Fascinating!!

----- Original message -----
From: Thomas Heijligen <s...@posteo.de>
To: coreboot@coreboot.org
Sent: Fri, 08 Dec 2017 16:16:30 +0100 (CET)
Subject: Re: [coreboot] Disabling Intel ME 11 via undocumented mode

For those who are interested in the Intel ME, the slides and white papers from the Black Hat Europe are public.

https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf

In the conclusion they say "[...]. Such a vulnerability has the potential to jeopardize a number of technologies, including [...] Intel Boot Guard [...]."
Maybe it's possible to deactivate Boot Guard permanently or inject custom keys to run own firmware.

On 08.12.2017 15:40, Alberto Bursi wrote:
> On 12/08/2017 02:59 PM, Timothy Pearson wrote:
>>
>> That's just the HAP bit. The ME is limited but NOT disabled, and the
>> remaining stubs are still hackable [1].
>>
>> Neither the ME nor the PSP can ever be removed from their respective
>> systems. They can both be limited to some extent, but to call either
>> of them "disabled" is rather far from the truth.
>>
>
> Hacking them requires being able to write in the SPI flash, or to have
> buggy UEFI firmware. Which means most systems are still vulnerable.
>
> But it is also true that if someone can hack UEFI he pwns you anyway,
> even without ME.
>
> So imho ME with the HAP bit can be called "disabled", although the
> fight isn't over as ME isn't the only thing that was a threat anyway.
>
> There is still need to secure the UEFI firmware (which is needed even
> if ME didn't exist), and doing a hardware mod to have a hardware switch
> to turn the SPI chip read-only at the hardware level (also needed
> regardless of ME).
>
> I think many SPI chips only need some pin pulled high/low to go in
> read-only mode, and I frankly trust a dumb switch many orders of
> magnitude more than Boot Guard or anything software-based.
>
> -Alberto

--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot