From be9985e1a665cdc5a1182c9e11ab7f1d40d455bd Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Sun, 13 Sep 2015 18:21:04 -0400 Subject: FAQ: use simpler tags for highlighting --- (limited to 'site/faq/index.php') diff --git a/site/faq/index.php b/site/faq/index.php index 4f11c3e..bed4378 100644 --- a/site/faq/index.php +++ b/site/faq/index.php @@ -125,20 +125,20 @@ located in the (G)MCH chip. In Q3 2009, the first generation of Intel Core i3/i5/i7 (Nehalem) CPUs and the 5 Series Chipset family of Platform Controller Hubs, or PCHs, brought a more tightly integrated ME (now at version 6.0) inside - the PCH chip, which itself replaced the ICH. Thus, the ME is present on all - Intel desktop, mobile (laptop), and server systems since mid 2006. + the PCH chip, which itself replaced the ICH. Thus, the ME is present on all + Intel desktop, mobile (laptop), and server systems since mid 2006.

The ME consists of an ARC processor core (replaced with other processor cores in later generations of the ME), code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography - engine, internal ROM and RAM, memory controllers, and a direct memory access - (DMA) engine to access the host operating system's memory as well as to + engine, internal ROM and RAM, memory controllers, and a direct memory access + (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited - internal RAM. The ME also has network access with its own MAC address + internal RAM. The ME also has network access with its own MAC address through an Intel Gigabit Ethernet Controller. Its boot program, stored on the internal ROM, loads a firmware "manifest" from the PC's SPI flash chip. This - manifest is signed with a strong cryptographic key, which differs + manifest is signed with a strong cryptographic key, which differs between versions of the ME firmware. If the manifest isn't signed by a specific Intel key, the boot ROM won't load and execute the firmware and the ME processor core will be halted. @@ -146,12 +146,12 @@

The ME firmware is compressed and consists of modules that are listed in the manifest along with secure cryptographic hashes of their contents. One module - is the operating system kernel, which is based on a proprietary real-time - operating system (RTOS) kernel called "ThreadX". The developer, Express + is the operating system kernel, which is based on a proprietary real-time + operating system (RTOS) kernel called "ThreadX". The developer, Express Logic, sells licenses and source code for ThreadX. Customers such as Intel are forbidden from disclosing or sublicensing the ThreadX source code. Another - module is the Dynamic Application Loader (DAL), which consists of a Java - virtual machine and set of pre-installed Java classes for cryptography, + module is the Dynamic Application Loader (DAL), which consists of a Java + virtual machine and set of pre-installed Java classes for cryptography, secure storage, etc. The DAL module can load and execute additional ME modules from the PC's HDD or SSD. The ME firmware also includes a number of native application modules within its flash memory space, including Intel Active 
@@ -163,12 +163,12 @@ Active Management Technology (AMT) application, part of the Intel "vPro" brand, is a Web server and application code that enables remote users to power on, power off, view information about, and otherwise manage the PC. It can - be used remotely even while the PC is powered off (via Wake-on-Lan). + be used remotely even while the PC is powered off (via Wake-on-Lan). Traffic is encrypted using SSL/TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities. The AMT - application itself has - known vulnerabilities, which have been exploited to develop rootkits + known vulnerabilities, which have been exploited to develop rootkits and keyloggers and covertly gain encrypted access to the management features of a PC. Remember that the ME has full access to the PC's RAM. This means that an attacker exploiting any of these vulnerabilities may gain access to everything @@ -181,7 +181,7 @@ Intel Core i3/i5/i7 (Haswell) CPUs. It allows a PC OEM to generate an asymmetric cryptographic keypair, install the public key in the CPU, and prevent the CPU from executing boot firmware that isn't signed with their private key. - This means that coreboot and libreboot are impossible to port to such + This means that coreboot and libreboot are impossible to port to such PCs, without the OEM's private signing key. Note that systems assembled from separately purchased mainboard and CPU parts are unaffected, since the vendor of the mainboard (on which the boot firmware is stored) can't possibly affect the @@ -189,9 +189,9 @@

ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include - an ME application for audio and video audio and video - DRM called "Protected Audio Video Path" (PAVP). The ME receives from + DRM called "Protected Audio Video Path" (PAVP). The ME receives from the host operating system an encrypted media stream and encrypted key, decrypts the key, and sends the encrypted media decrypted key to the GPU, which then decrypts the media. PAVP is also used by another ME application to draw an @@ -202,8 +202,8 @@ DRM application called "Intel Insider". Like the AMT application, these DRM applications, which in themselves are defective by design, demonstrate the omnipotent capabilities of the ME: this hardware and its proprietary firmware - can access and control everything that is in RAM and even everything that is - shown on the screen. + can access and control everything that is in RAM and even everything that is + shown on the screen.

The Intel Management Engine with its proprietary firmware has complete access to @@ -239,21 +239,21 @@ ROM would reject any modified firmware that isn't signed by Intel. Thus, the ME firmware is both hopelessly proprietary and "tivoized".

-

+

In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can't be removed, this means avoiding all recent generations of Intel hardware. -

+

More information about the Management Engine can be found on various Web sites, including me.bios.io, the smashthestack network, coreboot wiki, and - Wikipedia. The book - Platform Embedded Security Technology Revealed describes in great + Wikipedia. The book + Platform Embedded Security Technology Revealed describes in great detail the ME's hardware architecture and firmware application modules.

Firmware Support Package (FSP) (#fsp)

-- cgit v0.9.1
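Review bot: in the hunk at @@ -163,12 +163,12 @@ the removed line "application itself has" has no matching added line as the patch is shown here, so the sentence would come out as "The AMT known vulnerabilities, which have been exploited to develop rootkits ..." and lose its subject and verb. The header promises 12 lines on each side, but three lines are removed and only two are added. If the tag change merged two source lines into one, please check that the added line still carries "application itself has" ahead of the linked text.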
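Review bot: in the hunk at @@ -189,9 +189,9 @@ the removed line "an ME application for audio and video audio and video" is not replaced by any added line as shown, which would leave "... include DRM called "Protected Audio Video Path" (PAVP)" and does not match the 9/9 line count in the header. The new markup should keep "an ME application for audio and video" exactly once. While this paragraph is being touched, the unchanged line "sends the encrypted media decrypted key to the GPU" looks like it is missing an "and" between "encrypted media" and "decrypted key".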
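Review bot: in the hunk at @@ -181,7 +181,7 @@ the sentence being re-tagged, "impossible to port to such PCs, without the OEM's private signing key", has a stray comma before "without" on the following context line. Since the highlighted sentence is being edited anyway, drop the comma so the condition reads as part of the claim rather than as an aside.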