summaryrefslogtreecommitdiffstats
path: root/site/faq
diff options
context:
space:
mode:
Diffstat (limited to 'site/faq')
-rw-r--r--site/faq/index.php44
1 files changed, 22 insertions, 22 deletions
diff --git a/site/faq/index.php b/site/faq/index.php
index 4f11c3e..bed4378 100644
--- a/site/faq/index.php
+++ b/site/faq/index.php
@@ -125,20 +125,20 @@
located in the (G)MCH chip. In Q3 2009, the first generation of Intel Core
i3/i5/i7 (Nehalem) CPUs and the 5 Series Chipset family of Platform Controller
Hubs, or PCHs, brought a more tightly integrated ME (now at version 6.0) inside
- the PCH chip, which itself replaced the ICH. Thus, the ME is <em>present on all
- Intel desktop, mobile (laptop), and server systems since mid 2006</em>.
+ the PCH chip, which itself replaced the ICH. Thus, the ME is <b><i>present on all
+ Intel desktop, mobile (laptop), and server systems since mid 2006</i></b>.
</p>
<p>
The ME consists of an ARC processor core (replaced with other processor cores in
later generations of the ME), code and data caches, a timer, and a secure
internal bus to which additional devices are connected, including a cryptography
- engine, internal ROM and RAM, memory controllers, and a <em>direct memory access
- (DMA) engine</em> to access the host operating system's memory as well as to
+ engine, internal ROM and RAM, memory controllers, and a <b><i>direct memory access
+ (DMA) engine</i></b> to access the host operating system's memory as well as to
reserve a region of protected external memory to supplement the ME's limited
- internal RAM. The ME also has <em>network access</em> with its own MAC address
+ internal RAM. The ME also has <b><i>network access</i></b> with its own MAC address
through an Intel Gigabit Ethernet Controller. Its boot program, stored on the
internal ROM, loads a firmware "manifest" from the PC's SPI flash chip. This
- manifest is <em>signed with a strong cryptographic key</em>, which differs
+ manifest is <b><i>signed with a strong cryptographic key</i></b>, which differs
between versions of the ME firmware. If the manifest isn't signed by a specific
Intel key, the boot ROM won't load and execute the firmware and the ME processor
core will be halted.
@@ -146,12 +146,12 @@
<p>
The ME firmware is compressed and consists of modules that are listed in the
manifest along with secure cryptographic hashes of their contents. One module
- is the operating system kernel, which is based on a <em>proprietary real-time
- operating system (RTOS) kernel</em> called "ThreadX". The developer, Express
+ is the operating system kernel, which is based on a <b><i>proprietary real-time
+ operating system (RTOS) kernel</i></b> called "ThreadX". The developer, Express
Logic, sells licenses and source code for ThreadX. Customers such as Intel are
forbidden from disclosing or sublicensing the ThreadX source code. Another
- module is the Dynamic Application Loader (DAL), which consists of a <em>Java
- virtual machine</em> and set of pre-installed Java classes for cryptography,
+ module is the Dynamic Application Loader (DAL), which consists of a <b><i>Java
+ virtual machine</i></b> and set of pre-installed Java classes for cryptography,
secure storage, etc. The DAL module can load and execute additional ME modules
from the PC's HDD or SSD. The ME firmware also includes a number of native
application modules within its flash memory space, including Intel Active
@@ -163,12 +163,12 @@
Active Management Technology (AMT)</a> application, part of the Intel "vPro"
brand, is a Web server and application code that enables remote users to power
on, power off, view information about, and otherwise manage the PC. It can
- be <em>used remotely even while the PC is powered off</em> (via Wake-on-Lan).
+ be <b><i>used remotely even while the PC is powered off</i></b> (via Wake-on-Lan).
Traffic is encrypted using SSL/TLS libraries, but recall that all of the major
SSL/TLS implementations have had highly publicized vulnerabilities. The AMT
- application itself has <em><a
+ application itself has <b><i><a
href="https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits">
- known vulnerabilities</a></em>, which have been exploited to develop rootkits
+ known vulnerabilities</a></i></b>, which have been exploited to develop rootkits
and keyloggers and covertly gain encrypted access to the management features of
a PC. Remember that the ME has full access to the PC's RAM. This means that an
attacker exploiting any of these vulnerabilities may gain access to everything
@@ -181,7 +181,7 @@
Intel Core i3/i5/i7 (Haswell) CPUs. It allows a PC OEM to generate an
asymmetric cryptographic keypair, install the public key in the CPU, and prevent
the CPU from executing boot firmware that isn't signed with their private key.
- This means that <em>coreboot and libreboot are impossible to port</em> to such
+ This means that <b><i>coreboot and libreboot are impossible to port</i></b> to such
PCs, without the OEM's private signing key. Note that systems assembled from
separately purchased mainboard and CPU parts are unaffected, since the vendor of
the mainboard (on which the boot firmware is stored) can't possibly affect the
@@ -189,9 +189,9 @@
</p>
<p>
ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include
- an ME application for <em>audio and video <a
+ an ME application for <b><i>audio and video <a
href="https://defectivebydesign.org/what_is_drm_digital_restrictions_management">
- DRM</a></em> called "Protected Audio Video Path" (PAVP). The ME receives from
+ DRM</a></i></b> called "Protected Audio Video Path" (PAVP). The ME receives from
the host operating system an encrypted media stream and encrypted key, decrypts
the key, and sends the encrypted media decrypted key to the GPU, which then
decrypts the media. PAVP is also used by another ME application to draw an
@@ -202,8 +202,8 @@
DRM application called "Intel Insider". Like the AMT application, these DRM
applications, which in themselves are defective by design, demonstrate the
omnipotent capabilities of the ME: this hardware and its proprietary firmware
- can access and control everything that is in RAM and even <em>everything that is
- shown on the screen</em>.
+ can access and control everything that is in RAM and even <b><i>everything that is
+ shown on the screen</i></b>.
</p>
<p>
The Intel Management Engine with its proprietary firmware has complete access to
@@ -239,21 +239,21 @@
ROM would reject any modified firmware that isn't signed by Intel. Thus, the ME
firmware is both hopelessly proprietary and "tivoized".
</p>
- <p><strong>
+ <p><b>
In summary, the Intel Management Engine and its applications are a backdoor with
total access to and control over the rest of the PC. The ME is a threat to
freedom, security, and privacy, and the libreboot project strongly recommends
avoiding it entirely. Since recent versions of it can't be removed, this means
avoiding all recent generations of Intel hardware.
- </strong></p>
+ </b></p>
<p>
More information about the Management Engine can be found on various Web sites,
including <a href="http://me.bios.io/Main_Page">me.bios.io</a>, <a
href="http://io.smashthestack.org/me/">the smashthestack network</a>, <a
href="http://www.coreboot.org/Intel_Management_Engine">coreboot wiki</a>, and <a
href="https://en.wikipedia.org/wiki/Intel_Active_Management_Technology">
- Wikipedia</a>. The book <em><a href="https://www.apress.com/9781430265719">
- Platform Embedded Security Technology Revealed</a></em> describes in great
+ Wikipedia</a>. The book <b><i><a href="https://www.apress.com/9781430265719">
+ Platform Embedded Security Technology Revealed</a></i></b> describes in great
detail the ME's hardware architecture and firmware application modules.
</p>
<h3 id="fsp">Firmware Support Package (FSP) <span class="ref">(<a href="#fsp">#fsp</a>)</span></h3>