Re: [gentoo-user] disable Intel Mgr Engine

2018-09-14 Thread Mick
On Friday, 14 September 2018 08:53:51 BST Marc Joliet wrote:
> Am Freitag, 14. September 2018, 04:47:21 CEST schrieb james:
> > > Me cleaner only nerfs it by removing various modules, either BUP (init)
> > > still runs or the kernel still runs plus any option/mask roms.
> > 
> > Perhaps a bit of detail on this?
> 
> Taiidan is referring to https://github.com/corna/me_cleaner.  I don't
> remember the details (and have no experience with it), but AFAIK it does
> remove a good chunk of the ME.
> 
> HTH

Yes, there's a description in the URL James had posted when starting this 
thread:

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/
Disabling_the_Intel_Management_Engine

"Nicola Corna's me_cleaner ... removes the vast majority of the ME's software 
modules (including network stack, RTOS and Java VM), leaving only the 
essential 'bring up' components (the latter being necessary because, on modern 
systems if the IME fails to initialize, either the machine startup will be 
completely halted at that point, or startup will appear to complete, only for 
a watchdog timer to reset the whole PC 30 minutes later."

So, the Management Engine itself is not disabled, only some of its modules.  
To an extent the ME is partially incapacitated, but the engine itself within 
the CPU is alive and kicking and it's only a re-flash away from being 
re-enabled.

With AMD's PSP/Secure Technology, an out-of-band embedded Arm processor 
presents a major security backdoor.  Ryzenfall, Fallout and Chimera are all 
vulnerability beauties available to compromise your security, courtesy of 
AMD's dev dept.  It makes me smile that MS Azure is apparently running on 
these CPUs.  No ME cleaner equivalent is available for these CPUs yet.

As Taiidan has mentioned, only old MoBos of the Intel/AMD oligopoly are safe 
from being pwned-by-design, as well as IBM's POWER9.  For laptops, however, as 
far as I know there is little choice other than recycling old MoBos.

-- 
Regards,
Mick



Re: [gentoo-user] disable Intel Mgr Engine

2018-09-14 Thread Marc Joliet
Am Freitag, 14. September 2018, 04:47:21 CEST schrieb james:
> > Me cleaner only nerfs it by removing various modules, either BUP (init)
> > still runs or the kernel still runs plus any option/mask roms.
> 
> Perhaps a bit of detail on this?

Taiidan is referring to https://github.com/corna/me_cleaner.  I don't remember 
the details (and have no experience with it), but AFAIK it does remove a good 
chunk of the ME.

HTH
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup




Re: [gentoo-user] disable Intel Mgr Engine

2018-09-13 Thread mad.scientist.at.large
I want to say Minix.  It's online but I don't remember where.  I believe it 
connects directly to the built in network jack and people were able to hack it 
enough through that port to see what OS it was running and there are likely 
exploits through that connection.  Not at all sure how far people have gotten 
with it.

I believe (would have to check) that someone on the list said the Opterons 
were/are the last chips before the PSP etc. was part of the processor (is that 
where it's at in AMD chips?).

I've seriously considered, in the near future, building some reconfigurable 
computing fabric with FPGA chips, which lets you run any processor model that 
fits on the hardware and that you can write in some form of HDL (hardware 
description language, i.e. hardware functioning specified in a design language), 
which can easily be changed to explore any type of arch you want, given enough 
fabric, and have many cores running in parallel, say for DSP, GPU, CPU, etc., so 
that the arch, instruction set, and hardware utilization is as high as 
possible, for an FPGA.

Downside is more power, more board space, and obviously more cost potentially. 
The larger hardware/software development companies often do this to produce 
hardware that emulates chips they can't get their hands on yet because they 
aren't being sold yet but have a preliminary specification expected to be close 
to the final form.  Note that you can always fix hardware security flaws this 
way as the hardware is reconfigurable at will.  I have seen cryptomining rigs 
using FPGA hardware with high power efficiency, but they are custom designed 
boards etc. to make maximum use of the FPGA and obviously highly optimized in 
other ways.

I'm fascinated by this whole area of knowledge and application, i.e. having 
full control and access to everything.

Below is a sig referencing that news channel, which I've liked for a very long 
time.  They tend to do a good job, IMHO.  I do know what's going on; I am 
terrified in a way I never have been before, considering the likelihood the 
future will be far too interesting in my country for some time, and I'm getting 
too old for chaos.  Mild issues setting it the way I want right now, too many 
urgent things to do and too many bad days.

