Discussion:
[Link Posting] Why Intel will never let owners control the ME
(too old to reply)
Rich
2018-07-22 17:56:16 UTC
Permalink
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################

<URL:https://www.devever.net/~hl/intelme>
Background
The Intel Management Engine is an auxillary microprocessor embedded into
modern Intel x86 CPUs or chipsets.1 It runs an Intel-signed proprietary
binary blob. Due to code signing restrictions enforced by the hardware,
it cannot be modified or replaced by the user. (AMD x86 CPUs have a
similar auxillary microprocessor, but they call it the Platform Security
Processor. It's locked down in exactly the same way; the AMD situation
cannot be considered to be any better.)
The ME firmware includes functionality relating to the system boot
process, but also things like DRM functionality. It also supports remote
management functionality (including an HTTP server, even) targeted at
enterprise IT; this functionality allows IT departments to manage client
machines remotely. It can access system memory without restriction. It
can access the network. Can the ME be disabled or removed?
This firmware cannot be removed. In response to the legitimate concern
about the nature and capabilities of the ME, some laptop vendors have
started advertising laptops with the ME "disabled" or "removed". This is
an exaggeration.
Although it's true on some older Intel platforms the system could boot
without the ME, on modern platforms the ME/PSP cannot be disabled
entirely because it is literally integral to the boot process in a
modern system. A modern, high-performance multi-core chip is a complex
beast and generally requires initialisation before the "normal" cores,
the ones on which your chosen OS runs, start executing their first
instruction. The x86 reset vector is a lie; a great deal happens before
the BIOS starts running.
There are two solutions available today to reduce the threat level posed
by the ME firmware: the "High Assurance Program" bit, and me_cleaner.
The HAP bit is a configuration flag offered by Intel apparently at the
request of the US government, and appears to disable most of the ME's
functionality, leaving only the functionality critical to system
operation running. me_cleaner removes optional modules from ME firmware
images (this modification is possible because the modules are signed
individually, so you can choose which modules to include), leaving only
the ones critical to boot. Both of these provide a worthwhile and
substantial reduction in attack surface. But this is not a total
disablement or removal of the ME, and it's inaccurate to refer to it as
such. Why Intel musn't allow you to control it
Intel/AMD will never allow machine owners to control the code executing
on the ME/PSP because they have decided to build a business on
preventing you from doing so. In particular, it's likely that they're
actually contractually obligated not to let you control these
processors.
The reason is that Intel literally decided to collude with Hollywood to
integrate DRM into their CPUs; they conspired with media companies to
lock you out of certain parts of your machine. After all, this is the
company that created HDCP.
This DRM functionality is implemented on the ME/PSP. Its ability to
implement DRM depends on you not having control over it, and not having
control over the code that runs on it. Allowing you to control the code
running on the ME would directly compromise an initiative which Intel
has been advancing for over a decade.
...
RS Wood
2018-07-23 01:32:36 UTC
Permalink
The ME firmware includes functionality relating to the system boot
process, but also things like DRM functionality. It also supports remote
management functionality (including an HTTP server, even) targeted at
enterprise IT; this functionality allows IT departments to manage client
machines remotely. It can access system memory without restriction. It
can access the network. Can the ME be disabled or removed?
This firmware cannot be removed. In response to the legitimate concern
about the nature and capabilities of the ME, some laptop vendors have
started advertising laptops with the ME "disabled" or "removed". This is
an exaggeration.
I'll be ready for a new computer soon - a desktop. I'm seriously
considering making it a raspberry pi. The fact that it's an ARM machine
and not Intel/AMD is at least part of the draw. The other is that I'm a
cheap bastard and the idea of running a minimalist machine as main
desktop is appealling. Of course as the web has gotten more atrocious
I'm using Lynx and W3M more and more, and eschewing forums for usenet,
etc. so a light, console environment satisfies most of my needs. I do
rip a lot of DVDs, for which I'd miss the horsepower of a bigger
machine. That's truly the only limitation I can think of if I go this
route.

