Slashdot Mirror
The Trouble With Intel's Management Engine (hackaday.com)
szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.
Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
What do you mean "if"?
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits
Given that the ARM core in AMD APUs conform to ARM TrustZone, which seems better documented than IME, I'd assume that yes, AMD documents it.
In Soviet Russia, Jesus asks: "What Would You Do?"
It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.
AMD calls their version of the IME the "Platform Security Processor (PSP)".
One of the side effects is that open source BIOS projects are effectively dead for desktops.
I read the internet for the articles.
Yeah, that's a big difference between "turn on power" and "here's a HTTP SERVER running while in sleep"
Previous parent is intentionally deceptive trying to blur the line. Shitty.
Maybe you should actually learn about AMD's product lineup: http://www.anandtech.com/show/...
Yes, in the year 2012 it was a futuristic feature. Then 2013 happened. Where have you been?
AntiFA: An abbreviation for Anti First Amendment.
As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?
EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead.
BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.
Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.
BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.
Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.
The cesspool just got a check and balance.
The PSP is nothing like IME. IME is a dedicated chip for remote management, which you can't touch.
PSP is simply a separate ARM core that you can control, including running a separate OS. The PSP ARM core, in turn, has a common ARM feature called TrustZone, which provides very strong security guarantees for the software running inside the TrustZone. Again, you control how this is configured and what software runs in the TrustZone.
I don't know about the PSP specifically, but most ARM chips with TrustZone also support something called HAB (High Assurance Boot), which is basically a secure boot mechanism like TPM. It allows you to set a public key used to verify the boot image, and using e-fuses you can programmatically make the public key immutable.
But ARM chips almost always come without any firmware pre-configured. The whole thing is a clean slate. The intention is for people (usually companies) to build their own special-purpose applications using these capabilities, and usages very widely.
IME, by contrast, is just pure evil. If you're lucky, the IME controller is only tied into a particular NIC, in which case you should make sure to _never_ plug anything into that NIC--perhaps fill it with glue. That doesn't solve all the issues--theoretically an attacker could tickle bugs in the IME purely from running in user space on the main CPU--but it closes a huge security hole. Yes, attackers have remotely broken into servers via IME, in some cases just by using the default passwords.