Re: Who/What does the "secure" in Secure Boot refer to?
@phuzz: Thanks for the clarification, but I'm still puzzled. I mentioned Secure Boot simply because that's the only layer I'm aware of between the OS and the IME. Since the owners of those layers (Microsoft and Intel) appear to be unable to do the job without additional help, it did seem like an intermediate layer might be relevant. I'll have another go at framing my questions and perhaps you or someone else can clarify things.
Who writes the patch? Is it just Intel or do they just explain what needs to change and leave it up to someone downstream? Does that patch depend on the CPU, the chipset, anything else more vendor-specific?
Who distributes the patch? It clearly isn't something that Microsoft can distribute via Windows Update or else Intel could just give them the code. There seems to be a requirement for someone in the middle to be involved EITHER in the authorship (bringing vendor-specific details to the code) or the distribution channel (providing vendor-specific authentication for the code).
How is the patch applied? Does the patch program run instructions at the (regular) OS level that automagically cause the patch to be uploaded to the IME, or does it have to ask an intermediate (such as the UEFI layer) to help with delivery?
And finally, perhaps a little tongue in cheek, if the vulnerability lets someone hijack the IME, why can't Intel use the vulnerability to produce a "universal" patch that doesn't need the co-operation of foot-dragging vendors? Less tongue in cheek, I think it is reasonable to assume that *some* people are working on such a thing, even if Intel aren't.