
Thread: [News] Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback

  1. #1
    Join XS BOINC Team StyM's Avatar
    Join Date
    Mar 2006
    Location
    Tropics
    Posts
    9,468

    [News] Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback

    https://www.techpowerup.com/239677/i...bling-rollback

    It's been an interesting month for users as we've discovered that the most widely-used OS in the world could be one most of us had never even heard anything about before. Intel's Management Engine, a full-fledged computer inside Intel CPUs, runs on MINIX, and after it was outed that Intel's CPUs ran on it, multiple issues have been found with the approach, which has moved Intel towards outing a detection tool.

    Intel is seemingly poising to move towards a full hardware lock of the Management Engine's capabilities, thus ensuring it can't be disabled. And even if Intel does send out firmware fixes for its already deployed CPUs with ME integration, the fact remains that the memory pool where the firmware is written is, well, re-writable - given enough access, miscreants could simply re-flash the ME to an earlier, vulnerable version, and thus acquire God Mode access to a victim's computer. To tackle both issues, Intel is moving towards a hardware lock of their ME.

  2. #2
    Xtreme Addict
    Join Date
    Dec 2004
    Location
    Flying through Space, with armoire, Armoire of INVINCIBILATAAAAY!
    Posts
    1,939
    GPUs have something similar. Vega, for example, has about a dozen microcontrollers inside it that control all sorts of things - clocks/power, voltage regulation, I/O, bus scheduling, etc. None of these are visible to the OS, of course. Probably, the biggest problem with Intel's ME is that it can actually affect the host OS, by using the same memory. This was probably an intentional design choice, though. Lots of reasons why you might want a back door into what the CPU is doing - whereas for a GPU? You don't really care.
    Sigs are obnoxious.

  3. #3
    I am Xtreme zanzabar's Avatar
    Join Date
    Jul 2007
    Location
    SF bay area, CA
    Posts
    15,871
    Quote: Originally posted by iddqd
    GPUs have something similar. Vega, for example, has about a dozen microcontrollers inside it that control all sorts of things - clocks/power, voltage regulation, I/O, bus scheduling, etc. None of these are visible to the OS, of course. Probably, the biggest problem with Intel's ME is that it can actually affect the host OS, by using the same memory. This was probably an intentional design choice, though. Lots of reasons why you might want a back door into what the CPU is doing - whereas for a GPU? You don't really care.

    ME was intended to be able to modify the host OS. The point was to replace the software part of the Q chipsets and RAID controller management with hardware that would work even with a UEFI boot. The big problem was it being turned on by default for all chipsets, and being able to access a physical NIC on consumer products.
    5930k, R5E, samsung 8GBx4 d-die, vega 56, wd gold 8TB, wd 4TB red, 2TB raid1 wd blue 5400
    samsung 840 evo 500GB, HP EX 1TB NVME , CM690II, swiftech h220, corsair 750hxi
