Group: Hardware/Restrictions/anti-freedom/Intel Management Engine

From LibrePlanet
Revision as of 09:35, 3 December 2019 by GNUtoo (talk | contribs) (Neutralizing the ME: The ME is not neutralized at all)

TODO

This article has been imported from the old Coreboot wiki page on the Management Engine.

  • Clean it up

Uses of the Management Engine

The Intel Management Engine (abbreviated "ME") is a CPU which:

  • permits out-of-band management of the computer. See the Wikipedia AMT article for example use cases.
  • on recent versions:
    • initializes the hardware before the boot firmware (BIOS/EFI/UEFI/Coreboot, etc.) runs.
    • DRM
    • TPM
    • Other applications

Freedom and security issues

  • The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).
  • The ME has access to a lot of things, see "physical capabilities" column below for more details.
  • In addition to the obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc.), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.

Versions

ME firmware version Microarchitecture Chipset AMT versions ME firmware versions Applications Location Required modules Bit
N/A (ME predecessor) ICH7 1.0
  • AMT
82573E Gigabit Ethernet Controller[1] None ?
Q963[1] 2.0
  • AMT
Q965[1] 2.0 3.0[2]
  • AMT
  • No TPM
1st Gen Core:[3]
  • Nehalem?
  • Other?
  • AltMeDisable[5]
Nehalem[6] Q57 6.0[1] 6.0, 6.1 [7]
2nd Gen Core[3]
3rd Gen Core[3]
4th Gen Core[3]
5th Gen Core:[3]
  • Broadwell
  • Other?
Skylake
  • RBE
  • BUP
  • KERNEL
  • SYSLIB[4]
6th Gen Core[3]
7th Gen Core[3]

Where

Columns of the original table: Board, Firmware, Microarchitecture, ME location and physical capabilities, ME restrictions. One entry per board:

Lenovo X60/X60s/X60T
  • Firmware: None. [8]
  • Microarchitecture: I945 + ICH7
  • ME location and physical capabilities: inside the Ethernet controller, disabled: no Ethernet controller firmware. [8]
  • ME restrictions: disabled: no Ethernet controller firmware. [8]

Lenovo T60

Lenovo x200
  • Firmware: ME firmware with AMT and other modules
  • Microarchitecture: GM45/GS45
  • ME location and physical capabilities: the ME is inside the PCH; it has access to the computer's memory/RAM and controls the computer's original networking adapters.
  • ME restrictions: signed firmware. The ME can be disabled (no firmware is run by it).

Lenovo x201
  • Firmware: ME firmware with AMT and other modules
  • Microarchitecture: Nehalem
  • ME restrictions: signed firmware. If the ME firmware is absent, the computer freezes about 30 min after boot.

Packard Bell EasyNote LM85 (MS2290)
  • Firmware: ?

Samsung Series 5 550 Chromebook
  • Firmware: me.bin
  • Microarchitecture: Sandy Bridge
  • ME restrictions: signed firmware

Samsung Series 3 Chromebox
  • Firmware: me.bin

Lenovo t520
  • Firmware: ME firmware with AMT and other modules

Google/HP Pavilion Chromebook 14
  • Firmware: me.bin
  • Microarchitecture: Ivy Bridge
  • ME restrictions: signed firmware

Google Chromebook Pixel
  • Firmware: me.bin

Google/Acer C7 Chromebook
  • Firmware: me.bin

Google/Lenovo Thinkpad X131e Chromebook
  • Firmware: me.bin

Lenovo t530
  • Firmware: ME firmware with AMT and other modules

Lenovo x230
  • Firmware: ME firmware with AMT and other modules

Kontron KTQM77/mITX
  • Firmware: ?

Google/Acer C720 Chromebook
  • Firmware: ?
  • Microarchitecture: Haswell
  • ME restrictions: signed firmware

Google/HP Chromebook 14
  • Firmware: ?

Why there is no replacement for it yet

Replacing the ME firmware is not that easy because:

  • The ME boot ROM checks the firmware signature.
  • On recent chipsets its RAM region is locked while it is allocated.
  • Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.

So even though some people have partially documented the ME firmware format, it is very unlikely that a free software replacement for it will ever exist.

However, Coreboot also supports systems other than those with recent Intel CPUs/chipsets. The list of supported mainboards lists some of them.

  • Some of these don't have a management engine.
  • Some ship with it disabled (the hardware is present but not used).
  • Some ship with it enabled, but it can be disabled so that it is not used at all, as on the Lenovo x200.

Using a smaller version of the Intel ME

Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors with the same chipset and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for the ME.
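As an added example (not code from this page or from the Coreboot project), the Python script below parses the region table of an Intel flash descriptor, reports the ME and BIOS region sizes, and rewrites the descriptor so that the ME region shrinks and the BIOS region grows by the same amount. It assumes the 13-bit region base/limit fields used by descriptors up to the Broadwell era, that the BIOS region directly follows the ME region, and it works on a constructed 8 MiB sample image rather than a vendor dump; the function names are my own. It edits only the descriptor: as the paragraph says, you still need a matching smaller ME firmware for your chipset to place in the shrunken region.

```python
import struct

MiB = 1024 * 1024
IFD_SIGNATURE = 0x0FF0A55A  # flash valid signature at offset 0x10 of the image
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")  # FLREG0..FLREG4


def _frba(image):
    """Offset of the region table (FRBA), taken from FLMAP0 at offset 0x14."""
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    return ((flmap0 >> 16) & 0xFF) << 4


def parse_regions(image):
    """Map region name -> (base, limit), or None when the region is unused.

    Assumes the 13-bit base/limit fields of pre-Skylake descriptors; newer
    descriptors widen these fields and would need a different mask."""
    if struct.unpack_from("<I", image, 0x10)[0] != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    frba = _frba(image)
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = None if base > limit else (base, limit)  # base > limit marks unused
    return regions


def region_size(image, name):
    reg = parse_regions(image)[name]
    return 0 if reg is None else reg[1] - reg[0] + 1


def _write_region(image, index, base, limit):
    flreg = ((base >> 12) & 0x1FFF) | (((limit >> 12) & 0x1FFF) << 16)
    struct.pack_into("<I", image, _frba(image) + 4 * index, flreg)


def shrink_me_region(image, new_me_size):
    """Return a copy of the image whose ME region is new_me_size bytes long and
    whose BIOS region starts right after it, so the BIOS region grows.

    Only the descriptor is rewritten; the caller must still put a matching
    smaller ME firmware into the new ME region."""
    if new_me_size % 4096:
        raise ValueError("region sizes must be multiples of 4 KiB")
    regions = parse_regions(image)
    me_base, me_limit = regions["ME"]
    bios_base, bios_limit = regions["BIOS"]
    if bios_base != me_limit + 1:
        raise ValueError("this helper assumes the BIOS region directly follows the ME region")
    if new_me_size > me_limit - me_base + 1:
        raise ValueError("new ME region would be larger than the current one")
    out = bytearray(image)
    new_me_limit = me_base + new_me_size - 1
    _write_region(out, 2, me_base, new_me_limit)          # FLREG2 = ME
    _write_region(out, 1, new_me_limit + 1, bios_limit)   # FLREG1 = BIOS
    return bytes(out)


def build_sample_image(total=8 * MiB, me_size=5 * MiB):
    """Constructed sample image (descriptor, 5 MiB ME, rest BIOS); not a vendor dump."""
    img = bytearray(b"\xff" * total)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)  # FLMAP0 carrying the FRBA field
    me_base = 0x1000
    layout = [
        (0x0000, 0x0FFF),                      # Descriptor
        (me_base + me_size, total - 1),        # BIOS, directly after the ME
        (me_base, me_base + me_size - 1),      # ME
        None,                                  # GbE unused
        None,                                  # Platform Data unused
    ]
    for i, reg in enumerate(layout):
        if reg is None:
            struct.pack_into("<I", img, frba + 4 * i, 0x00001FFF)  # base 0x1FFF, limit 0: unused
        else:
            _write_region(img, i, reg[0], reg[1])
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_image()
    smaller = shrink_me_region(original, 2 * MiB)
    for label, img in (("before", original), ("after", smaller)):
        print(label, {n: region_size(img, n) // MiB for n in ("ME", "BIOS")})
```

Run on the built-in sample, the ME region goes from 5 MiB to 2 MiB and the BIOS region gains the 3 MiB the paragraph mentions; on a real dump, check the reported layout before writing anything back, since a GbE or Platform Data region between ME and BIOS would make the simple "BIOS follows ME" rewrite invalid.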

Research on removing the Management Engine OS

  • There are some interesting bug reports in the me_cleaner bug tracker. Some people have removed the Management Engine OS on computers with chipsets more recent than GM45, but Coreboot has not yet been ported to such computers.
  • There is a report of removing the Management Engine OS on an Asus P55 Extreme; again, Coreboot has not yet been ported to that computer.

To be added to Libreboot a computer would need at least:

  • To be supported in Coreboot or other boot software (u-boot, etc)
  • To be usable without nonfree software, like the CPU microcode
