Re: [coreboot] Disabling Intel ME 11 via undocumented mode

And so far, nobody was able to crack Huffman, thus to have ability to reverse-engineer plain kernel executable. Not true. See http://blog.ptsecurity.com/2017/12/huffman-tables-intel-me.html , https://github.com/ptresearch/unME11 and https://github.com/IllegalArgument/Huffman11 Regards

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Hello! (Today on my regular laptop who might be so gifted with the Intel ME.) All this nattering and grommishing around about the Intel ME device is interesting and fun sort-of. But this does not explain what the Intel ME is and what it does. And what about it has caused an almost incredible

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On Thu, 14 Dec 2017 20:25:53 -0500 Youness Alaoui wrote: > In my opinion, the ME is indeed disabled because the entire ME > functionality is disabled, no ME processes are running, and the kernel > on its own is irrelevant, even if it keeps running. > However, I

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

> pretty sure the I is for Intel ;-) Sure. AMD has AME, as I recall. VIA has VME, Cyrix had CME, etc. ;-) It is ME, simple and plain. I(ntel)ME is a pleonasm (please, look on the Webster Dictionary what the pleonasm is?!). Zoran On Fri, Dec 15, 2017 at 6:18 PM, Matt DeVillier

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On Fri, Dec 15, 2017 at 10:23 AM, Zoran Stojsavljevic < zoran.stojsavlje...@gmail.com> wrote: > IME (I is typo) = ME . > pretty sure the I is for Intel ;-) (or, at least that's how I've seen it referenced elsewhere) > > Zoran > -- coreboot mailing list: coreboot@coreboot.org

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

IME (I is typo) = ME . Zoran On Fri, Dec 15, 2017 at 5:14 PM, Gregg Levine wrote: > Hello! > (I'm working from the office today on a library computer...) > My regular laptop might be wearing one of those dratted things. But > before we start confusing people further,

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Hello! (I'm working from the office today on a library computer...) My regular laptop might be wearing one of those dratted things. But before we start confusing people further, perhaps one of the group needs to reiterate exactly what that contraption is, and why it was necessary. Oh and what the

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Thanks. They didn't seriously include a Java Runtime Environment into the IME?? I can't believe what's going on with this company. Am Freitag, den 08.12.2017, 16:16 +0100 schrieb Thomas Heijligen: > For those who are interested in the Intel ME, the slides and white  > papers > from the Black Hat

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

In my opinion, the ME is indeed disabled because the entire ME functionality is disabled, no ME processes are running, and the kernel on its own is irrelevant, even if it keeps running. However, I do not have anymore a strong counter opinion to your statement that you don't consider the ME to be

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thank you for the detailed response; I figured there had to be some basic miscommunication somewhere. :-) So I assume we now agree that the ME on Sylake + is not disabled, merely limited? On 12/14/2017 01:20 AM, Youness Alaoui wrote: > Hi, > > From

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

> According to Positive Technologies, on Skylake and higher (like the > Purism machines) the kernel loads the BUP, and the HAP bit only disables > the normal userspace processes This is very good observation. Let us look again into the unknown code, compressed by Huffman (unknown tables):

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Thanks for elaborating and shedding light on this for some of us non-experts who are just lurking around. On Thu, Dec 14, 2017 at 2:20 AM, Youness Alaoui < kakar...@kakaroto.homelinux.net> wrote: > Hi, > > From the PT article you linked to, after the stage 5 of BUP execution : > "It is at this

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Hi, >From the PT article you linked to, after the stage 5 of BUP execution : "It is at this stage that we find HAP processing; in this mode, BUP hangs instead of executing InitScript. This means that the remaining sequence of actions in normal mode has nothing to do with HAP and will not be

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 According to Positive Technologies, on Skylake and higher (like the Purism machines) the kernel loads the BUP, and the HAP bit only disables the normal userspace processes [1]. What proof do you have that the kernel itself is halted? [1]

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

> I guess I still disagree with the use of the word "disabled". If the ME > wasn't required for boot, and was actually disabled within a few cycles > of its CPU starting, the remaining attack surface simply wouldn't exist. > This is not what happens though, and AFAIK even the ME kernel continues

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On 12/12/2017 12:11 PM, Denis 'GNUtoo' Carikli wrote: As I understand, this by itself isn't sufficient yet to boot a post-GM45 Intel with free software, however it gives a lot of insight on how things work and enables all researchers to understand better the Management Engine and recent Intel

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On Fri, 8 Dec 2017 21:34:57 +0100 (CET) eche...@free.fr wrote: > For those who are interested in the Intel ME, the slides and white > papers > from the Black Hat Europe are public. > >

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

For those who are interested in the Intel ME, the slides and white papers from the Black Hat Europe are public. https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

> Neither the ME or the PSP can ever be removed from their respective systems. I already wrote extensively about this in the previous thread (I 1000% agree with you, Tim). But these people revealed the almost whole architecture how ME boots the modern INTEL platform, and, frankly, I never

