[Dev] Management Engine, Was: The Theova Question
Denis 'GNUtoo' Carikli
GNUtoo at cyberdimension.org
Tue Nov 26 08:15:47 GMT 2019
On Mon, 25 Nov 2019 08:21:06 -0400
Freemor <freemor at freemor.ca> wrote:
> The IME is a local concern and not a remote one. Someone would have
> to be on your local network segment to Futz with the machine and that
> is only if you are using one of the "blessed" NICs (like the built in
> Ethernet or wifi).
> And as I said above to use it as a backdoor someone has to directly
> access the machine or be on the same network segment (LAN) while you
> are using one of the Blessed NICs
That depends on several things:
- AMT is typically found on computers for business but not on computers
for consumers. The downside of laptops for consumers is that the
display is often glossy, which is not fit for spending too much
hours in front of it. So many people doing work (including free
software work) with computers end up with it.
- AMT enables to remotely administrate a computer with VNC and through
- To work it needs an Internet connection on one of the compatible
interfaces such as:
- The built-in Intel Ethernet interface
- The built-in Intel WiFi card
- A compatible cellular network modem.
So it would be a good idea to check:
- if the computer is a laptop that has already been configured by a
company's sysadmin. That may occur too if the laptop has been bought
- if the laptop has a SIM card and/or a cellular network modem.
> A lot has been made of the IME because of its ring -3 ness But any
> maliciousness is theoretical at best (bugginess has been proven. But
> no one has found code that would do thing all on its own).
Beside the fact that it's designed to remove users control over their
computers, which is enough to be a very serious attack on users
freedom, I think we should rather shift the narrative on things like
that: Weather it does or does not have a backdoor is not very
Instead as part of the free software community, we should require from
the manufacturers and/or software projects like Libreboot or Replicant
that are dealing with things like that some serious proof or indication
that it cannot attack users or does not have any backdoors:
- In the case of Libreboot computers with an Intel GM45 chipset, the
Management engine OS has been completely erased. So while it's not
perfect, as it has a ROM you still have a way bigger assurance than
if there was an OS running in it.
In contrast, Intel cannot give us any proof to us that the Management
Engine OS has no backdoor: We cannot review the source code and run
the version we reviewed.
- All the smartphones and tablets currently supported by Replicant have
either a modem that is isolated, or no modem. Again here it's not
perfect as the bootloader is nonfree on all currently supported
devices, but we get way better assurances as for instance the
microphone is controlled by free software, whereas in some older
smartphones like the HTC Dream, the microphone was controlled by
The Management Engine OS is located on the same flash chip(s) that
stores the BIOS/EFI/UEFI. That flash chip has several partitions,
and the Management Engine OS is on one of its partitions. The
Management Engine has a rom which loads that OS from its flash
With Libreboot on computers with the GM45 chipset, the flash
partition table is configured to tell the Management Engine that
there is no OS to load, and that's sufficient to have a functional
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Dev