back to article Linux laptop-flinger says bye-bye to buggy Intel Management Engine

In a slap to Intel, custom Linux computer seller System76 has said it will be "disabling" the Intel Management Engine in its laptops. Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers. One of the most important …

  1. Lee D Silver badge

    1) Shouldn't be necessary

    2) No guarantees (bound by whatever Intel does, basically)

    3) They don't sell Windows (so... sure... they can make a PC without it but what about the other 95% of the world that wants a laptop without it?)

    4)Holy cow have you seen the prices?!

    1. Anonymous Coward
      Anonymous Coward

      1. It is. ME is basically a computer in your computer. It's a proprietary backdoor, and has been cracked.

      2. No, they're not.

      3. Their market is developers and alike, not consumers/corporate.

      4. See 3.

    2. Anonymous Coward
      Anonymous Coward

      "Linux laptop-flinger"

      I'm sure both customers are delighted.

    3. JEDIDIAH
      Devil

      Oh Really?

      So you expect a laptop with 2.5TB of SSD storage to be sold at Walmart/Tesco type prices?

      Yeah, a machine with a Xeon processor or 4 NVIDIA compute cards will set you back a pound or two too.

      Although they also have cheaper machines.

  2. x 7

    doesn't the ME require a driver?

    what happens if you simply don't install it?

    1. Bronek Kozicki

      In case you missed the hint - it does not require a driver.

      It is an antonymous operating system (based on venerable MINIX) running on a tiny CPU embedded inside your "actual" CPU, with a direct access to the whole of the physical memory and to the network interface (as both network and memory controller are implemented inside modern Intel CPUs). The goal apparently was to enable the remote administrator to manage the machine, even after e.g. its BIOS was borked and the "actual" CPU is unable to boot the operating system.

      1. Mike 125

        >>It is an antonymous op

        OOps autocorrect - I think you mean autonomous.

        But yea, no driver required. The ME is so powerful it doesn't depend on some piffling little driver. It is omnipotent. My Dell has a new BIOS version specifically to disable ME. Lucky ME.

        1. Bronek Kozicki
          Pint

          Re: >>It is an antonymous op

          @Mike 125 - of course, thanks

      2. anonymous boring coward Silver badge

        Wow, Minix! Got a copy and the book right here!

    2. Chronos

      "What happens if you don't install it [the driver] ?" looks like willingness to learn to me, which puts x 7 several orders of intelligence above the average manager. We're not born experts, it takes pain, exposure to lusers and unwilling loss of follicles. Enough with the down-votes already.

      x 7, imagine a Raspberry Pi made small enough to fit into a motherboard chipset with electronic tentacles that reach deep into the parent machine. The operating system for this parasitic computer is embedded into the BIOS, so it initialises first before the BIOS/EFI hands off to the real operating system. The only way to confound it (as pointed out downthread, it's not really permanently castrated, just befuddled) is to take away its bits of BIOS to the point it enters a halted state and minds its own sodding business. All the driver does is allows you to interact with it from the main operating system. Without the driver, it's still there with its tentacles in your RAM and buses but your OS isn't aware of what the conduit that links the parasitic computer to the main computer is for.

    3. phuzz Silver badge

      Or to put it more simply, the Intel ME is basically similar to the iLo/DRAC/out-of-band-managment you might be familiar with from servers.

  3. Chronos
    Flame

    Matryoshka dolls

    A computer within a computer with access to everything and no idea what it is up to. Yes, that's a brilliant idea, especially if we can't see the code or use it for our own purposes.

    Two machines here with IME, a Lenovo G710 and a Tecra M10. The former required a full strip-down and a CH341A dongley thing with an SOIC8 clip to remove this malware. The latter (well done, Toshiba) allows disabling the thing before it even starts, confirmed by intelmetool. On the Lenovo, removing all but BUP has left a dangling USB device that can no longer enumerate. I suspect this is the JTAG port oft reported but it's a pain in the arse as it spams syslog.

    That said, I can live with a dead USB device hanging off of bus 3. It's infinitely preferable to hardware which does $DEITY knows what behind my back.

    Yes, @x 7 it requires a driver for the control interface, yet the underlying processor and code still run regardless of driver status. If it's exposed to $SKIDDIE or $THREELETTERAGENCY you're SOL and JWF¹. Please note that AMD on anything newer than Piledriver also has something similar called PSP/Secure Processor which is pretty much the same idea - closed source crap running at ring -3.

    ¹ Shit out of luck and jolly well fucked.

    1. Voland's right hand Silver badge

      Re: Matryoshka dolls

      I am surprised you have managed to disable it at all.

