Status of disabling Intel ME

How do you re-rate the status of disabling Intel ME with this https://twitter.com/rootkovska/status/939058475933544448 in mind?

1 Like

We don’t just disable the ME, we neutralize it (remove the code) so it cannot function at all.

What about physical access? The engineers of Positive Technologies say that they could exploit a system by downgrading to an older version of Intel ME with a BIOS update and therefore still exploit Intel ME.

Would installing an older version of Intel ME on a Purism laptop be an option to still exploit it?

According to this article [https://www.golem.de/news/firmware-bug-codeausfuehrung-in-deaktivierter-intel-me-moeglich-1712-131543.html], the security issue is in the module called Bup, which cannot be removed in order to run the computer. This should mean that the security issue is also in Purism laptops with partially removed ME. Is this correct?

@mladen, please look into this. The vulnerability happens before the HAP bit is set. If I understand correctly, you would have to get the fixed firmware from Intel and then me_clean it…

The article linked Rutkowska’s tweet, which lists what’s needed for the hack:

(needs physical access or bug in BIOS)

  1. If an attacker has physical access to your computer, that’s it: no matter what you do, the assumption is that a motivated attacker with proper tools/knowledge will eventually hack into your device/implant spyware.

  2. Without physical access we’re safe, because “Bug in BIOS” does not apply to us (coreboot ftw).

I am not an expert, so we will wait until our coreboot developer gives his opinion. 🙂

Isn’t encryption + TPM supposed to protect from physical access (read: device seized by authorities)? So this neutralization is no protection from this kind of threat?

@mladen Do the Purism laptops have USB ports with Direct Connect Interface (DCI) access? This is needed to exploit Intel ME locally.

We will need confirmation from @kakaroto if he comes through the thread, but my understanding is that TPM + Heads can be used to protect the computer against this kind of attack with physical access, by letting the user himself lock the boot sequence with a key that he owns.

Currently, we propose the TPM chip as an option on the laptops: https://puri.sm/posts/tpm-addon-for-librem-laptops/

Do you have a link to a website / page that states this?

I don’t have a website link about this. It is just my understanding of the research our devs do on that issue. It is why I need @kakaroto to confirm (or not).

The ME is both disabled and neutralized.
DCI is not enabled and cannot be used (and the ME needs to be exploitable in order to enable JTAG over DCI).

In order to use the exploit on librems, you need physical access, or if your kernel has STRICT_IOMEM, you’d need root access and to reboot the computer with the ‘iomem=relaxed’ kernel parameter.

Using TPM + Heads would give an additional security layer to prevent the exploit from running.

5 Likes
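
An added example, not part of the thread or of Purism's tooling: a shell check for the kernel condition the last reply describes, reporting whether `/dev/mem` MMIO access is restricted and whether the machine was booted with `iomem=relaxed`. It assumes the post's "STRICT_IOMEM" refers to the mainline options `CONFIG_STRICT_DEVMEM` and `CONFIG_IO_STRICT_DEVMEM`; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether /dev/mem MMIO access is restricted.

# Print the effective iomem= setting on a kernel command line ($1); the last occurrence wins.
iomem_mode() {
    mode=unset
    for arg in $1; do
        case "$arg" in
            iomem=relaxed) mode=relaxed ;;
            iomem=strict)  mode=strict ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Succeed if option $2 is built in (=y) in the kernel config text $1.
config_enabled() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# Print a verdict for a command line ($1) and kernel config text ($2).
devmem_verdict() {
    if ! config_enabled "$2" CONFIG_STRICT_DEVMEM; then
        echo "unrestricted: CONFIG_STRICT_DEVMEM is not set"
    elif [ "$(iomem_mode "$1")" = relaxed ]; then
        echo "relaxed: booted with iomem=relaxed"
    elif config_enabled "$2" CONFIG_IO_STRICT_DEVMEM; then
        echo "strict: driver-claimed MMIO is blocked"
    else
        echo "partial: CONFIG_IO_STRICT_DEVMEM is not set"
    fi
}

# Gather both inputs from the running host (usual Linux locations, assumed present).
audit_host() {
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null)
    devmem_verdict "$(cat /proc/cmdline)" "$cfg"
}

# Constructed sample inputs, so the logic can be exercised offline.
SAMPLE_CFG='CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet iomem=relaxed'

if [ "${1:-}" = "--host" ]; then audit_host; else devmem_verdict "$SAMPLE_CMDLINE" "$SAMPLE_CFG"; fi
```

Run with `--host` to audit the running machine; a "relaxed" verdict on a system you did not boot that way yourself is worth investigating.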