Linux laptop-flinger says bye-bye to buggy Intel Management Engine

In a slap to Intel, custom Linux computer seller System76 has said it will be "disabling" the Intel Management Engine in its laptops. Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers. One of the most important …

Silver badge

1) Shouldn't be necessary

2) No guarantees (bound by whatever Intel does, basically)

3) They don't sell Windows (so... sure... they can make a PC without it but what about the other 95% of the world that wants a laptop without it?)

4) Holy cow have you seen the prices?!

Anonymous Coward

1. It is. ME is basically a computer in your computer. It's a proprietary backdoor, and has been cracked.

2. No, they're not.

3. Their market is developers and the like, not consumers/corporate.

4. See 3.

Anonymous Coward

"Linux laptop-flinger"

I'm sure both customers are delighted.

Silver badge

Oh Really?

So you expect a laptop with 2.5TB of SSD storage to be sold at Walmart/Tesco type prices?

Yeah, a machine with a Xeon processor or 4 NVIDIA compute cards will set you back a pound or two too.

Although they also have cheaper machines.

x 7
Silver badge

doesn't the ME require a driver?

what happens if you simply don't install it?

Silver badge

In case you missed the hint - it does not require a driver.

It is an antonymous operating system (based on venerable MINIX) running on a tiny CPU embedded inside your "actual" CPU, with a direct access to the whole of the physical memory and to the network interface (as both network and memory controller are implemented inside modern Intel CPUs). The goal apparently was to enable the remote administrator to manage the machine, even after e.g. its BIOS was borked and the "actual" CPU is unable to boot the operating system.


>>It is an antonymous op

OOps autocorrect - I think you mean autonomous.

But yea, no driver required. The ME is so powerful it doesn't depend on some piffling little driver. It is omnipotent. My Dell has a new BIOS version specifically to disable ME. Lucky ME.

Silver badge

"What happens if you don't install it [the driver] ?" looks like willingness to learn to me, which puts x 7 several orders of intelligence above the average manager. We're not born experts, it takes pain, exposure to lusers and unwilling loss of follicles. Enough with the down-votes already.

x 7, imagine a Raspberry Pi made small enough to fit into a motherboard chipset with electronic tentacles that reach deep into the parent machine. The operating system for this parasitic computer is embedded into the BIOS, so it initialises first before the BIOS/EFI hands off to the real operating system. The only way to confound it (as pointed out downthread, it's not really permanently castrated, just befuddled) is to take away its bits of BIOS to the point it enters a halted state and minds its own sodding business. All the driver does is allows you to interact with it from the main operating system. Without the driver, it's still there with its tentacles in your RAM and buses but your OS isn't aware of what the conduit that links the parasitic computer to the main computer is for.

Silver badge

Re: >>It is an antonymous op

@Mike 125 - of course, thanks

Silver badge

Wow, Minix! Got a copy and the book right here!

Silver badge

Or to put it more simply, the Intel ME is basically similar to the iLO/DRAC/out-of-band management you might be familiar with from servers.

Silver badge

Matryoshka dolls

A computer within a computer with access to everything and no idea what it is up to. Yes, that's a brilliant idea, especially if we can't see the code or use it for our own purposes.

Two machines here with IME, a Lenovo G710 and a Tecra M10. The former required a full strip-down and a CH341A dongley thing with an SOIC8 clip to remove this malware. The latter (well done, Toshiba) allows disabling the thing before it even starts, confirmed by intelmetool. On the Lenovo, removing all but BUP has left a dangling USB device that can no longer enumerate. I suspect this is the JTAG port oft reported but it's a pain in the arse as it spams syslog.

That said, I can live with a dead USB device hanging off of bus 3. It's infinitely preferable to hardware which does $DEITY knows what behind my back.

Yes, @x 7 it requires a driver for the control interface, yet the underlying processor and code still run regardless of driver status. If it's exposed to $SKIDDIE or $THREELETTERAGENCY you're SOL and JWF¹. Please note that AMD on anything newer than Piledriver also has something similar called PSP/Secure Processor which is pretty much the same idea - closed source crap running at ring -3.

¹ Shit out of luck and jolly well fucked.

Silver badge

Re: Matryoshka dolls

I am surprised you have managed to disable it at all.

Some of the functionality was supposed to be embedded into the CPU/SOC to a point where it cannot be removed short of destroying the CPU. So either Intel has failed its own design brief or there may be a way to re-enable it :)

Silver badge

Re: Matryoshka dolls

Certain implementations can be disabled by removing just enough of the code to stop it from running. You have to be very careful as some of these machines shut down after 30 minutes if the ME is in a particular state of not being able to boot.

See ME Cleaner for details. It's not for the faint of heart but I was going to stop using this Lenovo if I couldn't rid myself of at least the ME code running at ring -3 so I had very little to lose. With a dump of both SPI chips, I could always restore it to factory state anyway.

Bronze badge

Re: Matryoshka dolls

But is there a computer inside the computer inside the computer, i.e., is there another level to go down to? *cues Inception BONG*

*adds JWF to the TLA list* Yay I learned something new today!

Silver badge

Re: Matryoshka dolls

It's turtles all the way down.

Anonymous Coward

Re: Matryoshka dolls

At the core you have the all-seeing Eye.

ME = METATRON EYE, not "Management Engine".

FOOLS!!

Silver badge

Cool marketing idea

I mean disabling it probably doesn't cost them anything, and puts that laptop rebrander on the map.

One should note that the laptops currently on offer by refurbishers typically seem to be too old for ME... so it's not a pressing need yet.


Re: Cool marketing idea

One should note that the laptops currently on offer by refurbishers typically seem to be too old for ME... so it's not a pressing need yet.

Yes. You need a pre-2015 processor to escape it


Re: Cool marketing idea

Pre-2015? The guide I linked to below says

"The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs."

Which is correct?

Silver badge

Re: Cool marketing idea

> Yes. You need a pre-2015 processor to escape it

And few of those are already on the market.

Silver badge

Re: Cool marketing idea

The Tecra I mentioned up-thread is a Core 2 Duo. It has Intel ME, so I'd say the 2006 quote is the more accurate. If in doubt, assume it's there and check with intelmetool (a sub-project of coreboot) with iomem=relaxed passed to the kernel at boot if running >Linux 4.4.

At this point, Intel's little backdoor snoop is quite well understood. What is more worrying is the number of people who have never heard of PSP or Secure Processor and think they're so much safer using AMD chippery.

On x86 the assumption has to be, if it's fairly recent, that there's some form of hidden embuggerance that has the potential to bite you on the bum. Even if it doesn't fulfil the requirements for Active Management, you still don't know what that little Minix (apologies to Professor Tanenbaum - it runs a derivative of Minix, it wasn't his idea) parasite is doing which, given that it has direct access to memory (and you'll recall most devices are mapped into memory space these days), could be just about anything. In fact, even after running me_cleaner on the firmware dump I can't be 100% sure the thing really is in a stopped state after bringup but it's far better than trusting Intel's encrypted code buried in the flash chip.

Silver badge

Re: Cool marketing idea

"The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs."

Which is correct?

I had an old IBM machine a few years back that had it on, and it'd be circa 2006. Assuming I'm recalling the right machine.

One of these IIRC :

https://www.cnet.com/products/ibm-thinkcentre-m50-8185-pentium-4-2-8-ghz-256-mb-ram-40-gb-hdd/specs/

Here's a 2010 MS TechNet post about IME

https://social.technet.microsoft.com/Forums/windows/en-US/27e31ed5-b333-498b-b3db-7b710f3238c0/intel-management-engine-interface-what-is-it?forum=w7itprogeneral

Tom's Hardware in 2011

http://www.tomshardware.com/reviews/vpro-amt-management-kvm,3003-6.html

MS Answers from 2009 :

https://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/intel-management-engine-interface-driver/7f13be54-fe75-4d79-aaf1-2f756e037035?auth=1

So it's at least since 2009, even if it wasn't in the box I recall it being in (can't find a reference to it - that said the box I had may've had a mobo transplant and maybe wasn't the original mobo, or I'm remembering the wrong model number)


I found this thorough and n00b-friendly guide for how to disable ME on the Gentoo wiki:

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

Thought it might interest those who wish to rid themselves of this malware.


Why the "thumbs down"!?

Bronze badge

Not really "disabled" though, is it, and certainly not "rid" of it. If you think you're rid of it try deleting the ME kernel from your Flash device and see if your machine still works. Chances are it won't (except for some old 2007-era and earlier Intel systems).


> Not really "disabled" though, is it, and certainly not "rid" of it.

Yes, disabled:

> sets the 'High Assurance Program' bit, an ME 'kill switch' that the US government reportedly had incorporated for PCs used in sensitive applications

And mostly gone too:

> removes the vast majority of the ME's software modules (including network stack, RTOS and Java VM), leaving only the essential 'bring up' components

I'd say that by removing the network stack the "threat" is basically neutralised, no?

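Added example, not from the thread and not me_cleaner's own code: the posts above (the Lenovo strip-down that left only BUP, and the "removes the vast majority of the ME's software modules" quote) both come down to what is left in the ME region after cleaning. This Python audit walks the flash partition table ($FPT) of an ME region from an SPI dump and lists the partitions still present, so a post-cleaning dump can be checked for anything beyond the FTPR partition that carries the bring-up code. The FPT layout assumed here (the "$FPT" marker 0x10 bytes into the ME region, a uint32 entry count at 0x14, 32-byte entries from 0x30 with the name at +0 and little-endian offset/size at +8/+12) and the allow-list of partitions expected to survive are my assumptions; check them against me_cleaner's source before trusting the result on a real image. It does not parse the flash descriptor, so pass me_start as the ME region's offset in the full dump yourself. The sample image is constructed in the block.

```python
import struct

FPT_MAGIC = b"$FPT"
FPT_OFFSET = 0x10        # assumption: $FPT header sits 16 bytes into the ME region
FPT_COUNT_OFFSET = 0x14  # assumption: uint32 entry count follows the marker
FPT_ENTRIES = 0x30       # assumption: first 32-byte entry, after a 0x20-byte header
FPT_ENTRY_SIZE = 0x20
UNUSED = 0xFFFFFFFF      # erased flash reads as all-ones

# Assumption: after me_cleaner only FTPR (the partition holding BUP) should remain.
EXPECTED_AFTER_CLEAN = frozenset({"FTPR"})


def parse_fpt(image, me_start=0):
    """Return [(name, offset, size)] for every live entry in the ME region's FPT."""
    base = me_start + FPT_OFFSET
    if image[base:base + 4] != FPT_MAGIC:
        raise ValueError("no $FPT marker at 0x%x" % base)
    (count,) = struct.unpack_from("<I", image, me_start + FPT_COUNT_OFFSET)
    if count > 64:  # sanity bound so a corrupt count cannot walk the whole chip
        raise ValueError("implausible FPT entry count %d" % count)
    parts = []
    for i in range(count):
        entry = me_start + FPT_ENTRIES + i * FPT_ENTRY_SIZE
        if entry + FPT_ENTRY_SIZE > len(image):
            raise ValueError("FPT entry %d runs past end of image" % i)
        name = image[entry:entry + 4].rstrip(b"\x00").decode("ascii", "replace")
        offset, size = struct.unpack_from("<II", image, entry + 8)
        if offset == UNUSED or size == UNUSED or size == 0:
            continue  # erased or empty slot
        parts.append((name, offset, size))
    return parts


def residual_partitions(image, me_start=0, allowed=EXPECTED_AFTER_CLEAN):
    """Sorted names of partitions still present that are not on the allow-list."""
    return sorted(n for n, _, _ in parse_fpt(image, me_start) if n not in allowed)


def build_test_region(entries, region_size=0x100000):
    """Constructed ME region for offline testing: an FPT plus dummy partition bodies."""
    img = bytearray(b"\xff" * region_size)
    img[FPT_OFFSET:FPT_OFFSET + 4] = FPT_MAGIC
    struct.pack_into("<I", img, FPT_COUNT_OFFSET, len(entries))
    for i, (name, offset, size) in enumerate(entries):
        entry = FPT_ENTRIES + i * FPT_ENTRY_SIZE
        img[entry:entry + 4] = name.encode("ascii").ljust(4, b"\x00")
        struct.pack_into("<II", img, entry + 8, offset, size)
        img[offset:offset + size] = bytes([0x41 + i]) * size  # fake partition body
    return bytes(img)


if __name__ == "__main__":
    # Constructed "factory" layout versus a layout with everything but FTPR removed.
    factory = build_test_region([("FTPR", 0x1000, 0x20000),
                                 ("NFTP", 0x21000, 0x60000),
                                 ("MFS", 0x81000, 0x40000)])
    print("factory image still carries:", residual_partitions(factory))
    cleaned = build_test_region([("FTPR", 0x1000, 0x20000)])
    print("cleaned image still carries:", residual_partitions(cleaned))
```

A partition list of just FTPR is consistent with what the quoted guide describes, but it says nothing about the modules inside FTPR or about the HAP/AltMeDisable strap in the descriptor, which is the other half of what me_cleaner changes; this script only answers "what partitions are still in the table".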
Bronze badge

No, not "disabled". The dictionary defines disabled as:

"of a device or mechanism : rendered inoperative".

The ME operates on every boot, and at minimum continues to listen for certain power control events. That does not qualify for the dictionary definition, and (at minimum) leaves the possibility of a ME kernel-level exploit being used in the future.

Given that the kernel still runs, and that anyone with physical access to the machine can install god-level invisible malware that will survive OS and hypervisor re-installs, I would not say the threat is neutralized

Then there's the little matter of the TPM not working on "limited" ME platforms. That's a major step backward for high security use cases, especially where you can't install a new hardware TPM.

Silver badge

Given that the kernel still runs, and that anyone with physical access to the machine can install god-level invisible malware that will survive OS and hypervisor re-installs, I would not say the threat is neutralized

If someone has enough access to a machine to re-enable ME or install the other stuff, you've probably got bigger worries.

Make checking it's disabled etc part of your new install process, and it won't be a problem until that person has physical access to the machine again. At which point, again, you have bigger issues to worry about. Oh, and they're likely a trusted member of your organisation. In that case your data is already gone because if they have that level of access and can't use ME they'll use other tricks.

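Added example, not from the thread: the post above suggests making the check part of the new-install process. On Linux the cheapest inventory step is to look for the ME host interface (MEI/HECI) in sysfs: an Intel PCI device bound to the mei_me or mei_txe driver, or with PCI class 0x0780 ("Communication controller: other"), plus any /dev/mei* node. Note what this does and does not tell you: it shows whether the host-side interface is exposed to the OS, not whether the firmware behind it is running or halted, so it complements intelmetool or a flash-dump audit rather than replacing them. The class-code heuristic, the driver names and the fake sysfs tree used for testing are my own; the code reads real /sys and /dev when run without arguments.

```python
import os
import tempfile

INTEL_VENDOR = "0x8086"
MEI_DRIVERS = {"mei_me", "mei_txe"}  # Linux drivers for the ME/TXE host interface
MEI_CLASS_PREFIX = "0x0780"          # assumption: PCI class 07/80, how MEI enumerates


def _read(path, default=""):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def find_mei_devices(sysfs_root="/sys/bus/pci/devices"):
    """Return [(bdf, driver_or_None, class_code)] for Intel devices that look like MEI."""
    hits = []
    if not os.path.isdir(sysfs_root):
        return hits
    for bdf in sorted(os.listdir(sysfs_root)):
        dev = os.path.join(sysfs_root, bdf)
        if _read(os.path.join(dev, "vendor")).lower() != INTEL_VENDOR:
            continue  # only Intel devices are candidates
        class_code = _read(os.path.join(dev, "class")).lower()
        link = os.path.join(dev, "driver")
        driver = os.path.basename(os.readlink(link)) if os.path.islink(link) else None
        if driver in MEI_DRIVERS or class_code.startswith(MEI_CLASS_PREFIX):
            hits.append((bdf, driver, class_code))
    return hits


def mei_status(sysfs_root="/sys/bus/pci/devices", dev_root="/dev"):
    """Summary suitable for a post-install check script."""
    devices = find_mei_devices(sysfs_root)
    nodes = []
    if os.path.isdir(dev_root):
        nodes = sorted(n for n in os.listdir(dev_root) if n.startswith("mei"))
    return {"pci_devices": devices, "dev_nodes": nodes,
            "mei_present": bool(devices or nodes)}


def build_fake_sysfs(devices, dev_nodes=()):
    """Constructed sysfs/dev stand-in for offline tests.

    devices: list of (bdf, vendor, class_code, driver_or_None); returns (pci_dir, dev_dir).
    """
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    pci = os.path.join(root, "bus", "pci", "devices")
    drivers = os.path.join(root, "bus", "pci", "drivers")
    dev = os.path.join(root, "dev")
    for d in (pci, drivers, dev):
        os.makedirs(d)
    for bdf, vendor, class_code, driver in devices:
        ddir = os.path.join(pci, bdf)
        os.makedirs(ddir)
        with open(os.path.join(ddir, "vendor"), "w") as fh:
            fh.write(vendor + "\n")
        with open(os.path.join(ddir, "class"), "w") as fh:
            fh.write(class_code + "\n")
        if driver:  # sysfs exposes the bound driver as a symlink into .../drivers/<name>
            os.makedirs(os.path.join(drivers, driver), exist_ok=True)
            os.symlink(os.path.join(drivers, driver), os.path.join(ddir, "driver"))
    for node in dev_nodes:
        open(os.path.join(dev, node), "w").close()
    return pci, dev


if __name__ == "__main__":
    status = mei_status()
    for bdf, driver, cls in status["pci_devices"]:
        print("MEI-like device %s class %s driver %s" % (bdf, cls, driver))
    print("dev nodes:", status["dev_nodes"], "present:", status["mei_present"])
```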

Alternative?

Sooooo..... Not a big problem with AMD chipsets then?

Silver badge

Re: Alternative?

I have read that AMD has similar technology (though haven't noticed that they have similar security issues with it yet).

Myself I have always been interested in the Intel AMT going back maybe 12 years when I first heard about it. My current and previous laptops have the features I see but are not "enabled" (as in don't have the software/licensing which seems to be enterprise specific). Though that may not stop the security stuff from being exploited.

I am kind of assuming that most servers don't have this stuff enabled? (I also think that some server board makers like Supermicro or Tyan may sell boards with this ability.) At least I have never noticed anything related to this tech in my HP servers, ever. They have iLO of course which is similar though not as tightly integrated. I have read that it needs Intel NICs, but am not sure if that is the case or not; if it is, then that may explain why I've never seen it on my HP systems, all of which seem to have Broadcom NICs as their onboard interfaces, going back at least 10 years now.


Re: Alternative?

ARM is probably going to be your best bet for a system without a crap management sub-system running on it.


Re: Alternative?

AMD have “Platform Security Processor” or “PSP” (or now called AMD Secure Processor) - see

https://www.amd.com/en-us/innovations/software-technologies/security

worth Googling "AMD PSP" and reading other sources of info

Silver badge

Re: Alternative?

> ARM is probably going to be your best bet for a system

> without a crap management sub-system running on it.

My 8-core Thunder-X ARM motherboard (MP30-AR1) has an additional processor to provide remote management. Since it also provides the main VGA video output, disabling it might not be a great idea.

Silver badge

Bah!

System 76 are actually shipping computers? Every time I look they have a "coming soon" sticker over the goods.

Silver badge

I am implementing an easier solution for new purchases

I'm not buying anything with "Intel Inside".

Silver badge

Just a reminder

In order for the backdoor to function remotely, the incoming connection has to come through the Intel NIC that is integrated into the PCH (platform control hub) that is also running the management engine. It listens on a few known ports for incoming connection attempts, and while it could conceivably thwart a software firewall's effort to close the port, a hardware firewall (for most consumers, as simple as a NAT router) would effectively block any such attempts from the WAN.

The IME can also be exploited locally through USB, but then the attacker has to have physical access to the PC, which is bad news anyway. If an attacker can physically access the PC, is a management engine vulnerability really the chief concern?

Not saying that it wasn't a bad idea on Intel's part to include such a backdoor... clearly, it was; this was just an accident waiting to happen. Still, the severity of the exploit needs to be kept in perspective. Why not take a moment to consider the attack vectors and see if it is really a threat to you, and if you can do anything to minimize it, before giving the "abandon ship" order?

Bronze badge

NOT

A single firefox exploit will be able to make an IP connection to anywhere inside your DSL-NATed local network. Or a pwned Android which you have given the Wifi key for the DSL router.

American IT is becoming more and more annoying.

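Added example, not from either post: the two comments above disagree about whether a NAT router settles the matter, and the reply's point is that anything already inside the LAN (a compromised browser, a phone on the Wi-Fi) can reach the AMT listeners directly. The check that resolves it for a given machine is to probe, from another host on the same LAN, the TCP ports AMT's embedded services listen on. This Python probe does that in parallel and reports which of them accept a connection; the port list is the standard AMT/ASF set as I know it, and the fake listener exists only so the probe can be exercised offline against 127.0.0.1. A closed port set here is not proof the ME is disabled (AMT may simply be unprovisioned), but an open 16992/16993 on a laptop that is supposed to be cleaned is a finding.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports AMT's embedded services listen on (assumption: the standard AMT/ASF set).
AMT_PORTS = {
    623: "ASF/RMCP",
    664: "RMCP secure",
    16992: "AMT web/SOAP (HTTP)",
    16993: "AMT web/SOAP (HTTPS)",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (TLS)",
}


def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def amt_exposure(host, ports=AMT_PORTS, timeout=1.0):
    """Map of port -> service name for every listed port that accepts a connection."""
    if not ports:
        return {}
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return {p: ports[p] for p, is_open in states if is_open}


def start_fake_listener(host="127.0.0.1"):
    """Constructed stand-in for an AMT listener on an ephemeral port.

    Returns (port, shutdown); call shutdown() to stop it and free the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()  # accept and drop, like a service we only want to detect

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def shutdown():
        stop.set()
        thread.join()
        srv.close()

    return port, shutdown


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", amt_exposure(target) or "no AMT ports open")
```

Run it from a second machine on the LAN against the laptop's address (the ME answers on the integrated NIC even when the host OS firewall is closed, which is the first post's point about software firewalls); running it on the laptop itself against 127.0.0.1 tells you nothing, because the ME does not listen on the host's loopback.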
Silver badge

Re: Just a reminder

Actually... this raises an interesting question. If the IME expects to link up through the motherboard integrated NIC, what happens if you simply ignore it (leave it unplugged) and add a PCI network card? Would the IME just find it and carry on unhindered? Granted, this would not help with any malware that came in through your "alternative" network and installed something on the IME... would doing this change anything at all...?

Silver badge

Re: Just a reminder

"Why not take a moment to consider the attack vectors and see if it is really a threat to you, and if you can do anything to minimize it, before giving the "abandon ship" order?"

Because any expansion of attack surface is bad. Sure, if you have some need that only Intel processors can fill, then doing a security and cost/benefit analysis makes sense. If, however, you are like the vast majority of users, Intel brings nothing unique and critical to the table, so the safer (and easier!) thing to do is to just not use their processors.

Silver badge

@Updraft102 -- Re: Just a reminder

Still, the severity of the exploit needs to be kept in perspective. Why not take a moment to consider the attack vectors and see if it is really a threat to you, and if you can do anything to minimize it, before giving the "abandon ship" order?

Updraft102, your rationalization strikes me along the lines of, "If you have nothing to hide, you have nothing to fear."

If it's there, it's a threat. Period. It may not be an easy-to-operate threat, but it's still a threat.

Bronze badge

NOT really disabled....partially deactivated is more correct

You cannot just disable the ME. The ME is an integral part of boot on Intel platforms and must be started up before the system firmware running on the main x86 cores can do its job. All these "disabling" hacks with ME Cleaner and such do is to try to disable the ME's userspace or try to shut the ME back down after boot is complete.

However, the simple fact is the ME *still runs* on *every boot*. It's not hard to imagine malware that leverages this to insert an APT (similar to an old school TSR) into the main x86 processor while the ME is still in control during the boot process -- such malware would be pretty much invisible and, best of all, the user doesn't even know to look for it because "my vendor told me the ME was disabled".

I wonder who has legal liability in this scenario? System 76 by any chance?

Bronze badge

Re: NOT really disabled....partially deactivated is more correct

So you want to threaten System 76 with legal action because of messing with Intel's backdoor ? What a nice person you are. How much does $TLA pay for this ?

Silver badge

Re: NOT really disabled....partially deactivated is more correct

"I wonder who has legal liability in this scenario? System 76 by any chance?"

That would be the NSA, who made Intel include a Kill Switch, which is what enables System76 to disable it. You see, the NSA needed to disable iME on the desktop PCs used at Fort Meade :]

Bronze badge

Re: NOT really disabled....partially deactivated is more correct

But, again, it's not really disabled, is it?

As an analogy, if I have an air conditioning system, and I need someone to work on the compressor, it needs to be disabled for their safety. If I claim it's been disabled, but what I really mean is "oh, the compressor will still start randomly but the thermostat will turn it off in around 10 seconds, I promise!", that tech is going to be seriously injured.

Since when did the meaning of "disabled" change?

Bronze badge

Re: NOT really disabled....partially deactivated is more correct

Nope, just saying that they need to be careful about what they are claiming. "Disabled" is a word with a very specific meaning.

Silver badge

Should be standard in every version of Intel firmware

What possible reason would there be for the handful of companies that develop EFI firmware for Intel PCs not to include an option to completely disable the ME?

Anonymous Coward

Re: Should be standard in every version of Intel firmware

haha, ;)

Bronze badge

Security Concept of Intel Management Engine ?

Can somebody explain what Intel's approach to securing the IME is ?

There should be some sort of password check or crypto scheme before the IME accepts any outside commands for anything. That would be the sane version of things, I know...

Just digging through https://link.springer.com/chapter/10.1007/978-1-4302-6572-6_4

