System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com) 149
System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
If it works (Score:1)
I'm glad that they are doing this, BUT, from what I know about the IME, it is extremely complicated and disabling it is not simple or straight forward -- otherwise someone would have done it a long time ago.
Re: (Score:3, Interesting)
I want to belieeeeeve!!! Save us system76 you're our only hope!!
Re:If it works (Score:5, Informative)
There was new-ish news about this from the summer. A few privacy-minded places are starting to shut the ME down in various ways, some by spoofing the flag the government uses to disable it on its own systems, others in other ways.
Re: (Score:3, Informative)
It gets worse. Some of them are probably still using Thinkpads, even though they're made by Lenovo. Now you'll say "No worries, if they re-image them they can avoid any spyware Lenovo put in there at the behest of the Chinese government".
Uh yeah, that won't help. Lenovo uses the WIndows Platform Binary feature to reinstall it. Basically you put an executable file into one of the ACPI tables. Windows copies it to disk and then runs it. With Administrator access. Probably more than Administrator access actual
Re: (Score:1)
Re: (Score:1)
You could probably infect a Linux or Android installation from the firmware if you wanted to. All you need to be able to do is to write one executable file into the filesystem and get the OS to run it each boot.
The basic problem is that you trust the people who write the firmware. And if the people who write the firmware can always be forced to install spyware if the government of the jurisdiction their company operates in tells them forcefully.
In the US a US company can be sent a National Security Letter.
Re: (Score:1)
And even though conventional wisdom says malware only targets WIndows because that's where the volume is, that doesn't apply in this case.
The problem with windows is that it makes this type of attack trivial once the basics are worked out. I'm pretty sure last I checked that Linux is a much more heterogenous system even within the kernel itself, and that no bets can be made with any one piece of information about the installed OS to own it whereas with Windows - hey, write a small DLL here, inject into System32.DLL there and insert into the registry file under the run once key - takeover complete, and you have 80-90% of the desktops in the wo
Re: If it works (Score:1)
Huh... If it's through the ACPI table, can't we bypass it similar to how the Daz Loader piracy tool works: run a "loader" binary before passing control to the usual Windows bootloader. The loader modifies the tables in memory to add or remove entries as needed, and the OS is none the wiser.
Re: (Score:2)
The problem was understanding what IME does as it is a encrypted black box piece of hunk.
But things are made quite a lot easier with the literal NSA bit that disables everything but the bare essentials to operate the machine.
Re:LOL! Not really (downmod me? I repost)... apk (Score:5, Interesting)
Your downmodded posts aren't hidden. They are correctly categorized as garbage. Some people will browse and see the 0 and -1 garbage, usually other mods or brave people with too much free time.
Reasons that APK deserves frequent downmoding:
1. lacks an account and always posts as AC
2. makes duplicate posts
3. admits to trying to avoid moderation
4. frequently posts off topic advertisements for his [free] products and services.
5. talks like a git. really his English phrasing is bizarre.
Re: (Score:1)
lacks an account and always posts as AC
So fucking what? This site allows anonymous posting. That is not a reason to downmod anything. Anonymous comments already start at 0. Just because you think everything online has to be tied to an account doesn't make it so.
Re: (Score:2)
So fucking what? This site allows anonymous posting. That is not a reason to downmod anything. Anonymous comments already start at 0. Just because you think everything online has to be tied to an account doesn't make it so.
Sure, it's fine to post as AC. It's an integral part of this site. But mods are going to down mod ACs if they post horseshit. And in APK's case, he's not really anonymous. He's signed everything and chooses not to post under an account in an attempt to manipulate the comment system. He's done this for years with limited success.
PS - I've not spent a single mod point on this thread (obviously I cannot). This account is old enough that if I had multiple accounts I would more likely have the mod points on this
Re: (Score:1)
Re: (Score:2)
It's OK. I knew he'd bring out personal attacks when I responded to him with my account. Usually people reply AC to him and he ignores them after a while. He'll be fuming for a day or two before he finds something new to do. I've dealt with him before, and I've dealt with others on /. that were worse with boundaries than APK, to the point of filing police reports. At least APK usually only tries to discredit or embarrass me.
Re: (Score:2)
The GP was unkind to you. I don't think you deserve to be censored. You provide a very good service. Personally I enjoy a good APK post with a side of LSD. The resulting colours in the sentence structure are amazing.
Re: (Score:2, Insightful)
A trainwreak - for /.ers viewing pleasure (Score:2)
Guess what else I found? You EVEN complimented me on hosts being effective for you in your post history stopping ads in videostreams (I could've told you that - I never see YouTube ads, or rarely until I block the server serving them up, easy to find) - but NOW you give ME SHIT?
You don't seem to understand that one thing has nothing to do with the other. I can appreciate your persistence and technical abilities, while finding your posts inscrutable and bizarre.
You seem upset, but I gave you a very fair enumeration of why people tend to down mod your posts. I'm not orchestrating some down mod conspiracy against you, but I did draw a reasonably accurate picture of how mods independently come to the same conclusion.
