|
|
Subscribe / Log in / New account

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Posted Aug 29, 2017 21:32 UTC (Tue) by SEJeff (guest, #51588)
Parent article: Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Also of note for people interested in this is a more hack-n-slash approach:

https://github.com/corna/me_cleaner

to post comments

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Posted Aug 30, 2017 1:03 UTC (Wed) by jhoblitt (subscriber, #77733) [Link] (4 responses)

Does stripping down the ME firmware also disable a BMC/IPMI?

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Posted Aug 30, 2017 2:02 UTC (Wed) by mjg59 (subscriber, #23239) [Link] (3 responses)

Machines with BMCs don't tend to have an ME, but in the cases that do, no - they're entirely separate.

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Posted Aug 30, 2017 10:20 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

Machines with BMCs don't tend to have a ME *with AMT in it*, but as I understand it all (Intel) machines with BMCs sold in the last few years will have a ME too -- you need some of it (BUP in particular) just to bring up the CPU. The ME will not bother to ship AMT, does very little after boot other than perhaps providing the TPM and the useless 'protected media path' stuff, and will delegate a lot of its work to the BMC (e.g. bringing up DRAM, etc), but still exists and indeed has dedicated communication channels to the BMC to let the BMC keep track of the state of the part of booting that is the ME's responsibility so it can light up LEDs on the motherboard, etc.

Really this is such a complicated tangle I'm amazed modern servers manage to boot at all. No wonder they take so damn long to do it. I guess it helps that both the ME and the BMC have watchdog timers so if the other one messes up too badly and the boot hangs an immediate reboot-and-try-again can be triggered.

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Posted Aug 30, 2017 16:01 UTC (Wed) by mjg59 (subscriber, #23239) [Link] (1 responses)

Yeah I think I was being overly pedantic - enterprise Xeons run the SPS stack rather than the ME stack, but there's still something implementing much the same functionality (though I don't think PTT or protected media path are typically provided on those boards?)

Disabling Intel ME 11 via undocumented mode (Positive Technologies)

Posted Aug 30, 2017 19:04 UTC (Wed) by rahvin (guest, #16953) [Link]

I believe what your talking about is the interface software not the underlying ME in the CPU. Every Intel CPU since 2008 has included an ME and only Intel knows what is running on it or if it varies between chips because it's not open source and Intel doesn't release any details about it.

Which is part of the reason it's such a major security vulnerability. It's unknown and untested code running on a CPU the user has no control over that has DMA access and can override the main CPU. It can copy any data off the system and send it wherever it wants and the only way to block it would be to firewall it externally because the host OS would never see the communication. I understand the Enterprise idea behind these things but the code should be open source and updateable because there is as big of a security vulnerability here than there is in the awful IPMI BMC linux stacks that are out there. One of these days the Blackhats are going to start probing these things and I have no doubt there is going to be vulnerability after vulnerability that's going to allow blackhats to take completely control of connected computers. It will make the Mirari botnet look like childs play.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds