Intel Firmware Security Fix Policy?

arthur99
Posts: 6
Joined: Tue Aug 18, 2020 3:44 pm
languages_spoken: english
ODROIDs: XU4
Has thanked: 1 time
Been thanked: 1 time
Contact:

Intel Firmware Security Fix Policy?

Post by arthur99 »

Hello all,

What are the security support plans regarding Intel Management Engine (the name TXE should apply to the CPU model here)?

From time to time security flaws are found and fixed by Intel, but for ME firmware only the vendor can deliver updates (other than Microcode, which can be loaded early on boot by Linux). Latest versions are from June, see a security advisory from this series here:
https://www.intel.com/content/www/us/en ... 00295.html
Fixed Version: 4.0.25

Questions

1)
What is the TXE version in the current BIOS firmware for the Odroid-H2+?

2)
For how long in the future is Hardkernel going to publish Intel fixes in new BIOS files (a criterion for the technical lifetime of the product, hopefully long to avoid electronic waste)?

Unfortunately Intel puts this burden on the hardware manufacturers and also customers...


Kind regards,
Arthur


Re: Intel Firmware Security Fix Policy?

Post by arthur99 »

The screenshot in another thread shows TXE version 4.0.0.1247 for the recent BIOS update.

So it looks like Hardkernel doesn't care about security.

Please respond if this impression is not accurate.

InsideJob
Posts: 59
Joined: Sat Mar 21, 2020 7:00 pm
languages_spoken: English, Greek, Spanish
Has thanked: 3 times
Been thanked: 10 times
Contact:

Re: Intel Firmware Security Fix Policy?

Post by InsideJob »

Intel ME is a backdoor so the only way to "secure" it is by crippling it.
https://github.com/corna/me_cleaner

odroid
Site Admin
Posts: 35591
Joined: Fri Feb 22, 2013 11:14 pm
languages_spoken: English, Korean
ODROIDs: ODROID
Has thanked: 1199 times
Been thanked: 877 times
Contact:

Re: Intel Firmware Security Fix Policy?

Post by odroid »

We've tried to understand how to update the ME part in the BIOS blob through the standard UEFI documents.
But it seems to be out of our knowledge. Do you have any experience?


Re: Intel Firmware Security Fix Policy?

Post by InsideJob »

I was trying to understand CPU Field Programmable Fuses and was hoping an electrical engineer could shed some light... Oh well, the people at Purism seem to have figured it out though:
https://puri.sm/learn/intel-me/
These users thanked the author InsideJob for the post:
odroid (Mon Aug 24, 2020 9:18 am)


Re: Intel Firmware Security Fix Policy?

Post by arthur99 »

@odroid:
Thanks that you are investigating this!!! I'm not in the manufacturing business, so unfortunately I don't have any knowledge.

Doesn't Intel provide documents about provisioning those systems and dealing with the firmware?
Not likely that this information is publicly available, but manufacturers should be able to get it.
(Otherwise Intel would force you to spread their security leaks to the world, which should not be in their interest.)

UEFI doesn't sound like the appropriate topic, because the ME initializes the system before boot (besides the features for running systems).
As some vendors can update the firmware from Linux, I guess that the ME can be leveraged to do this, probably via this interface: https://www.kernel.org/doc/Documentatio ... ei/mei.txt

I agree with InsideJob that a deactivated ME would even be better (being an almost unique selling point - I only know 1 other than Purism offering this).
This has been discovered by Positive Technologies, see http://blog.ptsecurity.com/2017/08/disa ... el-me.html and https://github.com/corna/me_cleaner .
These users thanked the author arthur99 for the post:
odroid (Thu Aug 27, 2020 12:14 pm)
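
An added example (not part of any post in this thread, and not Hardkernel's or Intel's code): a shell check that compares a TXE firmware version, such as the 4.0.0.1247 reported earlier, against the advisory's fixed version 4.0.25, reading the running version through the MEI driver mentioned above. It assumes the kernel exposes `/sys/class/mei/mei0/fw_ver` (kernel 4.18 or later) with lines of the form `<platform>:<major>.<minor>.<milestone>.<build_no>`; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: is the running TXE firmware at or above the advisory's fixed version?
FIXED_VERSION="4.0.25"          # "Fixed Version" quoted in the first post
MEI_FW_VER=${MEI_FW_VER:-/sys/class/mei/mei0/fw_ver}   # assumed sysfs path

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# ver_ge A B: 0 if dotted version A >= B, 1 if A < B, 2 if malformed.
# Only as many fields as B has are compared, so the build number is ignored
# when B is a three-field version like 4.0.25.
ver_ge() {
    a=$1 b=$2
    while [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        is_num "$fa" && is_num "$fb" || return 2
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the compared field
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# mei_fw_version FILE: print the first firmware block without the "<platform>:" prefix.
mei_fw_version() {
    [ -r "$1" ] || return 1
    IFS= read -r line < "$1" || [ -n "$line" ] || return 1
    printf '%s\n' "${line#*:}"
}

report() {
    rc=0; ver_ge "$1" "$FIXED_VERSION" || rc=$?
    case $rc in
        0) echo "$1: at or above fixed version $FIXED_VERSION" ;;
        1) echo "$1: below fixed version $FIXED_VERSION, vendor BIOS update needed" ;;
        *) echo "$1: could not parse version" ;;
    esac
}

if v=$(mei_fw_version "$MEI_FW_VER"); then
    report "$v"
else
    echo "cannot read $MEI_FW_VER; checking the version quoted in the thread"
    report "4.0.0.1247"
fi
```
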

misaz
Posts: 79
Joined: Sat Jul 27, 2019 3:58 am
languages_spoken: english, czech
ODROIDs: H2+
Has thanked: 7 times
Been thanked: 14 times
Contact:

Re: Intel Firmware Security Fix Policy?

Post by misaz »

You are confusing two terms: microcode and ME (management engine). ME is a hardware part (= it is made from physical transistors) and microcode is code that implements the instruction set using micro instructions and can configure some other parts of the CPU like ME.

@arthur99's thought that "UEFI is not appropriate topic for microcode" is incorrect (you said ME but I think that you mean microcode). Microcode is part of the UEFI image and the BIOS (UEFI) loads it into the CPU at a very early stage of the boot process. But any other software that runs on the CPU later (usually a bootloader like GRUB and an operating system like Linux) can replace the microcode with whatever it wants. So at the beginning of the boot process the microcode bundled with UEFI is used, and later it is replaced by another microcode provided by Linux.

There is no need to disable ME. It contains useful features like the DCI debugger (it is something like JTAG over USB) and many others. All of them are documented and Intel provides documentation under NDA. It is possible to eliminate most ME features using patched microcode, but this patched microcode is not (as expected) provided by Intel and there is no recommendation to use microcode patched by some external hackers. In fact, using that microcode can lead to much bigger security issues.

If Intel finds some vulnerability in the CPU, they may patch execution of the affected instruction and provide updated microcode containing that patch. So Odroid needs to retrieve the latest microcode from Intel and consult with AMI on how to replace the microcode in the BIOS image. Probably some AMI utility which you use to configure the BIOS image can do that. That will patch all known and fixed vulnerabilities and may affect performance. Also remember that the microcode bundled with UEFI is usually used only while the computer is booting; then it is replaced by the CPU driver which is part of the operating system, and most probably most of the time your computer is using the latest microcode regardless of the microcode bundled with UEFI. Microcode bundled with UEFI is critical, for example, when you have network boot enabled. In that situation it may be taken into account to exploit some bug in complex BIOS code and remotely take control over the system, but the relevance of that is still very low.


Re: Intel Firmware Security Fix Policy?

Post by arthur99 »

misaz wrote:
Thu Aug 27, 2020 11:46 pm
You are confusing two terms: microcode and ME (management engine). ME is a hardware part (= it is made from physical transistors) and microcode is code that implements the instruction set using micro instructions and can configure some other parts of the CPU like ME.

@arthur99's thought that "UEFI is not appropriate topic for microcode" is incorrect (you said ME but I think that you mean microcode). Microcode is part of the UEFI image and the BIOS (UEFI) loads it into the CPU at a very early stage of the boot process. But any other software that runs on the CPU later (usually a bootloader like GRUB and an operating system like Linux) can replace the microcode with whatever it wants. So at the beginning of the boot process the microcode bundled with UEFI is used, and later it is replaced by another microcode provided by Linux.

There is no need to disable ME. It contains useful features like the DCI debugger (it is something like JTAG over USB) and many others. All of them are documented and Intel provides documentation under NDA. It is possible to eliminate most ME features using patched microcode, but this patched microcode is not (as expected) provided by Intel and there is no recommendation to use microcode patched by some external hackers. In fact, using that microcode can lead to much bigger security issues.

If Intel finds some vulnerability in the CPU, they may patch execution of the affected instruction and provide updated microcode containing that patch. So Odroid needs to retrieve the latest microcode from Intel and consult with AMI on how to replace the microcode in the BIOS image. Probably some AMI utility which you use to configure the BIOS image can do that. That will patch all known and fixed vulnerabilities and may affect performance. Also remember that the microcode bundled with UEFI is usually used only while the computer is booting; then it is replaced by the CPU driver which is part of the operating system, and most probably most of the time your computer is using the latest microcode regardless of the microcode bundled with UEFI. Microcode bundled with UEFI is critical, for example, when you have network boot enabled. In that situation it may be taken into account to exploit some bug in complex BIOS code and remotely take control over the system, but the relevance of that is still very low.

The reader might be confused about what people are referring to. Odroid asked about ME and UEFI, and I replied to this with my understanding, that it comes before UEFI parts are relevant.

I'm concerned about the ME firmware (maybe AMI could also assist here?), as an update can't be done by end users. As you mention, for CPU microcode a solution exists by loading from disk by kernels during boot, resulting in a lower priority of this part.

@Odroid: Thank you for looking into this, and I hope that things are progressing. Any solution - update or disable - would be fine for me. For the latter you could provide an alternate BIOS file (naming it "archive" could possibly be more appropriate for all it contains), leaving the choice to the people.

Is there any news?

Kind regards, Arthur


Re: Intel Firmware Security Fix Policy?

Post by misaz »

I'm concerned about the ME firmware (maybe AMI could also assist here?), as an update can't be done by end users.

This is true only partially. End users with sufficient knowledge of course can build (or modify) a BIOS image manually. Both AMI utilities and Intel microcode are leaked. If you are interested in it you can see the win-raid.com forum, where people do reverse engineering of BIOS images and have tools to modify BIOSes in a lot of ways, including changing microcode. Note that modifying the BIOS image may brick your Odroid and make it nonbootable. You do it at your own risk. It is needed to back up the content of the flash containing the BIOS to be able to unbrick your Odroid in case a malfunctioning image is flashed.

Some useful links:
https://www.win-raid.com/t18f16-Guide-M ... dding.html
https://www.win-raid.com/t154f16-Tool-G ... t-UBU.html
Last edited by misaz on Mon Sep 07, 2020 3:05 pm, edited 1 time in total.


Re: Intel Firmware Security Fix Policy?

Post by InsideJob »

It's a MINIX OS that Intel has more access to than I do. I'd call it a backdoor actually. Here's a letter from the guy Intel ripped off... though I'm sure the theft of his intellectual property was perfectly legal:
https://www.cs.vu.nl/~ast/intel/

mad_ady
Posts: 8582
Joined: Wed Jul 15, 2015 5:00 pm
languages_spoken: english
ODROIDs: XU4, C1+, C2, C4, N1, N2, H2, Go, Go Advance
Location: Bucharest, Romania
Has thanked: 578 times
Been thanked: 486 times
Contact:

Re: Intel Firmware Security Fix Policy?

Post by mad_ady »

Andrew Tanenbaum is not just "a guy". I recommend his comprehensive books on networking and operating systems.


Re: Intel Firmware Security Fix Policy?

Post by arthur99 »

This issue got attention in c't (biggest IT/tech magazine in Europe) issue 21/2020 p. 45, also online here https://www.heise.de/select/ct/2020/21/ ... 3458145178

Excerpt (translated to English):
Some manufacturers react slowly or not at all to Intel security advisories: They don't provide BIOS updates with fixes. This even affects available devices in the market: ZBox nano CI329 from Zotac and Odroid H2/H2+ from Hardkernel.
[...]
Hardkernel responded clumsily in its own support forum.

So asking again:

(1) What is your security fix policy?

(2) What is your strategy - disable the ME (to the extent possible, means all functions beside platform initialization at boot), or deliver updated firmware (or both options)?

(3) Could the BIOS vendor help you, or is Odroid trying alone, and what is the current status?

I didn't buy your otherwise very interesting model yet. This topic is blocking.


Kind regards,
Arthur


Re: Intel Firmware Security Fix Policy?

Post by InsideJob »

Security fixes for an insecure backdoor seem like a waste of time. But if it makes people feel like they're safe and secure from the l33t al-Qaeda h@X0rs that are conspiring in caves.... 🙄

Anywho, apparently the NSA wanted a way to disable Intel ME themselves, so there's a secret bit you can set: http://blog.ptsecurity.com/2017/08/disa ... e.html?m=1

TL;DR version
Intel allows motherboard manufacturers to set a small number of ME parameters. For this, the company provides hardware manufacturers with special software, including utilities such as Flash Image Tool (FIT) for configuring ME parameters and Flash Programming Tool (FPT) for programming flash memory directly via the built-in SPI controller. These programs are not provided to end users, but they can be easily found on the Internet.

From these utilities, you can extract a large number of XML files (detailed description of the process). These files contain a lot of interesting information: the structure of ME firmware and description of the PCH strap, as well as special configuration bits for various subsystems integrated into the PCH chip. One of the fields, called "reserve_hap", drew our attention because there was a comment next to it: "High Assurance Platform (HAP) enable".

Googling did not take long. The second search result said that the name belongs to a trusted platform program linked to the U.S. National Security Agency (NSA). A graphics-rich presentation describing the program can be found here. Our first impulse was to set this bit and see what happens. Anyone with an SPI programmer or access to the Flash Descriptor can do this (on many motherboards, access rights to flash memory regions are set incorrectly).

After the platform is loaded, the MEInfo utility reports a strange status: "Alt Disable Mode." Quick checks showed that ME did not respond to commands or react to requests from the operating system.
These users thanked the author InsideJob for the post:
domih (Sat Oct 17, 2020 7:10 am)


Re: Intel Firmware Security Fix Policy?

Post by odroid »

We have good news here.
viewtopic.php?f=168&t=40473
These users thanked the author odroid for the post:
arthur99 (Wed Oct 14, 2020 2:17 am)


Re: Intel Firmware Security Fix Policy?

Post by arthur99 »

odroid wrote:
Tue Oct 13, 2020 5:14 pm
We have good news here.
viewtopic.php?f=168&t=40473

Sounds like you want to be independent and are determinedly working. Great!

So I'm curious, but take the necessary time for the tests. Budget for a H2+ is saved ;-)

@InsideJob:
I somewhat second your waste of time argument, but - if not on the disable track - the least that should be done is to provide available fixes (as common in almost all areas with software).