If you want to take my old resume and do something with it. I'll let
Re: (Score:2)
OrangeTide you called me names 1st offtopic:
You've called me names and bullied me for YEARS. Also read carefully, I did not call you a git.
5. talks like a git. really his English phrasing is bizarre.
No Intel AMT/ME on my ARM, so it's not really a problem that I've looked into. Given my networking background and multi-system household I probably would have attacked the problem using routing tables rather than hosts file, certainly disadvantages to routing tables but easily centralized and it's what I am familiar with.
Good on you for finding a solution that anyone can make use of and for sharing it. But that do
Re:I will only buy non-Intel chips now (Score:5, Interesting)
At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.
Re: (Score:2, Interesting)
Re: (Score:2)
Err no it's not.
I was quite surprised (and saddened) to discover that Win10 has been the most popular Windows OS in Western nations for several months now, including America [statcounter.com] and Europe [statcounter.com],overtaking Win7 around the beginning of 2017.
And sadly, Win10 is now only 2% behind Win7 [statcounter.com] as being the most popular Windows OS in the World.
If people are sheep-enough to let Google use them with Android / Chrome, then it makes sense why Microsoft following their spying strategy will also succeed.
People simply don't know / don'
Re: (Score:2)
Re: I will only buy non-Intel chips now (Score:5, Informative)
Too late, amd has psp.
Yawn (Score:1)
Wake me when they start shipping laptops with it physically removed or burned out.
Re: (Score:2, Interesting)
Re: (Score:2)
Oh, admit it, you're thinking of drilling some holes in a few motherboards as a test, too.
Re: (Score:2)
Re: (Score:2)
Technically what you found was a mirror.
Sounds like the right way to go (Score:2)
/ Yeah, I said 5 years. This thing is 3-4 years old
Having worked at Intel... (Score:5, Insightful)
most servers boards have ipmi with own nic (Score:2)
most servers boards have ipmi with own nic most boards have a setting for combined or own. If intel wants to kill ipmi and go to IME they will need have so it can be put on it's own nic.
Re: (Score:2)
They'll just embed the NIC controller in the CPU alongside the memory controller and the VGA garbage.
Re: (Score:2)
Isn't IME on desktops and laptops for when they're used in corporate environments? Remote provisioning, updates, etc.
It lets, for example, computers be removed from the network until OS patches have been applied.
Re: (Score:1)
Yes, it's ridiculously useful OOB management, like having a KVM built right in. While I think there should be a simple and transparent way to completely and verifiably disable it, having used it for many years, I can't agree with the many reactionary Slashdot commenters that it serves no purpose other than a convenient NSA back door. If it were to go away tomorrow, a lot of businesses would be severely impacted.
It should be opt-in, not opt-out (Score:5, Insightful)
...I can't agree with the many reactionary Slashdot commenters...
...there should be a simple and transparent way to completely and verifiably disable it, ...
I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are in arms over this. They are not over-reacting.
So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).
Re: (Score:2)
You can't even disable it. There is a disable flag you can set, but the ME is still used to bring the CPU up from cold and then you have to trust that the flag does what it claims to do. You can try to sabotage the ME by deleting all the firmware modules except the early boot stuff, but then you are still vulnerable to any flaws in that boot code.
This is a general problem with CPUs. Most modern ones run microcode which is updated by the BIOS and comes as a binary blob. They all have hidden code, hidden feat
Re: (Score:2)
You can't even disable it. There is a disable flag you can set, but the ME is still used to bring the CPU up from cold and then you have to trust that the flag does what it claims to do. You can try to sabotage the ME by deleting all the firmware modules except the early boot stuff, but then you are still vulnerable to any flaws in that boot code.
Just as one is vulnerable to flaws in the transistor layout.
This is a general problem with CPUs. Most modern ones run microcode which is updated by the BIOS and comes as a binary blob. They all have hidden code, hidden features for testing and debugging, hidden op-codes.
X86 have to use microcode but most other do not.
Microcode in itself isn't a problem. The reason is simple: if you don't trust the designer/manufacturer of your processor then not having microcode doesn't make any difference. If you do then signed microcode updates isn't a problem.
Open source microcode updates would only lead to problems as they are part of the microprocessor design, the code is targeting a design that can vary even within a family
Re: (Score:2)
Microcode in itself isn't a problem. The reason is simple: if you don't trust the designer/manufacturer of your processor then not having microcode doesn't make any difference. If you do then signed microcode updates isn't a problem.
It is a problem, because unfixed microcode can change the behaviour of the CPU. Even if you do trust it, you can't be sure that it can't be backdoored by someone else. Signed updates help but are not bulletproof.
RISC V?
Maybe one day. For now the price/performance isn't there.
Re: (Score:2)
but I see no good reason for including this in laptops.
Is that because you think the only equipment which needs managing is servers? Hell as someone who has a mother with a computer I'm personally hoping they'll introduce a HCF instruction that can be triggered remotely.
