LWN: Comments on "Disabling Intel ME 11 via undocumented mode (Positive Technologies)"
https://lwn.net/Articles/732291/
This is a special feed containing comments posted to the individual LWN article titled "Disabling Intel ME 11 via undocumented mode (Positive Technologies)".
Feed date: Fri, 10 Oct 2025 14:01:32 +0000

----
nix, Fri, 08 Sep 2017 21:02:42 +0000
https://lwn.net/Articles/733276/

Yeah, sorry, I got it backwards -- my motherboard manual states that the BMC starts the ME which then starts the CPU, not the other way round. But that's still Linux booting Linux booting Linux. :)

(I believe that at least some BMCs can function with no (other) CPUs, because my motherboard has a special front panel and mobo light state for 'no CPUs detected'. Those lights are driven by the BMC.)

----
metux, Wed, 06 Sep 2017 00:43:46 +0000
https://lwn.net/Articles/732980/

Did I get this right - they managed to run a modified firmware on the PCH?

That could give us interesting opportunities: put our own OS on it - maybe a barebox, plan9 or linux.

The hard part probably is finding out what the low-level initialization code actually does (IOW: what's necessary to bring up the main CPU). OTOH, I'm sure, sooner or later they'll find out. Hopefully they also find something that can be used as serial console (gpios?)

I'm really looking forward to MACH_X86_PCH ;-)

If we continue this idea, we maybe could even get rid of the whole BIOS/UEFI crap, along w/ ACPI, etc.

The new system could look like some AMP approaches we already have on some embedded platforms:

* own OS on PCH, with serial console (maybe even ssh?)
* does all the power management, clocking, etc, all the really board specific stuff
* provides a virtio interface to the main CPU(s)
* maybe can partition multiple CPUs into separate memory / IO spaces
* maybe can directly talk to storage devices (perhaps SDHC?) for filesystems
* additional functionalities like suspend, board-specific IOs, etc, via 9P channels
* provides an early VGA console

----
rahvin, Sat, 02 Sep 2017 00:59:50 +0000
https://lwn.net/Articles/732684/

Maybe I don't know how IPMI systems work, but I thought the IPMI system was completely separate on its own die with its own flash, hooked in to the bios, video and the USB bus but otherwise completely independent of the CPU (it in fact powers on when plugged in even if the main computer is off, just like ME). One of the strengths of this approach was that no matter what's going on with the computer and CPU, the IPMI can still function. I've always been curious if the IPMI can function without a CPU loaded.

----
nix, Fri, 01 Sep 2017 12:58:28 +0000
https://lwn.net/Articles/732602/

On server-class Linux boxes it is used to boot Linux *twice*, since the BMC usually runs Linux too.

----
Garak, Thu, 31 Aug 2017 00:45:34 +0000
https://lwn.net/Articles/732473/

"I agree completely but I doubt the spooks had any influence on this."

That strikes me as exceptionally naive. I suspect the spooks work at Intel and have many friends and contacts that work at Intel. And in various enterprise software development groups, and related journalistic organizations. The spooks in my estimation have tremendous ability to influence very precisely this sort of thing. To imagine they all choose not to leverage that influence... yeah, can't see it.

"the ME allows you to provision any computer remotely and perform reboots, bios edits and anything else you can think of short of replacing hardware."

I'm skeptical of this assertion. BIOS edits are just writing bits; I'm quite certain that long ago I saw pre-ME era computers that could manage that. Likewise a reboot-on-magic-lancookie KISS alternative for rebooting sounds like something I would trust more. If this was all innocent of any consciousness of decreased security for users, they would let the FOSS community freely analyze and enhance the code. But no, I imagine the spooks are quite happy hoarding that ability as much as they can for as long as they can. And my money is on them having entrenched themselves two layers deeper by the time the FOSS community gets into the security enhancement game of ME code. I mean, we witnessed how the Snowden story was reacted to by the government.

----
rahvin, Wed, 30 Aug 2017 19:04:30 +0000
https://lwn.net/Articles/732431/

I believe what you're talking about is the interface software, not the underlying ME in the CPU. Every Intel CPU since 2008 has included an ME, and only Intel knows what is running on it or if it varies between chips, because it's not open source and Intel doesn't release any details about it.

