here: http://www.meshcommander.com/open-manageability [meshcommander.com]
        You will also need a PC with it enabled. The default password is admin which it forces you to change before AMT is active and you will need to pick a strong password. You get into it by pushing ctrl-P when the machine is booting up. All you have to do is change the password and activate in the settings. Then you can remotely control that PC. You can turn on the VNC server in the NIC and VNC to the computer. You need a strong password that is exactly eight characters.

        • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @06:34AM

          by Anonymous Coward on Sunday January 15 2017, @06:34AM (#454025)

          Ok, that's pretty friggin' sweet...

        • (Score: 2) by Scruffy Beard 2 on Sunday January 15 2017, @07:40AM

          by Scruffy Beard 2 (6030) on Sunday January 15 2017, @07:40AM (#454038)

          OK, you said: "You need a strong password that is exactly eight characters."

          That is only about 48 bits of entropy.

          I hope time-outs are implemented.

    • (Score: 5, Informative) by sjames on Sunday January 15 2017, @05:57AM

      by sjames (2882) on Sunday January 15 2017, @05:57AM (#454021) Journal

      It's a matter of scope. ME is often abused to prevent a machine from booting what you want it to boot. It also gets its fingers way too deep into the system, allowing various horrible things to exist. It can see and rewrite memory, for example.

      Remote management was a thing long before ME existed. The older setups had a BMC that controlled power, intercepted one of the serial ports, and could present a file to USB as a virtual DVD. Later versions could also grab the display for KVM capabilities. They generally have a connection to i2c so they can report on measured voltages, temperatures, and fan RPMs as well.

      Unlike the ME, the system was not in any way dependent on the BMC. In fact, older servers had a socket for a BMC sub-board. If you wanted the capability you would buy the board and plug it in. I prefer the current state where it is cheap enough that they just include it on the mainboard. If you don't want it, just configure it to only use the management network connection and then leave it unplugged.

      The advantage is that their reach into the system is quite limited. The BMC (baseboard management controller) couldn't see what was being booted, much less prevent it, for example.

      I've been using that (often in the form of IPMI) to remote manage machines for years, including OS installs. ME brings only risk to the table.

    • (Score: 2, Insightful) by Anonymous Coward on Sunday January 15 2017, @04:07PM

      by Anonymous Coward on Sunday January 15 2017, @04:07PM (#454104)

      Um everything I have built has had this built in, with no way to disable it, and slowing the boot process (perhaps not much -- but it's there).

      I cannot opt out of getting it, and I can't get the same CPU without this built into it in order to save a few bucks.

      I don't know what you've been building that doesn't have this in it, but my builds are not used ebay equipment. I am not buying celerons or peons or whatever the low end hardware has in them these days -- I put xeons on the desktop and often play games with them. I pay extra for top performance and this is something I would spend 8 hours searching for an alternative so I can save $1 on the price, because I do not want to have it available on my hardware.

      In much the same way, I do not want video streaming built into my video card drivers, I do not want additional apps and social feedback enabled. I DONT WANT THAT. But they charge me for it and I have to accept it because the only alternatives are from people more skilled than me assembling drivers for free on their own time that don't work as well as the real thing.

      For all of this wisdom of the crows and social economy, vendors and manufacturers don't care about what people want -- they care about getting people to want things more efficiently. And remote control and remote viewing and telemetry are real great ways to gain insight into that, don't you think?

      AMD and nvidia building in the video streaming stuff in their cards makes it so that way the vpro and intel management engine is able to deliver your high resolution desktop via the modernized NSAkey-- in hardware. Who needs tempest or packet captures when you can just target user that regularly reports in because of the drivers, and start streaming? It works great for people not regularly posting to social networks...

      People that manage their own computers are a secretive threat that support Russia; that is what I learned in the movie WarGames at least! And as entertaining as it was, it's already true that people that take their security and privacy seriously are suspicious and worthy of additional analysis. Baking it into the hardware doesn't make me feel any safer; in fact, it makes me even more paranoid, but even more pissed that I have to pay for my own shackles.

      • (Score: 0) by Anonymous Coward on Monday January 16 2017, @12:02PM

        by Anonymous Coward on Monday January 16 2017, @12:02PM (#454350)

        but even more pissed that I have to pay for my own shackles.

        It has always been that way. If shackles didn't pay for themselves, they wouldn't have been made.

    • (Score: 3, Touché) by Type44Q on Sunday January 15 2017, @06:00PM

      by Type44Q (4347) on Sunday January 15 2017, @06:00PM (#454122)

      Like this article is the first I've heard about it.

      Perhaps you should be reading rather than posting...

    • (Score: 1) by butthurt on Monday January 16 2017, @01:50AM

      by butthurt (6141) on Monday January 16 2017, @01:50AM (#454223) Journal

      > So easy to remotely reimage a machine.

      What could possibly go wrong?

  • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @02:58AM

    by Anonymous Coward on Sunday January 15 2017, @02:58AM (#453990)

    Intel forces this shit on everyone and it takes years to break/disable it. In the next year or two, Intel will replace it with the next generation that is even more hack-proof and then we'll start over. AMT/ME is kinda like cell phones in the sense that it offers really useful utility to those who need it but is also capable of some serious tin-foil-hat shit. Cell phones actually fucking spy on you but society isn't rejecting them. Ditto for AMT/ME. Also, AMD has their own version of this so why aren't we bashing on them as well?

    • (Score: 3, Informative) by The Mighty Buzzard on Sunday January 15 2017, @03:01AM

      Because theirs wasn't the flavor that was semi-disabled?

      --
      My rights don't end where your fear begins.
    • (Score: 2, Funny) by aristarchus on Sunday January 15 2017, @03:50AM

      by aristarchus (2645) on Sunday January 15 2017, @03:50AM (#453996) Journal

      AMD has their own version of this so why aren't we bashing on them as well?

      Good question! Because they don't? Or perhaps you could enlighten us all, in order to begin the AMD bashing. AMD is certainly how I have avoided processor serial numbers and multiplication mistakes and ME and all the other goodness that Intel has thrown at us over the decades.

      --
      The Republikkkan Party is the white-folk party.
      • (Score: 1, Informative) by Anonymous Coward on Sunday January 15 2017, @06:06AM

        by Anonymous Coward on Sunday January 15 2017, @06:06AM (#454023)

        AMD ship with Trustzone, starting in 2015 I believe. The software is 'Pro Control Center'. Not sure if it's only the high end CPUs or the whole line...

        http://techreport.com/news/29121/amd-goes-pro-with-trustzone-enabled-apus [techreport.com]

        http://www.amd.com/en-us/innovations/software-technologies/security [amd.com]

        • (Score: 4, Interesting) by The Mighty Buzzard on Sunday January 15 2017, @11:30AM

          As far as I've been able to dig up, it's the whole line produced after the Phenom II. I'll grant you I didn't dig all that hard though.

          --
          My rights don't end where your fear begins.
          • (Score: 0) by Anonymous Coward on Monday January 16 2017, @05:57PM

            by Anonymous Coward on Monday January 16 2017, @05:57PM (#454443)

            Fam 16h and above, and possibly not EVERY Fam 16h, but definitely all models in laptops or FM2+ desktop processors (Original Desktop FM2, AM3+ and below, and POSSIBLY AM1 don't contain the TrustZone variant. Some of the others may have the older LM32 variant in their southbridges however, which I am not fully versed on as to whether signed or unsigned code is necessary to operate it. There is a C3 presentation from the last couple of years involving reverse engineering and exploiting of the LM32 variant, including running his own code, but not as I remember if it could be injected into a BIOS image and booted 'natively'.)

            AM4 has the same TrustZone based implementation as the previous chips, meaning for anybody sane it is a non-starter compared to Intel. AMD's only two benefits over Intel the past couple of years had been ECC and lack of ME style DRM in the CPU/motherboard chipsets, and they have now eliminated BOTH of those advantages, outside of server chips for the ECC.

            Intel ME is now the 'better' of the two if you get 2 generation old processors or earlier. The TrustZone based kernel doesn't even allow the CPU to boot without being initialized first, and unless it gets proven otherwise, it is a single system image blob in the firmware, rather than a series of blobs like the Intel versions have been up until this point.

            The real solution at this point is open hardware. But every attempt at it so far lacks ambition. There are lots of small embedded CPU derivatives, including RISC-V and SuperH based, but none that have bothered to even implement an old (and out of patent!) memory subsystem, or separate northbridge chip to handle interfacing with quantities of RAM so even a minimally useful desktop/notebook board could be produced. If I didn't know better I would almost think these projects were intentionally placed to make it seem like the economics necessary to produce a CPU ASIC aren't there, even though it has been managed for Bitcoin and a variety of niche processors for other markets (Including the Parallela 'supercomputer on a chip' processor, which got produced but never went beyond the dev board with FPGA interfacing and being slaved to a main processor.)

      • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @08:43AM

        by Anonymous Coward on Sunday January 15 2017, @08:43AM (#454041)

        They didn't choose the company name "intel" for no reason! Not like "Google", which they only chose because "Skynet" was already in use.

    • (Score: 0) by Anonymous Coward on Sunday January 15 2017, @05:29AM

      by Anonymous Coward on Sunday January 15 2017, @05:29AM (#454012)

      I was never able to get AMD DASH to work at all. HP dc6005's.

  • (Score: 4, Insightful) by jmorris on Sunday January 15 2017, @07:12PM

    by jmorris (4844) on Sunday January 15 2017, @07:12PM (#454132)

    These management engines that also act as DRM / lockdown platforms are wonderful tools if in the hands of the rightful owner / admin of a group of machines. The objection is to the inability to actually take ownership of hardware. We need to focus our agitation on that, to demand that the hardware in these systems be fully documented, that the key systems support multiple keys and the ability to add / remove keys in a secure way.

    The default configuration could be very similar to current practice. The chipmaker puts their key in at the top and signed the keys for the BIOS vendor / OEM. This allows a default machine to accept signed updates without any changes in current practices. It would assume the final customer trusts the chipmaker and OEM utterly of course, likely because they lack the inhouse IT infrastructure for any other option.

    To allow the owner to take control, each machine should be required to ship with a physical card containing a password to allow editing the key store. This would allow the savvy shop, or motivated individual, to generate their own keys and if they wanted to, dump ALL of the default ones. This would require them to download the firmware updates and resign them. This would ensure that only updates they wanted to deploy could be installed. And once the open source community had open replacements these could be signed and installed instead of the default vendor ones.

    The scheme above would retain all of the legitimate benefits while at least minimizing the impact of the negatives. The one exception would be DRM, any machine that dropped the chipmaker keys would probably just have to be denied access to "the precious" but in a corporate environment that is probably not a problem since it would allow them to repurpose those DRM locks to protect THEIR precious internal content from being copied out of the organization.
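As an added example, not jmorris's code or any vendor's implementation, here is a small Python model of the owner-controllable key store proposed in the comment above: a store that ships with the chipmaker and OEM keys, accepts an update only if a currently trusted key signed it, and lets the holder of the card password add and remove keys. Signatures are simulated with HMAC-SHA256 tags so the model runs with only the standard library; a real design would use asymmetric signatures so that the verifier holds no signing secret. The card password, key names and firmware bytes are all constructed, and the chipmaker-signs-OEM hierarchy is flattened into two independent slots.

```python
"""
Toy model of an owner-rekeyable firmware key store (added example, not a product).
HMAC tags stand in for signatures; in a real store the slots hold public keys.
"""
import hashlib
import hmac
import secrets

CARD_PASSWORD = "constructed-card-password"   # would be printed on the physical card


def sign(key, image):
    """Stand-in for a firmware signature over the whole image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class KeyStore:
    def __init__(self, card_password):
        # Only a hash of the unlock secret is retained by the store.
        self._unlock_hash = hashlib.sha256(card_password.encode()).digest()
        self._keys = {}     # key_id -> key (stand-in for a trusted public key)
        self.audit = []     # every edit to the store is recorded

    def _check(self, password):
        given = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(given, self._unlock_hash):
            raise PermissionError("key store locked: wrong card password")

    def add_key(self, password, key_id, key):
        self._check(password)
        self._keys[key_id] = key
        self.audit.append(("add", key_id))

    def remove_key(self, password, key_id):
        self._check(password)
        self._keys.pop(key_id, None)
        self.audit.append(("remove", key_id))

    def trusted_ids(self):
        return sorted(self._keys)

    def verify_update(self, image, key_id, tag):
        """Accept an image only if a key that is trusted *right now* produced its tag."""
        key = self._keys.get(key_id)
        if key is None:
            return False
        return hmac.compare_digest(sign(key, image), tag)


def demo():
    """Walk through the scenario in the comment and return what each step decided."""
    chipmaker, oem = secrets.token_bytes(32), secrets.token_bytes(32)
    store = KeyStore(CARD_PASSWORD)
    store.add_key(CARD_PASSWORD, "chipmaker", chipmaker)   # default: vendor keys at the top
    store.add_key(CARD_PASSWORD, "oem", oem)

    firmware = b"constructed firmware image v2"
    vendor_tag = sign(oem, firmware)
    results = {"vendor_before": store.verify_update(firmware, "oem", vendor_tag)}

    # The owner takes control: drop ALL default keys and install their own.
    owner = secrets.token_bytes(32)
    store.remove_key(CARD_PASSWORD, "chipmaker")
    store.remove_key(CARD_PASSWORD, "oem")
    store.add_key(CARD_PASSWORD, "owner", owner)

    # The same vendor update is now rejected, and passes only once the owner re-signs it.
    results["vendor_after"] = store.verify_update(firmware, "oem", vendor_tag)
    results["owner_resigned"] = store.verify_update(firmware, "owner", sign(owner, firmware))

    # Without the card password, nobody (vendor, malware, remote admin) can edit the slots.
    try:
        store.remove_key("guess", "owner")
        results["locked"] = False
    except PermissionError:
        results["locked"] = True
    results["trusted"] = store.trusted_ids()
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point the model makes is in `verify_update`: trust is looked up at verification time, so removing a vendor slot immediately stops that vendor's updates, while the audit list gives the owner a record of every key change.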

    • (Score: 1) by Burz on Monday January 16 2017, @06:10PM

      by Burz (6156) on Monday January 16 2017, @06:10PM (#454446)

      The problem with this thinking is that---besides the boot-time dependency---you have a meta-processor that system programmers aren't familiar with, runs entirely on obscure closed firmware, accesses the net without the OS, and has access to the entire system.

      This is a security risk practically by definition and making it 'play nice' won't help.

      • (Score: 2) by jmorris on Monday January 16 2017, @08:34PM

        by jmorris (4844) on Monday January 16 2017, @08:34PM (#454498)

        We need to focus our agitation on that, to demand that the hardware in these systems be fully documented, that the key systems support multiple keys and the ability to add / remove keys in a secure way.

        Reread what I wrote, reposted above. The management engines are too useful, demanding they be entirely eliminated is not going to happen. Entirely independent IPMI plug in boards suffer most of the same problems (if installed) and cost enough more that integrating it into the chipset is going to be a winning economic move. Demanding they be fully documented and put under the control of corporate IT is an idea they could pretty easily be convinced is a good one and buy into. The "enthusiast" and home market is shrinking / collapsing so the needs of the corporate customer is going to win any argument with Intel / AMD as to what features are important. Get a few Fortune 500 IT directors to announce that an open, documented and rekeyable management engine would be an instant decisive feature in a buying decision and it is a pretty safe bet AMD would play ball. If they do, Intel will quickly be dragged along.

        Remember, you can be 100% RMS pure or you can actually change the world; rarely can you do both. We need the corporate types to buy in to this fight. And this time we can be 99% RMS pure if we pitch it right, so it isn't really a hard decision. We won't ever secure our IT infrastructure without some serious rethinking; properly applied crypto-enforced lockdown is probably going to be a part of any successful solution. The current lockdown implementation actually makes us less secure though. We only have to truthfully communicate that to the people in positions to influence big enough purchasing decisions to outweigh the pressure coming from the spooks and big media. Securing the banks and critical infrastructure should be more important than making Netflix streams 100% unrecordable on 100% of hardware sold. If we can't sell that we suck and deserve to lose.

        • (Score: 1) by Burz on Thursday January 19 2017, @06:12AM

          by Burz (6156) on Thursday January 19 2017, @06:12AM (#455918)

          The reason why we're having this discussion is that yes, indeed, the industry is "going there"... trying to spy on and manipulate every last aspect of an individual's life. The other aspects of computing products are divided between the competent, useful bits and the incompetent f-ckery. What we're seeing already on the horizon is mostly an unsavory mixture of manipulation and f-ckery (the competence is mostly focused on manipulation).

          ME's aren't "too useful". That's an idiotic position when other architectures operate fine without it. The only truly useful aspect of ME is TXT that allows a machine to verify itself to a user (yes, you read that right). Now, tell me that can't be done without a general purpose extra-processor and its idiotic radio/Internet connection.

          RMS is right. At least in the sense that there will have to be fully open and viable hardware designs--with fabs that are open to auditing--to keep the proprietary vendors honest. And for that to happen, open hardware will have to claim a really large chunk of the 'market'. You look at the security-focused distros like Qubes, even when they got into this swearing that proprietary=fine, now see the writing on the wall... the security focus is now paramount, and it converts the most ardent proprietor.

          So mewl about "purity" all you want. It won't convince anyone studying today's critical problem spaces that their Bitcoin or other ops are safe in the hands of either MS *or* Intel. Give them a few thousand bits or logic gates to rule with, and they will f-ck us all over with them if they are unchallenged (and do NOT preach to me about 'competition' between corporate players).