Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Trouble With Intel's Management Engine (hackaday.com)

Posted by Soulskill on from the probably-not-NOx-emissions dept.

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.

7 of 106 comments (clear)

  1. Stopped reading after... by CajunArson · · Score: 5, Insightful

    Stopped reading the conspiracy rant after this delicious gem:

    Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.

    Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.

    I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Stopped reading after... by Anonymous Coward · · Score: 4, Interesting

      IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.

      Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).

    2. Re:Stopped reading after... by red_dragon · · Score: 4, Informative

      Given that the ARM core in AMD APUs conform to ARM TrustZone, which seems better documented than IME, I'd assume that yes, AMD documents it.

      --
      In Soviet Russia, Jesus asks: "What Would You Do?"
    3. Re:Stopped reading after... by Anonymous Coward · · Score: 5, Funny

      ...with absolutely no visibility by anyone outside of Intel or without strict NDAs...

      Not true. As one who is under strict NDA, I'm pretty sure that Intel doesn't even know how it works or what it does.

    4. Re:Stopped reading after... by Anonymous Coward · · Score: 4, Informative

      It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.

    5. Re:Stopped reading after... by Gr8Apes · · Score: 4, Informative

      As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?

      EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead.

      BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.

      Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.

      BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.

      Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.

      --
      The cesspool just got a check and balance.
  2. Re:The copy writes itself by jandrese · · Score: 4, Informative

    AMD calls their version of the IME the "Platform Security Processor (PSP)".

    One of the side effects is that open source BIOS projects are effectively dead for desktops.

    --

    I read the internet for the articles.