      Some of the functionality was supposed to be embedded into the CPU/SOC to a point where it cannot be removed short of destroying the CPU. So either Intel has failed its own design brief or there may be a way to re-enable it :)

      1. Chronos

        Re: Matryoshka dolls

        Certain implementations can be disabled by removing just enough of the code to stop it from running. You have to be very careful as some of these machines shut down after 30 minutes if the ME is in a particular state of not being able to boot.

        See ME Cleaner for details. It's not for the faint of heart but I was going to stop using this Lenovo if I couldn't rid myself of at least the ME code running at ring -3 so I had very little to lose. With a dump of both SPI chips, I could always restore it to factory state anyway.

    2. J. Cook Silver badge
      Joke

      Re: Matryoshka dolls

      But is there a computer inside the computer inside the computer, I.E., is there another level to go down to? *cues Inception BONG*

      *adds JWF to the TLA list* Yay I learned something new today!

      1. Jeffrey Nonken

        Re: Matryoshka dolls

        It's turtles all the way down.

        1. Anonymous Coward
          Anonymous Coward

          Re: Matryoshka dolls

          At the core you have the all-seeing Eye.

          ME = METATRON EYE, not "Management Engine".

          FOOLS!!

  4. Christian Berger

    Cool marketing idea

    I mean disabling it probably doesn't cost them anything, and puts that laptop rebrander on the map.

    One should note that the laptops currently on offer by refurbishers typically seem to be to old for ME... so it's not a pressing need yet.

    1. g00se

      Re: Cool marketing idea

      One should note that the laptops currently on offer by refurbishers typically seem to be to old for ME... so it's not a pressing need yet.

      Yes. You need a pre-2015 processor to escape it

      1. Lomax

        Re: Cool marketing idea

        Pre-2015? The guide I linked to below says

        "The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs."

        Which is correct?

        1. Chronos

          Re: Cool marketing idea

          The Tecra I mentioned up-thread is a Core 2 Duo. It has Intel ME, so I'd say the 2006 quote is the more accurate. If in doubt, assume it's there and check with intelmetool (a sub-project of coreboot) with iomem=relaxed passed to the kernel at boot if running >Linux 4.4.

          At this point, Intel's little backdoor snoop is quite well understood. What is more worrying is the number of people who have never heard of PSP or Secure Processor and think they're so much safer using AMD chippery.

          On x86 the assumption has to be, if it's fairly recent, that there's some form of hidden embuggerance that has the potential to bite you on the bum. Even if it doesn't fulfil the requirements for Active Management, you still don't know what that little Minix (apologies to Professor Tanenbaum - it runs a derivative of Minix, it wasn't his idea) parasite is doing which, given that it has direct access to memory (and you'll recall most devices are mapped into memory space these days), could be just about anything. In fact, even after running me_cleaner on the firmware dump I can't be 100% sure the thing really is in a stopped state after bringup but it's far better than trusting Intel's encrypted code buried in the flash chip.

        2. Kiwi
          Paris Hilton

          Re: Cool marketing idea

          "The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs."

          Which is correct?

          I had an old IBM machine a few years back that had it on, and it'd be circa 2006. Assuming I'm recalling the right machine.

          One of these IIRC :

          https://www.cnet.com/products/ibm-thinkcentre-m50-8185-pentium-4-2-8-ghz-256-mb-ram-40-gb-hdd/specs/

          Here's a 2010M MS technet post about IME

          https://social.technet.microsoft.com/Forums/windows/en-US/27e31ed5-b333-498b-b3db-7b710f3238c0/intel-management-engine-interface-what-is-it?forum=w7itprogeneral

          Tom's Hardware in 2011

          http://www.tomshardware.com/reviews/vpro-amt-management-kvm,3003-6.html

          MS Answers from 2009 :

          https://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/intel-management-engine-interface-driver/7f13be54-fe75-4d79-aaf1-2f756e037035?auth=1

          So it's at least since 2009, even if it wasn't in the box I recall it being in (can't find a reference to it - that said the box I had may've had a mobo transplant and maybe wasn't the original mobo, or I'm remembering the wrong model number)

      2. Christian Berger

        Re: Cool marketing idea

        > Yes. You need a pre-2015 processor to escape it

        And few of those are already on the market.

  5. Lomax
    Linux

    I found this thorough and n00b-friendly guide for how to disable ME on the Gentoo wiki:

    https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

    Thought it might interest those who wish to rid themselves of this malware.

    1. This post has been deleted by its author

    2. Lomax

      Why the "thumbs down"!?

    3. whitepines

      Not really "disabled" though, is it, and certainly not "rid" of it. If you think you're rid of it try deleting the ME kernel from your Flash device and see if your machine still works. Chances are it won't (except for some old 2007-era and earlier Intel systems).

      1. Lomax

        > Not really "disabled" though, is it, and certainly not "rid" of it.

