Intel to slap hardware lock on Management Engine code to thwart downgrade attacks

Intel's Coffee Lake and Cannon Lake x86 processors can be fortified by computer manufacturers to prevent in hardware attempts to downgrade, exploit and potentially neuter Chipzilla's built-in creepy Management Engine. In June, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy privately reported to …

  1. Anonymous Coward
    Big Brother

    Intel to thwart downgrade attacks

    And it's all done purely in the interests of protecting us from the cyber-islamo-fascists. The definition of trusted computing actually means that the manufacturers can be trusted to backdoor the hardware for the state security apparatus.

    1. The Man Who Fell To Earth Silver badge
      WTF?

      So...

      Does this mean that to be secure, I should only buy machines with AMD CPUs?

      1. eldakka

        Re: So...

        Does this mean that to be secure, I should only buy machines with AMD CPUs?
        As has been pointed out in the comments of many of the recent articles regarding Intel's IME, AMD has its own version embedded in its chips/chipsets called the PSP. Therefore AMD-based systems are potentially susceptible to the same types of attacks and privacy and security concerns.

        1. kain preacher

          Re: So...

          But not on their mainstream desktop CPUs.

          1. whitepines
            Alert

            Re: So...

            This is a common misconception. The server folks like to think the PSP is only for "those consumer chips", and the consumers like to think somehow the PSP is an enterprise-only feature.

            Let me be as clear as possible. EVERY AMD CPU has the PSP. It cannot be removed, it cannot be disabled, and it has full access to the x86 cores and all of the system components. It's stored on rewriteable firmware storage and anyone with access to the AMD signing key can run their code at the highest possible privilege level on the entire system.

            Scared yet?

            1. Chronos

              Re: So...

              Let me be as clear as possible. EVERY AMD CPU has the PSP. It cannot be removed, it cannot be disabled, and it has full access to the x86 cores and all of the system components. It's stored on rewriteable firmware storage and anyone with access to the AMD signing key can run their code at the highest possible privilege level on the entire system.

              Correct, with the tiny qualifier of CPUs and APUs >= family 16h. Trinity and Richland APUs on socket FM1 and Phenom II and Athlon II CPUs on Socket AM3 are probably the last to be PSP-free. A general rule-of-thumb is if it's a 2013 or newer core, it has PSP/Secure Processor.

              1. whitepines

                Re: So...

                Good point, thanks for the correction. I completely forgot the (rather awful) earth-mover series cores were even being manufactured any more since they're completely and utterly obsolete at this point.

                1. whitepines
                  Trollface

                  Re: So...

                  Oh look, an AMD fanboi is stalking me and downvoting. How cute. Don't you have to apply updates to your Windows 10 home edition installation by now?

                2. Chronos

                  Re: So...

                  It's pertinent information if anyone is looking to specifically avoid this mess, as is the fact that Core number numeral devices, more often than not, do come with ME, albeit easily disabled on at least some of the ICH9 variants. I wasn't trying to contradict you or "be clever," just inform.

                  1. whitepines

                    Re: So...

                    @Chronos I appreciate the correction; my comment was directed at the unknown drive-by downvoter, not you. As you said, people need to know what they have to do to avoid this mess, and it's not pretty...

                    1. Chronos

                      Re: So...

                      @whitepines, yes, it would be better if they'd join the debate rather than just clicking the little button, wouldn't it? I agree that the down-vote was unwarranted.

            2. michael.moon

              Re: So...

              Perhaps a better solution, obviously only for the security minded: publish which IO pins on which chip do what, so we can use a scalpel to physically cut those lines. After all, not much use having a management god mode if you CAN'T access it; can't reprogram the firmware to get around the physically cut lines.

              Surely this is the buyer's preference? They bought the motherboard, it's their hardware, give people the data to PERMANENTLY RENDER THE FUNCTION USELESS!! :-) Or has it been embedded into the CPU itself? Surely it must be on its own separate IC or it would not have unfettered access to the memory also.

              1. whitepines

                Re: So...

                They're way ahead of you here. Not only is this core on the silicon itself, but disabling it by cutting lines would be rather like drilling holes in the starter motor on your car. The platform simply won't boot without that core, since the core is responsible for starting the platform.

          2. bombastic bob Silver badge

            Re: So...

            (regarding AMD's management engine)

            "But not their mainstream desktop CPUs"

            I certainly HOPE so, that AMD CPUs for desktops don't ALL come "equipped" with a management engine like Intel's!

            This sort of thing makes it UNNECESSARILY hard for ME, having to do "that level of research" into new hardware...

            (from the article)

            "patches to kill off the security holes in the code are gradually being made available to organizations and people to download and install."

            How about "patches to PERMANENTLY FLIP THE HAP BIT" (as mentioned as a solution near the end of the article).

            1. whitepines

              Re: So...

              As I mentioned above, yes, they do come with AMD PSP. No way around it.

  2. Anonymous Coward
    Anonymous Coward

    hey intel

    screw you, nobody wants ME

    1. Anonymous Coward
      Anonymous Coward

      Re: hey intel

      Burn it. Burn it with fire.

  3. whitepines
    Mushroom

    ME free computing

    Excellent timing, what with POWER9 being released literally days ago. Pick up one of these and never worry about the ME or PSP again....

    https://raptorcs.com/TALOSII/

    1. S4qFBxkFFg

      Re: ME free computing

      I want one, but the motherboard they're offering makes the high-end stuff from Asus, MSI, etc. look like a budget choice. (>$2000!)

      Does anyone else even make Power9 MBs?

    2. Doctor Syntax Silver badge

      Re: ME free computing

      No laptops, then? And why on earth do they need to list a hex screwdriver as an accessory? Does it use screws with non-standard dimensions such as millicubits?

      1. whitepines

        Re: ME free computing

        I'd guess the long lengths of those drivers aren't all that common. POWER uses a spring loaded retention mechanism; you can see that if you look real close at the heatsink pictures. At any rate it's definitely a standard driver (says 5/32" on the page).

        Other vendors do make systems but the pricing is even worse. IBM launched their own server for GPU compute (the AC922), and there's also the Penguin Computing PE2112GTX. The Talos is currently the only system to focus on security and owner control, though, and it looks like there might be some hope for smaller, cheaper systems if you look at the Raptor Engineering Twitter page.

  4. Christian Berger

    If ME would be the first feature Intel wouldn't charge extra

    I mean, OK, there are actually reasons for wanting to have ME, but so far Intel has chosen to charge extra for every desirable feature. Want ECC-RAM, get a server chip, want virtualisation, get a server chip.

    1. Dan 55 Silver badge

      Re: If ME would be the first feature Intel wouldn't charge extra

      Dell charge $20 extra to disable the chip (i.e. flip the HAP bit) for you, on some laptops. Then there's Purism and System 76.

      https://fossbytes.com/laptops-intel-me-chip-disabled/

    2. phuzz Silver badge
      Unhappy

      Re: If ME would be the first feature Intel wouldn't charge extra

      Yep, get ME in the CPU for my home computer, where I don't need or want it, but when I buy a server at work we have to pay extra for the remote management features.

  5. A Non e-mouse Silver badge

    Optional

    Intel could, of course, listen to the market and sell versions of its chips without ME. But that would result in a lower kick-back from the three letter agencies.

  6. MacroRodent
    Big Brother

    AMD?

    Maybe Purism would have better luck petitioning AMD. They might see a market in selling chips that either lack their equivalent of ME, or provide a documented way for OEMs to totally disable it.

    OK, privacy and security conscious "hippies" is a small market, but it exists, and catering to it should not cost AMD any extra in new chip designs.

    1. whitepines
      Facepalm

      Re: AMD?

      AMD is on record stating that they will not be removing the PSP or allowing it to be disabled. It already provides a digital lock on features for their server chips, and they are moving more and more core functionality into the PSP.

      At minimum, it would be expensive for them to do an about face on this. Considering they also want a slice of the DRM pie, I highly doubt it is even being considered.

      1. Anonymous Coward
        Anonymous Coward

        Re: AMD?

        I think you might have better luck with Qualcomm

      2. phuzz Silver badge

        Re: AMD?

        What does AMD's PSP (or Intel's ME) have to do with DRM?

        Are you getting it confused with the TPM?

        1. eldakka

          Re: AMD?

          What does AMD's PSP (or Intel's ME) have to do with DRM?
          Apparently it is a key element in allowing 4k HD blu-ray decoding by ensuring a non-user accessible encrypted path from the Blu-ray player (or the HTML5 DRM browser plugins) and the display output. Basically, it is used to ensure that HDCP encryption is guaranteed end-to-end. It is, in many ways, a non-optional TPM module. Since the IME/PSP has full control over your computer, it can prevent/isolate user (well, the computer owner's) access to certain areas/features of the computer.

          1. whitepines
            Flame

            Re: AMD?

            Oh, it's worse than that. Remember the "Intel Upgrade Service" from back in 2010? Seems AMD brought it back; and I quote:

            "The PSP is capable of "locking" additional processor features"

            From https://mail.coreboot.org/pipermail/coreboot/2014-August/078489.html

            Also found the same general claim elsewhere online, but like all things ME/PSP related it's generally shrouded in mystery and myth....

            1. Anonymous Coward
              Anonymous Coward

              Re: AMD?

              Look for more news about the PSP incoming.

              No idea what the truth of this story will turn out to be, but don't write off a disable flag just yet. Don't rely on one turning up either though.

              1. bombastic bob Silver badge
                Happy

                Re: AMD?

                @Mycho

                thanks for that article link (about firmware updates to allow disabling PSP). I'll put off making a particular motherboard and CPU choice until AFTER this is all ironed out...

                /me wonders if Linux and the BSDs might some day include a method of disabling management engines...

              2. whitepines

                Re: AMD?

                That's already been largely debunked. The PSP still runs, it's not disabled, just UEFI doesn't talk to it. It's probably just a debug option in case UEFI gets so messed up the board doesn't boot for some reason.

                https://www.phoronix.com/forums/forum/hardware/motherboards-chipsets/994165-amd-reportedly-allows-disabling-psp-secure-processor-with-latest-agesa?p=994177#post994177

  7. Andy The Hat Silver badge

    Anti roll back ...

    is a good thing ... unless the update goes wrong in which case Intel have killed your system until they decide to release an update with a later version number.

    Nothing can possibly go wrong there then.

    1. Richard 12 Silver badge

      Re: Anti roll back ...

      Plus there aren't many of these "fuses" - normally only 16 or 32 bits.

      Normally they are used for the device serial number and as markers for warranty-breaking events (eg overclocked, overtemp etc)

      All they can do is blow one more fuse each time.

      So they're betting all their customers' physical hardware on never needing more than 15 firmware updates.

      Ever, on pain of total brick.

    2. Anonymous Coward
      Anonymous Coward

      Re: Anti roll back ...

      Most BIOSs store a backup of the firmware before writing the new one. I'm no CPU guru, but couldn't something similar be done securely? A chip that only ME can access, where it writes the old firmware, flashes the new, if the ME fails to come up, re-write the backup?

      So long as only the ME can access this "backup chip", it should be safe as for something nefarious to mess with the backup chip, it'd have to first compromise the ME, and you're hosed anyway.
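The backup-slot scheme floated in the comment above, worked through as an added example (constructed here, not Intel's or any vendor's design; the image header, slot layout and `boots_ok` self-test flag are assumptions). The point it makes is that a fallback path must still honour the anti-rollback floor, and that the floor should only be raised once the new image has actually come up, otherwise a broken update bricks the part:

```python
"""Two-slot firmware update with fallback, still bounded by an anti-rollback SVN floor.

Constructed model, not any vendor's code. The new image is written to the
inactive slot and tried; the previous image is restored only if the new one
fails to boot, and only if it is still at or above the fused SVN floor.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Image:
    svn: int          # security version number carried in the image header
    boots_ok: bool    # stands in for "the ME comes up and passes its self-test"
    name: str


@dataclass
class Slots:
    active: Image
    backup: Optional[Image] = None


def is_permitted(img: Optional[Image], svn_floor: int) -> bool:
    """An image may run only if its SVN is not older than the fused floor."""
    return img is not None and img.svn >= svn_floor


def apply_update(slots: Slots, new: Image, svn_floor: int) -> Tuple[Slots, int, str]:
    """Write `new` beside the current image, try it, fall back if it fails.

    Returns (new slot state, new SVN floor, outcome label).
    """
    if not is_permitted(new, svn_floor):
        # Even a "backup chip" must not accept an image below the floor.
        return slots, svn_floor, "rejected: rollback below fused SVN"

    # Keep the previous image as backup *before* activating the new one.
    trial = Slots(active=new, backup=slots.active)
    if trial.active.boots_ok:
        # Raise the floor only after a successful boot; raising it earlier
        # would strand a machine whose new image fails to come up.
        return trial, max(svn_floor, new.svn), "updated"

    # New image failed: restore the backup, provided it is still permitted.
    if is_permitted(trial.backup, svn_floor):
        return Slots(active=trial.backup, backup=None), svn_floor, "rolled back to backup"
    return trial, svn_floor, "unrecoverable: no permitted image"
```

Run as written, a broken v4 falls back to v3 without moving the floor, a working v4 then raises the floor to 4, and a later attempt to install v2 is refused even though it would boot.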

  8. I Am Spartacus
    Devil

    Support for Linux

    It means that Linux distros have to be signed to use Secure Boot, but that will stop you loading any device driver that taints the kernel.

    That new graphics engine? Sorry, but you can't use any of the special features until we get a kernel upgrade signed by Intel, which, by the way, probably means that M$ also have to sign off on it.

    1. phuzz Silver badge

      Re: Support for Linux

      You're mixing up the ME with SecureBoot. They're different and separate things.

      So far the only machines I've heard of that don't allow you to either disable Secure Boot, or to add your own (non-microsoft) certificates are some of the Surface tablets.

      So, if you want to install a new graphics driver into your kernel, either use one of the distros that uses a signed shim, or add your own cert into your BIOS, and compile your own signed bootloader.

  9. zaax

    NSA won't allow them to turn it off.

  10. jms222

    With all its faults I do respect that just not having it isn't an option. I went to a talk about trying to replace it yielding essentially broken machines. The surprising thing was that people considered the result useful.

    It's the thing that stops the chip cooking itself after all.

    But maybe there is middle ground where the customer (machine maker) could have their variant supplied with all the remote management and USB<->JTAG crap removed but keeping power and thermal management.

    1. Doctor Syntax Silver badge

      "the customer (machine maker)"

      And therein lies the problem. Intel's customers are machine makers, not us. We, as the ultimate customers, are just at the end of the chain and there are, as yet, insufficient of us who actually care about security. Once a large scale malware campaign worms its way into the ME, possibly resulting in a class action, then we'll finally see Intel frantically scrabbling to try and roll back what they've done and launch ME-free chips.

    2. Dan 55 Silver badge

      They are different things. The SMM is not the same as the ME. You can (or should be able to) design a chip with the SMM but without the ME.

  11. conscience
    FAIL

    Writeable firmware is a terrible idea that wouldn't be necessary if Intel (and others) could be bothered to get their code right prior to shipping.

    We never had this trouble with the old ROM chips. Plus, if the ROM chips were socketed, there would still be the option to physically swap the chips if emergency updates were needed without leaving everyone wide open to attack and snooping. Anything has to be better than the current arrangement.

    1. Hescominsoon

      We never had this problem with ROM because security was an afterthought.....

    2. Kiwi

      Plus, if the ROM chips were socketed, there would still be the option to physically swap the chips if emergency updates were needed without leaving everyone wide open to attack and snooping. Anything has to be better than the current arrangement.

      Yes, because having your system vulnerable or down while waiting for the new chips to ship (and hopefully survive the wonderful security and handling procedures of courier/postal firms...) is so much better than quickly downloading software from the maker's site and installing it.

      Code is hard. It's practically impossible (even if theoretically possible) to produce software of a significant size without issues. It could even be that your software ships 100% bug and security flaw free, but someone else finds another way in.

      The "old rom chips" did not do anywhere near what is done today. I have an ancient hub somewhere around - 10mbs vs my GB switch. The hub cannot do the speed and despite being made with some very "old rom chips" is not nearly as secure as the switch.

      I've got graphics cards with socketed RAM chips and all sorts of other old junk lying around. I have photos which these machines could never hope to display. I've got a 5mb HDD around somewhere (full height MFM), and hundreds (if not thousands) of photographs that said drive could not hold.

      Things have moved on and are more complex.

      That said, AMD and Intel could make a way for the nastier side of their systems to be disabled if a customer desires, or require a jumper setting on the mobo to enable the communications side of it - lots of ways they could reasonably easily make it so those who want it can have it and those who hate it can kill it. We're probably not even talking cents per board, which they can reclaim by charging the end customers dollars per board anyway.

  12. Anonymous Coward
    Anonymous Coward

    Next week we’ll find out that the ME has an embedded management engine of its own (MeMe?) and that’ll get hacked too. And the following week... what a complete mess IT has become.

    1. AndyMulhearn

      Next week we’ll find out that the ME has an embedded management engine of its own (MeMe?) and that’ll get hacked too. And the following week... what a complete mess IT has become.

      I think you mean Mini ME?

  13. Anonymous Coward
    Anonymous Coward

    Brace

    "a brace of exploitable bugs – CVE-2017-5705, 5706, and 5707"

    2 != 3

    1. Anonymous Coward
      Anonymous Coward

      Re: Brace

      well...how about a leash of bugs? :)

  14. Anonymous Coward
    Anonymous Coward

    Blast from the past: remember 'Trusted Computing'?

    https://en.wikipedia.org/wiki/Trusted_Computing

    https://en.wikipedia.org/wiki/Trusted_Computing_Group

    Looks like not only software ('apps' and games) are going into walled gardens, it seems like the hardware department is also waging a war on openness.

    1. Chronos

      Re: Blast from the past: remember 'Trusted Computing'?

      The sad part is that 98% (number from anus) of users won't care. As long as Netflix works, fux not given.

  15. Hescominsoon

    This is false security

    So you make the update, effectively turn it to a ROM based system. Great that means it cannot be downgraded. What do you do when more exploits are found? Now you are stuck with a permanent vulnerability built into your hardware. This is no better than the supposed "rollback" vulnerability. Intel

    1. conscience

      Re: This is false security

      I'm not sure you understand. You can't update a system to be ROM based, it would be built that way. You wouldn't be able to upgrade or downgrade anything, but there wouldn't be any exploits in properly written, fully tested, finished code so, no, there would be no need to change the firmware - ever. That's the whole point of read-only firmware. Any potential exploits would have been found and fixed prior to the first release so, no, you wouldn't be stuck with any vulnerabilities. Having the ROM chip plug into a socket instead of soldered directly would facilitate swapping the chip in case of the odd accidental programming oversight, but it would deter manufacturers from rushing out untested code as there would be a significant cost involved other than writing the fix (manufacturing a new ROM chip plus a product recall to fit it).

      Getting the code right prior to release would be essential of course, but it's more than possible. If any manufacturer isn't able to write good, secure code without security bugs then they should hire someone who can do the job properly for them. Having rewritable firmware is just an excuse to ship unfinished, inadequately tested, poor quality code, as well as a cracker's wet dream.

      1. Richard 12 Silver badge

        Re: This is false security

        Such a system would also take an infinite amount of time to create.

        All non-trivial systems contain bugs.

        Intel already upgrade the firmware of the x86-64 CPU components, because the hardware silicon itself contains bugs.

        - it's called "microcode". The UEFI and BIOS show which version you've got.

        1. conscience

          Re: This is false security

          @Richard 12

          Infinite? Maybe if you are Intel! If the system is too complex, then it shouldn't be too hard to break it into smaller, more manageable pieces that communicate securely with no way to do any real harm.

          In my opinion, hardware/software contains so many serious bugs these days primarily because manufacturers have the option to update it later (assuming the device/user has net access), so code and hardware is often rushed out without proper testing with an irresponsible "oh nevermind we'll patch it later" attitude. Trouble is, they don't always bother because it's cheaper and easier not to, or they simply don't have the in-house talent to do so.

          I'm aware of Intel's microcode, in Intel's case they would first have to get the hardware right then concentrate on getting the code done right. Not trivial for Intel, who don't seem to have adequate skills and so make more than their fair share of blunders, but it's been done before and other processors have been hard wired correctly before being sold. Intel would just need to avoid so many mistakes and do the job properly.

          1. Wulfhaven

            Re: This is false security

            If you break things into smaller and testable, verifiable parts, the bugs and security holes will be in the interaction between these small components instead, and that will not be provably bug free, thus it will take an infinite amount of time to test and verify complete freedom of exploitable bugs.

            Anything remotely complex will have bugs, no matter which way you slice it up into manageable bits (or don't).

          2. Kiwi

            Re: This is false security

            Plus, if the ROM chips were socketed, there would still be the option to physically swap the chips if emergency updates were needed without leaving everyone wide open to attack and snooping. Anything has to be better than the current arrangement.

            If you're so much more skilled, or know of people more skilled at making chips than Intel, perhaps you should set up your own fab and start making CPUs?

            Think of how much good you could do with the money you'd make! And you can make it so any management engine can be disabled. Better, and much more secure chips that never need firmware updates! (not even when new hardware hits the market, or your competitors come up with a new feature you want to implement, or...........)

            1. conscience

              Re: This is false security

              @ Kiwi

              If the firmware code was done right in the first place there should be no waiting for replacement ROM chips to ship, and given the cost of doing so it would undoubtedly focus the minds of the manufacturers to put more effort into getting things finished and tested prior to release. The replacement option would only be to bail them out in the case of a monumental screw up. The trouble with downloading and installing something as important as firmware is that it just isn't very secure, especially when it can be done from within the OS, and there is nothing to stop a skilled malware writer adding in their own dodgy code or ME for their own purposes.

              Read-only ROM chips could do the same job as firmware stored on rewritable flash - either option would just be storage space for the code. I don't see why read-only ROM chip functionality would necessarily be any more limited than if it used rewritable flash for storage?

              A physical jumper or write-protect switch would be a very good start.

              As much as I'd enjoy the profits from my own chip fab, I'm no expert hardware guru (and don't have a few billion dollars to spare). The manufacturers just seem to be in too much of a rush to actually finish their products before selling them. Though Intel seem to have more problems than most, I'm not specifically having a pop at them either, e.g. AMD's Ryzen has also seen (too) many updates for things like faster memory compatibility etc. when that could and should have been finished prior to release. Same story with the software industry. Not sure they'd get away with it in other industries, would you buy v1.0 of a car with only one wheel? But hey don't worry, v1.1 will see the rest of the wheels added and we hope to add brakes in v1.2!

  16. Rainer

    Macs don't have it, AFAIK

    Currently the only x86 computer without it.

    But hey, here come the "Apple robs our freedom"-trolls.

    1. Chronos
      Facepalm

      Re: Macs don't have it, AFAIK

      only

      That word does not mean what you think it means. TFA points you in the direction of several OEMs who will butcher/castrate ME or flip the HAP bit for you. Was this anti-troll rant a troll of its own, perchance?

    2. whitepines
      Stop

      Re: Macs don't have it, AFAIK

      Nope, Macs also have the ME. Every Intel CPU past ~2010 or so (with the exception of some Atom processors) has an ME. Just because Apple doesn't explicitly call out a low-level "feature" that is becoming somewhat widely reviled doesn't mean it isn't in there.

      No OEM has the ability to remove the ME, period. Dell et al. try to use the HAP bit, but a recent presentation showed that's not enough to actually plug the holes....the remaining stubs are just as leaky as the rest of the ME firmware.

      1. Chronos

        Re: Macs don't have it, AFAIK

        No OEM has the ability to remove the ME, period.

        True. One can force the thing into a halted state, however, by removing everything but essential bringup (BUP in all the docs so far) code from the embedded firmware. For some machines, this means breaking out the SPI flasher. For others, mainly consumer motherboards, the EFI setup utility's own flasher usually suffices once you have run me_cleaner on the flash file.

        However, since the flash is accessible from the client OS (they're mostly just dangling from an SPI bus these days), it's conceivable that Chipzilla will conspire with MS or EFI vendors to put the code back again, quite possibly with a routine to halt the boot process completely and drop you into a flash rescue mode if it is anything less than fully operational. As you rightly say, the ME machine is still there with its tentacles in your entire memory space and remains a security risk.

        If I may be permitted the vulgarity, it's a right pain in the arse and is making x86 look even less appealing than it was before they started this nonsense.

      2. Sureo

        Re: Macs don't have it, AFAIK

        "...the exception of some Atom processors..."

        Joy ..... my 6 year old netbook is secure.

  17. Anonymous Coward
    Anonymous Coward

    Time to switch

    ARM chips do not have a Management Engine...

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to switch

      Quote

      ARM chips do not have a Management Engine...

      YET.

      What's the betting that those server SoCs that Qualcomm are producing will have them sooner or later.

      However, with multiple foundries making the chips outside the USA there is scope for a range of ARM kit with huge 100pt labels

      NOT FOR SALE OR USE in the USA

      Bring it on. Who wants to sell to that 4th world country anyway?

    2. Hescominsoon

      Re: Time to switch

      AMD non-Pro Ryzens do not have a built-in management engine either.

      1. whitepines

        Re: Time to switch

        Yes, they do. The PSP.

  18. OffBeatMammal

    Hope they include enough Fuses to store the version numbers for several firmware updates... OMG, Y2K for Intel chips as one too many firmware updates overflow the fuse-box!

  19. Jedipadawan

    Linux and ARM are coming

    The dirt cheap ARM based Linux running general consumer laptop is not QUITE with us yet...

    ...but the hobbyists and engineers who will make it happen are on it. The Pinebook has a year long waiting list, it is so popular. These geeks are going to make the open source, ARM based laptop happen.

    It's the only way out of this kind of mess now.

    https://www.pine64.org/?page_id=3707

  20. Steve Knox
    Facepalm

    Two Things...

    A recent confidential Intel Technical Advisory posted to GitHub stated that starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, "will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN."

    1. GitHub link is now 404.

    2. What's to stop a miscreant from hacking up an image with an SVN of 0xFFFFFFFF or 0x7FFFFFFF* to permanently lock in a borked image?

    * depending on whether the comparison is signed or not...
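Two of the threads above raise concrete questions about how a fuse-backed anti-rollback counter has to behave: Richard 12's point that a bank of 16 or 32 one-time fuses can only be blown one at a time and so bounds the number of updates, and Steve Knox's question about an image carrying an SVN of 0xFFFFFFFF or 0x7FFFFFFF. The model below is an added example, not Intel's code or anything quoted from the advisory; the fuse width, the 8-byte header format and the policy choices are assumptions. It burns fuses in thermometer order, reads the SVN field unsigned, and refuses any SVN the fuse bank could never represent, which is what stops a crafted header from pinning the floor at the maximum:

```python
"""Anti-rollback with a small bank of one-time-programmable fuses.

Constructed model, not Intel's code. Fuses are thermometer-coded: the count
of blown fuses is the minimum SVN the part will accept. Blowing is one-way,
so the counter only goes up, and a bank of N fuses can express at most N
version steps.
"""
FUSE_BITS = 16  # assumed bank width; the thread cites 16 or 32


class FuseBank:
    def __init__(self, bits: int = FUSE_BITS):
        self.bits = bits
        self.raw = 0  # bit i set == fuse i blown; bits are never cleared

    def current_svn(self) -> int:
        # With thermometer coding the blown fuses are always the lowest ones,
        # so the count of set bits is the SVN floor.
        return bin(self.raw).count("1")

    def remaining(self) -> int:
        return self.bits - self.current_svn()

    def burn_to(self, svn: int) -> None:
        """Raise the floor to `svn`. Never lowers it; refuses a value that
        would exceed the bank (the 'overflow the fuse-box' case)."""
        if svn > self.bits:
            raise ValueError(f"SVN {svn} exceeds {self.bits}-fuse bank")
        for i in range(self.current_svn(), svn):
            self.raw |= 1 << i


def make_header(svn: int) -> bytes:
    """Constructed 8-byte header: magic 'FW', 2 reserved bytes, 4-byte LE SVN."""
    return b"FW\x00\x00" + (svn & 0xFFFFFFFF).to_bytes(4, "little")


def image_svn(header: bytes) -> int:
    """Read the SVN field unsigned. A signed read would turn 0xFFFFFFFF into
    -1, which compares below every possible floor."""
    if len(header) < 8 or header[:2] != b"FW":
        raise ValueError("bad header")
    return int.from_bytes(header[4:8], "little", signed=False)


def signed_read_would_accept(header: bytes, bank: FuseBank) -> bool:
    """The comparison mistake the thread asks about: a signed 32-bit read
    of the SVN field, checked only for 'not below the floor'."""
    svn = int.from_bytes(header[4:8], "little", signed=True)
    return svn >= bank.current_svn()


def check_image(header: bytes, bank: FuseBank) -> str:
    """Policy a verifier applies before accepting an update image."""
    svn = image_svn(header)
    if svn < bank.current_svn():
        return "reject: rollback"
    if svn > bank.bits:
        # An SVN the fuse bank can never represent is either corrupt or an
        # attempt to pin the floor at the maximum; do not burn anything.
        return "reject: svn beyond fuse capacity"
    return "accept"


def install(header: bytes, bank: FuseBank) -> str:
    """Burn the floor up to the image's SVN only once the image is accepted
    (in a real part, only after signature checks and a successful boot)."""
    verdict = check_image(header, bank)
    if verdict == "accept":
        bank.burn_to(image_svn(header))
    return verdict
```

With a 16-fuse bank the part accepts at most 16 distinct SVN steps; a header carrying 0xFFFFFFFF is refused by the unsigned, capacity-bounded check, whereas the naive signed comparison in `signed_read_would_accept` would wave it through as -1.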
