[gentoo-user] Intel ucode updates for ME issues?

[gentoo-user] Intel ucode updates for ME issues?

[Adam Carter]

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

I notice that an update for sys-firmware/intel-microcode just come through
on ~amd64, does that address the ME issues?

http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

Or will my NUC need a firmware update?

[-- Attachment #2: Type: text/html, Size: 459 bytes --]

Re: [gentoo-user] Intel ucode updates for ME issues?

[Taiidan]

On 11/22/2017 12:42 AM, Adam Carter wrote:

> I notice that an update for sys-firmware/intel-microcode just come through
> on ~amd64, does that address the ME issues?
>
> http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/
>
> Or will my NUC need a firmware update?
>
That would be "solved"[1] via a firmware update, microcode update is 
microcode - only for the cpu.
If you don't get one for your hardware due to the vendor saying it is 
"too old" (to scam you to buy a new motherboard for no reason) you can 
bisect the BIOS update and add it yourself (ask on the coreboot 
mailinglist how to do this for more info) not too difficult.

Using ME cleaner would also solve the issue and you wouldn't need any 
more firmware updates when the next "bug" comes around.


[1] Intel ME/AMD PSP will always be full of security "bugs" as they are 
designed to be an uber backdoor for god knows who - one can avoid this 
via getting either a slightly older x86-64 setup such as 
KCMA-D8/KGPE-D16 opteron motherboards (RYF libre firmware and a libre 
bmc firmware is available for them they also don't need microcode updats 
for series 2 CPU's), a g505S laptop (open source init firmware 
available) or a TALOS 2 server/workstation (POWER9, very very high 
performance high end server hardware with the usual price for that level 
of performance but you get libre firmware AND libre hardware RYF 
certification pending on release)

Re: [gentoo-user] Intel ucode updates for ME issues?

[R0b0t1]

On Tue, Nov 21, 2017 at 11:42 PM, Adam Carter <adamcarter3@gmail.com> wrote:
> I notice that an update for sys-firmware/intel-microcode just come through
> on ~amd64, does that address the ME issues?
>

No. As a sidenote, microcode updates can only remove or patch out
functionality. They can't modify functionality in complex ways.

> http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/
>

Does anyone have more information on this? Has anything been
published? I'm interested in exploiting my own computers so I can
control the ME.

> Or will my NUC need a firmware update?

It is possible that this can't be fixed. Early versions of ME (at
least) had secret Huffman decoding tables designed into the ASIC that
were used to decompress the firmware. I am not sure if it is possible
to change these.

Cheers,
     R0b0t1

Re: [gentoo-user] Intel ucode updates for ME issues?

[R0b0t1]

On Wed, Nov 22, 2017 at 6:03 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
> Using ME cleaner would also solve the issue and you wouldn't need any more
> firmware updates when the next "bug" comes around.
>

Intel ME has been found to remain active after being disabled, and
some motherboards that do not ship as "vPro enabled" and consequently
haven't had the licensing paid for certain features have been found
with those same features enabled. I own an Asus laptop which is
affected. Some Asus forum post reported that there's a Java-based SOAP
webserver listening on the port associated with Intel ME. Intel ME is
not visible to the BIOS, and so it can't be turned any more "off."

Cheers,
     R0b0t1

Re: [gentoo-user] Intel ucode updates for ME issues?

[Taiidan]

On 11/22/2017 11:16 PM, R0b0t1 wrote:

> Does anyone have more information on this? Has anything been
> published? I'm interested in exploiting my own computers so I can
> control the ME.
It seems that it is the same people who figured out HAP mode but they 
haven't made a blog update I would ask on the coreboot mailinglist, 
there are some very smart people there.

Although I doubt you will find any real information anywhere at all due 
to the recent "white hat" tendency to restrict the real nuts and bolts 
info and utilities to wealthy corporations instead of us peons who 
*gasp* might do something "bad" with it/don't have lots of money to pay 
for a "premier" support account.

I am curious as to why you wish to do this, considering you can buy a 
libre firmware owner controlled motherboard with better functionality 
(ex: OpenBMC) than any me/psp board for only $250 and $100 for a FX-8310 
equivalent cpu.