        Yes, disabled:

        > sets the 'High Assurance Program' bit, an ME 'kill switch' that the US government reportedly had incorporated for PCs used in sensitive applications

        And mostly gone too:

        > removes the vast majority of the ME's software modules (including network stack, RTOS and Java VM), leaving only the essential 'bring up' components

        I'd say that by removing the network stack the "threat" is basically neutralised, no?

        1. whitepines

          No, not "disabled". The dictionary defines disabled as:

          "of a device or mechanism : rendered inoperative".

          The ME operates on every boot, and at minimum continues to listen for certain power control events. That does not qualify for the dictionary definition, and (at minimum) leaves the possibility of a ME kernel-level exploit being used in the future.

          Given that the kernel still runs, and that anyone with physical access to the machine can install god-level invisible malware that will survive OS and hypervisor re-installs, I would not say the threat is neutralized

          Then there's the little matter of the TPM not working on "limited" ME platforms. That's a major step backward for high security use cases, especially where you can't install a new hardware TPM.

          1. Kiwi
            WTF?

            Given that the kernel still runs, and that anyone with physical access to the machine can install god-level invisible malware that will survive OS and hypervisor re-installs, I would not say the threat is neutralized

            If someone has enough access to a machine to re-enable ME or install the other stuff, you've probably got bigger worries.

            Make checking it's disabled etc part of your new install process, and it won't be a problem until that person has physical access to the machine again. At which point, again, you have bigger issues to worry about. Oh, and they're likely a trusted member of your organisation. In that case your data is already gone because if they have that level of access and can't use ME they'll use other tricks.

  6. Marty McFly Silver badge
    Mushroom

    Alternative?

    Sooooo..... Not a big problem with AMD chipsets then?

    1. Nate Amsden

      Re: Alternative?

      I have read that AMD has similar technology (though haven't noticed that they have similar security issues with it yet).

      Myself I have always been interested in the Intel AMT going back maybe 12 years when I first heard about it. My current and previous laptops have the features I see but are not "enabled" (as in don't have the software/licensing which seems to be enterprise specific). Though that may not stop the security stuff from being exploited.

      I am kind of assuming that most servers don't have this stuff enabled?(I also think that some server board makers like Supermicro or Tyan may sell boards with this ability) At least I have never noticed anything related to this tech in my HP servers, ever. They have iLO of course which is similar though not as tightly integrated. I have read that it needs Intel NICs, but am not sure if that is the case or not, if it is, then may explain why I've never seen it on my HP systems all of which seem to have broadcom NICs as their onboard interfaces, going back at least 10 years now.

    2. Crazy Operations Guy

      Re: Alternative?

      ARM is probably going to be your best bet for a system without a crap management sub-system running on it.

      1. Phil Endecott

        Re: Alternative?

        > ARM is probably going to be your best bet for a system

        > without a crap management sub-system running on it.

        My 8-core Thunder-X ARM motherboard (MP30-AR1) has an additional processor to provide remote management. Since it also provides the main VGA video output, disabling it might not be a great idea.

    3. John Miles

      Re: Alternative?

      AMD have “Platform Security Processor” or “PSP” (or now called AMD Secure Processor) - see

      https://www.amd.com/en-us/innovations/software-technologies/security

      worth Googling "AMD PSP" and reading other sources of info

  7. Stevie

    Bah!

    System 76 are actually shipping computers? Every time I look they have a "coming soon" sticker over the goods.

  8. JohnFen
    FAIL

    I am implenting an easier solution for new purchases

    I'm not buying anything with "Intel Inside".

  9. Updraft102

    Just a reminder

    In order for the backdoor to function remotely, the incoming connection has to come through the Intel NIC that is integrated into the PCH (platform control hub) that is also running the management engine. It listens on a few known ports for incoming connection attempts, and while it could conceivably thwart a software firewall's effort to close the port, a hardware firewall (for most consumers, as simple as a NAT router) would effectively block any such attempts from the WAN.

    The IME can also be exploited locally through USB, but then the attacker has to have physical access to the PC, which is bad news anyway. If an attacker can physically access the PC, is a management engine vulnerability really the chief concern?

    Not saying that it wasn't a bad idea on Intel's part to include such a backdoor... clearly, it was; this was just an accident waiting to happen. Still, the severity of the exploit needs to be kept in perspective. Why not take a moment to consider the attack vectors and see if it is really a threat to you, and if you can do anything to minimize it, before giving the "abandon ship" order?

    1. Anonymous Coward
      Anonymous Coward

      NOT

      A single firefox exploit will be able to make an IP connection to anywhere inside your DSL-NATed local network. Or a pwned Android which you have given the Wifi key for the DSL router.

      American IT is becoming more and more annoying.

    2. DropBear

      Re: Just a reminder

      Actually... this raises an interesting question. If the IME expects to link up through the motherboard integrated NIC, what happens if you simply ignore it (leave it unplugged) and add a PCI network card? Would the IME just find it and carry on unhindered? Granted, this would not help with any malware that came in through your "alternative" network and installed something on the IME... would doing this change anything at all...?

