For those who are interested in the Intel ME, the slides and white
papers
from the Black Hat Europe are public.
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf
In the conclusion they say "[...]. Such a vulnerability has the
potential to
jeopardize a number of technologies, including [...] Intel Boot Guard
[...].
Maybe it's possible to deactivate Boot Guard permanently or inject
custom
keys to run own firmware.
On 08.12.2017 15:40, Alberto Bursi wrote:
On 12/08/2017 02:59 PM, Timothy Pearson wrote:
That's just the HAP bit. The ME is limited but NOT disabled, and the
remaining stubs are still hackable [1].
Neither the ME or the PSP can ever be removed from their respective
systems. They can both be limited to some extent, but to call either
of
them "disabled" is rather far from the truth.
Hacking them requires being able to write in the SPI flash, or to have
buggy UEFI firmware. Which means most systems are still vulnerable.
But it is also true that if someone can hack UEFI he pwns you anyway,
even without ME.
So imho ME with the HAP bit can be called "disabled", although the
fight
isn't over as ME isn't the only thing that was a threat anyway.
There is still need to secure the UEFI firmware (which is needed even
if
ME didn't exist), and doing a hardware mod to have a hardware switch to
turn the SPI chip read-only at the hardware level (also needed
regardless of ME).
I think many SPI chips only need some pin pulled high/low to go in
read-only mode, and I frankly trust a dumb switch many orders of
magnitude more than Boot Guard or anything software-based.
-Alberto
--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