Democracy now!


13. Sep 2018 20:56 by gar...@verizon.net :


> On 9/13/18 7:52 PM, mad.scientist.at.la...@tutanota.com wrote:
>> Actually, we now know what linux it runs and people are starting to
>> break it, at least as far as finding bugs.
>
>
> Do enlighten me; what linux (embedded) does ME run? any details are of
> interest to me.
>
>
>> Remember, this is embedded, no easy way to update the code to patch
>> exploits.
>
> Many embedded systems are rather sloppy with security, once you find
> the jtag or other low level interface pins. Not hard to find docs on
> most boards? Often other ports can be used to download codes to a
> variety of memory on the boards. It takes time, unless you get docs,
> which then it is fairly routine for embedded devs.
>
>
>> Just need to rootkit that sucker, or don't buy frigin intel.
>
> agreed.
>>
>> Gee, I'd really love an openpower machine, but i'm not rich, and most of
>> us aren't. I'm disabled, I will never be able to buy a new computer,
>> much less a top of the line unit.
>
> I have no interest about openpower, but surely there is a way to get you
> some better hardware?
>
>>
>> What ever happened to the open bios project? seemed like there was real
>> progress and that the bridge chip makers etc. were finally making
>> documentation available to someone other than the main bios makers.
>
> I've just never really worked on this ME/PSP issue. Surely there are
> sites and projects that welcome folks to participate and get the basic
> info on the state of the public knowledge?
>
>
>> Democracy now!
>
> Dream on. Everybody has a different view of democracy. Gated communities
> and isolated communities are the wave of the future. Different folks just
> do not get along, socially. Online filters out the unacceptable
> differences. Besides the world is preparing for war. 8 billion strong,
> and jobs for less than a billion?  War cometh
>
> Get small and hide
>
> Now about you getting some better hardware. Drop me some private mail.
>
> James
>
>
>> 13. Sep 2018 14:55 by taii...@gmx.com:
>>
>> Impossible - ME can't be disabled.
>>
>> Me cleaner only nerfs it by removing various modules, either BUP (init)
>> still runs or the kernel still runs plus any option/mask roms.
>>
>> If you want a PC without black boxes either buy a pre-PSP amd board like
>> KGPE-D16/KCMA-D8, g505s laptop and install coreboot/libreboot+openbmc or
>> get a non-x86 device like the brand new/fast OpenPOWER9 TALOS 2
>> (https://raptorcs.com

Re: [gentoo-user] disable Intel Mgr Engine

2018-09-13 Thread james
On 9/13/18 7:52 PM, mad.scientist.at.la...@tutanota.com wrote:
> Actually, we now know what linux it runs and people are starting to
> break it, at least as far as finding bugs.


Do enlighten me; what linux (embedded) does ME run? any details are of
interest to me.


> Remember, this is embedded, no easy way to update the code to patch
> exploits.

Many embedded systems are rather sloppy with security, once you find
the jtag or other low level interface pins. Not hard to find docs on
most boards? Often other ports can be used to download codes to a
variety of memory on the boards. It takes time, unless you get docs,
which then it is fairly routine for embedded devs.


> Just need to rootkit that sucker, or don't buy frigin intel.

agreed.
> 
> Gee, I'd really love an openpower machine, but i'm not rich, and most of
> us aren't. I'm disabled, I will never be able to buy a new computer,
> much less a top of the line unit.

I have no interest about openpower, but surely there is a way to get you
some better hardware?

> 
> What ever happened to the open bios project? seemed like there was real
> progress and that the bridge chip makers etc. were finally making
> documentation available to someone other than the main bios makers.

I've just never really worked on this ME/PSP issue. Surely there are
sites and projects that welcome folks to participate and get the basic
info on the state of the public knowledge?


> Democracy now!

Dream on. Everybody has a different view of democracy. Gated communities
and isolated communities are the wave of the future. Different folks just
do not get along, socially. Online filters out the unacceptable
differences. Besides the world is preparing for war. 8 billion strong,
and jobs for less than a billion?  War cometh

Get small and hide

Now about you getting some better hardware. Drop me some private mail.

