Intel Management Engine: Difference between revisions
(73 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
== Uses of the Management Engine == | == Uses of the Management Engine == | ||
The | The Intel Management Engine (abbreviated "ME") is a CPU which: | ||
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases. | |||
* on recent versions: | |||
** initializes the hardware, before the boot firmware(BIOS/EFI/UEFI/Coreboot/etc...). | |||
** DRM | |||
** TPM | |||
** Other applications | |||
== Freedom and security issues == | == Freedom and security issues == | ||
* The code that is running inside the management engine is proprietary and signed | |||
* The | * The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents). | ||
* The ME has access to a lot of things, see "physical capabilities" column below for more details. | |||
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip. | |||
== Versions == | |||
{| class="wikitable" border="1" | |||
! ME firmware version | |||
! Microarchitecture | |||
! Chipset | |||
! AMT versions | |||
! ME firmware versions | |||
! Applications | |||
! Location | |||
! Required modules | |||
! Bit | |||
|- | |||
| N/A (ME predecessor) | |||
| | |||
| ICH7 | |||
| 1.0 | |||
| | |||
| | |||
* AMT | |||
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref> | |||
| rowspan="3" | None | |||
| rowspan="3" | ? | |||
|- | |||
| | |||
| | |||
|Q963<ref name=amt-versions/> | |||
| 2.0 | |||
| | |||
| | |||
* AMT | |||
|- | |||
| | |||
| | |||
|Q965<ref name=amt-versions/> | |||
| 2.0 | |||
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref> | |||
| | |||
* AMT | |||
* No TPM | |||
|- | |||
|- | |||
| | |||
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref> | |||
* 6.1<ref name=Silent-Bob-is-Silent/> | |||
* 6.2<ref name=Silent-Bob-is-Silent/> | |||
| 1st Gen Core:<ref name=Silent-Bob-is-Silent/> | |||
* Nehalem? | |||
* Other? | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| rowspan="6"| | |||
* BUP<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref> | |||
| rowspan="6"| | |||
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref> | |||
|- | |||
| | |||
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref> | |||
| Q57 | |||
| 6.0<ref name=amt-versions/> | |||
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref> | |||
| | |||
|- | |||
| | |||
* 7.0<ref name=Silent-Bob-is-Silent/> | |||
* 7.1<ref name=Silent-Bob-is-Silent/> | |||
| 2nd Gen Core<ref name=Silent-Bob-is-Silent/> | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
* 8.0<ref name=Silent-Bob-is-Silent/> | |||
* 8.1<ref name=Silent-Bob-is-Silent/> | |||
| 3rd Gen Core<ref name=Silent-Bob-is-Silent/> | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
* 9.0<ref name=Silent-Bob-is-Silent/> | |||
* 9.1<ref name=Silent-Bob-is-Silent/> | |||
* 9.5<ref name=Silent-Bob-is-Silent/> | |||
| 4th Gen Core<ref name=Silent-Bob-is-Silent/> | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
* 10.0<ref name=Silent-Bob-is-Silent/> | |||
| 5th Gen Core:<ref name=Silent-Bob-is-Silent/> | |||
* Broadwell | |||
* Other? | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
* 11.x<ref name=me_cleaner-how-does-it-work/> | |||
| Skylake | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| rowspan="3"| | |||
* RBE | |||
* BUP | |||
* KERNEL | |||
* SYSLIB<ref name=me_cleaner-how-does-it-work/> | |||
| | |||
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref> | |||
|- | |||
| | |||
* 11.0<ref name=Silent-Bob-is-Silent/> | |||
| 6th Gen Core<ref name=Silent-Bob-is-Silent/> | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|- | |||
|- | |||
| | |||
* 11.5<ref name=Silent-Bob-is-Silent/> | |||
* 11.6<ref name=Silent-Bob-is-Silent/> | |||
| 7th Gen Core<ref name=Silent-Bob-is-Silent/> | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|} | |||
== Where == | == Where == | ||
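Review bot: In the new Versions table the named reference me_cleaner-HAP-AltMeDisable-bit is defined with its full URL twice, once in the AltMeDisable cell and again in the HAP cell; the second use should be the self-closing form, as is done for me_cleaner-how-does-it-work. The header also carries both "ME firmware version" and "ME firmware versions" as separate columns, which are easy to confuse, so one of them should be renamed. The doubled "|-" separators before the 6.0 row and before the 11.5 row can be reduced to one each.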
Line 24: | Line 177: | ||
| Lenovo T60 | | Lenovo T60 | ||
|- | |- | ||
| [[Board:lenovo/ | | [[Board:lenovo/x200|Lenovo x200]] | ||
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] | | Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules | ||
| rowspan=" | | rowspan="1" | GM45/GS45 | ||
| rowspan=" | | rowspan="15" | | ||
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | ||
* Has access to the computer's memory/RAM | * Has access to the computer's memory/RAM | ||
* Controls the computer's original networking adapters | * Controls the computer's original networking adapters | ||
| rowspan="1" | | |||
* Signed firmware | |||
* The ME can be disabled (no Fimrware is run by it). | |||
|- | |||
| [[Board:lenovo/x201|Lenovo x201]] | |||
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules | |||
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem] | |||
| rowspan="2" | | | rowspan="2" | | ||
* Signed firmware | * Signed firmware | ||
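Review bot: The added x200 restriction "The ME can be disabled (no Fimrware is run by it)." misspells "firmware", and the new Firmware cells for the x200 and x201 write "Me firmware" where the rest of the page writes "ME". Both should be corrected before this revision is kept, since the same cell text is repeated for the t520, t530 and x230 rows.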
Line 36: | Line 196: | ||
|- | |- | ||
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]] | | [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]] | ||
| | | ? | ||
|- | |- | ||
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]] | | [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]] | ||
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin] | | [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin] | ||
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge] | | rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge] | ||
| rowspan="3" | | | rowspan="3" | | ||
* Signed firmware | * Signed firmware | ||
Line 52: | Line 208: | ||
|- | |- | ||
| [[Board:lenovo/t520| Lenovo t520]] | | [[Board:lenovo/t520| Lenovo t520]] | ||
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] | | Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules | ||
|- | |- | ||
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]] | | [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]] | ||
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin] | | [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin] | ||
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge] | | rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge] | ||
| rowspan="7" | | | rowspan="7" | | ||
* Signed firmware | * Signed firmware | ||
Line 74: | Line 226: | ||
|- | |- | ||
| [[Board:lenovo/t530| Lenovo t530]] | | [[Board:lenovo/t530| Lenovo t530]] | ||
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] | | Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules | ||
|- | |- | ||
| [[Board:lenovo/x230| Lenovo x230]] | | [[Board:lenovo/x230| Lenovo x230]] | ||
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] | | Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules | ||
|- | |- | ||
| [[Board:kontron/ktqm77| Kotron KTQM77/mITX]] | | [[Board:kontron/ktqm77| Kotron KTQM77/mITX]] | ||
| | | ? | ||
|- | |- | ||
| [[Board:google/peppy|Google/Acer C720 Chromebook]] | | [[Board:google/peppy|Google/Acer C720 Chromebook]] | ||
| ? | | ? | ||
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell] | | rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell] | ||
| rowspan="2" | | | rowspan="2" | | ||
* Signed firmware | * Signed firmware | ||
Line 100: | Line 248: | ||
Replacing the ME firmware is not that easy because: | Replacing the ME firmware is not that easy because: | ||
* The ME bootrom checks the firmware signature. | * The ME bootrom checks the firmware signature. | ||
* On recent chipset its RAM | * On recent chipset its RAM region is locked while it is allocated. | ||
* Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable. | * Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable. | ||
So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day. | So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day. | ||
However coreboot also support other systems than the ones with recent intel CPU/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|List of supported mainboard]] list some of them. | |||
* Some of theses don't have a management engine. | |||
* Some ships without it enabled(that means that the hardware is not used). | |||
* Some ships with it enabled, but it can be disabled not to use it at all, like on the [[Board:lenovo/x200|Lenovo x200]]. | |||
== Neutralizing the ME == | |||
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER). | |||
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here]. | |||
== Using a smaller version of the Intel ME == | |||
Most PCs ship a 5MiB version of ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search on the web for BIOS updates of different vendors with the '''same chipset''' and extract the ME using available tools. Once you found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for ME. | |||
== See also == | == See also == | ||
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT] | |||
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions] | |||
* http://me.bios.io/ME:About | * http://me.bios.io/ME:About | ||
* http://me.bios.io/ME | * http://me.bios.io/ME | ||
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky Paper very good and detailed presentation about ME] | * [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky Paper very good and detailed presentation about ME] | ||
* [http://io. | * [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)] | ||
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode] | |||
* [http://flashrom.org/ME The respective flashrom page] | |||
== References == | == References == |
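Review bot: The new "Using a smaller version of the Intel ME" paragraph requires that the 2MiB image "matches the chipset you are running on" but gives the reader no way to confirm the match, and "extract the ME using available tools" names no tool; the paragraph should name the tool and the check it expects. In "Neutralizing the ME" both external links use "here" as their link text, so a reader cannot tell the me_cleaner repository from the internal-flashing wiki page without following them; descriptive link text would fix that.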
Latest revision as of 16:00, 12 January 2018
Uses of the Management Engine
The Intel Management Engine (abbreviated "ME") is a CPU which:
- permits out of band management of the computer. See the Wikipedia AMT article for example use cases.
- on recent versions:
  - initializes the hardware, before the boot firmware (BIOS/EFI/UEFI/Coreboot/etc.).
  - DRM
  - TPM
  - Other applications
Freedom and security issues
- The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).
- The ME has access to a lot of things; see the "physical capabilities" column below for more details.
- In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc.), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.
Versions
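ME firmware version | Microarchitecture | Chipset | AMT versions | ME firmware versions | Applications | Location | Required modules | Bit |
---|---|---|---|---|---|---|---|---|
N/A (ME predecessor) | | ICH7 | 1.0 | | AMT | 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref> | None | ? |
 | | Q963<ref name=amt-versions/> | 2.0 | | AMT | | None | ? |
 | | Q965<ref name=amt-versions/> | 2.0 | 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref> | AMT, no TPM | | None | ? |
6.0, 6.1, 6.2<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref> | 1st Gen Core<ref name=Silent-Bob-is-Silent/>: Nehalem? Other? | | | | | | BUP<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref> | AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref> |
 | Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref> | Q57 | 6.0<ref name=amt-versions/> | 6.0, 6.1<ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref> | | | BUP | AltMeDisable |
7.0, 7.1<ref name=Silent-Bob-is-Silent/> | 2nd Gen Core<ref name=Silent-Bob-is-Silent/> | | | | | | BUP | AltMeDisable |
8.0, 8.1<ref name=Silent-Bob-is-Silent/> | 3rd Gen Core<ref name=Silent-Bob-is-Silent/> | | | | | | BUP | AltMeDisable |
9.0, 9.1, 9.5<ref name=Silent-Bob-is-Silent/> | 4th Gen Core<ref name=Silent-Bob-is-Silent/> | | | | | | BUP | AltMeDisable |
10.0<ref name=Silent-Bob-is-Silent/> | 5th Gen Core<ref name=Silent-Bob-is-Silent/>: Broadwell, Other? | | | | | | BUP | AltMeDisable |
11.x<ref name=me_cleaner-how-does-it-work/> | Skylake | | | | | | RBE, BUP, KERNEL, SYSLIB<ref name=me_cleaner-how-does-it-work/> | HAP<ref name=me_cleaner-HAP-AltMeDisable-bit/> |
11.0<ref name=Silent-Bob-is-Silent/> | 6th Gen Core<ref name=Silent-Bob-is-Silent/> | | | | | | RBE, BUP, KERNEL, SYSLIB | |
11.5, 11.6<ref name=Silent-Bob-is-Silent/> | 7th Gen Core<ref name=Silent-Bob-is-Silent/> | | | | | | RBE, BUP, KERNEL, SYSLIB | |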
Where
Board | Firmware | Microarchitecture | ME location and physical capabilities | ME restrictions |
---|---|---|---|---|
Lenovo X60/X60s/X60T | None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like AMT 1.0), but the hardware is not configured to do so on that machine, so no firmware is loaded. See Intel_82573_Ethernet_controller for more details.</ref> | I945 + ICH7 |
|
|
Lenovo T60 | ||||
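Lenovo x200 | ME firmware with AMT and other modules | GM45/GS45 | The ME is inside the PCH, it: has access to the computer's memory/RAM; controls the computer's original networking adapters | Signed firmware; the ME can be disabled (no firmware is run by it) |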
Lenovo x201 | ME firmware with AMT and other modules | Nehalem |
| |
Packard Bell EasyNote LM85 (MS2290) | ? | |||
Samsung Series 5 550 Chromebook | me.bin | Sandy Bridge |
| |
Samsung Series 3 Chromebox | me.bin | |||
Lenovo t520 | ME firmware with AMT and other modules | |||
Google/HP Pavilion Chromebook 14 | me.bin | Ivy Bridge |
| |
Google Chromebook Pixel | me.bin | |||
Google/Acer C7 Chromebook | me.bin | |||
Google/Lenovo Thinkpad X131e Chromebook | me.bin | |||
Lenovo t530 | ME firmware with AMT and other modules | |||
Lenovo x230 | ME firmware with AMT and other modules | |||
Kontron KTQM77/mITX | ? | |||
Google/Acer C720 Chromebook | ? | Haswell |
| |
Google/HP Chromebook 14 | ? |
Why there is no replacement for it yet
Replacing the ME firmware is not that easy because:
- The ME bootrom checks the firmware signature.
- On recent chipsets, its RAM region is locked while it is allocated.
- Power glitching (by the EC) while the ME is checking its firmware is probably not practical.
So even though some people have partially documented some of the ME firmware format, there is very little probability of there being a free software replacement for it one day.
However, coreboot also supports systems other than the ones with recent Intel CPUs/chipsets. The list of supported mainboards lists some of them.
- Some of these don't have a management engine.
- Some ship without it enabled (that means that the hardware is not used).
- Some ship with it enabled, but it can be disabled so that it is not used at all, like on the Lenovo x200.
Neutralizing the ME
A collaborative effort to neutralize the ME has found some success; see me_cleaner (https://github.com/corna/me_cleaner). This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).
This can free up most of the space used by the ME, allowing you to use a larger CBFS. See https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me.
Using a smaller version of the Intel ME
Most PCs ship a 5MiB version of ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors with the same chipset and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for the ME.
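To check what the flash descriptor actually allots to the ME before and after such a change, the region table can be read directly from the image. The following is an added example, not code from this page or from coreboot; it assumes the usual descriptor layout (signature 0x0FF0A55A, FRBA in FLMAP0 bits 23:16, 4 KiB-granular base and limit in each FLREG), and the 8 MiB sample descriptors and all function names are constructed for illustration.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A            # Intel flash descriptor magic
REGION_NAMES = ["descriptor", "bios", "me", "gbe", "platform_data"]
MIB = 1 << 20

def parse_ifd_regions(image: bytes) -> dict:
    """Return {region: (base, limit)} read from an Intel flash descriptor."""
    # The magic sits at offset 0x10 on most chipsets and at 0 on the oldest ones.
    for sig_off in (0x10, 0x00):
        if len(image) >= sig_off + 8 and \
           struct.unpack_from("<I", image, sig_off)[0] == IFD_SIGNATURE:
            break
    else:
        raise ValueError("no Intel flash descriptor signature found")
    flmap0 = struct.unpack_from("<I", image, sig_off + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4           # start of the FLREG table
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                         # base > limit marks an unused region
            regions[name] = (base, limit)
    return regions

def region_size(regions: dict, name: str) -> int:
    base, limit = regions[name]
    return limit - base + 1

def layout_problems(regions: dict, flash_size: int) -> list:
    """Report overlapping regions and regions that run past the end of the flash."""
    problems, spans = [], sorted((b, l, n) for n, (b, l) in regions.items())
    for (b1, l1, n1), (b2, _, n2) in zip(spans, spans[1:]):
        if b2 <= l1:
            problems.append(f"{n1} overlaps {n2}")
    problems += [f"{n} exceeds flash" for _, l, n in spans if l >= flash_size]
    return problems

def _flreg(base: int, limit: int) -> int:
    return ((limit >> 12) << 16) | (base >> 12)

def build_sample_descriptor(me_size: int, flash_size: int = 8 * MIB) -> bytes:
    """Constructed 4 KiB descriptor: descriptor, then ME, then BIOS up to flash end."""
    desc = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<II", desc, 0x10, IFD_SIGNATURE, 0x04 << 16)   # FRBA = 0x40
    bios_base = 0x1000 + me_size
    regs = [_flreg(0, 0xFFF), _flreg(bios_base, flash_size - 1),
            _flreg(0x1000, bios_base - 1), 0x00007FFF, 0x00007FFF]   # last two unused
    struct.pack_into("<5I", desc, 0x40, *regs)
    return bytes(desc)

if __name__ == "__main__":
    for me_size in (5 * MIB, 2 * MIB):
        r = parse_ifd_regions(build_sample_descriptor(me_size))
        print(f"ME {region_size(r, 'me') // MIB} MiB, BIOS {region_size(r, 'bios')} bytes,",
              layout_problems(r, 8 * MIB) or "layout ok")
```

Running `layout_problems` on the edited descriptor catches the common mistake of growing the BIOS region without shrinking the ME region to match.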
See also
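- The Wikipedia article on the Intel AMT: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
- The Wikipedia article on the Intel AMT versions: https://en.wikipedia.org/wiki/Intel_AMT_versions
- http://me.bios.io/ME:About
- http://me.bios.io/ME
- Igor Skochinsky's paper, a very good and detailed presentation about the ME: https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf
- Decompress ME v6.x through ME v10 (prior to Skylake): http://io.netgarage.org/me/
- Disabling Intel ME 11 via undocumented mode: http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
- The respective flashrom page: http://flashrom.org/ME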
References
<references/>