On 11/22/2017 11:18 PM, R0b0t1 wrote:

> On Wed, Nov 22, 2017 at 6:03 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>> Using ME cleaner would also solve the issue and you wouldn't need any more
>> firmware updates when the next "bug" comes around.
>>
> Intel ME has been found to remain active after being disabled, and
> some motherboards that do not ship as "vPro enabled" and consequently
> haven't had the licensing paid for certain features have been found
> with those same features enabled. I own an Asus laptop which is
> affected. Some Asus forum post reported that there's a Java-based SOAP
> webserver listening on the port associated with Intel ME. Intel ME is
> not visible to the BIOS, and so it can't be turned any more "off."
I understand the limitations of me_cleaner, although in this case it 
would in fact solve the problems as all the currently *publicly* 
discovered "bugs" are all ME feature exploits (and the features are 
removed by me_cleaner) rather than exploits of the ME kernel although I 
am certain that one is on the way.

Believe me I know what I am talking about, I regularly provide support 
on the coreboot mailinglist and I own a variety of devices that are 
owner controlled with libre firmware (and of course no ME/PSP).

Re: [gentoo-user] Intel ucode updates for ME issues?

[R0b0t1]

On Wed, Nov 22, 2017 at 10:36 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
> On 11/22/2017 11:16 PM, R0b0t1 wrote:
>
>> Does anyone have more information on this? Has anything been
>> published? I'm interested in exploiting my own computers so I can
>> control the ME.
>
> It seems that it is the same people who figured out HAP mode but they
> haven't made a blog update I would ask on the coreboot mailinglist, there
> are some very smart people there.
>
> Although I doubt you will find any real information anywhere at all due to
> the recent "white hat" tendency to restrict the real nuts and bolts info and
> utilities to wealthy corporations instead of us peons who *gasp* might do
> something "bad" with it/don't have lots of money to pay for a "premier"
> support account.
>

This does make me sad. In a case such as this it makes the most sense
to me that the details be released so people who want to control their
devices are allowed to do so before the holes are patched.

> I am curious as to why you wish to do this, considering you can buy a libre
> firmware owner controlled motherboard with better functionality (ex:
> OpenBMC) than any me/psp board for only $250 and $100 for a FX-8310
> equivalent cpu.
>

I attempted to use some vPro/ME functionality and found it broken or
unsuable. So, I suppose I want access to the ME so I can use it for
what it was advertised to do. Currently I have not gotten it to do any
of those things, and its security is unprovable.

> On 11/22/2017 11:18 PM, R0b0t1 wrote:
>
>> On Wed, Nov 22, 2017 at 6:03 PM, Taiidan@gmx.com <Taiidan@gmx.com> wrote:
>>>
>>> Using ME cleaner would also solve the issue and you wouldn't need any
>>> more
>>> firmware updates when the next "bug" comes around.
>>>
>> Intel ME has been found to remain active after being disabled, and
>> some motherboards that do not ship as "vPro enabled" and consequently
>> haven't had the licensing paid for certain features have been found
>> with those same features enabled. I own an Asus laptop which is
>> affected. Some Asus forum post reported that there's a Java-based SOAP
>> webserver listening on the port associated with Intel ME. Intel ME is
>> not visible to the BIOS, and so it can't be turned any more "off."
>
> I understand the limitations of me_cleaner, although in this case it would
> in fact solve the problems as all the currently *publicly* discovered "bugs"
> are all ME feature exploits (and the features are removed by me_cleaner)
> rather than exploits of the ME kernel although I am certain that one is on
> the way.
>
> Believe me I know what I am talking about, I regularly provide support on
> the coreboot mailinglist and I own a variety of devices that are owner
> controlled with libre firmware (and of course no ME/PSP).

Well, at no point did I question your aptitude, but I think the
information I outlined is a pretty good argument for assuming the ME
can not be disabled.

Even if true, there's not much to be done about it anyway.

Cheers,
     R0b0t1

Re: [gentoo-user] Intel ucode updates for ME issues?

[Taiidan]

On 11/23/2017 12:47 AM, R0b0t1 wrote:

> I think the information I outlined is a pretty good argument for assuming the ME
> can not be disabled.
>
> Even if true, there's not much to be done about it anyway
Yeah it certainly can't be disabled (I argue this point on a regular 
basis to no avail), as in non functional as it is involved in the 
pre-BIOS-boot process.
A certain low-morals company claims that they "disable" it with 
me_cleaner (they also infer they made it) but that is impossible.

To me disabled is no electricity flowing through it/physically 
disconnected and that couldn't be the case without enough money and 
resources to the point where one could simply make a POWER laptop with 
the current lot of POWER9 CPU's (ie: downclock and do some power saving 
engineering) - so de-facto impossible.