November 27th 17, 02:41 AM posted to alt.comp.hardware.pc-homebuilt
VanguardLH[_2_]
"Replacing x86 firmware with Linux and Go"

Lynn McGuire wrote:

"Replacing x86 firmware with Linux and Go"
http://www.osnews.com/comments/30097

"The Intel Management Engine (ME), which is a separate processor and
operating system running outside of user control on most x86 systems,
has long been of concern to users who are security and privacy
conscious. Google and others have been working on ways to eliminate as
much of that functionality as possible (while still being able to boot
and run the system). Ronald Minnich from Google came to Prague to talk
about those efforts at the 2017 Embedded Linux Conference Europe."
https://lwn.net/SubscriberLink/738649/81007748bf15c1e5/

I am not understanding the repercussions of this yet. But, it looks
serious, very serious.


https://en.wikipedia.org/wiki/Intel_Management_Engine

'Twould be useful if they actually listed the affected chipsets (well,
the Intel CVE article gives details by OEM brand). Sounds like
something Intel would've incorporated with UEFI, not in the old BIOS
config. "Since 2008" isn't clear which chipsets have IME.

https://www.eff.org/deeplinks/2017/0...way-disable-it

The BIOS in my ancient desktop home PC is so limited in settings (it's a
salvaged Acer) that there would be no settings regarding AMT. Acer is
so terse in their documentation on the mobo that they don't even have a
section for BIOS settings. The EFF article mentions the following tool:

https://github.com/corna/me_cleaner

but with the warning that it could brick the computer. This program
acts like a firmware update: it will burn different code into the
EEPROMs, so you are trusting an unknown source to change the firmware in
your BIOS/UEFI. According to:

https://en.wikipedia.org/wiki/Nehale...roarchitecture)
"the first processor released with the Nehalem architecture was the
desktop Core i7, which was released in November 2008."

Well, I'm still back on an old Intel Core 2 quad-core processor. Its
G45 chipset (Intel 4-series chipset family) was introduced in 2008.
Haven't found a block diagram of the G45 chip showing the IME but it
seems that was a somewhat hidden function. Seems AMT targeted business-
class deployments.

https://communities.intel.com/thread/108479

A respondent there claims G45 does not have AMT but I haven't
independently verified their claim. The respondent said it is the "Q"
chipset class you have to watch out for. When looking at getting a new
mobo, it's the "Z" chipset class that I look for. You'll have to
research the chipset on your mobo to see if it has AMT. The chipset
might support AMT but that doesn't mean it was enabled on the mobo you
have. Having support for a function doesn't mean it got implemented.

https://en.wikipedia.org/wiki/Intel_vPro

Good luck contacting the maker of your mobo for details regarding AMT in
the model you bought. Too bad the author of me_cleaner didn't instead
write a reduced program that merely checked if AMT was available.

Intel is not ignoring the problem of AMT vulnerabilities; see:

https://security-center.intel.com/ad...nguageid=en-fr

which notes "This vulnerability does not exist on Intel-based consumer
PCs with consumer firmware, ..." So the nightmare seems limited to
corporate customers using vPro hardware (and possibly with the "Q"
chipsets). The Intel article gives a list of PC makers and the articles
there regarding AMT vulnerability. In the Acer article, it looks like
the BIOS version in my mobo is much older than what Acer lists as
susceptible, but that's me guessing "P01-A2" precedes versions 6.x and
up. The Acer article lists the susceptible models. Mine isn't listed.
Acer provides a firmware update for the models listed. Looks like you
use their firmware update along with Intel's AMT Unprovisioning tool:

https://downloadcenter.intel.com/download/26781

All these fixes are altering firmware. Since I'm not in the lists, I'm
not farking over my desktop just to feel safer.

EFF's "letter" was published on May 8, 2017. Intel's CVE notice and
working with PC makers for firmware changes was May 1, 2017. The
datestamps are too close to tell if EFF didn't notice Intel's
announcement or if EFF didn't publish until a few days late.