Which is part of the reason it's such a major security vulnerability. It's unknown and untested code running on a CPU the user has no control over that has DMA access and can override the main CPU. It can copy any data off the system and send it wherever it wants, and the only way to block it would be to firewall it externally because the host OS would never see the communication. I understand the Enterprise idea behind these things, but the code should be open source and updateable, because there is as big a security vulnerability here as there is in the awful IPMI BMC linux stacks that are out there. One of these days the Blackhats are going to start probing these things and I have no doubt there is going to be vulnerability after vulnerability that's going to allow blackhats to take complete control of connected computers. It will make the Mirai botnet look like child's play.

----
rahvin, Wed, 30 Aug 2017 16:53:20 +0000
https://lwn.net/Articles/732411/

I agree completely but I doubt the spooks had any influence on this. It's all enterprise driving this. Although I'm sure the NSA appreciates the vulnerabilities, you need to remember they also have to protect their own systems, and bugs in the ME won't stay in only their hands. It's in their interest to see any bugs patched because of the potential for spying against their own systems.

Enterprise customers are demanding these features; the ME allows you to provision any computer remotely and perform reboots, bios edits and anything else you can think of short of replacing hardware. The big companies want this and they pay Intel's exorbitant fee to turn the ME on, because even though the ME runs at all times you can't actually use it without paying Intel.

----
mjg59, Wed, 30 Aug 2017 16:01:21 +0000
https://lwn.net/Articles/732404/

Yeah, I think I was being overly pedantic - enterprise Xeons run the SPS stack rather than the ME stack, but there's still something implementing much the same functionality (though I don't think PTT or protected media path are typically provided on those boards?)

----
fratti, Wed, 30 Aug 2017 12:18:31 +0000
https://lwn.net/Articles/732364/

I heavily doubt this. ME isn't on the huge numbers of ARM devices such as Android phones, and AMD doesn't use ME either (but their own equivalent solution, which likely doesn't run MINIX). It also doesn't apply to the huge number of older Intel CPUs still out there; remember that especially in developing countries, people won't be running the latest hardware.

If ME11 was older and smartphones hadn't happened, you'd probably be right.

That being said, MINIX being used to boot Linux is already funny enough in and of itself.

----
nix, Wed, 30 Aug 2017 10:20:59 +0000
https://lwn.net/Articles/732360/

Machines with BMCs don't tend to have a ME *with AMT in it*, but as I understand it all (Intel) machines with BMCs sold in the last few years will have a ME too -- you need some of it (BUP in particular) just to bring up the CPU. The ME will not bother to ship AMT, does very little after boot other than perhaps providing the TPM and the useless 'protected media path' stuff, and will delegate a lot of its work to the BMC (e.g. bringing up DRAM, etc), but still exists and indeed has dedicated communication channels to the BMC to let the BMC keep track of the state of the part of booting that is the ME's responsibility, so it can light up LEDs on the motherboard, etc.

Really this is such a complicated tangle I'm amazed modern servers manage to boot at all. No wonder they take so damn long to do it. I guess it helps that both the ME and the BMC have watchdog timers, so if the other one messes up too badly and the boot hangs, an immediate reboot-and-try-again can be triggered.

----
mjg59, Wed, 30 Aug 2017 02:02:45 +0000
https://lwn.net/Articles/732334/

Machines with BMCs don't tend to have an ME, but in the cases that do, no - they're entirely separate.

----
ncm, Wed, 30 Aug 2017 01:44:25 +0000
https://lwn.net/Articles/732333/

It's reprehensible that Intel has not published utilities, themselves, to turn off ME and its backdoor vulnerabilities. Reprehensible, negligent, possibly actionable? It wouldn't be surprising if it turned out the spooks already rely heavily on ME for back doors; we will know for sure if the lawsuits are blocked. But for victims of the built-in vulnerabilities to have standing for such a suit, it seems not enough, in American courts, that the vulnerabilities are designed in; there need to be exploits in the wild causing measurable harm.

----
jhoblitt, Wed, 30 Aug 2017 01:03:59 +0000
https://lwn.net/Articles/732332/

Does stripping down the ME firmware also disable a BMC/IPMI?

----
jhoblitt, Wed, 30 Aug 2017 01:02:00 +0000
https://lwn.net/Articles/732331/

So at what point is the ME going to need a complete embedded system to boot it? It's MEs all the way down...

----
ewan, Tue, 29 Aug 2017 23:00:58 +0000
https://lwn.net/Articles/732327/

On a side note, this probably makes Minix one of the world's most widely deployed OSes.

Who saw *that* coming?

----
SEJeff, Tue, 29 Aug 2017 21:32:36 +0000
https://lwn.net/Articles/732312/

Also of note for people interested in this is a more hack-n-slash approach:

https://github.com/corna/me_cleaner