SoylentNews is people

posted by janrinok on Sunday January 15 2017, @12:21AM
from the where-there-is-a-will,-there-is-a-way dept.

In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:

Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.

Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.

Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.

Looks like I may not have to go ARM on my next desktop build after all.


  • (Score: 2) by jmorris on Monday January 16 2017, @08:34PM

    by jmorris (4844) on Monday January 16 2017, @08:34PM (#454498)

    We need to focus our agitation on that, to demand that the hardware in these systems be fully documented, that the key systems support multiple keys and the ability to add / remove keys in a secure way.

    Reread what I wrote, reposted above. The management engines are too useful, demanding they be entirely eliminated is not going to happen. Entirely independent IPMI plug in boards suffer most of the same problems (if installed) and cost enough more that integrating it into the chipset is going to be a winning economic move. Demanding they be fully documented and put under the control of corporate IT is an idea they could pretty easily be convinced is a good one and buy into. The "enthusiast" and home market is shrinking / collapsing so the needs of the corporate customer are going to win any argument with Intel / AMD as to what features are important. Get a few Fortune 500 IT directors to announce that an open, documented and rekeyable management engine would be an instant decisive feature in a buying decision and it is a pretty safe bet AMD would play ball. If they do, Intel will quickly be dragged along.

    Remember, you can be 100% RMS pure or you can actually change the world, rarely can you do both. We need the corporate types to buy in to this fight. And this time we can be 99% RMS pure if we pitch it right so it isn't really a hard decision. We won't ever secure our IT infrastructure without some serious rethinking, properly applied crypto enforced lockdown is probably going to be a part of any successful solution. The current lockdown implementation actually makes us less secure though. We only have to truthfully communicate that to the people in positions to influence big enough purchasing decisions to outweigh the pressure coming from the spooks and big media. Securing the banks and critical infrastructure should be more important than making Netflix streams 100% unrecordable on 100% of hardware sold. If we can't sell that we suck and deserve to lose.

  • (Score: 1) by Burz on Thursday January 19 2017, @06:12AM

    by Burz (6156) on Thursday January 19 2017, @06:12AM (#455918)

    The reason why we're having this discussion is that yes, indeed, the industry is "going there"... trying to spy on and manipulate every last aspect of an individual's life. The other aspects of computing products are divided between the competent, useful bits and the incompetent f-ckery. What we're seeing already on the horizon is mostly an unsavory mixture of manipulation and f-ckery (the competence is mostly focused on manipulation).

    ME's aren't "too useful". That's an idiotic position when other architectures operate fine without it. The only truly useful aspect of ME is TXT that allows a machine to verify itself to a user (yes, you read that right). Now, tell me that can't be done without a general purpose extra-processor and its idiotic radio/Internet connection.

    RMS is right. At least in the sense that there will have to be fully open and viable hardware designs--with fabs that are open to auditing--to keep the proprietary vendors honest. And for that to happen, open hardware will have to claim a really large chunk of the 'market'. You look at the security-focused distros like Qubes, even when they got into this swearing that proprietary=fine, now see the writing on the wall... the security focus is now paramount, and it converts the most ardent proprietor.

    So mewl about "purity" all you want. It won't convince anyone studying today's critical problem spaces that their Bitcoin or other ops are safe in the hands of either MS *or* Intel. Give them a few thousand bits or logic gates to rule with, and they will f-ck us all over with them if they are unchallenged (and do NOT preach to me about 'competition' between corporate players).