The Trouble With Intel's Management Engine (hackaday.com)

← Back to Stories (view on slashdot.org)

The Trouble With Intel's Management Engine (hackaday.com)

Posted by Soulskill on Friday January 22, 2016 @06:54AM from the probably-not-NOx-emissions dept.

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.

10 of 106 comments (clear)

Min score:

Reason:

Sort:

Stopped reading after... by CajunArson · 2016-01-22 06:59 · Score: 5, Insightful

Stopped reading the conspiracy rant after this delicious gem:

Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

--
AntiFA: An abbreviation for Anti First Amendment.
1. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:15 · Score: 4, Interesting
  
  IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
  Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
2. Re:Stopped reading after... by red_dragon · 2016-01-22 07:23 · Score: 4, Informative
  
  Given that the ARM core in AMD APUs conform to ARM TrustZone, which seems better documented than IME, I'd assume that yes, AMD documents it.
  
  --
  In Soviet Russia, Jesus asks: "What Would You Do?"
3. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:25 · Score: 5, Funny
  
  ...with absolutely no visibility by anyone outside of Intel or without strict NDAs...
  Not true. As one who is under strict NDA, I'm pretty sure that Intel doesn't even know how it works or what it does.
4. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:27 · Score: 4, Informative
  
  It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.
5. Re:Stopped reading after... by CajunArson · 2016-01-22 08:38 · Score: 3, Informative
  
  Maybe you should actually learn about AMD's product lineup: http://www.anandtech.com/show/...
  Yes, in the year 2012 it was a futuristic feature. Then 2013 happened. Where have you been?
  
  --
  AntiFA: An abbreviation for Anti First Amendment.
6. Re:Stopped reading after... by Gr8Apes · 2016-01-22 11:20 · Score: 4, Informative
  
  As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?
  EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead.
  
  BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.
  
  Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.
  BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.
  Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.
  
  --
  The cesspool just got a check and balance.
IME is powerful, but a nightmare to mess with by Anonymous Coward · 2016-01-22 06:59 · Score: 3, Informative

Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
Re:The copy writes itself by jandrese · 2016-01-22 07:49 · Score: 4, Informative

AMD calls their version of the IME the "Platform Security Processor (PSP)".

One of the side effects is that open source BIOS projects are effectively dead for desktops.

--

I read the internet for the articles.
Re:The copy writes itself by Anonymous Coward · 2016-01-22 14:27 · Score: 3, Informative

The PSP is nothing like IME. IME is a dedicated chip for remote management, which you can't touch.
PSP is simply a separate ARM core that you can control, including running a separate OS. The PSP ARM core, in turn, has a common ARM feature called TrustZone, which provides very strong security guarantees for the software running inside the TrustZone. Again, you control how this is configured and what software runs in the TrustZone.
I don't know about the PSP specifically, but most ARM chips with TrustZone also support something called HAB (High Assurance Boot), which is basically a secure boot mechanism like TPM. It allows you to set a public key used to verify the boot image, and using e-fuses you can programmatically make the public key immutable.
But ARM chips almost always come without any firmware pre-configured. The whole thing is a clean slate. The intention is for people (usually companies) to build their own special-purpose applications using these capabilities, and usages very widely.
IME, by contrast, is just pure evil. If you're lucky, the IME controller is only tied into a particular NIC, in which case you should make sure to _never_ plug anything into that NIC--perhaps fill it with glue. That doesn't solve all the issues--theoretically an attacker could tickle bugs in the IME purely from running in user space on the main CPU--but it closes a huge security hole. Yes, attackers have remotely broken into servers via IME, in some cases just by using the default passwords.