"I got rid of Intel ME thanks to LibreBoot."
-
Well, that's exactly how I read it.
Someone I read about claimed that it was possible to disable Intel ME through the modified LibreBoot BIOS/UEFI project.
So what's the point of all this now?
The problem that was being addressed was the latent vulnerabilities in Intel processors, which as we know are fundamentally located in the firmware of their module within the processor.
According to what he said, he found a way to disable Intel ME in LibreBoot. Is there any truth to this?
To begin with, we must differentiate between software and firmware (I won't be the one to explain it, the notion is quite basic). So, while our friend did manage to disable the "Intel ME" service on his computer (from there I questioned whether to continue with the topic) thanks to the aforementioned project, I wanted to know to what extent we could manage to bypass the firmware and the processor's microcodes.
The truth is that what he achieves (when he achieves it) is to "derive" the Intel ME instructions; that is, it doesn't nullify it, it simply allows some control over its operation. And I say "when he achieves it" because the compatibility table of the project is so limited that I really doubt that anyone will manage to get anything clear.
But then, can it be done or not?
The most solvent alternative, CoreBoot, also warns that everything depends on the motherboard: since these projects do not alter in any way either Intel ME or its AMD equivalent, the "Platform Security Processor" (PSP), they depend on how the instructions of the modified BIOS/UEFI can be compatible with those of different motherboards and processor generations.
The conclusion I come to is that the statement in the title is purely sensationalist (you would have to read the rest of the good man's entry), because to this day only Intel / AMD can disable those instructions; which leaves these projects outside the interest of the common user.
That's not to mention the many possibilities of ending up turning the device/computer into a brick.
There are rumors that a certain research group has achieved some success in disabling Intel ME, but with an undocumented procedure... who knows.
Has anyone messed around with LibreBoot/CoreBoot equivalents?
What and how has been your experience?
-
I've been a bit out of touch with the latest developments on these topics for months. There are some entries on the front page for those interested:
· Intel ME, the well-known backdoor of Intel
· Coreboot, the free BIOS
· The x86 platform, harmful according to a security expert
· The current state of security at boot
· Unfixable security problems on the x86 platform
· AMD's security problems
· Open letter to Intel from Andrew Tanenbaum
· AMD is considering releasing the PSP code (as far as I know, this has never happened and this entry is from a year ago)
· Important vulnerability discovered in Intel processors (Nothing to do with Meltdown/Spectre and company)
· Security flaw detected in Intel ME
· Secret switch found for Intel ME
· Intel ME practically bypassed
Basically, they are trying to dissect ME through reverse engineering and thus be able to bypass it. The reason why it's not possible to install an alternative BIOS is that both Intel and AMD have security mechanisms where the firmware is digitally signed and compared with a key written in hardware. This is done because malware that takes control of a machine with ME or PSP has direct access to all the hardware, with everything that implies and without the possibility of detection. That's why, as far as I know, the latest motherboards that can be supported by Coreboot are Intel's 775 platform (and not all of them).
With this topic, as with so many others, it's a niche. People don't care about security at these levels. If this advances, it's because of the work of volunteers who do it out of love for the art and who have to fight against the protection systems of the big manufacturers. There are warnings from experts and renowned developers who have been saying for years that ME and PSP are reckless.
Meltdown/Spectre has been talked about for months and months and has been a scandal that has even changed the stock prices of the big ones, even though they are vulnerabilities that affect very limited areas and whose execution is technically complicated. The day some serious hole in ME or PSP is exploited, the chaos will be of biblical proportions.
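The mechanism the post above describes, a firmware image that is digitally signed and checked against a key written into hardware, is easy to see in miniature. The Go program below is an added example and is not code from the thread, from Intel/AMD or from Coreboot/Libreboot; the image layout (public key, then signature, then body), the `FuseKey`/`VerifyImage` names and the Ed25519 choice are assumptions made for illustration, standing in for the vendor-specific formats and RSA keys real boot ROMs use. It shows why neither a patched vendor image nor a freshly built alternative BIOS signed with someone else's key passes the check: the ROM trusts only the key whose hash was burned in at the factory.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fixed-length header fields of the hypothetical image layout used here.
const (
	pubKeySize = ed25519.PublicKeySize // 32 bytes
	sigSize    = ed25519.SignatureSize // 64 bytes
)

// ROMKey models the digest of the OEM public key that the vendor burns into
// one-time-programmable fuses. Firmware cannot rewrite it afterwards.
type ROMKey [sha256.Size]byte

// FuseKey computes the value that would be fused at manufacturing time.
func FuseKey(pub ed25519.PublicKey) ROMKey { return sha256.Sum256(pub) }

// BuildImage produces a signed image: pubkey || signature(body) || body.
func BuildImage(priv ed25519.PrivateKey, body []byte) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, body)
	img := make([]byte, 0, pubKeySize+sigSize+len(body))
	img = append(img, pub...)
	img = append(img, sig...)
	return append(img, body...)
}

// VerifyImage is the boot-ROM side of the check:
//  1. the public key carried in the image must hash to the fused value, so
//     an image cannot simply ship its own key together with its own signature;
//  2. the signature over the body must verify under that key.
// It returns the body only when both conditions hold.
func VerifyImage(fused ROMKey, img []byte) ([]byte, error) {
	if len(img) < pubKeySize+sigSize {
		return nil, errors.New("image too short")
	}
	pub := ed25519.PublicKey(img[:pubKeySize])
	sig := img[pubKeySize : pubKeySize+sigSize]
	body := img[pubKeySize+sigSize:]
	if got := sha256.Sum256(pub); !bytes.Equal(got[:], fused[:]) {
		return nil, errors.New("public key does not match fused key hash")
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("firmware signature invalid")
	}
	return body, nil
}

// Scenario runs three constructed images through the ROM check and reports
// which ones pass: the vendor's own image, the same image with one body byte
// changed, and an independently built image signed with a third-party key.
func Scenario() (vendorOK, tamperedOK, resignedOK bool) {
	// Constructed sample keys; a real OEM key never leaves the vendor's HSM.
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thirdPartyPriv, _ := ed25519.GenerateKey(rand.Reader)
	fused := FuseKey(oemPub)

	vendor := BuildImage(oemPriv, []byte("constructed sample vendor firmware body"))

	tampered := append([]byte(nil), vendor...)
	tampered[len(tampered)-1] ^= 0xff // modify the last byte of the body

	// An alternative firmware build, signed by whoever built it rather than the OEM.
	resigned := BuildImage(thirdPartyPriv, []byte("constructed alternative BIOS body"))

	_, errVendor := VerifyImage(fused, vendor)
	_, errTampered := VerifyImage(fused, tampered)
	_, errResigned := VerifyImage(fused, resigned)
	return errVendor == nil, errTampered == nil, errResigned == nil
}

func main() {
	v, t, r := Scenario()
	fmt.Printf("vendor image accepted: %v\n", v)
	fmt.Printf("tampered image accepted: %v\n", t)
	fmt.Printf("third-party-signed image accepted: %v\n", r)
}
```

The only outcomes the ROM allows are "vendor image accepted" and everything else rejected. Replacing the key inside the image fails at step 1 before the signature is even looked at, which is the property that makes a re-signed alternative BIOS no different from any other unsigned blob as far as the hardware is concerned.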
-
Precisely because I read all those links back in the day (and some of them again) my ears perked up when I read that someone had ME disabled and I wanted to investigate the matter.
Certainly, as you rightly say, these are very marginalized projects, both in popularity and in resources, and the worst part is that bypassing it is the only alternative in the absence of a third manufacturer in contention (I think my grandchildren will see the ZhaoXin thing) that does not implement its control module in the processor.
Regarding whether people care, of course most users do not even know what ME/PSP consists of, or that it even exists; but it is also true that I do not know to what extent it is healthy to worry about something that you cannot avoid or correct.