System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com)
System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
I want to belieeeeeve!!! Save us system76 you're our only hope!!
At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.
Too late, AMD has PSP.
Avantgarde Hebrew science fiction
There was new-ish news about this from the summer. A few privacy-minded places are starting to shut the ME down in various ways, some by spoofing the flag the government uses to disable it on its own systems, others in other ways.
Typical slashdot user who is never satisfied by any progress toward something nice...
Oh, admit it, you're thinking of drilling some holes in a few motherboards as a test, too.
...IME was originally designed for servers only. Any OldFarts(TM) out there - remember crash carts? Yeah, the ability to remotely power-cycle servers was a really big deal when you're running hundreds/thousands of servers and VMs were just a pie in the sky. Also, basic front-end network management 101 handled security. There are still good reasons to allow IME in server deployments, but I see no good reason for including this in laptops. I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.
Your downmodded posts aren't hidden. They are correctly categorized as garbage. Some people will browse and see the 0 and -1 garbage, usually other mods or brave people with too much free time.
Reasons that APK deserves frequent downmodding:
1. lacks an account and always posts as AC
2. makes duplicate posts
3. admits to trying to avoid moderation
4. frequently posts off topic advertisements for his [free] products and services.
5. talks like a git. really his English phrasing is bizarre.
“Common sense is not so common.” — Voltaire
Yeah like how when Windows 10 introduced telemetry it became the Year of the Linux Desktop...that's right isn't it?
...I can't agree with the many reactionary Slashdot commenters...
...there should be a simple and transparent way to completely and verifiably disable it, ...
I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are in arms over this. They are not over-reacting.
So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).
I didn't know people like this existed. Until today. I feel like being extremely privileged.
Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?
(The management engine runs a custom version of Minix)
There are no atheists when recovering from tape backup.
Stop its ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
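One way to check that a router filter like the one described in the comment above is actually catching this traffic, as an added example that is not part of the original comment: it scans gateway firewall log lines for flows on the ports the comment names and reports any that were not dropped. The abbreviated netfilter-style log lines, the `FWD-ACCEPT`/`FWD-DROP` log prefixes and the addresses are constructed assumptions.

```python
import re

# Ports named in the comment above: 16992-16995 and 623-625.
AMT_PORTS = set(range(16992, 16996)) | set(range(623, 626))

# Netfilter LOG lines carry KEY=value fields.
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed, abbreviated sample lines (documentation address ranges).
# The FWD-ACCEPT / FWD-DROP prefixes are an assumed --log-prefix convention.
SAMPLE_LOG = """\
Dec  1 10:00:01 gw kernel: FWD-DROP IN=wan0 OUT=lan0 SRC=203.0.113.9 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=40112 DPT=16992
Dec  1 10:00:05 gw kernel: FWD-ACCEPT IN=lan0 OUT=wan0 SRC=192.0.2.20 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51000 DPT=443
Dec  1 10:00:09 gw kernel: FWD-ACCEPT IN=lan0 OUT=wan0 SRC=192.0.2.20 DST=198.51.100.7 LEN=72 PROTO=UDP SPT=623 DPT=40000
Dec  1 10:00:12 gw kernel: FWD-DROP IN=wan0 OUT=lan0 SRC=203.0.113.9 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=40113 DPT=16995
"""


def amt_flows(log_text):
    """Return every logged TCP/UDP flow whose source or destination port is an AMT port."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") not in ("TCP", "UDP"):
            continue
        ports = {int(f[k]) for k in ("SPT", "DPT") if f.get(k, "").isdigit()}
        touched = sorted(ports & AMT_PORTS)
        if not touched:
            continue
        if "FWD-DROP" in line:
            verdict = "blocked"
        elif "FWD-ACCEPT" in line:
            verdict = "passed"
        else:
            verdict = "unknown"
        hits.append({"src": f.get("SRC"), "dst": f.get("DST"),
                     "proto": f["PROTO"], "ports": touched, "verdict": verdict})
    return hits


def filter_gaps(log_text):
    """Flows on AMT ports that the filter did not drop: each one is a rule to fix."""
    return [h for h in amt_flows(log_text) if h["verdict"] != "blocked"]
```

The UDP flow with source port 623 in the sample is the kind of gap a filter written only for inbound TCP leaves open.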
It gets worse. Some of them are probably still using Thinkpads, even though they're made by Lenovo. Now you'll say "No worries, if they re-image them they can avoid any spyware Lenovo put in there at the behest of the Chinese government".
Uh yeah, that won't help. Lenovo uses the Windows Platform Binary feature to reinstall it. Basically you put an executable file into one of the ACPI tables. Windows copies it to disk and then runs it. With Administrator access. Probably more than Administrator access actually - I bet a native executable has more privilege than one running with Administrator rights on the Win32 subsystem does.
https://www.theregister.co.uk/...
To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.
The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.
"During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary," Microsoft's documentation states.
"The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process."
Crucially, the WPBT documentation stresses:
The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a "clean" configuration ... Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.
Oh dear. Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.
I.e. even if you reinstall them from a known clean image, they can still regrow the amputated LSE. And even if the LSE is not spyware, it contains exploitable vulnerabilities that a third party could use to install whatever they wanted. Lenovo didn't do this in Thinkpads, but they could.
At the moment the US is in the midst of media created paranoia about Russian hackers. Honestly if I were in charge of cybersecurity I'd be a lot more worried that the Chinese spy services would use something like LSE, with or without the cooperation of Lenovo, to spy on sensitive stuff.
And of course it's not just Lenovo laptops. There's Huawei phones and routers. Or indeed US brands which make routers in China could have either hacked firmware loaded onto them or the Chinese spy agencies could find and stockpile vulnerabilities in the manufacturer's firmware.
And then you have companies like XiaoMi with their young pioneer uniformed bunny signifying their devotion to the regime as a Taiwanese friend of mine pointed out
https://hungermarketingchina.w...
If you buy US stuff, you expect the US companies to cooperate with the NSA. If you buy Chinese stuff you expect Chinese companies to cooperate with its Chinese equivalents. XiaoMi's Young Pioneer bunny is a none too subtle sign by the company that they're pro regime and it's not unreasonable to assume if the government asked them to help it out with national security they'd say yes.
Of course I can see
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
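For the WPBT mechanism quoted in the comment above, an added example (not from the comment or from any vendor's tooling) that checks whether a machine's firmware publishes a WPBT table and decodes where the platform binary sits. The field offsets follow Microsoft's WPBT specification as understood here and should be verified against it; the Linux sysfs path and the sample table are assumptions, the latter constructed for the demonstration.

```python
import struct

# ACPI table header (36 bytes), then the WPBT-specific fields. Offsets follow
# Microsoft's WPBT specification as understood here (an assumption to verify).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_FIELDS = struct.Struct("<IQBBH")  # binary size, address, layout, type, args len
SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"  # Linux location; root-readable

def parse_wpbt(raw: bytes) -> dict:
    """Decode a raw WPBT table and report where the platform binary lives."""
    fixed = ACPI_HEADER.size + WPBT_FIELDS.size
    if len(raw) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, *_ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not fixed <= length <= len(raw):
        raise ValueError("length field is inconsistent with the data")
    table = raw[:length]
    size, addr, layout, ctype, arg_len = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    args = table[fixed:fixed + arg_len]
    if len(args) != arg_len:
        raise ValueError("argument string runs past the end of the table")
    return {
        "oem": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "binary_size": size,
        "binary_address": addr,
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.decode("utf-16-le", "replace").rstrip("\0"),
        "checksum_ok": sum(table) % 256 == 0,  # ACPI tables sum to 0 mod 256
    }

def build_sample_wpbt() -> bytes:
    """Constructed table for demonstration; not taken from any real machine."""
    args = "/demo\0".encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_FIELDS.size + len(args)
    head = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(head + WPBT_FIELDS.pack(0x2A000, 0x7F000000, 1, 1, len(args)) + args)
    table[9] = -sum(table) % 256  # checksum byte sits at offset 9 of the header
    return bytes(table)

def firmware_wpbt(path: str = SYSFS_WPBT):
    """Return the parsed table, or None when the firmware exposes no WPBT."""
    try:
        with open(path, "rb") as fh:
            return parse_wpbt(fh.read())
    except FileNotFoundError:
        return None
```

A `None` from `firmware_wpbt()` means the firmware does not advertise a platform binary; a parsed result means a reinstall from clean media will still be handed one at boot.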
Design a model of your laptop with the original IBM 7-row keyboard and trackpoint, and you've got a customer for life here!
A government is a body of people notably ungoverned - AC
Intel CPUs still run a blob at initialization called the FSP. This is sometimes entangled with the ME, but is separate and is not getting disabled. The blob is usually writable for updates and must run before any user-supplied code, so it's an ideal spot to put persistent malware to evade verified boot anti-persistence schemes. The AMD equivalent is called the PSP.
Having worked at Intel for a while testing graphics drivers, I know that the Management Engine is also leveraged to perform HDCP (High Definition Content Protection) as well as remote-management functions; any idea how disabling it at the firmware level will affect that? If HDCP is disabled as well then some AV content might not be playable on Intel platforms.