Actions against Intel ME?

24bit (Joined: 2010 Nov 19)

Many here may know that since implementation of the vPro feature with Intel cpus, there is a hidden OS running side by side with the visible OS you choose to run on your computer.
The hidden OS is a Minix type OS, its firmware was first located in the north bridge and was moved into the cpu die with i3/i5/i7 cpu powered computers. The beast itself got the name Management Engine.

The features of the secret OS are not very well documented, but it's known that Minix is running most of the time, given a device gets power, one way or the other. The hidden OS has control over pretty much all of a given computer's hardware, including network of course - got its own MAC address even.

It may have been worth a thought to have an additional OS running, in case users have totally messed up their computer and call for remote service. As there is no way for the end user to opt out, it's also a nice tool to spy on the customer, tinker with a device without the owner's knowledge or shut down a given computer at will.

INTEL has recently woken up, as the possibility of hacking the disguised Minix has become plausible and INTEL is offering a utility to check whether a given computer is vulnerable.
The INTEL-SA-00075 Detection Tool is available for Windows; a Linux utility is available too.

[Image: INTEL_ME]

Disabling the AMT feature in EFI/BIOS looks like a good idea, but Minix is up and running anyway, listening to some ports too, presumably.

Because of the above, it's jokingly said that Minix is the world's most often installed OS, regardless of whether you wanted it or not. ;)

Let me know if you got some insight into ME features and possible fixes, please.

To determine whether you've got a vPro system, you may look here:
https://communities.intel.com/docs/DOC-2033
https://msp.intel.com/find-a-vpro-system
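
As an added example (not code from this thread, and not Intel's own detection tool), the script below does on Linux what the SA-00075 tool does as a first cut: read the ME firmware version and say whether it falls in one of the firmware families Intel's advisory names as affected (6.x through 10.x, plus 11.0, 11.5 and 11.6). It assumes a recent kernel with the mei driver, which exposes the version at /sys/class/mei/mei0/fw_ver as one "platform:major.minor.hotfix.build" line per firmware block; the version strings in the comments and tests are constructed samples. Being in an affected family means "compare your build against Intel's fixed-version list and check whether AMT is provisioned", not "confirmed vulnerable".

```python
#!/usr/bin/env python3
"""Classify an Intel ME firmware version against the INTEL-SA-00075 affected
families (CVE-2017-5689). Added example, not code from the thread or from
Intel's own detection tool."""
import re
from pathlib import Path

# Firmware families Intel's advisory lists as affected: 6.x through 10.x,
# plus 11.0, 11.5 and 11.6. A version outside these is not covered by the
# advisory; a version inside them means "check Intel's fixed-build list",
# not "confirmed vulnerable" (AMT must also be provisioned for it to matter).
AFFECTED_MAJORS = {6, 7, 8, 9, 10}
AFFECTED_11_MINORS = {0, 5, 6}

# Assumption: recent Linux kernels with the mei driver expose the ME firmware
# version here, one "<platform>:<major>.<minor>.<hotfix>.<build>" line per
# firmware block. Windows users get the same numbers from Intel's GUI tool.
FW_VER_PATH = Path("/sys/class/mei/mei0/fw_ver")

_LINE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_fw_ver(text):
    """Parse fw_ver text into (platform, major, minor, hotfix, build) tuples;
    lines that do not match the expected shape are ignored."""
    versions = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            versions.append(tuple(int(g) for g in m.groups()))
    return versions


def in_affected_family(major, minor):
    """True if major.minor falls in a family named by INTEL-SA-00075."""
    return major in AFFECTED_MAJORS or (major == 11 and minor in AFFECTED_11_MINORS)


def classify(text):
    """Return (version_string, affected_family) for the first parseable block,
    or None when no version can be read (no MEI device, driver or file).
    Constructed sample: "0:7.1.20.1119" -> ("7.1.20.1119", True)."""
    versions = parse_fw_ver(text)
    if not versions:
        return None
    _, major, minor, hotfix, build = versions[0]
    return f"{major}.{minor}.{hotfix}.{build}", in_affected_family(major, minor)


def read_fw_ver(path=FW_VER_PATH):
    """Read the sysfs file if present; empty string otherwise, so the caller
    gets a clean 'unknown' instead of a traceback on machines without MEI."""
    try:
        return path.read_text()
    except OSError:
        return ""


if __name__ == "__main__":
    result = classify(read_fw_ver())
    if result is None:
        print(f"no ME firmware version readable at {FW_VER_PATH}; "
              "use Intel's SA-00075 detection tool for this platform")
    else:
        version, affected = result
        if affected:
            print(f"ME firmware {version} is in an SA-00075 affected family: "
                  "compare the build against Intel's fixed-version list and "
                  "check whether AMT is provisioned")
        else:
            print(f"ME firmware {version} is outside the SA-00075 affected families")
```

Run it as root or as a user that can read sysfs; on a machine with no MEI device (or with the driver blacklisted) it reports "unknown" rather than "safe", which is the honest answer, since the advisory covers provisioned AMT rather than the presence of the ME itself.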

Comments

3371-Alpha (Joined: 2016 Mar 15)

Now I'm GLAD I'm still on PowerPC.

24bit (Joined: 2010 Nov 19)

Absolutely. Security through obscurity. :) Dell Optiplex 745 to 780 are not equipped with the full featured ME for example.

I'm a year too late about this topic seemingly.
Looks like it's technically possible to remove ME, but not for me. ;)
https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmwa...

MikeTomTom (Joined: 2009 Dec 7)

Thanks for the posts and link, 24bit.

*groan* I'm not "techie" enough to follow this one through tho' :P Guess I'll need to "live with it" :(

semvalidade2006 (Joined: 2017 Jan 21)

I don't have information about this particular implementation, but all high-end servers are built with a running OS that allows us to control the server remotely. However, it is not inside the server CPU but as an additional CPU. Each vendor has a different name for it.

semvalidade2006 (Joined: 2017 Jan 21)

As I suspected: "Simply said, that means Intel ME adds another processor on the motherboard to manage the other sub-systems. As a matter of fact, it is more than just a microprocessor: it’s a microcontroller with its own processor, memory, and I/O. Really just like if it was a small computer inside your computer.

That supplemental unit is part of the chipset and is NOT on the main CPU die. Being independent, that means Intel ME is not affected by the various sleep state of the main CPU and will remain active even when you put your computer in sleep mode or when you shut it down."

This is a very common approach for all server vendors. Not sure why all the buzz about it.

SkyCapt (Joined: 2017 Jan 11)

".. yours is the only one that ever created a simulation within the simulation, something that we never could have expected." Though, I've been expecting it for over fifteen years.

I never approved of the "Big Switch" to Intel processors. Once upon a time, there was a new computer. It was unveiled to the masses via video clip declaring "1984 won't be like 1984." The consortium of Intel+IBM+Microsoft was portrayed as "Big Brother", why do they call themselves "Intel?" Intel never earned goodguy status by me, the top slot has always been occupied by the biggest liar. The entire G5 series was a flop, burned by IBM on that one. My overclocked G4 (2003) performs better than my overclocked C2D (2008). The G4 is a one core 32bit system, it defeats the dual core 64bits, because the thing most appealing about it is it (secretly) has two channel asynchronous RAM and I see both channels working in my favor. Every computer made since robs you of at least 50% and more. This happened at the same time the entire internet swore ATA-100 meant "up to 100 MB/sec" when all you need is an FM radio to show it is 100 MHz, a two byte wide bus so the ATA-100 bandwidth is really 100x2 = "up to 200 MB/sec" but programmed to feign a 100 MB/sec bus. You get half or less of that bus, and every other bus since. The industry makes Propaganda Machines.

24bit (Joined: 2010 Nov 19)

Yeah, seems we have to live with a hidden secondary OS running on its own cpu,
when using a fairly recent Intel rig.
I see the point for server setups of course, to have a simple drop back console for emergency tasks.
For the common notebook or desktop user there is no benefit to gain from the management engine, methinks.
On the contrary, as long as the hidden OS was running on ARCompact nobody had thought about it much.
Running ME-11 on new hardware, Minix on X86, changes the game completely.
The well known organisations with the three letter acronyms get even easier access to my computer - bad enough.
Migrating ME to the "new" X86 platform is also an invitation to a huge army of hardly paid hackers around the world to play around with the secretly embedded system.
The average user can do nothing against that, as the management engine is hidden from user land, integrated into the platform controller hub enabling all communication between cpu and peripherals.

One ME/AMT security issue was already documented: https://nvd.nist.gov/vuln/detail/CVE-2017-5689
Others will follow.

SkyCapt (Joined: 2017 Jan 11)

Your take on ME sounds about right.

I played with my Mirror Door northbridge today, a good story.
I've made a lot of changes to my OS 9 to improve performance. I tried building a new volume starting with my OEM OS 9.2.1 Install CD I've owned since it was new (disc was made on Sept 10 2001) so I could document every alteration I make which gives me the best performance, especially concerning its Video Generator for a 1920x1200 display, a super achievement when a screen that big is this fast and smooth and crisp on a native OS 9 computer.

So when I got done building the OS volume, it wasn't as fast as it was supposed to be. I overlooked one of my past improvements, and I had to rediscover what it is. Turned out I forgot to erase the "Classic RAVE" extension. I had been erasing it previously as part of my self imposed "OS9<>OSX Firewall" but I didn't recognize that erasing it improves the performance of my booted OS9 volume - Classic RAVE is only for Classic Environ, while booted OS9 uses the extension "QuickDraw 3D RAVE" instead. So RAVE is a 'driver' for interfacing with the northbridge chip, specifically the 'blitter' unit within that chip. RAVE is one of those 'backronym' meaning something like "Rasterization Acceleration Velocity Engine", not to be confused with the RAGE ATI graphics card. RAVE is a blitter-driver then, as evident by the "QuickDraw" in its filename - and when booted in OS9, having "Classic RAVE" throws one of those wrenches into the delicate works.

I make around a dozen changes to OS 9.2.1 - each one might be small potatoes but when my adjustments are all combined the difference between it and the OS 9.2.2 final-version-of-everything supplied by Apple is outrageous. The most mysterious of my changes has to do with removing "taxes" that were placed on RAM bandwidth. I disable the "Apple Enet DLPI Support" and the "Firewire Enabler" extensions, turning off the Ethernet and FW ports, but their "taxes" and other taxes don't stay gone permanently unless I input a strange sequence as a Startup Item. The sequence ought to accomplish NOTHING so it seems!, but it turns out to be life or death for getting at my best speed! I spent weeks doing this by myself, and I'll bet no one else has done the same. If I don't document this, the knowledge will be lost.

24bit (Joined: 2010 Nov 19)

I did get along with the command line version of the Intel tool meanwhile.
Did I tell you I am a CLI hater since the Amiga days?
Anyway things do work with the Windows C: prompt, not with the new Windows PowerShell though.
I got the status report at the bottom now. Not as bad as before, but ME is still there and running.
ME is too far integrated into boot and system start to totally disable it.
No idea what to do with my T420 Hackintosh, installing Windows just to disable Client Control Mode?

[Image: ME_02]

Edit: Luckily I could boot with a spare Windows HDD from my T60.
As Windows had finished updating drivers, the Intel GUI utility reported similar info as above.

MacTouch (Joined: 2016 Mar 19)

I have found this detailed page from Wikipedia. I sincerely hope that will help you, 24bit. ;)

24bit (Joined: 2010 Nov 19)

Thanks MacTouch, that pretty much sums it up.

"The only way to actually fix this vulnerability is to install a firmware update. Intel has made a list of updates available."
I'll follow the links to see how I'll fare.

The Windows notebook is updated by a Lenovo firmware update, the Sierra brother had its firmware modified when I got it, including AMT disabling, totally forgot about it.
Things seem to be fixed for now. I hope others with ME 7.1 will find their firmware upgrades as well.
This is how things look now:

[Image: ME05]

bertyboy (Joined: 2009 Jun 14)

http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-m...