Some notes: * Applying the patch probably requires BIOS update (and MoBo vendor releasing the update), I guess. * I wonder what is the technical distinction between home and SMB/Enterprise. Is it vPro? * I am not sure how can I check the version. There are some ME/AMT-related Linux tools, but I have found rather tools for remote management than tools for accessing AMT on local machine. * I wonder what does “exploitable locally” mean. If physical access is required, I am not sure what would attacker gain (AEM bypass at most, I guess). If it allows unprivileged user to elevate privileges, this might be interesting for Qubes, depending on the attack vector: If it requires attack over network interface, then sys-net can perform it. If it involves ME software for the OS (maybe for accessing the MEI PCI device), we should be adequately isolated on Qubes. I hope that Qubes adds some protection in any case and it is not exploitable from other VMs than sys-net. * There seems to be some MEI PCI device (see lspci | grep -i mei) in dom0 and /dev/mei0. I am not sure how all the parts (network stack, MEI PCI device, MEI software for OS and management while offline) are connected together. I am also unsure if having it in dom0 is good (i.e., it prevents passing malicious inputs to it) or bad (i.e., it adds attack surface). The safest approach seems to be attaching it to /dev/null with IOMMU (VT-d) isolation. Just crerating an autostarted (and maybe also autoshutdown) network-disconnected dummy VM with all ME-related PCI devices should do the trick. The VM would be trusted not to pass any malicious input to MEI, but it would not be trusted for anything else (so that it could absorb attack from MEI). I am unsure if this adds some actual protection or if it is totally hopeless.
Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3e805a35-c9b4-400f-8d64-a4656595a49a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