Ok facetiousness aside, IME is a "feature" based product which is why they charge extra for chips that have more IME functionality. Management of remote machines is customer driven. It's the same justification for things like bitlocker to be included in Microsoft's OS. These companies look to se
Re:Having worked at Intel... (Score:5, Interesting)
No, it was brought into the main chips because servers have stuff like IPMI and ILO for remote management, but employee PCs do not. And the same reason servers can be remotely managed can be applied to employee PCs and laptops. The only difference is servers are usually concentrated in a few areas, so it's much easier for 10,000 servers to be locally managed than 10,000 PCs, making the case for remote management of PCs even more critical.
You can do bare metal bringups - perhaps the employee got to their desk and their PC is dead - it won't load the OS and there's lots of error messages. IT's effectively ILO or IPMI for consumer grade machines.
Of course, you can't "disable" IME - you can neuter it. The firmware that controls power and boot and startup and all that must still run in order for the main CPU to be brought up, so you need IME to do that part. Neutering basically disables all the remore management while leaving the power management code still active.
Re: (Score:2)
Unfortunately, the homebuilt Asus sabertooth system I assembled uses Intel ME due to Raid I need for running Hyper-V and VMWare Workstation Vms.
I use Intel RST for storage which uses the IME for my fakeRaid. I am hooked on it so to speak. Also Wake on LAN and certain UEFI functions that need to work when you disable BIOS emulation( CSM ) for fast booting need that horrible Intel ME/Minix to run properly.
So even on PC's some of it's functionality is used. AMD has zonetrust. My hunch is maybe something in the
Not really your laptop (Score:1)
if you can't control what's in it.
Minix more popular on laptops than Linux (Score:5, Interesting)
(The management engine runs custom version of Minix)
Re: (Score:2)
Please write Minix 3 as it isn't the same as previous versions, designed for different goals and with different design features.
Have seen many supposedly technical people being confused already, thinking that the ME runs what Linus Torvalds once used before making Linux.
Re: (Score:1)
Re: (Score:2)
Good job (Score:1)
System76 seems to be one of very, very few American manufacturers that can be trusted. But one issue still remains - have they received any NSA court orders, compelling them to subvert the systems they sell?
EZ way to cripple Intel AMT/ME (Score:2, Interesting)
Stop it's ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this
Comment removed (Score:3)
Re: (Score:3)
The only real add they have is a small crack driver support team and a little customization before shipping it to you.
That said, it's guaranteed to work with the hardware, and I've had several s76 laptops both personally and purchased on my behalf at the workplace. Not really sure how I feel about them, but I do like their mobile workstations (a 'special' kind of laptop).
Inadequate fix (Score:2, Informative)
Intel CPUs still run a blob at initialization called the FSP. This is sometimes entangled with the ME, but is separate and is not getting disabled. The blob is usually writable for updates and must run before any user-supplied code, so it's an ideal spot to put persistent malware to evade verified boot anti-persistence schemes. The AMD equivalent is called the PSP [twitter.com].
How will this affect HDCP? (Score:3)
Re: (Score:1)
Tuxedo did it months ago... (Score:2)
When we migrated from macs to linux laptops one year ago, I first considered buying System76 machines. I quickly understood they'd never offer the non-US keyboard in use here (I went up to asking them if a separate procurement would be feasible... no)
Then I discovered, much closer to my home, the German guys from Tuxedo. Smaller company, not the same surface on internet. But brilliant products. And localized keyboards.
Well, when the Intel-mgt-bug was discussed (first on LWN, months and months ago) I contact
Re: (Score:1)
Second time I've seen this post, and I want to believe it's accurate and complete. Can any 3rd party verify this information in any way with a citation?
Re: (Score:2)
It's APK, and I don't trust APK at all due to the spamming.
Trust my technique being upmodded then... apk (Score:1)
See subject & https://it.slashdot.org/comments.pl?sid=11050927&cid=55109115/ [slashdot.org] & spam? See https://slashdot.org/comments.pl?sid=11424811&cid=55655675/ [slashdot.org] , https://slashdot.org/comments.pl?sid=11424811&cid=55655691/ [slashdot.org] & https://slashdot.org/comments.pl?sid=11424811&cid=55655719/ [slashdot.org] where our /. peers shut you down speaking FOR me against your bs outnumbering you by MANY orders of magnitude as they both LIKE & USE my work - not yours - you're not capable of being useful, troll.
* Period!
Re: (Score:2)
Hate to defend an illegible spammer like APK, but he appears to be right in blocking certain ports used by Intel AMT [intel.com].
Re: (Score:1)
Yea, the monitoring time is the real question I have here. Weeks... eh, slight confidence boost. Months... better. YEARS (multiple) and maybe we have reasonable confidence there isn't some timeout that waits before trying other outbound ports.
Re: (Score:2)
Are clandestine services staging servers pushing very direct requests over 16992-16995 to an ip that get detected time to time?
Huge malware scans up and down ip ranges in a random attempt to find the hardware that responds as cover? Ty.
Re: (Score:2)