Verifiable turning of intel me or amd psp?
- Vous devez vous identifier ou créer un compte pour écrire des commentaires
On irc libreboot I read some messages about turning off thinkpad x220's intel meas a second option, if libreboot does not manage to install libreboot on the thinkpad x220 .
Can that be done such that it is verifiable the intel me has no control about the computer?
If intel wanted, they could enable verifiable turning off of the intel me while keeping the intel me software secret, which apparently is important to intel?
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
It is arrogant of intel to persist on having full control about the computer.
It might be possible, but I suspect not.
The issue here is that "turning off" the ME is not yet possible. Indeed, it's doubtful anything but a massive leak/mistake from Intel could let that happen, because the code will only run if they have digitally signed it- the very same technology we rely on for practically unbreakable security turned against us.
What's actually happened is that some hackers in this area have found it can be "neutralized". It's still there- and still running- but most of it is gone, meaning it is severely crippled in its capabilities. That's definitely an achievement to celebrate, and one which gives hope for the previously 'unfreeable' successors of the X200, but not a final success. I'm reasonably certain that means the ME could still be a menace in a number of ways (though the reduced size of the code gives hope).
Regardless, Intel can liberate the ME to some degree. They might not directly be able to remove code signing- as I understand it, that's directly baked into the hardware or ROM- or even release the signing key if it's used for other things, but they can certainly release the source code (and commit to sign any modifications requested). They could also definitely stop baking in code-signing with their confidential key, thus allowing future generations to hack on the firmware.
As for Intel being "arrogant", or placing any value on the ME code, that's not (necessarily) entirely clear. Beyond perhaps any wealth earned through control of AMT, we don't know whether they care in the slightest. Perhaps they even want to liberate their chips, but other parties (business or even spy agencies) are making it hard for them. The point is that, although this is undeniably wrong, we can't accuse the master of being malicious or evil. The injustice is in the existence of such a master.
Thanks.
I likely cannot write anything correct on this matter because the matter is difficult. What I wrote was not thought trough well. https://www.youtube.com/watch?v=rcwngbUrZNg
I came to think if there could be a half way solution. Intel and amd get to keep their secret software on the computer and the computer owner gets an option to verifiable turn of the secret software. But how should that be possible? The secret software would still be on the computer. Secret software you do not know what it can do. Furthermore being non libre software, it would not be able to get fsf's approval?
About arrogance. If you ask intel or amd, they will probably say that the intel me and amd psp are secure. If that is what they believe, it is an arrogant answer, watching what gets public on computer security.
- Vous devez vous identifier ou créer un compte pour écrire des commentaires