• jet@hackertalks.com · +59 / -1 · 1 year ago

    The article really doesn’t call out explicitly: The management engine never stops running, turning it off is nearly impossible, and if you do succeed the computer resets in 30 seconds. So this untrusted entity is constantly looking at everything happening, and the best we can do is load some dummy configuration so it doesn’t do anything, or perhaps it doesn’t do anything, because we don’t know.

    Having an architecture without the big brother chip sitting on the bus would be a huge huge bonus.

    • neuromancer@lemmy.world · +11 · 1 year ago

      Most sane people just want to disable ME because it increases the attack surface of your system, and using the HAP disable does exactly that.

      You can tell ME is shut down after the boot sequence is completed, which will protect your system from all ME attacks that do target the boot process.

    • neuromancer@lemmy.world · +9 · 1 year ago

      You can say that, but NovaCustom is working with 3mdeb to develop the Coreboot-based Dasharo firmware, and 3mdeb is committing their work to Coreboot.

      Dasharo is the most promising attempt at making an open source firmware that is user-friendly enough that anyone can use it.

      The fact that you can buy an MSI Z690 and flash coreboot, without having to compile from source or use an eprom programmer, is a massive step in the right direction.

    • takeda@kbin.social · +36 / -2 · 1 year ago

      Intel Management Engine is a component that has access to your computer on a level that even you, the computer owner, don’t have access to. It can be operated remotely, even when your computer is off.

      And traditionally you can’t even disable it (remember, you’re not the trusted party in that mix).

      https://en.wikipedia.org/wiki/Intel_Management_Engine

      • Otter@lemmy.ca · +21 · 1 year ago (edited)

        My understanding is that it’s meant to be an enterprise tool for sysadmins of businesses and schools to allow for remote monitoring and troubleshooting, but because it’s expensive to make two sets of devices, it’s in everything.

        Relevant bits from that wiki:

        The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.

        .

        Intel’s main competitor AMD has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.

        .

        Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern. Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.

        .

        In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency (NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to “Insert vulnerabilities into commercial encryption systems, IT systems, …” and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program.

        • takeda@kbin.social · +6 · 1 year ago

          So who is using it? Where are the tools which allow you to set up and manage the infrastructure? Why can’t it be disabled, except via hacks, and one undocumented feature requested by the NSA, because they did not want it running? It is a backdoor; if it wasn’t, it would be disabled by default and you would have to pay a premium to have that feature enabled.

          • Brkdncr@artemis.camp · +2 · 1 year ago

            Enterprise. Intel has a tool that lets you use it, but other management services like SCCM and LANDesk have methods to use AMT/vPro.

    • Draconic NEO@lemmy.world · +25 · 1 year ago (edited)

      IntelME is an embedded microcontroller in the Intel chipset (in the south-bridge chip) which, depending on the generation, has a multitude of different features such as Active Management Technology (used by IT departments), clock controls and a few more things.

      Because it is closed source there are security concerns about possible vulnerabilities in it which could be exploited, as well as several conspiracy theories about it. Due to that, hobbyists as well as certain OEMs have found ways to disable it in an attempt to mitigate these issues.

      For more detailed information on it I would highly recommend this video by CCC on the subject, it covers what IntelME does and how it was able to be disabled.

      34C3 - Intel ME: Myths and reality (Youtube)

      34C3 - Intel ME: Myths and reality (media.ccc.de)

        • Draconic NEO@lemmy.world · +1 · 1 year ago

          Well, provided your OEM hasn’t disabled it. On most of the computers I checked with IntelMEtool (the ones new enough to have IntelME) I found that AMT shows up as disabled on most of them, except for a few.
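The two comments above (checking that the ME is shut down after boot, and reading its state with IntelMEtool) both come down to decoding the ME's host firmware status register. As an added example, not code from this thread or from intelmetool itself, here is a Python decoder for the first status word as exposed by the Linux mei driver; the bit layout and field names are assumed to follow the me_hfs struct and value tables in coreboot's intelmetool, and the two sample words are constructed rather than captured from real hardware.

```python
"""Decode Intel ME Host Firmware Status register 1 (HFSTS1 / FWSTS1).

Added example. Bit layout assumed from the me_hfs struct in coreboot's
intelmetool; on Linux the mei driver exposes the raw registers at
/sys/class/mei/mei0/fw_status, one 32-bit hex word per line, FWSTS1 first.
"""
from pathlib import Path

# Codes we decode; anything else is reported raw so it can be compared
# against intelmetool's own output instead of being guessed at.
WORKING_STATE = {0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal",
                 6: "Platform Disable Wait", 7: "OP State Transition",
                 8: "Invalid CPU Plugged In"}
OPERATION_MODE = {0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
                  4: "Security Override via Jumper",
                  5: "Security Override via MEI Message"}

def decode_hfsts1(word: int) -> dict:
    """Split HFSTS1 into its bit fields (widths follow the coreboot struct)."""
    return {
        "working_state": word & 0xF,            # bits 0-3
        "manufacturing_mode": bool(word >> 4 & 1),
        "fpt_bad": bool(word >> 5 & 1),
        "operation_state": word >> 6 & 0x7,     # bits 6-8
        "fw_init_complete": bool(word >> 9 & 1),
        "update_in_progress": bool(word >> 11 & 1),
        "error_code": word >> 12 & 0xF,         # bits 12-15
        "operation_mode": word >> 16 & 0xF,     # bits 16-19
    }

def describe(word: int) -> str:
    f = decode_hfsts1(word)
    ws = WORKING_STATE.get(f["working_state"], f"unknown ({f['working_state']})")
    om = OPERATION_MODE.get(f["operation_mode"], f"unknown ({f['operation_mode']})")
    return (f"working state: {ws}; operation mode: {om}; "
            f"init complete: {f['fw_init_complete']}; error code: {f['error_code']}")

def me_appears_active(word: int) -> bool:
    """True only when the ME reports Normal state, Normal mode and init done."""
    f = decode_hfsts1(word)
    return f["working_state"] == 5 and f["operation_mode"] == 0 and f["fw_init_complete"]

def read_fwsts1(path: str = "/sys/class/mei/mei0/fw_status") -> int:
    """First line of the sysfs file is FWSTS1 (requires the mei driver)."""
    return int(Path(path).read_text().splitlines()[0], 16)

# Constructed sample words (not captured from real hardware).
SAMPLE_ACTIVE = 0x00000245         # state Normal, init complete, mode Normal
SAMPLE_SOFT_DISABLED = 0x00030000  # operation mode 3 = Soft Temporary Disable

if __name__ == "__main__":
    for w in (SAMPLE_ACTIVE, SAMPLE_SOFT_DISABLED):
        print(f"0x{w:08x}: {describe(w)} -> active={me_appears_active(w)}")
```

On a live machine replace the sample words with `read_fwsts1()`; an unrecognised operation mode code is printed raw on purpose rather than mapped to a name.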

          • neuromancer@lemmy.world · +3 · 1 year ago

            AMT only works on a system that has a chipset and CPU that supports AMT, which used to be the vPro line of laptops.

            Now pretty much everything is vPro, and it’s only the vPro enterprise that has AMT.

    • Amilo159@lemmy.world · +23 / -1 · 1 year ago

      As a tech enthusiast and IT support personnel I can tell you this: no one knows, possibly not even Intel.

      • BarbecueCowboy@kbin.social · +5 · 1 year ago

        I asked our Intel guy about it once. After you’ve dealt with vendors and sales engineers for long enough, you start to learn to detect when they have no clue how one of their offerings work. I’m not sure that I’ve ever heard so many non-specific comments, meaningless buzzwords, and attempts to redirect the conversation.

        I didn’t get it even a little bit until I found an open source project based on Intel AMT, and that’s apparently just a piece of ME.

    • Brkdncr@kbin.social · +10 · 1 year ago

      It’s used for out-of-band management. With the correct hardware items (NIC and GPU) it’s called vPro. With the proper certificate and supporting infrastructure it can auto-enroll into a management service such as SCCM. It allows companies to remotely view logs, BIOS settings and other items. With vPro it can include a complete remote KVM solution.

      You can disable it from most UEFI settings interfaces without worry of causing other issues.

    • flying_monkies@kbin.social · +8 / -2 · 1 year ago

      It’s a microcontroller that runs within Intel based systems allowing full control access at the processor level. It runs outside of your processor and any time the system is plugged in or is on battery. It doesn’t require the main processor up for it to be accessible. More info on it on Wikipedia: https://en.wikipedia.org/wiki/Intel_Management_Engine

      AMD’s equivalent is called AMD Secure Technology.

  • sramder@lemmy.world · +23 / -2 · 1 year ago

    Since that “article” wasn’t a quick search turned up this Python script. I haven’t tried it yet, but it seems almost risk free… and if nothing else a decent way to test my motherboard’s BIOS recovery routine.

    • afa@sh.itjust.works · +4 · 1 year ago

      That just modifies an image; you still need to flash it, using something like UEFITool to do the rest, and a good guide to follow.

    • neuromancer@lemmy.world · +4 / -1 · 1 year ago

      It doesn’t work anymore; you have not been able to clean CPUs after ~8th gen, you can only HAP-disable ME on modern CPUs.