This Intel Management Engine stuff really leaves a bad taste. I don't
see how you can avoid Hollywood these days (never mind that the dreck
they're putting out isn't even worth pirating, for the most part). But
keeping hollywood on board sure has made a mess of our computing
hardware.

Maybe a cool RISC or MIPS machine some day? Meanwhile, posting from a
Lenovo netbook running an Atom chip I think, and if I recall you can't
trust Lenovo these days either. Who can you trust? If we make a truly
open machine, I hope we name the company "Snowden."
Rich
2018-07-23 11:07:35 UTC
Permalink
I do rip a lot of DVDs, for which I'd miss the horsepower of a bigger
machine.
If all you do is "rip" the DVDs, then the I/O rate of the DVD drive and
your storage system is the limiting factor.

But I suspect from "horsepower" you meant you "transcode" a lot of
DVDs, and yes, that consumes *lots* of horsepower.
This Intel Management Engine stuff really leaves a bad taste. I don't
see how you can avoid Hollywood these days (never mind that the dreck
they're putting out isn't even worth pirating, for the most part). But
keeping hollywood on board sure has made a mess of our computing
hardware.
Lockdown -- The coming war on general-purpose computing
https://boingboing.net/2012/01/10/lockdown.html
Maybe a cool RISC or MIPS machine some day?
RISC V gets mentioned occasionally. But there's precious little out
there beyond Intel/AMD and ARM these days to choose from in any
reasonable price range.
Richard Kettlewell
2018-07-23 14:57:40 UTC
Permalink
Post by RS Wood
The ME firmware includes functionality relating to the system boot
process, but also things like DRM functionality. It also supports remote
management functionality (including an HTTP server, even) targeted at
enterprise IT; this functionality allows IT departments to manage client
machines remotely. It can access system memory without restriction. It
can access the network. Can the ME be disabled or removed?
This firmware cannot be removed. In response to the legitimate concern
about the nature and capabilities of the ME, some laptop vendors have
started advertising laptops with the ME "disabled" or "removed". This is
an exaggeration.
I'll be ready for a new computer soon - a desktop. I'm seriously
considering making it a raspberry pi. The fact that it's an ARM machine
and not Intel/AMD is at least part of the draw.
Doesn’t the VideoCore have control of the Pi from boot? Seems quite
similar to the objection to the Intel and AMD designs, even if the
reason it’s like that is a bit different.
Post by RS Wood
This Intel Management Engine stuff really leaves a bad taste. I don't
see how you can avoid Hollywood these days (never mind that the dreck
they're putting out isn't even worth pirating, for the most part). But
keeping hollywood on board sure has made a mess of our computing
hardware.
AFAIK it’s nothing to do with Hollywood and largely a matter of
supporting management functions for enterprise customers.
Hard-to-disable network-facing attack surface is undeniably a cause for
concern but I don’t think it needs any additional conspiracy theories.
--
https://www.greenend.org.uk/rjk/
Bruce Horrocks
2018-07-23 23:04:37 UTC
Permalink
Post by RS Wood
I'll be ready for a new computer soon - a desktop. I'm seriously
considering making it a raspberry pi. The fact that it's an ARM machine
and not Intel/AMD is at least part of the draw. The other is that I'm a
cheap bastard and the idea of running a minimalist machine as main
desktop is appealling. Of course as the web has gotten more atrocious
I'm using Lynx and W3M more and more, and eschewing forums for usenet,
etc. so a light, console environment satisfies most of my needs. I do
rip a lot of DVDs, for which I'd miss the horsepower of a bigger
machine. That's truly the only limitation I can think of if I go this
route.
The RPi makes an excellent desktop - easily attached to the back of a
monitor and hidden out of site. Just need an external disk or NAS for
file storage. If you don't need much then a USB would be fine.
Post by RS Wood
This Intel Management Engine stuff really leaves a bad taste. I don't
see how you can avoid Hollywood these days (never mind that the dreck
they're putting out isn't even worth pirating, for the most part). But
keeping hollywood on board sure has made a mess of our computing
hardware.
If you want to avoid being spied on then Qubes OS
<https://www.qubes-os.org> is worth a look.

