Thanks. They didn't seriously include a Java Runtime Environment into the IME?? I can't believe what's going on with this company.
Am Freitag, den 08.12.2017, 16:16 +0100 schrieb Thomas Heijligen: > For those who are interested in the Intel ME, the slides and white > papers > from the Black Hat Europe are public. > > https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-H > ack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel- > Management-Engine.pdf > https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-H > ack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel- > Management-Engine-wp.pdf > https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME > -Flash-File-System-Explained.pdf > https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME > -Flash-File-System-Explained-wp.pdf > > In the conclusion they say "[...]. Such a vulnerability has the > potential to > jeopardize a number of technologies, including [...] Intel Boot > Guard > [...]. > > Maybe it's possible to deactivate Boot Guard permanently or inject > custom > keys to run own firmware. > > > On 08.12.2017 15:40, Alberto Bursi wrote: > > On 12/08/2017 02:59 PM, Timothy Pearson wrote: > > > > > > That's just the HAP bit. The ME is limited but NOT disabled, and > > > the > > > remaining stubs are still hackable [1]. > > > > > > Neither the ME or the PSP can ever be removed from their > > > respective > > > systems. They can both be limited to some extent, but to call > > > either > > > of > > > them "disabled" is rather far from the truth. > > > > > > > > > > Hacking them requires being able to write in the SPI flash, or to > > have > > buggy UEFI firmware. Which means most systems are still vulnerable. > > > > But it is also true that if someone can hack UEFI he pwns you > > anyway, > > even without ME. > > > > So imho ME with the HAP bit can be called "disabled", although the > > fight > > isn't over as ME isn't the only thing that was a threat anyway. > > > > There is still need to secure the UEFI firmware (which is needed > > even > > if > > ME didn't exist), and doing a hardware mod to have a hardware > > switch to > > turn the SPI chip read-only at the hardware level (also needed > > regardless of ME). > > > > I think many SPI chips only need some pin pulled high/low to go in > > read-only mode, and I frankly trust a dumb switch many orders of > > magnitude more than Boot Guard or anything software-based. > > > > -Alberto > > -- coreboot mailing list: [email protected] https://mail.coreboot.org/mailman/listinfo/coreboot
