
Re: [Libreboot] Blocking Intel ME ?


From: Denis 'GNUtoo' Carikli
Subject: Re: [Libreboot] Blocking Intel ME ?
Date: Sun, 3 Apr 2016 14:15:19 +0200

On Sat, 16 Jan 2016 14:10:00 +0530
Jay Aurabind <address@hidden> wrote:

> Hi,
> 
> I was going through the page at libreboot on Intel Management
> Engine[1].
> 
> Assume that somebody is indeed planning to attack a user through Intel
> ME, and send some information remotely through its separate ethernet
> interface.
> 
> Is it possible to detect the MAC id of the independent ME unit and
> block it in my router so that even if ME is activated I can block all
> communication to the outside world? Any possibilities with arp or
> something like that?
I've already thought of doing that, but in a different way.
Assuming you have a dedicated link (to prevent spoofing), you could
block (or record) all packets from that link and force the host software
to use OpenVPN for instance.

But since the ME has access to the main processor's RAM, and you
have no way of checking what it really does, you cannot really know if
it really blocked everything.

To be really sure you would have to treat a computer with an ME as
totally compromised, and look at:
- Everything that is sent/received
- Information (such as a LUKS password) can also be transmitted in
  "timing". You delay packets, and encode the information in the length
  of that delay. On the other end the information is statistically
  reconstructed.

So this is a nightmare. In the end it's not worth the effort.
Even if you were to treat the RAM as hostile, since the ME is in the
chipset, and now in the same processor, we don't know what other tricks
it could do. The ME is very highly undocumented.

I don't think that spending that huge amount of time in that direction
is something desirable.
Spending potentially less time to avoid that issue altogether would be better.

This can be done by making it possible to have computers that don't
have an ME, or by deactivating it, as is done for GM45 laptops
in libreboot.

Denis.
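The timing channel Denis describes (a bit encoded as one of a few fixed packet delays, recovered statistically at the other end) leaves a measurable fingerprint on the monitored link. The following is an added example, not code from the thread or from libreboot: a small defender-side heuristic that histograms inter-packet gaps and flags a stream whose gaps pile up in two narrow bins. The 5 ms bin width, the 0.9 share threshold and both sample streams are constructed assumptions, not measurements of real ME traffic.

```python
"""Detection heuristic for a delay-encoded (timing) covert channel.

A channel that maps each bit to one of a few fixed inter-packet delays
concentrates the gaps between packets in a few narrow bins, while
ordinary traffic spreads its gaps over many bins. We histogram the gaps
and flag a stream when the two most populated bins hold most of it.
"""
import random
from collections import Counter


def inter_packet_gaps_ms(timestamps_s):
    """Gaps in milliseconds between consecutive packet timestamps (seconds)."""
    return [(b - a) * 1000.0 for a, b in zip(timestamps_s, timestamps_s[1:])]


def top_two_bin_share(gaps_ms, bin_width_ms=5.0):
    """Fraction of gaps that fall into the two most populated fixed-width bins."""
    if not gaps_ms:
        return 0.0
    # Bins are centred on multiples of bin_width_ms, so a little jitter
    # around a fixed delay still lands in a single bin.
    bins = Counter(int((g + bin_width_ms / 2) // bin_width_ms) for g in gaps_ms)
    top = sum(count for _, count in bins.most_common(2))
    return top / len(gaps_ms)


def looks_like_timing_channel(timestamps_s, share_threshold=0.9):
    """True when nearly all gaps sit in two bins (assumed threshold; tune per link)."""
    return top_two_bin_share(inter_packet_gaps_ms(timestamps_s)) >= share_threshold


def constructed_stream(gap_choices_ms, n, jitter_ms, seed):
    """Constructed sample: timestamps whose gaps are drawn from gap_choices_ms plus jitter."""
    rng = random.Random(seed)
    t, out = 0.0, [0.0]
    for _ in range(n):
        t += (rng.choice(gap_choices_ms) + rng.uniform(-jitter_ms, jitter_ms)) / 1000.0
        out.append(t)
    return out


# Constructed inputs (not captured traffic): a two-delay stream of the kind the
# mail describes (20 ms vs 80 ms plus 1 ms jitter) and ordinary jittery traffic
# whose gaps are spread over 5 ms to 300 ms.
COVERT = constructed_stream([20.0, 80.0], n=200, jitter_ms=1.0, seed=1)
NORMAL = constructed_stream(list(range(5, 301)), n=200, jitter_ms=0.5, seed=2)

if __name__ == "__main__":
    for name, stream in (("covert", COVERT), ("normal", NORMAL)):
        share = top_two_bin_share(inter_packet_gaps_ms(stream))
        print(f"{name}: top-two-bin share = {share:.2f}, "
              f"flagged = {looks_like_timing_channel(stream)}")
```

A real deployment would compare the share against a baseline recorded from the same link, since a bursty but honest protocol with a fixed keep-alive interval can also concentrate its gaps.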