James


> 13. Sep 2018 14:55 by taii...@gmx.com :
> 
> Impossible - ME can't be disabled.
> 
> Me cleaner only nerfs it by removing various modules, either BUP (init)
> still runs or the kernel still runs plus any option/mask roms.
> 
> If you want a PC without black boxes either buy a pre-PSP amd board like
> KGPE-D16/KCMA-D8, g505s laptop and install coreboot/libreboot+openbmc or
> get a non-x86 device like the brand new/fast OpenPOWER9 TALOS 2
> (https://raptorcs.com) which is currently selling for less than
> equivalent x86 hardware.
> 
> The only owner controlled CPU arch now is OpenPOWER.
> 




Re: [gentoo-user] disable Intel Mgr Engine

2018-09-13 Thread james
On 9/13/18 4:55 PM, taii...@gmx.com wrote:
> Impossible - ME can't be disabled.

huh. did not know that.

> 
> Me cleaner only nerfs it by removing various modules, either BUP (init)
> still runs or the kernel still runs plus any option/mask roms.

Perhaps a bit of detail on this?

> 
> If you want a PC without black boxes either buy a pre-PSP amd board like
> KGPE-D16/KCMA-D8, 


Is there a master list of pre-PSP amd systems around? I have some old K6
and such. Dirt slow but for transactions might be worth the effort.


> g505s laptop

"sorry, this product is no longer available"  from numerous searches.
I have an old IBM think pad, vintage 1990 that still works. External CD
on a cable. Still works great after battery change. I have not fired
it up in a few years.

I'm not a fan (at all) of lenovo.


> and install coreboot/libreboot+openbmc

Yep on the todo list.

> or
> get a non-x86 device like the brand new/fast OpenPOWER9 TALOS 2
> (https://raptorcs.com) which is currently selling for less than
> equivalent x86 hardware.

Not sure I want to 'take on another arch'. If I were to, I'd put a RISC-V
on an FPGA, or something like that.


> 
> The only owner controlled CPU arch now is OpenPOWER.


Not even any of the ARM64 dev boards with 4G of DDR4?
Arm64 would be my preferred pathway forward.

Any details are most appreciated.

James






Re: [gentoo-user] disable Intel Mgr Engine

2018-09-13 Thread mad.scientist.at.large
Actually, we now know what linux it runs and people are starting to break it, 
at least as far as finding bugs.  Remember, this is embedded, no easy way to 
update the code to patch exploits.  Just need to rootkit that sucker, or don't 
buy frigin intel.

Gee, I'd really love an openpower machine, but I'm not rich, and most of us 
aren't.  I'm disabled, I will never be able to buy a new computer, much less a 
top of the line unit.

What ever happened to the open bios project?  Seemed like there was real 
progress and that the bridge chip makers etc. were finally making documentation 
available to someone other than the main bios makers.

Democracy now!


13. Sep 2018 14:55 by taii...@gmx.com :


> Impossible - ME can't be disabled.
>
> Me cleaner only nerfs it by removing various modules, either BUP (init)
> still runs or the kernel still runs plus any option/mask roms.
>
> If you want a PC without black boxes either buy a pre-PSP amd board like
> KGPE-D16/KCMA-D8, g505s laptop and install coreboot/libreboot+openbmc or
> get a non-x86 device like the brand new/fast OpenPOWER9 TALOS 2
> (https://raptorcs.com) which is currently selling for less than
> equivalent x86 hardware.
>
> The only owner controlled CPU arch now is OpenPOWER.

Re: [gentoo-user] disable Intel Mgr Engine

2018-09-13 Thread taii...@gmx.com
Impossible - ME can't be disabled.

Me cleaner only nerfs it by removing various modules, either BUP (init)
still runs or the kernel still runs plus any option/mask roms.

If you want a PC without black boxes either buy a pre-PSP amd board like
KGPE-D16/KCMA-D8, g505s laptop and install coreboot/libreboot+openbmc or
get a non-x86 device like the brand new/fast OpenPOWER9 TALOS 2
(https://raptorcs.com) which is currently selling for less than
equivalent x86 hardware.

The only owner controlled CPU arch now is OpenPOWER.





[gentoo-user] disable Intel Mgr Engine

2018-09-05 Thread james
Just ran across this:

https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide/Disabling_the_Intel_Management_Engine


Anyone try something like this before?

Any discussion or sharing would be appreciated.


James