(NB: There is a free trial - just choose to 'pay' $0 for the download).
--
Bruce Horrocks
Surrey
England
(bruce at scorecrow dot com)
Paul Sture
2018-07-23 23:26:16 UTC
Permalink
Post by Bruce Horrocks
If you want to avoid being spied on then Qubes OS
<https://www.qubes-os.org> is worth a look.
(NB: There is a free trial - just choose to 'pay' $0 for the download).
Hardware Compatibility List:

<https://www.qubes-os.org/hcl/>
--
The road to hell is paved with adverbs.
-- Stephen King
Bruce Horrocks
2018-07-24 23:10:16 UTC
Permalink
Post by Bruce Horrocks
The RPi makes an excellent desktop - easily attached to the back of a
monitor and hidden out of site. Just need an external disk or NAS for
file storage. If you don't need much then a USB would be fine.
s/site/sight/

D'oh.
--
Bruce Horrocks
Surrey
England
(bruce at scorecrow dot com)
RS Wood
2018-07-25 00:49:29 UTC
Permalink
Post by Bruce Horrocks
s/site/sight/
D'oh.
Out of sight but off site :)
Johnny B Good
2018-07-25 09:18:46 UTC
Permalink
Post by RS Wood
Post by Bruce Horrocks
s/site/sight/
D'oh.
Out of sight but off site :)
I had noticed but there was "no sight of that web site" so wasn't worth
pointing out such a minor spelling mix up. Still, I appreciate your
acknowledging the error.

In any case, it's one thing to know how to spell but another to avoid
context induced spelling errors such as this (web sites that are such a
painful sight to behold). :-)
--
Johnny B Good
Dario Niedermann
2018-07-27 11:30:02 UTC
Permalink
Post by Bruce Horrocks
If you want to avoid being spied on then Qubes OS
<https://www.qubes-os.org> is worth a look.
If the spying is going on at hardware level, there's nothing any OS can
do to prevent it. In the case at hand, the malicious* code is even
running on a different processor.

* not open for inspection == malicious
--
Dario Niedermann. Also on the Internet at:

gopher://darioniedermann.it/ <> https://www.darioniedermann.it/
Ivan Shmakov
2018-07-24 16:20:21 UTC
Permalink
Post by RS Wood
It can access system memory without restriction. It can access the
network. Can the ME be disabled or removed?
This firmware cannot be removed. In response to the legitimate
concern about the nature and capabilities of the ME, some laptop
vendors have started advertising laptops with the ME "disabled" or
"removed". This is an exaggeration.
I'll be ready for a new computer soon - a desktop. I'm seriously
considering making it a raspberry pi.
And why not, say, an A20-based OLinuXino LIME2? [1] Contrary to
RPi, they do not require non-free firmware to boot. (E. g., [2].)

(AIUI, the graphic acceleration code is expected to enter Linux
by the end of the year. Also, on-board NAND flash is not
supported; but there're models with eMMC, which is.)

[1] http://olimex.com/Products/OLinuXino/A20/
[2] http://wiki.debian.org/CheapServerBoxHardware
Post by RS Wood
The fact that it's an ARM machine and not Intel/AMD is at least part
of the draw. The other is that I'm a cheap bastard and the idea of
running a minimalist machine as main desktop is appealing.
OLinuXinos don't feel particularly cheap, but they're also Open
Source Hardware, which means if you feel like it, you can
download the board schematics and modify them to suit your needs.
Post by RS Wood
Of course as the web has gotten more atrocious I'm using Lynx and W3M
more and more, and eschewing forums for Usenet, etc. so a light,
console environment satisfies most of my needs.
About the same here (although like I said before, I've pretty
much switched to Lynx-only Web reading years ago.)

[...]
--
FSF associate member #7257 http://am-1.org/~ivan/
Loading...