Neutralizing ME firmware on SandyBridge and IvyBridge

Eric Shelton

Nov 30, 2016, 4:59:26 PM
to qubes-devel
This might be of interest, since Intel ME-related issues seem to be an obstacle for Qubes-certified hardware:

http://hardenedlinux.org/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html


A couple of things from the Hacker News discussion:
- Suggested that the same technique works for Skylake (and I assume Haswell).
- Someone successfully applied the cleaner tool to the BIOS on their random desktop motherboard (Asus Z68) they had sitting around. Perhaps this can be applied across a lot of systems.

Hopefully this facilitates moving past using Core 2 Duos for ME-less systems.

Anyone know if more recent CPU generations, like Haswell or Skylake, have an in-CPU ME ROM that still allows ME to have significant functionality even if the BIOS is neutralized?

Eric

Trammell Hudson

Nov 30, 2016, 5:25:57 PM
to Eric Shelton, qubes-devel
On Wed, Nov 30, 2016 at 01:59:26PM -0800, Eric Shelton wrote:
> [...]
> - Suggested that the same technique works for Skylake (and I assume
> Haswell).

It works for Skylake without Bootguard, such as the Chell Chromebook.
I haven't tested on other systems.

Based on conversations I've had with the various engineers, the ME BUP
phase is supposed to communicate the Bootguard profile bits and hash to
the CPU microcode prior to starting the ACM. This would indicate that
bootguard would still prevent free firmware from being installed, even if
the ME ROM is greatly reduced.

> [...]
> Anyone know if more recent CPU generations, like Haswell or Skylake, have
> an in-CPU ME ROM that still allows ME to have significant functionality
> even if the BIOS is neutralized?

It's not clear how large the on-die ROM image is. My guess is not large
at all, since they do not fall back to using it if the entire ME region
of the flash chip is erased.

--
Trammell

Jean-Philippe Ouellet

Nov 30, 2016, 9:01:38 PM
to Trammell Hudson, Eric Shelton, qubes-devel
On Wed, Nov 30, 2016 at 5:25 PM, Trammell Hudson <hud...@trmm.net> wrote:
> It works for Skylake without Bootguard, such as the Chell Chromebook.
> I haven't tested on other systems.

Does "without bootguard" mean "without bootguard enabled" or "without
bootguard feature present"?

Trammell Hudson

Nov 30, 2016, 10:43:16 PM
to Jean-Philippe Ouellet, Eric Shelton, qubes-devel
To the best of my knowledge, all Skylake CPUs have bootguard support,
but not all OEMs set the ME fuse bits for a bootguard profile before
exiting ME manufacturing mode.

There are five defined profiles in the fitc tool, shown in this screenshot:

https://twitter.com/qrs/status/786697104488030210

The T450 and T550 Thinkpads that I've looked at use profile 4,
which forces the bootguard ACM to run and refuses to start if the
hashes/signature do not match. This Verified Boot mode is the one
that is hostile to user freedom since it prevents coreboot
from being installed.

Ideally OEMs would use FME, which would force the signed ACM to
run, measure the bootblock and protect the BIOS environment (by
copying the bootblock into the i-cache). While the ACM is provided
by Intel and not open source, it is at least auditable and can be
included in the measurements of the state. I haven't seen any systems
that use this Measured Boot mode.

The Chell Chromebook has profile 0, which does not force the ACM nor
does it measure the boot. This is good for user freedom, not great
for the platform security.

--
Trammell