5 Jan
2024
5 Jan
'24
12:26 a.m.
On Thu, Jan 4, 2024 at 1:42 AM <arnold(a)skeeve.com> wrote:
Things have wandered a little far afield... :-)
"Theodore Ts'o" <tytso(a)mit.edu> wrote:
I have tried out the AMT stuff for OS development and it is a mess. I
am skeptical anyone seriously uses it. Laptops already have
microcontrollers for various functionality so it is hard to see why
the already standardized NC-SI and IPMI couldn't be applied to the
problem space in some way that is secure, standardized, and doesn't
significantly change the BOM cost.
For whatever reason, intel makes it difficult to impossible to remove
the ME in later generations. It seems more than accidental
incompetence since people have figured out how to force it into a
brain dead state (coreboot with me_cleaner). It is doubly suspicious
that the US government has a killswitch for it that the commercial and
general public do not.
Which are the intel CPUs without the ME? Just because a CPU doesn't
have vPro licensed doesn't mean the ME isn't there.
Or there's something running on a completely
different x86 core with
unpatched securiy bugs in the Minix and Apache cores that you can't
even disable (unless you are the National Security Agency).... Sadly,
Intel refuses to make it available the magic bits to disable the Intel
ME to anyone else. :-(
I worked for a number of years in the design center where the firmware
and software for the ME were develped. Although it's possible that
the firmware developers were sworn to secrecy, I never heard anything
about back doors for the NSA or anyone else.
Intel took security and code quality in the ME very seriously,
and during my tenure the quality of the ME firmware improved a lot.
ISTR that the BIOS had settings for disabling the ME. Is that
no longer true?
I know there are lots of people who despise the ME, which I never
understood. It was designed to solve the very real problem of remote
PC management, and for that it works. My own feeling is, if you don't
want the ME, buy a processor without it; there are plenty from Intel
and AMD. Quite seriously, and with no animosity, I'd be
happy to learn what
I'm missing here.
https://en.wikipedia.org/wiki/Intel_Management_Engine has a good
enough survey and links to other soruces.
It's a complete mess on the NIC too, the firmware on e1000 NICs has
all sorts of issues and much of it is related to the insane errata and
complexity of transitioning to and fro Management mode and different
interpretations of who is responsible for power management.
Thanks,
Arnold