The EFF on Intel's Management Engine (CPU inside the CPU)

For discussions about security.
souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

The EFF on Intel's Management Engine (CPU inside the CPU)

#1 Post by souleau »

From the article:

Since 2008, most of Intel’s CPUs have contained a tiny homunculus computer called the “Management Engine

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

By sheer dumb luck, I've only owned AMD machines. Was this management engine intended to control the scheduling of multi-core CPUs? I always wondered how that was done.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#3 Post by s243a »

Flash wrote:By sheer dumb luck, I've only owned AMD machines. Was this management engine intended to control the scheduling of multi-core CPUs? I always wondered how that was done.
I don't think it's an immediate concern. From the article:

"Not every machine is susceptible to the attack. For it to work, AMT has to have been both enabled and provisioned (commonly AMT is enabled but not provisioned by default)."

but this could change very quickly:
"But if there is even a single, minor flaw in that second system, you now have a devastating security disaster, because your main computer, by design, can't tell you what that second system is doing, nor can it override the instructions that the supervising system sends it -- once that supervising system is compromised, it's game over.

Intel won't tell us how to disable ME altogether for lots of reasons, but a big one is surely the fact that they've sold lots of entertainment companies on the promise of using ME for DRM -- for example, to stop you from running a program that converts one of the W3C's DRM-locked video streams into a download. Letting you shut down this back door into your computer -- and your whole digital life -- would also eliminate the means by which Intel plans to stop you from watching TV the wrong way. This is a terrible trade-off."
http://boingboing.net/2017/05/09/management-engine.html

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#4 Post by s243a »

Here's something interesting:
While these may be useful to some people, it should be up to hardware owners to decide if this code will be installed in their CPUs or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user’s interests, and should never be installed in an ME by default.

For expert users on machines without Verified Boot, a Github project called ME cleaner exists and can be used to disable a Management Engine. But be warned: using this tool has the potential to brick hardware, and interested parties should exercise caution before attempting to protect their systems. A real solution is going to require assistance from Intel.
https://www.eff.org/deeplinks/2017/05/i ... disable-it

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

#5 Post by Moose On The Loose »

Flash wrote:By sheer dumb luck, I've only owned AMD machines. Was this management engine intended to control the scheduling of multi-core CPUs? I always wondered how that was done.
Linux controls the dividing of tasks among the available threads (2 per core).

The coordination of access to shared resources like the path to RAM is done too fast for something coded to do. That bit is done by hardware with logic that looks like:

if A wants access and B is not using it then A gains access
if B wants access and A is not using it then B gains access
if both A and B want access "flip a coin" and give it to one of them
otherwise anyone who wants access waits

The "flip a coin" logic is usually a mysterious chain of flip flops and logic gates that really does something like alternate who gets priority. The real trick is in making sure that the "A gains access" signals don't glitch when both CPUs make the request. In something as fast as a modern computer, you can't count on the timing of the requests not being less than the time for a flip-flop to change state.

The new CPUs from AMD are looking better and better. I figure that if someone makes a motherboard that holds perhaps 4 of them and a few TB of RAM it would be ideal for running Puppy on for doing scientific computing. I may have to one day recode my FFT routine so that it works for more than 2 billion data points.
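The arbiter described in the post above, written out as a small software model so the "flip a coin" rule can be checked. This is an added example, not code from the thread or from any hardware vendor; the alternating-priority tie-break (a two-way round-robin) is one common way the tie is resolved and is assumed here, and the request traces are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdlib.h>

/* Who holds the shared resource this cycle. */
typedef enum { GRANT_NONE = 0, GRANT_A = 1, GRANT_B = 2 } grant_t;

/* Arbiter state: the single bit that decides a tie ("who gets priority").
 * Assumption: ties are resolved by alternating priority after each tie. */
typedef struct {
    grant_t priority;
} arbiter_t;

void arbiter_init(arbiter_t *arb) { arb->priority = GRANT_A; }

/* One clock cycle of the arbiter from the post:
 *   A wants, B does not  -> A
 *   B wants, A does not  -> B
 *   both want            -> "flip a coin" (here: current priority, then swap it)
 *   nobody wants         -> nobody */
grant_t arbiter_step(arbiter_t *arb, bool req_a, bool req_b) {
    if (req_a && !req_b) return GRANT_A;
    if (req_b && !req_a) return GRANT_B;
    if (req_a && req_b) {
        grant_t winner = arb->priority;
        arb->priority = (winner == GRANT_A) ? GRANT_B : GRANT_A;
        return winner;
    }
    return GRANT_NONE;
}

/* Run a request trace and count grants. Returns true when every cycle with at
 * least one request produced exactly one grant and idle cycles produced none
 * (the mutual-exclusion and no-starvation-on-idle properties). */
bool simulate_trace(const bool *req_a, const bool *req_b, int n,
                    int *grants_a, int *grants_b) {
    arbiter_t arb;
    arbiter_init(&arb);
    *grants_a = *grants_b = 0;
    for (int i = 0; i < n; i++) {
        grant_t g = arbiter_step(&arb, req_a[i], req_b[i]);
        bool anyone_wants = req_a[i] || req_b[i];
        if (anyone_wants && g == GRANT_NONE) return false;   /* resource wasted */
        if (!anyone_wants && g != GRANT_NONE) return false;  /* phantom grant */
        if (g == GRANT_A && !req_a[i]) return false;         /* granted to non-requester */
        if (g == GRANT_B && !req_b[i]) return false;
        if (g == GRANT_A) (*grants_a)++;
        if (g == GRANT_B) (*grants_b)++;
    }
    return true;
}

/* Both sides request on every cycle; return |grants_a - grants_b|.
 * With alternating priority this is 0 for an even cycle count, 1 for odd. */
int contention_imbalance(int cycles) {
    arbiter_t arb;
    arbiter_init(&arb);
    int a = 0, b = 0;
    for (int i = 0; i < cycles; i++) {
        grant_t g = arbiter_step(&arb, true, true);
        if (g == GRANT_A) a++; else b++;
    }
    return abs(a - b);
}

int main(void) {
    /* Constructed trace: A alone, B alone, both contending, then idle. */
    bool req_a[] = { true, false, true, true, true, false };
    bool req_b[] = { false, true, true, true, true, false };
    int ga, gb;
    bool ok = simulate_trace(req_a, req_b, 6, &ga, &gb);
    printf("trace ok=%d grants A=%d B=%d\n", ok, ga, gb);
    printf("imbalance after 1000 contended cycles: %d\n", contention_imbalance(1000));
    return 0;
}
```

The model cannot show the glitch problem the post mentions (that is a timing issue inside the flip-flops, invisible to a cycle-level simulation), but it does make the fairness of the alternating tie-break checkable: under permanent contention the two requesters receive the same number of grants.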

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

'Intel Management Engine' has app in W10 uninstall program

#6 Post by purple379 »

While uninstalling a program in Windows 10 Pro 64 bit, I see Intel Management Engine has an app. Does this mean the app must be present for someone to use the Intel Management Engine in some way?

I seem to have seen posts indicating that AMD has also had a Firmware build that can take over control of our computers for the last several AMD processors.

I have a fourth Generation Intel laptop, I wonder if it can be taken over. Might be time for me to buy an older computer to use with TAILS.

Maybe a waste of effort. I am pretty sure the NSA is a huge employer of Linux programmers. Surely they have worked hard to infiltrate TAILS. Plus, until TAILS offers its product only through a number of countries, plus countries which are not part of the huge 10 eyes system, I don't see why I should trust it.

While I have never heard of it, I would not be surprised to find that they have added software to servers to track any specific login point.