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/08/2017 08:40 AM, Alberto Bursi wrote: > > > On 12/08/2017 02:59 PM, Timothy Pearson wrote: >> >> That's just the HAP bit. The ME is limited but NOT disabled, and the >> remaining stubs are still hackable [1]. >> >> Neither the ME or the PSP

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On 12/08/2017 02:59 PM, Timothy Pearson wrote: > > That's just the HAP bit. The ME is limited but NOT disabled, and the > remaining stubs are still hackable [1]. > > Neither the ME or the PSP can ever be removed from their respective > systems. They can both be limited to some extent, but to

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 That's just the HAP bit. The ME is limited but NOT disabled, and the remaining stubs are still hackable [1]. Neither the ME or the PSP can ever be removed from their respective systems. They can both be limited to some extent, but to call either of

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On Wed, 30 Aug 2017 18:09:51 -0400 "taii...@gmx.com" wrote: > On 08/30/2017 03:28 PM, Timothy Pearson wrote: > > >> POWER9 workstations are already coming on the market: > >> > >> https://raptorcs.com/TALOSII/ > >> > >> Note that IBM selling similar machines directly would

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On 08/30/2017 03:28 PM, Timothy Pearson wrote: POWER9 workstations are already coming on the market: https://raptorcs.com/TALOSII/ Note that IBM selling similar machines directly would likely be more expensive, not less, based on POWER8 price comparisons between IBM and other vendors. People

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Try this backup copy from the Internet Archive: https://web.archive.org/web/20121211162830/fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf 2017-08-30 1:00 GMT-03:00 taii...@gmx.com : > I can't download the .pdf file for some reason (maybe the tla's got to it?) >

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/29/2017 11:00 PM, taii...@gmx.com wrote: > I can't download the .pdf file for some reason (maybe the tla's got to it?) > http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf > can someone send it to me? > Thanks > > > Thoughts: > Sad

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On 08/30/2017 07:06 AM, taii...@gmx.com wrote: > Yes it is called AMD-PSP and present in the newer stuff such as AM4 and > FM2+, although they did entertain the idea of providing a method to > disable it in a reddit thread which a PR guy claims the CEO paid > attention to so I suppose a

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

On 08/30/2017 12:58 AM, Philipp Stanner wrote: Am 29.08.2017 um 20:15 schrieb Timothy Pearson: On 08/29/2017 06:10 AM, Rene Shuster wrote: Wow. My favorite part is where the NSA itself basically admits that the ME can't be trusted! I wonder if they are looking at other architectures or if

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Am 29.08.2017 um 20:15 schrieb Timothy Pearson: > On 08/29/2017 06:10 AM, Rene Shuster wrote: > > Wow. > > My favorite part is where the NSA itself basically admits that the ME > can't be trusted! I wonder if they are looking at other architectures > or if this HAP bit was enough for their needs?

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

I can't download the .pdf file for some reason (maybe the tla's got to it?) http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf can someone send it to me? Thanks Thoughts: Sad this is still not an actual method of disablement, but it doesn't really matter as anyone who buys *new* x86

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

OK, thanks for the clarification. On Tue, Aug 29, 2017 at 4:13 PM, Timothy Pearson < tpear...@raptorengineering.com> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 08/29/2017 02:57 PM, Leah Rowe wrote: > > > > > > On 29/08/17 19:15, Timothy Pearson wrote: > >> On 08/29/2017

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/29/2017 02:57 PM, Leah Rowe wrote: > > > On 29/08/17 19:15, Timothy Pearson wrote: >> On 08/29/2017 06:10 AM, Rene Shuster wrote: >>> Wow. > >> My favorite part is where the NSA itself basically admits that the >> ME can't be trusted! I

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf (linked in PTSecurity's blogpost) might have the answer to your question, but it's not accessible for me. On Tue, Aug 29, 2017 at 3:57 PM, Leah Rowe wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > >

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 29/08/17 19:15, Timothy Pearson wrote: > On 08/29/2017 06:10 AM, Rene Shuster wrote: >> Wow. > > My favorite part is where the NSA itself basically admits that the > ME can't be trusted! I wonder if they are looking at other > architectures

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/29/2017 06:10 AM, Rene Shuster wrote: > Wow. My favorite part is where the NSA itself basically admits that the ME can't be trusted! I wonder if they are looking at other architectures or if this HAP bit was enough for their needs? - --

Re: [coreboot] Disabling Intel ME 11 via undocumented mode

Wow. On Mon, Aug 28, 2017 at 12:08 PM, Matthias Gliwka wrote: > Some new development on disabling Intel ME 11: http://blog.ptsecurity. > com/2017/08/disabling-intel-me.html > > Kind regards, > Matthias Gliwka > > -- > coreboot mailing list: coreboot@coreboot.org >