Intel management engine

Is it true that the issue that all free-hardware manufacturers are facing is that Intel i-Gen CPUs (i3, i5, i7) are coming with something called the ‘Intel Management Engine’? It’s a black box which could be running any manner of code on the machine; the US government actually is the only entity able to order Intel i-Gen CPUs without the ME.

Yes: https://en.wikipedia.org/wiki/Intel_ME.

See also:

I think this is not correct. I think more correct is: Intel put in the functionality that halts the IME because otherwise the US government would spit the dummy (for good reason). Having put that functionality in … every (even half recent) Intel CPU has the IME and everyone has the functionality to halt it.

Is it possible that the US government can secretly buy CPUs from Intel that have no IME? Well, yes, I am certainly in no position to rule that out but it seems unlikely given the role that the IME plays and the direction that things are going.

The IME is a separate CPU (still x86 but much more limited than the main CPUs and with some modifications). It runs blackbox software that only Intel can understand and only Intel can modify - so no one can audit it, much less add or subtract or modify functionality. So these are definitely points of badness for anyone concerned about security and for anyone who wants open source.

The problems with the IME seem to be getting worse, over the decades since its introduction in about 2008.

If the US government really has a concern about this and wants to flex its muscle with Intel, a more nuanced approach might be to demand that Intel provide to the US government the source code for the software that runs on the IME, plus the information needed to verify that the supplied source code is the true source code.

There are many existing topics on this for you to search for.

Are you saying there is a program that halts it in any computer, and without physically opening the cover?

My understanding is that the IME documents functionality whereby you can ask the IME to halt (after it has done its, um, initial mischief). It is of course a blackbox so you would not likely be able to verify that it complied with the request - and that may only apply to the Intel CPUs being sold in current Purism hardware i.e. future Intel CPUs may simply make the IME unable to be tamed at all.


I am loath to answer because there are so many others around that know so much more, and I feel uncertain how much of this discussion even belongs on the Purism forum.

The Intel Management Engine (ME) is required as part of the basic boot-up of the computer. Can’t get around that.

But the portion we all mean to point out is the part of the ME that can surreptitiously, without my knowledge, remotely reprogram my computer to accomplish what they want. And I guess that is variable: reading passwords; reading the text of communications to and from others; just knowing the names and addresses of others (human rights defenders) can be dangerous to the lives of others; perhaps protecting my ideas from being stolen. Too much said about the obvious possibilities.

It is my understanding that Purism has already stopped the Intel ME from being remotely programmed on its laptops. Probably I should stop here.

It is my conjecture that I, as an individual, could never stop the NSA (I live in the USA; pick your own country’s major government surveillance organization) if they decide to watch all of my electronic things. And they do not need to use the Intel ME to accomplish that.

Any power group, government, or big corporation is not going to use an expensive trick, like the bad part of the Intel ME, to watch me. If they could purchase the hack to use the Intel ME, legally or on the black market, it would surely cost millions. I am not worth it.

To those who have not thought through the dollar cost of trying to watch just them.

And as some posters here have pointed out, Intel seems intent on keeping the feature. If Intel had wanted to remove the negative parts of its Management Engine, they could have made it part of an update. As best as I know, they still plan to keep the feature. I don’t trust the intent of Intel. Notice several major tech companies have been willing to bend to the demands of authoritarian governments.

If the company refuses, their product might be replaced. The company might be putting the quality of life of its employees at risk if they refuse.

Where is Intel going to sell more Processors in the next ten years? India? China? Corporations have shown their goals are about the money.

Dell sells computers with different goals in mind. Here in the US one can go into Walmart and buy a Dell laptop for a high school kid which is more about the color of the laptop than quality of manufacture. Then one can buy a Dell laptop meant for a business person, for more money, and it will be of higher manufacturing quality. I guess you knew that.

Several years ago, a story was posted on the internet: someone at Dell made a mistake and listed, as part of their catalog of computers, some computers which had the negative part of the Intel ME neutralized (however they phrased it). Pretty good guess this catalog was meant for the DOD, Pentagon… I would guess if a Congressman wanted that level of laptop, they could contact Dell and prove who they were. My hunch: a Congressperson on an Intelligence Committee should be able to buy such a thing.

If you are younger, you might not remember that Windows 7 users could stop Windows Update, and then the entire internet was slowed because of bots and other kinds of malware which an update of Windows could stop. To be fair, Microsoft was also infamous for pushing out Windows updates which crashed Windows, and it was difficult for non-techie users to get their broken Windows working.

Does Intel need this ME feature to, say, implement a change to the computer to stop malware?

I doubt that is their intent.

I am guessing I am confirming some information already posted.


Regarding “remotely reprogram”, there appear to be two different things mentioned in your post.

Both are concerns but the considerations and technical challenges and mitigations could be different.

My understanding is that the ME has more than enough access to compromise your computer (reprogram it) if the functionality to do so already exists within the ME - and, as a blackbox, you don’t really know what functionality the ME has.

My understanding is that, in Purism computers, the ME is denied access to the network by virtue of not using the built-in ethernet within the chipset (not connected to an RJ-45 connector) and instead including a separate, dedicated ethernet (and of course optionally a separate, dedicated WiFi card - in which case maybe no ethernet at all is connected). That might not be 100% robust but it is much better than not doing that.

The effect of that should be to frustrate any command-and-control bot inside the ME and make it more difficult for the ME itself to accept remote reprogramming. (I don’t know whether the ME can actually be updated on the fly but I guess the ME can always trigger a crash in order to get a reboot or wait for the next normal shutdown. For high-value targets, the latter is obviously far preferable.)

Does the blackbox ME have the functionality to retrieve updates for itself (as regular software does)? I don’t know. If it does, that is a significant security exposure i.e. if it were able to be exploited by a third party.

I don’t think there’s much value in speculating what exploits a threat will use. You just want to rid your computer of as many exploits as possible. You may well be right that most targets will be targeted using the most expeditious exploit. If that’s not ME then some other approach.

I don’t think it would cost the US government big $$ to utilise the ME as an exploit. They go to Intel. Intel does what it’s told. Because national security. The US government would provide the necessary unique identifiers so that you are targeted, rather than everyone.


You say a lot of wise things.

The point in my post where I wrote “I probably should stop here”: I meant that this forum is about Librem computers, and they have mitigated the threat to us. Surely Librem’s update system will continue to take all that into account.

I actually come at this issue from mostly the Qubes OS forum and github, where folks write about how to deal with Intel Management Engine (well the negative feature) with any other computer besides Librem.

Such as those computers which have fixes, to be called Qubes OS Certified Computers, with firmware changed to coreboot/Heads to prevent the operation of the negative features of the Intel ME. In addition, on the Lenovo X230, changing the basic firmware with either coreboot/Heads or 1vyrain (and one cannot use them together), one can change the WiFi card to another, install an alternate keyboard besides the model provided by IBM, and use a battery besides one of the IBM models, as those items, in the original IBM Lenovo firmware, are whitelisted and must be there to boot up.

The excellent note written by the fellow in a previous post here is far beyond my limited knowledge.

Intel provides security updates for the Intel processor. These are to close newly discovered malware holes. I read around security sites on the internet about whether I should install those fixes, to verify Intel has not installed something I would not like.

Now I read that the third generation Intel processors will not be receiving more security updates. Too old.

I also read that some on the Qubes forum, who are very experienced with using the Certified versions of the Lenovo X230 or Lenovo T430, are having hangs, probably due to the later Intel security updates, and perhaps the latest version of Qubes (maybe overheating?). I am not doing those things.

It is just time to move on to using Librem for a secure laptop. If one has the cash, that is.

I thought Intel was going to provide a patch to disable the negative features of the Intel management engine, also to provide a little tool to verify it was disabled.

But everyone has also moved on to not just disabling the negative features of the Intel ME. I am concerned with the full security provided by a Certified Computer: to verify the computer has not been tampered with in either firmware or OS, which one can do with a Librem Key or Nitrokey, verifying against tampering with either PureBoot or Heads.

I doubt I have said anything that [irvinewade] did not know.

I did want to acknowledge the points where you are correct, and I was either wrong or not well stated.

Yes. While I am not, say, a traveling journalist who is concerned with keeping my computer from being tampered with,

I am still concerned with creating a maximum secure computer.

I have one or two things to say, but I should PM them to you, as there is only so much the mods here should or will tolerate.

I think [irvinewade], and some of the earlier posters information is much more correct and clearly stated than some of what I wrote.

Good you guys are around to keep things clear.


I wonder if Purism provides such a tool. (edit: according to Coreboot’s utility, “working state” 15 is optimal https://puri.sm/projects/coreboot/#Verifying_the_Intel_ME_is_Neutralized)

I wonder if the Librem Key detects ME reenablement.

If creating is learning by doing, and security is knowing, then maybe creating and security are inseparable.

That might be ironic considering the non-profit being behind the subject.

It would seem to me that you don’t just want to disable the management engine. You want to destroy it so that it can not be re-enabled.

Good idea.

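Several posts above ask how one would check, short of trusting the vendor, whether the ME has actually been halted, and one of them points at the “working state” that coreboot’s intelmetool reports. What that tool reads is the ME’s HFSTS1 (Host Firmware Status 1) register; on Linux the mei driver exposes the same words in /sys/class/mei/mei0/fw_status, one hex value per line. The script below is an added example written for this page, not code from the thread, from Purism or from coreboot. The bit layout and state names follow coreboot’s struct me_hfs (src/southbridge/intel/bd82x6x/me.h); the register values it uses as sample input are constructed for illustration and were not captured from real hardware, and it makes no claim about which exact value a neutralized ME produces, since that should be compared against the reference output on the Purism page linked above.

```python
"""Decode the Intel ME HFSTS1 ("Host Firmware Status 1") register.

Added example: not code from the forum thread, from Purism or from coreboot.
Bit layout and state names follow coreboot's intelmetool (struct me_hfs in
src/southbridge/intel/bd82x6x/me.h). SAMPLE_* values below are constructed,
not captured from hardware.
"""
from pathlib import Path
from typing import Optional

# Names as coreboot's me.h labels them; other values are reported numerically.
WORKING_STATES = {
    0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal",
    6: "Disable Wait", 7: "Transition", 8: "Invalid",
}
OPERATION_STATES = {
    0: "Preboot", 1: "M0 with UMA", 4: "M3 without UMA",
    5: "M0 without UMA", 6: "Bring up", 7: "M0 without UMA but with error",
}
OPERATION_MODES = {
    0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
    4: "Security Override via Jumper", 5: "Security Override via MEI Message",
}


def _bits(value: int, lo: int, width: int) -> int:
    """Extract `width` bits starting at bit `lo` of a 32-bit register."""
    return (value >> lo) & ((1 << width) - 1)


def decode_hfsts1(value: int) -> dict:
    """Split HFSTS1 into its fields (layout per coreboot's struct me_hfs)."""
    value &= 0xFFFFFFFF
    return {
        "working_state": _bits(value, 0, 4),
        "mfg_mode": bool(_bits(value, 4, 1)),
        "fpt_bad": bool(_bits(value, 5, 1)),
        "operation_state": _bits(value, 6, 3),
        "fw_init_complete": bool(_bits(value, 9, 1)),
        "ft_bup_ld_flr": bool(_bits(value, 10, 1)),
        "update_in_progress": bool(_bits(value, 11, 1)),
        "error_code": _bits(value, 12, 4),
        "operation_mode": _bits(value, 16, 4),
        "boot_options_present": bool(_bits(value, 24, 1)),
    }


def me_running_normally(fields: dict) -> bool:
    """True only when the ME reports itself fully up: working state Normal,
    firmware init complete, operation mode Normal, no error. Anything else
    (disabled, error, an override mode) means it is not running as shipped;
    the register is the ME's own self-report, so this is evidence, not proof."""
    return (fields["working_state"] == 5
            and fields["fw_init_complete"]
            and fields["operation_mode"] == 0
            and fields["error_code"] == 0)


def describe(value: int) -> str:
    """Human-readable dump of one HFSTS1 value plus a verdict line."""
    f = decode_hfsts1(value)
    verdict = "ME is up and running" if me_running_normally(f) \
        else "ME is NOT in its normal running state"
    return "\n".join([
        f"HFSTS1 = 0x{value:08X}",
        f"  working state   : {f['working_state']} ({WORKING_STATES.get(f['working_state'], 'unknown')})",
        f"  operation state : {f['operation_state']} ({OPERATION_STATES.get(f['operation_state'], 'unknown')})",
        f"  operation mode  : {f['operation_mode']} ({OPERATION_MODES.get(f['operation_mode'], 'unknown')})",
        f"  fw init complete: {f['fw_init_complete']}",
        f"  error code      : {f['error_code']}",
        f"  manufacturing   : {f['mfg_mode']}   FPT bad: {f['fpt_bad']}",
        f"  verdict         : {verdict}",
    ])


def parse_fw_status(text: str) -> list:
    """Parse /sys/class/mei/meiN/fw_status: the Linux mei driver prints one
    hex word per line, HFSTS1 first."""
    return [int(word, 16) for word in text.split()]


def read_hfsts1_sysfs(path: Path = Path("/sys/class/mei/mei0/fw_status")) -> Optional[int]:
    """HFSTS1 from the mei driver's sysfs attribute, or None when it is absent
    (no mei driver loaded, or the ME PCI device hidden by firmware)."""
    try:
        words = parse_fw_status(path.read_text())
    except (OSError, ValueError):
        return None
    return words[0] if words else None


# Constructed sample registers (not captured from hardware):
SAMPLE_NORMAL = 0x90000245   # working state 5, init complete, mode Normal
SAMPLE_NOT_UP = 0x00000006   # working state 6 (Disable Wait), init not complete

if __name__ == "__main__":
    live = read_hfsts1_sysfs()
    for v in ([live] if live is not None else [SAMPLE_NORMAL, SAMPLE_NOT_UP]):
        print(describe(v))
        print()
```

Run it on a machine with the mei driver loaded and it decodes the live register; elsewhere it falls back to the two constructed samples. The same word is also readable at offset 0x40 of the ME’s PCI config space (device 00:16.0), which needs root. As the thread already notes, a black box reporting on itself is the weakest possible witness: a clean reading here is only consistent with the ME being halted, and the stronger check remains verifying the firmware image that was flashed, which is what the Purism/Heads tooling discussed above is for.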