Slashdot Mirror


System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com)

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.

4 of 149 comments

  1. Re: I will only buy non-Intel chips now by lucasnate1 · · Score: 5, Informative

    Too late, AMD has PSP.

  2. Re:If it works by cfalcon · · Score: 4, Informative

    There was new-ish news about this from the summer. A few privacy-minded places are starting to shut the ME down in various ways, some by spoofing the flag the government uses to disable it on its own systems, others in other ways.

  3. Re:If it works by Hal_Porter · · Score: 3, Informative

    It gets worse. Some of them are probably still using Thinkpads, even though they're made by Lenovo. Now you'll say "No worries, if they re-image them they can avoid any spyware Lenovo put in there at the behest of the Chinese government".

    Uh yeah, that won't help. Lenovo uses the Windows Platform Binary feature to reinstall it. Basically you put an executable file into one of the ACPI tables. Windows copies it to disk and then runs it. With Administrator access. Probably more than Administrator access actually - I bet a native executable has more privilege than one running with Administrator rights on the Win32 subsystem does.

    https://www.theregister.co.uk/...

    To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

    The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.

    "During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary," Microsoft's documentation states.

    "The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process."

    Crucially, the WPBT documentation stresses:

    The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a "clean" configuration ... Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.

    Oh dear. Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.

    I.e. even if you reinstall them from a known clean image, they can still regrow the amputated LSE. And even if the LSE is not spyware, it contains exploitable vulnerabilities that a third party could use to install whatever they wanted. Lenovo didn't do this in Thinkpads, but they could.

    At the moment the US is in the midst of media-created paranoia about Russian hackers. Honestly if I were in charge of cybersecurity I'd be a lot more worried that the Chinese spy services would use something like LSE, with or without the cooperation of Lenovo, to spy on sensitive stuff.

    And of course it's not just Lenovo laptops. There's Huawei phones and routers. Or indeed US brands which make routers in China could have either hacked firmware loaded onto them or the Chinese spy agencies could find and stockpile vulnerabilities in the manufacturer's firmware.

    And then you have companies like XiaoMi with their young pioneer uniformed bunny signifying their devotion to the regime, as a Taiwanese friend of mine pointed out.

    https://hungermarketingchina.w...

    If you buy US stuff, you expect the US companies to cooperate with the NSA. If you buy Chinese stuff you expect Chinese companies to cooperate with its Chinese equivalents. XiaoMi's Young Pioneer bunny is a none too subtle sign by the company that they're pro regime and it's not unreasonable to assume if the government asked them to help it out with national security they'd say yes.

    Of course I can see

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
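The WPBT mechanism described in the comment above can be checked from the defender's side: the table is an ordinary ACPI table, so a host can be inventoried for its presence and for the advertised binary location and size before Windows ever runs anything. The Python script below is an added example, not code from this thread, from Lenovo or from Microsoft. Its field layout follows Microsoft's published WPBT specification as recalled here (an assumption; verify against the current document), the sample table bytes are constructed for the test, and the sysfs path is the location where Linux exposes raw ACPI tables (reading it normally requires root).

```python
import os
import struct

# Layout below follows Microsoft's WPBT specification as recalled here
# (assumption, not taken from the thread): a standard 36-byte ACPI header, then
#   uint32  handoff memory size      (size of the platform binary in bytes)
#   uint64  handoff memory location  (physical address of the flat PE image)
#   uint8   content layout           (1 = single flat PE image)
#   uint8   content type             (1 = native user-mode application)
#   uint16  command-line length      (bytes of UTF-16LE arguments, 0 if none)
#   ...     command-line arguments
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")   # 36 bytes
WPBT_BODY = struct.Struct("<IQBBH")              # 16 bytes
LINUX_WPBT_PATH = "/sys/firmware/acpi/tables/WPBT"


def build_sample_wpbt(binary_addr, binary_size, cmdline=""):
    """Construct a sample WPBT blob for exercising the parser (not a real vendor table)."""
    args = cmdline.encode("utf-16-le")
    body = WPBT_BODY.pack(binary_size, binary_addr, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"SAMPLE01", 1, b"TEST", 1)
    table = bytearray(header + body)
    # ACPI checksum: the whole table must sum to 0 mod 256; byte 9 is the checksum field.
    table[9] = (-sum(table)) & 0xFF
    return bytes(table)


def parse_wpbt(table):
    """Parse a WPBT blob; raise ValueError if it is malformed or its checksum is bad."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short")
    sig, length, rev, _csum, oem_id, oem_table_id, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: %r" % sig)
    if length != len(table):
        raise ValueError("length field %d does not match blob size %d" % (length, len(table)))
    if sum(table) & 0xFF != 0:
        raise ValueError("ACPI checksum mismatch")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    arg_off = ACPI_HEADER.size + WPBT_BODY.size
    if arg_off + arg_len > len(table):
        raise ValueError("command line runs past end of table")
    cmdline = table[arg_off:arg_off + arg_len].decode("utf-16-le")
    return {
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "binary_addr": addr,
        "binary_size": size,
        "content_layout": layout,   # 1 = single flat PE image
        "content_type": ctype,      # 1 = native user-mode application
        "cmdline": cmdline,
    }


def inventory_host(path=LINUX_WPBT_PATH):
    """Report the host's WPBT if the firmware exposes one (Linux sysfs; usually needs root).
    Returns None when no table is present, i.e. the firmware asks Windows to run nothing."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return parse_wpbt(f.read())


if __name__ == "__main__":
    info = inventory_host()
    if info is None:
        print("no WPBT table exposed by firmware")
    else:
        print("WPBT present: %s, %d-byte binary at 0x%x, args=%r"
              % (info["oem_id"], info["binary_size"], info["binary_addr"], info["cmdline"]))
    sample = build_sample_wpbt(0x7F000000, 0x8000, "-quiet")
    print("constructed sample table parses as:", parse_wpbt(sample))
```

A non-None result is the signal worth recording in a fleet inventory: it means the firmware is handing Windows a binary to execute on every boot and reinstall, which is exactly the persistence the comment describes, and the reported OEM ID, size and address give something concrete to compare against the vendor's stated behaviour.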
  4. Inadequate fix by Anonymous Coward · · Score: 2, Informative

    Intel CPUs still run a blob at initialization called the FSP. This is sometimes entangled with the ME, but is separate and is not getting disabled. The blob is usually writable for updates and must run before any user-supplied code, so it's an ideal spot to put persistent malware to evade verified boot anti-persistence schemes. The AMD equivalent is called the PSP.