    3. JohnFen

      Re: Just a reminder

      "Why not take a moment to consider the attack vectors and see if it is really a threat to you, and if you can do anything to minimize it, before giving the "abandon ship" order?"

      Because any expansion of attack surface is bad. Sure, if you have some need that only Intel processors can fill, then doing a security and cost/benefit analysis makes sense. If, however, you are like the vast majority of users, Intel brings nothing unique and critical to the table, so the safer (and easier!) thing to do is to just not use their processors.

    4. Someone Else Silver badge
      Big Brother

      @Updraft102 -- Re: Just a reminder

      Still, the severity of the exploit needs to be kept in perspective. Why not take a moment to consider the attack vectors and see if it is really a threat to you, and if you can do anything to minimize it, before giving the "abandon ship" order?

      Updraft102, your rationalization strikes me along the lines of, "If you have nothing to hide, you have noting to fear."

      If it's there, it's a threat. Period. It may not be an easy-to-operate threat, but it's still a threat.

  10. whitepines
    FAIL

    NOT really disabled....partially deactivated is more correct

    You cannot just disable the ME. The ME is an integral part of boot on Intel platforms and must be started up before the system firmware running on the main x86 cores can do its job. All these "disabling" hacks with ME Cleaner and such do is to try to disable the ME's userspace or try to shut the ME back down after boot is complete.

    However, the simple fact is the ME *still runs* on *every boot*. It's not hard to imagine malware that leverages this to insert an APT (similar to an old school TSR) into the main x86 processor while the ME is still in control during the boot process -- such malware would be pretty much invisible and, best of all, the user doesn't even know to look for it because "my vendor told me the ME was disabled".

    I wonder who has legal liability in this scenario? System 76 by any chance?

    1. Anonymous Coward
      Anonymous Coward

      Re: NOT really disabled....partially deactivated is more correct

      So you want to threaten System 76 with legal action because of messing with Intel's backdoor ? What a nice person you are. How much does $TLA pay for this ?

      1. whitepines

        Re: NOT really disabled....partially deactivated is more correct

        Nope, just saying that they need to be careful about what they are claiming. "Disabled" is a word with a very specific meaning.

    2. Anonymous Coward
      Big Brother

      Re: NOT really disabled....partially deactivated is more correct

      "I wonder who has legal liability in this scenario? System 76 by any chance?"

      That would be the NSA, who made Intel include a Kill Switch, which is what enables System76 to disable it. You see, the NSA needed to disable iME on the desktop PCs used at Fort Meade :]

      1. whitepines

        Re: NOT really disabled....partially deactivated is more correct

        But, again, it's not really disabled, is it?

        As an analogy, if I have an air conditioning system, and I need someone to work on the compressor, it needs to be disabled for their safety. If I claim it's been disabled, but what I really mean is "oh, the compressor will still start randomly but the thermostat will turn it off in around 10 seconds, I promise!", that tech is going to be seriously injured.

        Since when did the meaning of "disabled" change?

  11. Anonymous Coward
    Anonymous Coward

    Should be standard in every version of Intel firmware

    What possible reason would there be for the handful of companies that develop EFI firmware for Intel PCs not to include an option to completely disable the ME?

    1. Anonymous Coward
      Anonymous Coward

      Re: Should be standard in every version of Intel firmware

      haha, ;)

  12. Anonymous Coward
    Anonymous Coward

    Security Concept of Intel Management Engine ?

    Can somebody explain what Intel's approach to securing the IME is ?

    There should be some sort of password check or crypto scheme before the IME accepts any outside commands for anything. That would be the sane version of things, I know...

    Just dogging through https://link.springer.com/chapter/10.1007/978-1-4302-6572-6_4

    1. Anonymous Coward
      Anonymous Coward

      Re: Security Concept of Intel Management Engine ?

      From my search it seems that

      1. The mbex password is an option. By default "admin"/"admin". Great.

      2. There are http/https servers running on 16992/3. They can only be accessed via a physically different machine for some reason.

      3. Not all PCs have AMT enabled

      4. For larger companies they seem to have another scheme. Could not get the details, though.

      5. Of course they had exploitable bugs in AMT, but apparently no way for automatic patching.

      1. JohnFen

        Re: Security Concept of Intel Management Engine ?

        "For larger companies they seem to have another scheme. Could not get the details, though."

        I actually worked with AMT for a number of years, and I can help you out here. The "other scheme" is PKE certs. You don't have to be a larger company for this -- all you need to do is run the AMT utility that Intel provides and install the cert you want to use.

  13. jonfr

    What about AMD?

    What is done about AMD Secure Processor?

    http://www.amd.com/en-us/innovations/software-technologies/security

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like