[Dev] Management Engine, Was: The Theova Question
Denis 'GNUtoo' Carikli
GNUtoo at cyberdimension.org
Tue Nov 26 08:15:47 GMT 2019
On Mon, 25 Nov 2019 08:21:06 -0400
Freemor <freemor at freemor.ca> wrote:
> The IME is a local concern and not a remote one. Someone would have
> to be on your local network segment to Futz with the machine and that
> is only if you are using one of the "blessed" NICs (like the built in
> Ethernet or wifi).
[...]
> And as I said above to use it as a backdoor someone has to directly
> access the machine or be on the same network segment (LAN) while you
> are using one of the Blessed NICs
That depends on several things:
- AMT is typically found on computers for business but not on computers
  for consumers. The downside of laptops for consumers is that the
  display is often glossy, which is not fit for spending too many
  hours in front of it[1]. So many people doing work (including free
  software work) with computers end up with it.
- AMT makes it possible to remotely administer a computer with VNC and
  through the Internet[2].
- To work it needs an Internet connection on one of the compatible
  interfaces such as:
  - The built-in Intel Ethernet interface
  - The built-in Intel WiFi card
  - A compatible cellular network modem[2].
So it would be a good idea to check:
- if the computer is a laptop that has already been configured by a
  company's sysadmin. That may occur too if the laptop has been bought
  second hand.
- if the laptop has a SIM card and/or a cellular network modem.
> A lot has been made of the IME because of its ring -3 ness But any
> maliciousness is theoretical at best (bugginess has been proven. But
> no one has found code that would do thing all on its own).
Besides the fact that it's designed to remove users' control over their
computers, which is enough to be a very serious attack on users'
freedom, I think we should rather shift the narrative on things like
that: Whether it does or does not have a backdoor is not very
irrelevant.
Instead as part of the free software community, we should require from
the manufacturers and/or software projects like Libreboot or Replicant
that are dealing with things like that some serious proof or indication
that it cannot attack users or does not have any backdoors:
- In the case of Libreboot computers with an Intel GM45 chipset, the
  Management engine OS has been completely erased[3]. So while it's not
  perfect, as it has a ROM[3] you still have a way bigger assurance than
  if there was an OS running in it.
  In contrast, Intel cannot give us any proof that the Management
  Engine OS has no backdoor: We cannot review the source code and run
  the version we reviewed.
- All the smartphones and tablets currently supported by Replicant have
  either a modem that is isolated, or no modem. Again here it's not
  perfect as the bootloader is nonfree on all currently supported
  devices, but we get way better assurances as for instance the
  microphone is controlled by free software, whereas in some older
  smartphones like the HTC Dream, the microphone was controlled by
  nonfree software.
References:
-----------
[1] https://en.wikipedia.org/wiki/Glossy_display#Adverse_health_effects
[2] https://www.intel.com/content/dam/doc/white-paper/digital-signage-vpro-amt-3g-paper.pdf
[3] The Management Engine OS is located on the same flash chip(s) that
    stores the BIOS/EFI/UEFI. That flash chip has several partitions,
    and the Management Engine OS is on one of its partitions. The
    Management Engine has a ROM which loads that OS from its flash
    partition.
    With Libreboot on computers with the GM45 chipset, the flash
    partition table is configured to tell the Management Engine that
    there is no OS to load, and that's sufficient to have a functional
    computer.
Denis.
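
Footnote [3] above describes a flash partition table that tells the Management Engine whether there is an OS to load. The following is an added example, not part of the original message and not Libreboot's code: it reads the region table of a flash dump and reports whether an ME region is declared. It assumes the Intel flash descriptor layout as parsed by tools such as ifdtool (signature 0x0FF0A55A, FLMAP0, FLREG entries) and that "no OS" shows up as an ME region whose base is above its limit; build_sample and every value in it are constructed.

```python
import struct

SIGNATURE = struct.pack("<I", 0x0FF0A55A)   # flash descriptor signature
REGIONS = ["descriptor", "bios", "me", "gbe", "platform"]

def parse_regions(image: bytes) -> dict:
    """Return {name: (start, end) or None} from the descriptor region table."""
    sig = image.find(SIGNATURE, 0, 0x1000)   # offset 0 or 0x10 depending on chipset
    if sig < 0:
        raise ValueError("no flash descriptor signature in first 4 KiB")
    (flmap0,) = struct.unpack_from("<I", image, sig + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # region table base address
    if frba + 4 * len(REGIONS) > len(image):
        raise ValueError("region table lies outside the image")
    regions = {}
    for i, name in enumerate(REGIONS):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12                    # 4 KiB units
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        # A region whose base lies above its limit is marked unused.
        regions[name] = (base, limit) if base <= limit else None
    return regions

def build_sample(me_flreg: int, sig_offset: int = 0) -> bytes:
    """Constructed 8 KiB image; only the fields read above are filled in."""
    img = bytearray(b"\xff" * 0x2000)
    img[sig_offset:sig_offset + 4] = SIGNATURE
    struct.pack_into("<I", img, sig_offset + 4, 0x04 << 16)   # FRBA = 0x40
    flregs = [0x00000000, 0x07FF0003, me_flreg, 0x00001FFF, 0x00001FFF]
    struct.pack_into("<5I", img, 0x40, *flregs)
    return bytes(img)

if __name__ == "__main__":
    for label, flreg in [("ME region present", 0x00020001),
                         ("ME region unused", 0x00001FFF)]:
        me = parse_regions(build_sample(flreg))["me"]
        state = "none declared" if me is None else f"{me[0]:#x}-{me[1]:#x}"
        print(f"{label}: {state}")
```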