bcaa7f3a8bbc | 7 years ago
Does ME Manufacturing mode allow the user to change all the configuration? Does it mean that hackers who incidentally purchased such a machine (but probably not Apple's) with ME Manufacturing mode enabled can theoretically port coreboot to the machine, then flash their own public key fingerprints into ME, using Boot Guard to protect firmware signed by themselves instead of the OEM's?
I remember several bunches of Lenovo laptop series released a few years ago seem to have the same vulnerability, and porting coreboot to those computers with earlier chipsets is a real possibility, only prevented by the Boot Guard signature. But finding these unpatched and vulnerable series of machines is a hit-or-miss game with minimum chance of success. If someone really implements tools to do all these things, is it possible that the secondhand vulnerable motherboards would be the gold in the hacker communities and be sold at a high price?
Another fact is that ME is a part of the PCH, which is located on the CPU package. If a hacker has access to a BGA rework technician in a professional repair workshop, it should be possible to desolder the original CPU from the board and install a new one with an unconfigured ME to "own" the machine.
turblety | 7 years ago
Exactly. Remember Intel ME is a great utility and has some awesome abilities. The issue that people have is not the fact there is a CPU running another CPU that looks after the main one. It's that it's closed source and has remote control capabilities that cannot be controlled by the user.
If Intel would just allow an owner to build and flash their own Intel ME version using their own private/public keys then no one would have an issue with that. It's the fact it's a secret closed system that has full control to monitor everything you do, and cannot be fully disabled.
oneplane | 7 years ago
You can only flash coreboot if the BootGuard isn't blown. Nothing else will allow you to run coreboot on a mobile Intel platform, because the CPU has a hard-fused hash of the public key for the IBB (boot code in the CPU ROM/factory microcode) and, via that, the ACM (Authenticated Code Module, loaded via ME).
This means that you cannot run an Intel CPU without getting an ACM signed by Intel. And that ACM only works with the ME and an Intel-formatted SPI flash partitioning scheme.
Keep in mind that this hard lockdown only applies to those SoC-ish chips like the mobile PCH+CPU combo chips. Once the PCH and CPU are separate, it's a different story with real options, all the way down to replacing the PCH with one that doesn't have the fuses for BootGuard blown.
Manufacturing mode does allow you to access all of the SPI, but it doesn't allow you to add malware or change the firmware as long as BootGuard is still on, since you need the RSA private key from the manufacturer to change the firmware, or the RSA private key from Intel to change the IBB+ACM combo package.
The Lenovo series you are referring to had a similar but different issue; BootGuard was in validate-only mode, so you can edit the SPI flash and remove the UEFI part, but leave in everything else (ME, GbE, config, IFF, partition data, etc.). This has been a non-default configuration for a while, and as you noted, even then it was hard to find one that had that specific firmware/fuse combination.
The ME on platforms with sockets is in the PCH, which is on the mainboard, not on the CPU, so in theory it is possible to man-in-the-middle the CPU-PCH communication.
Another note: a lot of Intel boards have the CCA debug options for ME still enabled due to a mishap from Intel; CCA is the Closed Chassis Adapter, which basically runs JTAG over USB3 directly onto the ME CPU core. Getting a USB 3 cable and removing some pins turns it into a poor man's CCA cable; running some FOSS software on the host will then enable you to stop the ME core on the target and modify memory at will. This basically enables a tethered ME jailbreak, but also ME malware persistence.
Reelin | 7 years ago
It sure would be nice if we could just purchase such unlocked devices directly.
You used to actually control the devices you purchased. Then mobile comes along and so far we've seen locked OS accounts (rooting), locked bootloaders, and locked basebands. Now there's locked ME or PSP. This is getting ridiculous, as well as difficult to keep track of. Perhaps we need some sort of "Fully Unlocked" certification to indicate that a device you're considering purchasing would actually be yours?
userbinator | 7 years ago
In other words, this vulnerability is "the insecurity that gives us freedom"? That's what it looks like from a quick scan through the article, and if that's the case this is yet another sad instance where the authoritarian "security" community is openly hostile against user freedom.
On that moral point, a relevant comment I made on an article recently: https://news.ycombinator.com/item?id=18102434 Anyone who is actively finding and closing local-only "exploits" for ME, ones which require root access in the first place, is being actively user-hostile.
Abishek_Muthian | 7 years ago
> But finding these unpatched and vulnerable series of machines is a hit-or-miss game with minimum chance of success
BIOS update version changes, or the name itself, mention 'intel ME' on the manufacturer's site for their products[1]; it should be fairly simple to find computers with an older BIOS version.
[1] : https://www.acer.com/ac/en/IN/content/support-product/6752?b...
hlandau | 7 years ago
They also have a history of selling x86 systems while articulating vague hopes that the blob/owner control situation will improve in the future, despite this being clearly implausible. In one case for example, they claimed they might get Intel to sign a custom ME firmware for them in the future. Anyone who knows anything about the ME knows that Intel would never do this, ever.
exikyut | 7 years ago
Appears to mostly be an enterprise offering; I'm not quite sure if any of these companies would sell me a server for personal use. And even then I don't think I'd be able to request control over the various keys they're in control of (i.e. request the work be done to get me keypairs of my own, which I do think is theoretically possible).
Hmph.
oneplane | 7 years ago
This is bad in a DoS type of way. BootGuard only loads correctly signed firmware; the root of trust is an Intel RSA keypair, and the hash of the pubkey is burned into the CPU during Intel's manufacturing. The PCH (on the same chip in mobile cases) has the ME, which also has fuses, and as long as the CPU only accepts signed code from the ME, and the ME has the BootGuard fuse blown, the only thing you can really do is disable a system by nuking the SPI (or just flipping one random bit to invalidate the signature).
To fix it, you'd have to re-flash the SPI chip.
As far as I know, manufacturing mode only allows you to add signing keys if those keys are signed by Intel, so adding your own keys won't help. Adding a key from another manufacturer with known exploitable firmware could work, but loading that firmware on incompatible hardware won't let you boot the machine, so you still get nothing.
All in all: nice find, yes you can disable machines via software, but other than that, not as interesting as I had hoped it to be. (IBB or ACM exploits would be very, very, very sweet.)
It also means that instead of having to compromise Intel's signing key to gain full control, now it's also possible to use any compromised key that's been signed by Intel, which may not be as well guarded as Intel's one.
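As an added illustration (not code from the thread, from Intel, or from any project mentioned here), below is a deliberately simplified Python model of the chain oneplane describes above: a hash fused into the CPU pins the root key, manufacturing mode accepts an OEM key only if that root has signed it, and the OEM key signs the SPI image. The toy RSA keys built from fixed small primes, the image bytes and the function names are all constructed for the model; the four scenarios show the stock boot, the single-bit-flip DoS, an owner's self-signed key being refused, and a second Intel-signed OEM key being accepted.

```python
import hashlib

# Toy RSA from fixed ~32-bit primes, constructed for this model only; real
# Boot Guard uses 2048/3072-bit RSA and Intel's own manifest formats.
def toy_key(p, q, e=65537):
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))   # (public, private)

def key_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()

def pub_hash(pub):   # the value the model "burns into the CPU" fuses
    return hashlib.sha256(key_bytes(pub)).hexdigest()

def h(data, n):      # SHA-256 of the data, reduced into the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(pub, priv, data):
    return pow(h(data, pub[0]), priv, pub[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == h(data, pub[0])

def verify_boot(fused_hash, root_pub, oem_pub, oem_key_sig, firmware, fw_sig):
    """Chain as the thread describes it: the CPU trusts only the root key whose
    hash is fused in; that root must have signed the OEM key (manufacturing
    mode accepts nothing else); the OEM key must have signed the SPI image."""
    if pub_hash(root_pub) != fused_hash:
        return "refused: root key does not match fused hash"
    if not verify(root_pub, key_bytes(oem_pub), oem_key_sig):
        return "refused: OEM key not signed by root"
    if not verify(oem_pub, firmware, fw_sig):
        return "refused: firmware signature invalid"
    return "boot"

def scenarios():
    root = toy_key(2147483647, 4294967291)   # "Intel": hash of this pubkey is fused
    oem = toy_key(2147483587, 4294967279)    # the board's OEM key, Intel-signed
    other = toy_key(2147483629, 4294967291)  # another vendor's key, also Intel-signed
    own = toy_key(2147483587, 4294967291)    # an owner-generated key, self-signed
    fused, fw = pub_hash(root[0]), b"constructed SPI image: IBB + UEFI + ME region"
    def attempt(key, issuer, image):  # issuer signs the OEM key; key signed the stock fw
        return verify_boot(fused, root[0], key[0], sign(*issuer, key_bytes(key[0])),
                           image, sign(*key, fw))
    return {
        "stock": attempt(oem, root, fw),                              # boots
        "bit_flip": attempt(oem, root, bytes([fw[0] ^ 1]) + fw[1:]),  # bricked: the DoS case
        "own_key": attempt(own, own, fw),                             # refused: not Intel-signed
        "other_oem": attempt(other, root, fw),                        # boots: any Intel-signed key
    }
```

The model deliberately omits the real manifests (key manifest, boot policy manifest, ACM), so it shows the trust relationships the thread argues about, not Intel's exact verification order.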
debt | 7 years ago
> The weakness of "security through obscurity" is so well known as to be obvious. Yet major hardware manufacturers, citing the need to protect intellectual property, often require a non-disclosure agreement (NDA) before allowing access to technical documentation.
I believe the actual reason for "security through obscurity" is that it's a delay tactic used against well-funded adversaries.
There's an inherent problem in security. A company, existing in the private sector, could never hope to overcome the infinite resources of a nation state. It's literally, mathematically, financially impossible.
A nation state could even apply a rule like: if they know a particular technology was developed by roughly 500 engineers at some company, employ 5x the number of engineers used, simply as a rule. So in this case, they could employ 2500 security researchers to overcome some security problem.
It's also possible to build systems that are correct, such that no adversary with any amount of resources could find a security hole. Many CPUs in the past have been correct. Probably most major commercial ones before 2000 were. So it's not mathematically impossible.
The beauty of public key cryptography is that a 5x increase in security researchers is nowhere near a 2^128x increase in difficulty. What's pitiful is coming up with O(1) schemes and hoping for security through obscurity to keep them safe.
Is there a way to enroll your own platform key on the latest UEFI Secure Boot enabled Macs? They do not include the 'Microsoft Corporation UEFI CA' therefore a bootloader signed by Microsoft's UEFI binary signing service (which most popular Linux distros do) cannot be verified. And that means you must disable Secure Boot to boot something other than macOS or Windows. And that means you don't really control, therefore don't really own, your hardware.
walterbell | 7 years ago
1) Purism has been discussed on HN, trying to extend their laptop coreboot success to a phone form factor, http://puri.sm
2) Librebox is a desktop computer with coreboot, from Portugal, https://libretrend.com and https://youtube.com/watch?&v=mHyJCSqWhFw
For data centers, OpenCompute server owners are also the "OEM" and in control of more keys.