On 05/01/2017 11:25 PM, Vít Šesták wrote: > Some notes: > > * Applying the patch probably requires BIOS update (and MoBo vendor releasing > the update), I guess. > * I wonder what is the technical distinction between home and SMB/Enterprise. > Is it vPro? > * I am not sure how can I check the version. There are some ME/AMT-related > Linux tools, but I have found rather tools for remote management than tools > for accessing AMT on local machine. > * I wonder what does “exploitable locally” mean. If physical access is > required, I am not sure what would attacker gain (AEM bypass at most, I > guess). If it allows unprivileged user to elevate privileges, this might be > interesting for Qubes, depending on the attack vector: If it requires attack > over network interface, then sys-net can perform it. If it involves ME > software for the OS (maybe for accessing the MEI PCI device), we should be > adequately isolated on Qubes. I hope that Qubes adds some protection in any > case and it is not exploitable from other VMs than sys-net. > * There seems to be some MEI PCI device (see lspci | grep -i mei) in dom0 and > /dev/mei0. I am not sure how all the parts (network stack, MEI PCI device, > MEI software for OS and management while offline) are connected together.. I > am also unsure if having it in dom0 is good (i.e., it prevents passing > malicious inputs to it) or bad (i.e., it adds attack surface). The safest > approach seems to be attaching it to /dev/null with IOMMU (VT-d) isolation. > Just crerating an autostarted (and maybe also autoshutdown) > network-disconnected dummy VM with all ME-related PCI devices should do the > trick. The VM would be trusted not to pass any malicious input to MEI, but it > would not be trusted for anything else (so that it could absorb attack from > MEI). I am unsure if this adds some actual protection or if it is totally > hopeless. > > Regards, > Vít Šesták 'v6ak' >
Not necessarily. Intel does provide flashing utilities along with the ME firmware updates, but it's up to your OEM to release them to you. Or for you to procure them from somewhere else. As for checking versions, it's all tied to the firmware and not the utilities. You can probably tell which one you have through your BIOS menu; it should display it. Some other tips here: http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html#msg10193 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/oe98oh%24t1a%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
