Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com)
An anonymous reader quotes Liliputing.com
Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.
At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).
Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.
So in theory, it doesn't matter if you order one of these 'Custom Order' editions? You'll be able to apply the exact same changes yourself?
Intel Management Engine: the original Systemd. ;)
Anons need not reply. Questions end with a question mark.
Does anyone trust Intel or Dell (or AMD or anyone else) enough at this point to actually believe that the chip is disabled? Or that it won't just be magically re-enabled the first time you log in to the machine? How can anyone independently verify that the chip is actually disabled and stays that way?
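On the verification question: for the firmware-side method the researchers found (the "HAP" / "AltMeDisable" soft strap in the flash descriptor, which is what the me_cleaner project documents and what the vendor "ME Inoperable" options are understood to rely on), the check is to dump the SPI flash with an external programmer and read the descriptor. The script below is an added example, not code from the thread, from Dell, System76 or me_cleaner; the descriptor layout, the PCHSTRP0 bit 16 / PCHSTRP10 bit 7 positions and the ME-generation split are taken from me_cleaner's documentation and should be confirmed against it for the platform at hand; the ME generation is a caller assumption and the image it parses is constructed test data, not a real dump.

```python
import struct

# Added example (not from the thread or any vendor tool): inspect an Intel flash
# descriptor, report the ME region, and read/set the ME soft-disable strap bit.
# Bit positions follow me_cleaner's documentation; the ME generation is an
# assumption supplied by the caller (me_cleaner derives it from the ME partition).

FD_SIGNATURE = 0x0FF0A55A                      # descriptor signature at offset 0x10
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def parse_descriptor(image: bytes) -> dict:
    """Return region bounds and the PCH strap base address of a full flash image."""
    if struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4        # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4       # PCH Strap Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                      # unused regions encode base > limit
            regions[name] = (base, limit)
    return {"frba": frba, "fpsba": fpsba, "regions": regions}


def _disable_bit_location(fpsba: int, me_generation: int) -> tuple:
    # ME 11+: HAP bit is bit 16 of PCHSTRP0.
    # ME 6..10: AltMeDisable is bit 7 of PCHSTRP10 (0x28 into the straps).
    if me_generation >= 11:
        return fpsba, 16
    return fpsba + 0x28, 7


def me_disable_bit_set(image: bytes, me_generation: int) -> bool:
    """True if the HAP/AltMeDisable strap is set in this image."""
    off, bit = _disable_bit_location(parse_descriptor(image)["fpsba"], me_generation)
    return bool(struct.unpack_from("<I", image, off)[0] & (1 << bit))


def set_me_disable_bit(image: bytes, me_generation: int) -> bytes:
    """Return a copy of the image with the strap bit set; nothing else is touched."""
    off, bit = _disable_bit_location(parse_descriptor(image)["fpsba"], me_generation)
    out = bytearray(image)
    struct.pack_into("<I", out, off, struct.unpack_from("<I", out, off)[0] | (1 << bit))
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 4 MiB image with a minimal descriptor (test data, not a real dump)."""
    img = bytearray(b"\xff" * (4 << 20))
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, (0x04 << 16) | 0x03)   # FRBA=0x40,  FCBA=0x30
    struct.pack_into("<I", img, 0x18, (0x10 << 16) | 0x06)   # FPSBA=0x100, FMBA=0x60
    flregs = (0x00000000,   # Descriptor 0x000000..0x000FFF
              0x03FF0200,   # BIOS       0x200000..0x3FFFFF
              0x01FF0003,   # ME         0x003000..0x1FFFFF
              0x00020001,   # GbE        0x001000..0x002FFF
              0x00007FFF)   # PDR        unused (base > limit)
    for i, reg in enumerate(flregs):
        struct.pack_into("<I", img, 0x40 + 4 * i, reg)
    struct.pack_into("<I", img, 0x100, 0)          # PCHSTRP0, HAP bit clear
    struct.pack_into("<I", img, 0x128, 0)          # PCHSTRP10, AltMeDisable clear
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    me_base, me_limit = parse_descriptor(img)["regions"]["ME"]
    print("ME region: %#x-%#x" % (me_base, me_limit))
    print("disable bit set:", me_disable_bit_set(img, 11))
    print("after setting :", me_disable_bit_set(set_me_disable_bit(img, 11), 11))
```

Reading the descriptor from a running system usually works (flashrom's internal programmer), but writing it back usually does not, because shipped boards protect the descriptor region from the host; that is the practical reason an in-factory option exists. Note also what a set bit does and does not tell you: it asks the ME to halt early in its boot, but the firmware in the ME region is still there, which is why me_cleaner additionally removes partitions.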
We need to move back towards more open hardware and things like physical switches to turn devices on and off, DIP switches to configure hardware, and on-board fuses that can be permanently blown to disable things you don't want. Oh, and mainboards/CPUs/chipsets that don't have this deep-state backdoor bullshit built-in in the first place.
None of this shit should have EVER found its way into consumer-grade hardware. EVER. The out of band management hardware should only have been able to be ordered on enterprise grade servers. This is really the only valid use case for this kind of technology. I've worked in a number of large corporate environments, and never once has the ME/vPro shit even been used on desktop PCs. Build it in to the servers that need it, and if a company really NEEDS it for their desktop support method, then it should be a special order.
Until it's physically gone from the board, you can bet it's never going to be permanently disabled.
Well, it's a start, at least. With a little luck, maybe vendors will get the message that we don't want these black box privacy-invading systems in our computers. I remember when Intel had us over to show off their latest and greatest and they were just gushing with pride over this system. I asked them then about the potential privacy and security problems and all they could answer with is don't worry, it will be the most secure system ever made. Like I haven't heard that a million times with the same result. After that, I was just treated like the party buzzkill.
"Be particularly skeptical when presented with evidence confirming what you already believe." -
Rather than having to follow yet another Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:
Researchers find a way to disable Intel's Management Engine.
#DeleteChrome
It's not in the CPU - the IME is in the South Bridge. AMD has their own version. I wouldn't be surprised if ARM has theirs as well.
I have noticed a number of Intel ME articles recently appearing on Slashdot. On the business laptops I maintain, firmware was available to resolve the latest issues. After installing the latest ME firmware, I performed an unprovision through BIOS, then I went into the ME settings via Ctrl-P and added a password to the ME settings. All the ME settings for IP addresses, etc. are blank.
I ran the INTEL-SA-00075 procedures to verify unprovisioning and that the LMS service was stopped. My question is whether unprovisioning ME and using a strong password in ME and BIOS to prevent the provisioning results in the same end behavior as the "disable" that is being offered by System76 and Dell. What do you think Slashdot? Are any IT folks going through the configuration of Intel ME as I have done?
FYI, here is an example of the INTEL-SA-00075 risk assessment after the firmware upgrade and unprovision are verified:
Risk Assessment
Based on the analysis performed by this tool, this system's Firmware has been updated and system is in unprovisioned state. See Explanation for specifics.
Explanation:
The detected firmware on this system has the fix for INTEL-SA-00075. Ensure that the INTEL-SA-00075 tools were used to perform a full unprovisioning of the system prior to reprovisioning. This will remove any unauthorized configuration settings.
If Vulnerable, contact your OEM for support and remediation of this system.
For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689
or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075
INTEL-SA-00075 Detection Tool
Application Version: 1.0.3.215
Scan date: 2017-11-29 16:06:18
Host Computer Information
Name: (snip)
Manufacturer: Hewlett-Packard
Model: HP EliteBook 8560w
Processor Name: Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
Windows Version: Microsoft Windows 10 Pro
ME Information
Version: 7.1.91.3272
SKU: Intel(R) Full AMT Manageability
Provisioning Mode: Not Provisioned
Control Mode: None
Is CCM Disabled: False
Driver installation found: True
EHBC Enabled: False
LMS service state: Stopped
microLMS service state: NotPresent
Is SPS: False
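Reading the report above as a practitioner: the tool answers two questions, whether the firmware build carries the INTEL-SA-00075 fix and whether AMT is provisioned (plus whether the host-side LMS bridge is present). It does not say whether the ME itself is running; an unprovisioned AMT still has the ME executing, which is the difference between this state and a vendor "ME Inoperable" configuration. The script below is an added example, not the Intel tool or anything from the thread: it parses the report's "Key: Value" lines and reduces them to those yes/no questions. The "ME Information" block is the one posted above; the second, provisioned report is constructed; the only fixed-build number used is 7.1.91.3272, which the posted report itself calls fixed, and any other branch must be checked against the advisory's own table.

```python
import re

# Added example, not the Intel detection tool: parse its plain-text report and
# reduce it to the exposure questions the report can actually answer.

# "ME Information" block from the report posted in the thread.
POSTED_REPORT = """\
ME Information
Version: 7.1.91.3272
SKU: Intel(R) Full AMT Manageability
Provisioning Mode: Not Provisioned
Control Mode: None
Is CCM Disabled: False
Driver installation found: True
EHBC Enabled: False
LMS service state: Stopped
microLMS service state: NotPresent
Is SPS: False
"""

# Constructed counter-example (not from the thread): an older build, provisioned
# in admin control mode, with the local management service running.
PROVISIONED_REPORT = """\
ME Information
Version: 7.1.86.1221
SKU: Intel(R) Full AMT Manageability
Provisioning Mode: Provisioned
Control Mode: Admin
Is CCM Disabled: False
Driver installation found: True
EHBC Enabled: False
LMS service state: Running
microLMS service state: NotPresent
Is SPS: False
"""

# The 7.1.x build the posted report itself calls fixed. Other branches have their
# own minimum build; take those from the advisory, not from this constant.
FIXED_71_BUILD = "7.1.91.3272"


def parse_report(text: str) -> dict:
    """Turn 'Key: Value' lines into a dict; section headers without ':' are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+?):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def firmware_at_least(version: str, minimum: str) -> bool:
    """True only when version is on the same major.minor branch as minimum and not older."""
    v, m = version_tuple(version), version_tuple(minimum)
    return v[:2] == m[:2] and v >= m


def assess(fields: dict, fixed_build: str = FIXED_71_BUILD) -> dict:
    sku = fields.get("SKU", "")
    provisioning = fields.get("Provisioning Mode", "")
    services = (fields.get("LMS service state", ""),
                fields.get("microLMS service state", ""))
    return {
        # AMT firmware present at all; a non-AMT SKU has no management network stack
        "amt_capable": "AMT" in sku,
        # only a provisioned AMT answers on the management ports
        "network_manageable": "AMT" in sku and provisioning != "Not Provisioned",
        # LMS/microLMS is the host-side bridge into the ME; stopped or absent means no local channel
        "local_host_interface": any(s.lower() == "running" for s in services),
        # carries the INTEL-SA-00075 fix for the branch named by fixed_build
        "firmware_patched": firmware_at_least(fields.get("Version", "0.0.0.0"), fixed_build),
    }


if __name__ == "__main__":
    for label, text in (("posted", POSTED_REPORT), ("constructed", PROVISIONED_REPORT)):
        print(label, assess(parse_report(text)))
```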
Intel created its own operating system on a chip that is almost completely outside of user control. It has full functionality to read and take control of any part of your PC, even when it is powered off. All the code is black boxed and unreadable to the user so there is no auditing it to see if it is secure. If a hacker or virus was able to re-write the OS on the chip (something that has been confirmed to be possible), they would have complete control of your system with virtually no way to remove it. For people in the tinfoil hat club (a club I visit from time to time), this means that Intel, and anyone that they choose to grant access to, such as FBI, NSA, etc., can clandestinely monitor all activity that you do on your PC without any indication that they are doing so and no security software that you run, commercial or home-brew, will alert you to the monitoring.
Yes, it's called a "Platform Security Processor".
1. https://libreboot.org/faq.html...
Thank you to the Linux hardware vendor who took the leadership role in opting out of this Intel spyware madness. For any of you thinking about finally escaping the Windows chamber of horrors, this company deserves your business.
When all you have is a hammer, every problem starts to look like a thumb.
In general opt-out is problematic. Most people don't do it then the vendors say "see no one wants to opt-out", making it a self-fulfilling prophecy. Now imagine you charge them or limit their options to some expensive computer models if they want to opt-out. That's not going to work.
And the basic problem here is that it's not me that I'm worried about; it's, collectively, everyone else. The same logic as getting a flu shot. The herd immunity protects you more than the flu shot you just got.
I want everyone else to have a secure computer. And not just so they aren't mailing me trojans in cat pictures or attacking me across the network, but also so they aren't attacking my bank or DDOS-ing Netflix when I'm watching Game of Thrones.
Some drink at the fountain of knowledge. Others just gargle.
It's not Dell's fault and it did genuinely take some effort on their part to figure out a way to do this without bricking machines in a fairly reliable manner. They also tend to have the best support in the industry, meaning if Intel figures out a way to reactivate it Dell will be on the hook for disabling it again, $20-$40 is nothing for that kind of long term support on a system they have no actual control over.
Well, that's fucking scary. What is the alleged upside to Intel ME? Asking for a friend...
Mass configuration, deployment, and recovery for a large fleet of desktop computers you are tasked with managing.
You enable ME to remotely control the hardware and provision its boot drive, and manage the initial setup of the OS down for untrained staff for repair purposes.
You can enable it by hitting Control-P at boot, turn ME on, setup an IP/vlan, and upload a public key into it to authenticate.
Alternately you can load some config files on a USB stick to do that, and hitting Control-P will see this and use those configs for you.
Alternately again, if you buy a hundred or more PCs a year, you can provide a special public key and ME-Manager IP address to your OEM, and they put it into a special provisioning mode with that info.
On first boot it will contact your provisioning server and accept configurations signed with that special keypair's private key, and the provisioning server then uploads the real public key and other settings.
Once provisioned, you can instruct the system to mount an ISO image over the network to be in the optical drives place, and send power on/off events.
Generally you'll do this to load your initial OS base image and let it image the HD for your company.
Once that part completes, the base image OS does its own initial setup depending on OS (Active Directory for Windows; LDAP with Puppet for Unix or Red Hat's Launchpad as just two examples)
When a desktop has a boot drive failure, you can order a new HD and have it shipped to the branch office, and have nearly anyone swap the HD out.
In the meantime you've reset the system to be in provisioning mode, so you instruct your "remote hands" to change out the HD for the new one and hit the power button.
The system comes up and has the HD imaged again, either with a previous backup, or your base image, and go from there.
The concept is a great one.
However the GP is telling the truth when they say the ME code can't be audited.
That's a pretty big problem as you have to trust Intel that it does what they say it does.
Of course to even get to ME, you need either layer-3 network access or physical access.
If one has physical access they already "own" the system, and it already falls under physical security instead.
It's the local LAN access that can be a problem.
The concern in the real world isn't so much about Intel or the government, as those bodies already don't have access into our firewalls nor do we provide them VPN access in. It's about other employees which need to be in the building to do their work and thus have access to the LAN.
GP also intentionally confused the separate issues with taking over the ME code.
Researchers have found code exploits and used those to perform the hijacking of the ME.
There is zero evidence Intel has any additional access beyond what is claimed.
This is like saying a one-off typo in some code that results in a remote exploit in your webserver is the exact same thing as the makers of that webserver intentionally granting someone else access to your system. And that is rarely the case.
As the ME code isn't able to be audited, the possibility is not zero percent.
But even if it could be shown Intel's code has no backdoors and everything is written to work exactly like the ME documentation says it does, that only means Intel is trustworthy in their intentions. Bugs in code that result in an exploit are still very possible and still a real threat.
I just don't see the usefulness of saying "Looks like a bug in OpenSSH has an exploit, and Linus allowed it to be put on Linux, thusly I will never trust another thing Linus says or writes including any patches to fix the problem" purely due to not being smart enough to understand the math and code doing encryption.
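For the LAN-exposure point made in the reply above, the check a network owner wants is an inventory of which hosts actually answer on the AMT management ports, since only a provisioned AMT does. The script below is an added example, not something from the thread: it classifies a response by the banner of the AMT web server. The port numbers and the "Intel(R) Active Management Technology" Server header are the documented AMT defaults; the sample response is constructed, with made-up realm and nonce values, and the live probe function is plain-HTTP only (port 16992), so 16993 would need a TLS wrapper that is not shown here.

```python
import socket

# Added example (not from the thread): spot Intel AMT listeners on a LAN from
# the banner of the management web server. Ports and Server header text are the
# documented AMT defaults; the sample response below is constructed.

AMT_PORTS = (16992, 16993)                 # AMT HTTP and HTTPS management ports
AMT_SERVER_TAG = "Intel(R) Active Management Technology"

# Constructed sample of what an unauthenticated GET to a provisioned AMT host
# returns: a Digest challenge and an AMT Server header. Realm/nonce are made up.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Digest realm=\"Digest:00112233445566778899AABBCCDDEEFF\", "
    b"nonce=\"abcdef0123456789\", stale=\"false\", qop=\"auth\"\r\n"
    b"Server: Intel(R) Active Management Technology 7.1.91\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_http_headers(raw: bytes) -> tuple:
    """Return (status line, {lower-case header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_response(raw: bytes) -> dict:
    """Decide whether a response came from an AMT web server and pull its version."""
    status, headers = parse_http_headers(raw)
    server = headers.get("server", "")
    is_amt = AMT_SERVER_TAG in server
    auth = headers.get("www-authenticate", "")
    return {
        "amt": is_amt,
        "version": server.split()[-1] if is_amt else None,   # trailing token is the firmware version
        "digest_auth": auth.lower().startswith("digest"),
        "status": status,
    }


def probe_amt(host: str, port: int = 16992, timeout: float = 2.0) -> dict:
    """Send a minimal GET over plain HTTP and classify whatever answers."""
    request = (b"GET / HTTP/1.1\r\nHost: " + host.encode() +
               b"\r\nConnection: close\r\n\r\n")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while len(raw) < 4096 and b"\r\n\r\n" not in raw:
            chunk = sock.recv(1024)
            if not chunk:
                break
            raw += chunk
    return classify_response(raw)


if __name__ == "__main__":
    print(classify_response(SAMPLE_AMT_RESPONSE))
    # Against a real subnet you would loop probe_amt() over hosts, treating a
    # refused connection as "not provisioned or not AMT" and a banner hit as a
    # host to track (and to verify against the firmware fix list).
```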
Most of that is simply false, and I have proven it myself with HP Compaq, EliteDesk, and EliteBook hardware.
You don't need access inside a network or on the physical machine, it has been proven to "call home" and receive orders much as botnets do, over unblocked HTTP requests.
Ethereal shows nothing except ARP traffic while powered off, or powered on in any mode but provisioning mode.
In provisioning mode Ethereal shows two TCP connections to my provisioning server, and neither are HTTP.
You can't stop it if it is plugged into a network
Until ME is enabled, it doesn't even perform ARP requests let alone is capable or tries to send packets anywhere.
and all of the benefits you listed already existed in other forms which didn't require a massive multi-million-dollar engineering effort to stick inside the chip undetected for years.
It was never hidden in the chip, you just didn't bother reading Intel's documentation, which was publicly available on Intel's website since before vPro and ME hit the market.
Yes management cards were available before, but they are equally closed source and not auditable, and cost extra per PC to deploy.
If it were legitimate it would have been public knowledge from the start,
Which it has been.
https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
https://www.intel.com/content/www/us/en/software/setup-configuration-software.html
Documentation goes back to 2008 when vPro, the software containing ME, was released.
not a secret projects the alphabet agencies recruited hardware developers for, required top secret clearance to undertake within the Intel team working on it, etc.
Any evidence for that claim? Other than Intel's own website and documentation that disproves it was "secret"?
The justifications for the existence of it are like the shills
Oh, damn, wish I saw that sooner before actually providing you with facts you don't care about.
Yes, I use technology, that makes me a shill by your definition.
Continue on with your fantasies, I'll stop ruining them.
They didn't create their own OS. It runs MINIX.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
That is what they already use with cellphones to disable your ability to run DRM'd videos and such on a rooted/jailbroken device.
What we need is jumpers that can electrically disable hardware. As it is right now, even jumpers on the motherboard are most likely soft switches. If you doubt me, go read the spec sheets for SPI flash. Hint: No SPI flash chip actually respects the write-disable pin in hardware. All of them require external software support in order to strap the SPI flash to read-only mode, and only AFTER the system powers on. Meaning that anyone who can power glitch your SPI flash can potentially rewrite it while the system is operating, unless the north/southbridge has its own softstraps that disable it until reboot. (Hint: Intel does.)

The real solution is long and hard work on the software ecosystem we have allowed to build up, and crowdfunding hardware designs for common older fab technologies that we can get produced for cheap. Parallax, the makers of the Propeller chip and the Stamp boards, had a discussion on Hackaday a few months back on exactly this. Taping out on 300 nm costs ~250k for stencils, not including other manufacturing costs. A few million dollar Kickstarter and the right hardware engineers and we could do that. Pentium 3 era process technology, but we have almost 20 years of design tech to improve what we manufacture on that same process.

If that string of Kickstarters is successful then more people would be willing to invest in a next generation design on a better process technology. Maybe 45-28 nm with SOI or another improved technology. If this second campaign succeeds you will have dozens of competitive groups/companies willing to build open hardware designs on-contract for up front prices. Get a few of these going and we will have an ecosystem of standardized and open processors, bus interface chips, and other electronic components needed for building custom systems of whatever form factor, power envelope, and reliability rating you need.
But until somebody makes that leap with an actual desktop/modular notebook product, we're going to stay tied to proprietary technology that we can trust less with every passing day.
P.S. We really need an SPI chip that physically follows the write-lock strap pin.
https://github.com/corna/me_cl...
I hope you're not posting from your phone then, because your phone's modem contains an encrypted OS that runs separately from any OS installed in ROM which is closed source and closed vendor, so you can't even look at the binary blob. And if it thinks you're trying to tamper with it, it'll reboot your phone.
The core is MINIX but, what has been cracked of it shows that Intel has rolled their own version of it. It's hard to be sure what is stock and what is Intel's at this point. I'm sure with all the hype that someone will jack the code off the chip and find out one way or the other. Either that or the source code will find its way to Wikileaks.
TrustZone is just a hardware-level (think at the data bus level) capability to allow software to be non-secure (eg, Normal World) or secure (eg, Secure World). This happens at the AXI interface level with a special bit called the 'NS bit'. Every single AXI transaction carries this bit. Now, on its own this is harmless as TrustZone requires another software-level portion of this called the TrustZone Secure Monitor (ARMv7 and prior) or ARM Trusted Firmware (ARMv8 and later).
ARM Trusted Firmware (ATF) is open source here: https://github.com/ARM-software/arm-trusted-firmware
TrustZone is described here: https://www.arm.com/products/security-on-arm/trustzone
This is COMPLETELY DIFFERENT technology from what is being done by Intel because this TrustZone/ATF are technologies that run on the actual CPU and actually time-share CPU cycles while the CPU is alive. If the CPU is not up and running and configured properly then they are completely useless and have no impact on security.
What Intel is doing is having a *COMPLETELY SEPARATE* computing subsystem on the chipset that operates independently of your traditional x86 CPU cycles. That is what makes it so dangerous. Its operation is completely asynchronous to anything else.
It is not the same thing with AMD and currently it is unbroken for AMD. Intel seems to really have screwed up the security of the ME, while AMD seem to have been a lot more conservative.
I fully agree that it is a problem there as well and that these things need to be auditable by anyone and reliably disabling must be possible.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
PSP (now ASP, actually -- wasn't aware of the name change) makes use of TrustZone.
The Platform Security Processor (PSP) is built in on all Family 16h + systems (basically anything post-2013), and controls the main x86 core startup. PSP firmware is cryptographically signed with a strong key similar to the Intel ME. If the PSP firmware is not present, or if the AMD signing key is not present, the x86 cores will not be released from reset, rendering the system inoperable.
The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM “features” to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system.
So, as I said, PSP (née ASP) is AMD's version of Intel's ME and is based on ARM TrustZone. It's literally an ARM core with TrustZone that manages the boot process and provides various out-of-band features separate from the x86 cores.
You are correct, though, that TrustZone is something completely different; but AMD's PSP (ASP) relies on TrustZone. I did misunderstand how much of that functionality came from TrustZone so, thank you for the additional info.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
How do you know?
Lights-out management.
When these things are sitting in datacentres, corporate networks, or any of a thousand other legitimate places, they can be managed by a remote support person via the network even if they can't even boot (e.g. BIOS access, switching to PXE booting and re-imaging and then restoring to normal operation, debugging, etc.).
It's a legitimate feature, which is used by lots of places that want such a feature. However, what it's doing ENABLED BY DEFAULT is another question entirely, as it is listening to the network, running even when the main processor isn't inside an OS yet, and able to have full remote control of the PC in question.
Servers and corporate client machines have had this or similar iLO technology for decades. You can't just waste time walking to every machine with a suspected fault, when you're running thousands of machines across dozens of sites.
But from a consumer point of view, it would be as simple as a "disable" option in the UEFI/BIOS, and defaulting to "off" for retail sales. Because in those circumstances, there is no reason to need such options, they will never be utilised, and they will always be likely to be compromised in the same way that IME is able to be compromised at the moment.
The situation is a bit worse with Qualcomm chipsets.
The thing running with Intel ME on the motherboard's own embedded computer, or with AMD PSP on the extra security core on the latest CPUs, is just basically a ROM.
You're free to hack it.
You might break your computer while doing it (e.g.: some require a signed bit to get executed, most of these embedded "ring -3" OSes have watchdogs that force the whole system to reboot or not even leave reset if they don't trigger, etc.)
But you can still break your computer if you want and maybe in the process produce a fully functioning computer with the "ring -3" OS either completely disabled or defanged and reduced to the most innocuous minimum (only the part triggering the watchdog, no networking at all).
With mobile chipsets (mostly Qualcomm, but applies to others too) the thing that is in the northbridge of your SoC and that is in charge of handling the RAM, etc... is the baseband modem.
It's the piece of hardware that is also in charge of what goes out on the radio frequencies, and these frequencies happen to be heavily regulated (unlike the 2.4 GHz used by everything else like Wifi, Bluetooth or your microwave oven).
If you don't hold a special license (like telcos and SoC manufacturers do), you're not even legally allowed to modify this piece of firmware.
That's the whole reason why, for their smartphone Librem 5, Purism is using some older Freescale chipset, and keeping the baseband modem in a separate chip that doesn't have access to any critical component but only speaks over a standard protocol.
in short :
- researchers can freely try to find ways to completely remove or at least de-fang Intel ME and AMD PSP. And laptop manufacturers are free to then re-use this work to produce Intel-ME-less / AMD-PSP-less laptops.
- researchers cannot legally modify the baseband firmware, and if a phone manufacturer were to try to use their work to produce phones using special "firmware with the backdoor removed" they'll be in for a hefty fine and their product banned. The only way would be for the people holding the license to the radio frequency (basically telcos, and chipset/SoC/PCB manufacturers) to accept their mods upstream and release an official firmware.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]