Intel to slap hardware lock on Management Engine code to thwart downgrade attacks
From version 12 onward, ME-equipped chips will defend against patch rollbacks
Intel's Coffee Lake and Cannon Lake x86 processors can be fortified by computer manufacturers to prevent in hardware attempts to downgrade, exploit and potentially neuter Chipzilla's built-in creepy Management Engine.
In June, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy privately reported to Intel a brace of exploitable bugs – CVE-2017-5705, 5706, and 5707 – in the powerful Management Engine's firmware.
Last month, in response and ahead of Ermolov and Goryachy's public presentation of their research at Black Hat Europe, Chipzilla published eight vulnerability notices: the tech giant admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) could be attacked to give miscreants access to the controversial hidden administrative layer – effectively granting God-mode on the computer.
As such patches to kill off the security holes in the code are gradually being made available to organizations and people to download and install. Unfortunately, though, the ME's reliance on writeable firmware has meant any fixes can be reversed. Thus, it is possible for miscreants to reprogram flash chips on the motherboard to undo any changes.
It's pretty much game over if you can gain enough physical access to a machine to rewrite its solid-state storage, of course. However, it may be possible for Intel to thwart tools – such as me_cleaner – that forcibly neuter the Management Engine in later revisions of its firmware. And it may be impossible to roll back the firmware to a version that can be nuked.
A recent confidential Intel Technical Advisory posted to GitHub stated that starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, "will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN."
FPFs, once set, become read-only memory (ROM) and cannot be easily altered. And the presence of this immutable value provides Intel's security measures with a way to validate firmware versions in order to avoid a version rollback.
The cryptographic keys used to protect Intel ME data are also bound to the SVN, to deny an attacker access after a downgrade.
According to Intel's advisory, ME versions 8 through 11 can be physically downgraded using a flash programmer, such as DediProg, that has been connected to the chip's flash memory.
Intel's super-secret Management Engine firmware now glimpsed, fingered via USBREAD MORE
The FPF-based protection in version 12 and onward prevents that, though there's still room for physical tempering and fault injection attacks.
The anti-rollback feature is disabled by default; Intel hardware partners – PC and server makers – can enable it using Intel's Flash Image Tool (FIT) and ship the machines out to customers. Intel said it strongly recommends enabling the feature and may soon enable it by default.
In an email to The Register, Todd Weaver, founder and CEO of Purism, which makes privacy-focused Librem laptops in which the Intel Management Engine has been mostly disabled through unofficial means – mainly by wiping away a chunk of its data and activating what appears to be a hidden kill switch – said Chipzilla's software-based anti-rollback protection can be bypassed. The proposed Management Engine version 12 hardware-based protection is better, he said, but that doesn't change the fundamental problem with the technology.
"The ME [Management Engine] hardware still ships on all Intel CPUs; the ME firmware (where this Positive Technologies security exploit is at) is still required by Intel," he said. "If users do not want the ME at all, there is no current Intel based CPU option."
Weaver said his company petitioned Intel last year to sell chips without the ME and continues to advocate for that. Purism, he said, continues to work on reverse engineering the Management Engine because Intel has shown no interest in an ME-free option for its x86 processors.
"Mitigating risk with usable solutions is something Purism strives for, and currently a great way to remove this ME local access threat is by running TPM to measure the ME region, and have Coreboot + Heads to ensure the first bit can enter a proper measured boot process," he said.
The other option appears to be setting the ME's HAP bit, which disables but doesn't remove the ME in order to comply with the US government's high assurance program, an NSA-developed IT security framework.
Intel did not immediately respond to a request to clarify the range of chips affected its technical advisory. ®