Intel ME Bugfix

SirDigi
Posts: 3
Joined: Sun Jan 06, 2019 12:41 am
languages_spoken: english
Has thanked: 0
Been thanked: 0
Contact:

Intel ME Bugfix

Post by SirDigi »

Hello,

as already asked here: viewtopic.php?f=168&t=39987

When will you release an update for the critical bug mentioned by https://www.intel.com/content/www/us/en ... 00295.html ? It should be easiest for you to get the required information on how to integrate the update blob into a new BIOS firmware. It looks very unprofessional that many months after a bugfix release from Intel there are no updated firmware files from your side.

I know there are many people that write now "Simply disable all ME options in the BIOS, problem solved", but this cannot be a fix for the bug.

Please don't leave us standing in the rain.

BR
SirDigi

fvolk
Posts: 493
Joined: Sun Jun 05, 2016 11:04 pm
languages_spoken: english
ODROIDs: C2, C4, H2
Has thanked: 0
Been thanked: 48 times
Contact:

Re: Intel ME Bugfix

Post by fvolk »

Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® ISM and Intel® DAL update to the latest versions provided by the system manufacturer that address these issues.
I'm curious, how to check which of these "Intel CSME, Intel SPS, Intel TXE, Intel AMT, Intel ISM and Intel DAL" technologies are actually part of the H2(+) BIOS/UEFI?

InsideJob
Posts: 63
Joined: Sat Mar 21, 2020 7:00 pm
languages_spoken: English, Greek, Spanish
Has thanked: 3 times
Been thanked: 10 times
Contact:

Re: Intel ME Bugfix

Post by InsideJob »

I was bored this morning so downloaded CSME_Version_Detection_Tool_Linux.tar.gz from Intel. It didn't run correctly on Ubuntu, gave me some Python error -- I guess I'm missing a dependency. Worked fine on Fedora though:

$ sudo ./intel_csme_version_detection_tool 
Intel(R) CSME Version Detection Tool
Copyright(C) 2017-2020, Intel Corporation, All rights reserved.

Application Version: 3.1.0.0
Scan date: 2020-10-06 15:52:20 GMT

*** Host Computer Information ***
Name: h2zoo
Manufacturer: HARDKERNEL
Model: ODROID-H2
Processor Name: Intel(R) Celeron(R) J4115 CPU @ 1.80GHz
OS Version: Fedora 32 (Workstation Edition) (5.6.6-300.fc32.x86_64)

*** Intel(R) ME Information ***
Engine: Intel(R) Trusted Execution Engine
Version: 4.0.0.1245

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
  The detected version of the Intel(R) Trusted Execution Engine firmware
  has a vulnerability listed in one or more of the public Security Advisories.
  Contact your system manufacturer for support and remediation of this system.

For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html

odroid
Site Admin
Posts: 35921
Joined: Fri Feb 22, 2013 11:14 pm
languages_spoken: English, Korean
ODROIDs: ODROID
Has thanked: 1325 times
Been thanked: 915 times
Contact:

Re: Intel ME Bugfix

Post by odroid »

We could get a slightly higher ME version.
But the system is still vulnerable. We need to learn more about ME things :( .

*** Intel(R) ME Information ***
Engine: Intel(R) Trusted Execution Engine
Version: 4.0.20.1310

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
  The detected version of the Intel(R) Trusted Execution Engine firmware
  has a vulnerability listed in one or more of the public Security Advisories.
  Contact your system manufacturer for support and remediation of this system.

For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html

Re: Intel ME Bugfix

Post by InsideJob »

Well, if we're voting on it I'm still for disabling it. But from what I've gathered (from Purism) that requires setting those programmable fuses at time of manufacture, so I guess it's more of a suggestion for the H3.

Re: Intel ME Bugfix

Post by odroid »

Finally, we have good news.
We will try to release a new BIOS update by early November after some compatibility/stability tests.

joshua@joshua-ODROID-H2:~/Downloads/CSME_Version_Detection_Tool_Linux$ ./intel_csme_version_detection_tool 
Intel(R) CSME Version Detection Tool
Copyright(C) 2017-2020, Intel Corporation, All rights reserved.

Application Version: 3.1.0.0
Scan date: 2020-10-13 06:34:37 GMT

*** Host Computer Information ***
Name: joshua-ODROID-H2
Manufacturer: HARDKERNEL
Model: ODROID-H2
Processor Name: Intel(R) Celeron(R) J4105 CPU @ 1.50GHz
OS Version: Ubuntu 20.04.1 LTS (5.4.0-48-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Trusted Execution Engine
Version: 4.0.30.1386

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html
These users thanked the author odroid for the post (total 2):
domih (Tue Oct 20, 2020 2:14 pm) • puremind (Sun Oct 25, 2020 5:01 pm)
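
When more than one board has to be checked, the report layout quoted in the posts above can be parsed instead of read by eye. The Python below is an added example, not part of any post or of Intel's tool; the two sample reports are constructed from the output quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed samples, trimmed to the layout and wording of the reports quoted in this thread.
VULNERABLE = """\
*** Host Computer Information ***
Manufacturer: HARDKERNEL
Model: ODROID-H2

*** Intel(R) ME Information ***
Engine: Intel(R) Trusted Execution Engine
Version: 4.0.20.1310

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
"""
PATCHED = """\
*** Intel(R) ME Information ***
Engine: Intel(R) Trusted Execution Engine
Version: 4.0.30.1386

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.
"""

SECTION = re.compile(r"^\*\*\* (.+?) \*\*\*$")
# "not vulnerable" is tried first: a plain substring test for "vulnerable" would flag both reports.
VERDICT = re.compile(r"This system is (not vulnerable|vulnerable)\b")

def parse_report(text):
    """Extract engine, firmware version, board model and verdict from one report."""
    fields, section, verdict = {}, None, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            section = m.group(1)
        elif section == "Risk Assessment":
            v = VERDICT.search(line)
            if v and verdict is None:
                verdict = v.group(1) == "vulnerable"
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[(section, key.strip())] = value.strip()
    me = "Intel(R) ME Information"
    ver = fields.get((me, "Version"))
    version = tuple(int(p) for p in ver.split(".")) if ver else None
    return {"engine": fields.get((me, "Engine")), "version": version,
            "model": fields.get(("Host Computer Information", "Model")), "vulnerable": verdict}

def needs_update(report):
    # A missing verdict (truncated or failed run) counts as "needs attention", not as safe.
    return report["vulnerable"] is not False
```
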

mad_ady
Posts: 8835
Joined: Wed Jul 15, 2015 5:00 pm
languages_spoken: english
ODROIDs: XU4, C1+, C2, C4, N1, N2, H2, Go, Go Advance
Location: Bucharest, Romania
Has thanked: 586 times
Been thanked: 531 times
Contact:

Re: Intel ME Bugfix

Post by mad_ady »

Great job!

domih
Posts: 328
Joined: Mon Feb 11, 2019 4:48 pm
languages_spoken: English, French
ODROIDs: UX4, HC2, N2, H2, C4, H2+
Location: San Francisco Bay Area
Has thanked: 114 times
Been thanked: 122 times
Contact:

Re: Intel ME Bugfix

Post by domih »

InsideJob wrote:
Wed Oct 07, 2020 1:01 am
I was bored this morning so downloaded CSME_Version_Detection_Tool_Linux.tar.gz from Intel. It didn't run correctly on Ubuntu, gave me some Python error -- I guess I'm missing a dependency.
You were probably using Ubuntu 20.04 or a version that includes Python 3 but not Python 2.7.

Remedy:

sudo apt install python

Then intel_csme_version_detection_tool runs OK.

HTH

Best.

Re: Intel ME Bugfix

Post by InsideJob »

Some BIOSes give you the option of disabling it.

I guess they're using the NSA's secret bit to do it.

Re: Intel ME Bugfix

Post by domih »

InsideJob wrote:
Wed Oct 21, 2020 4:46 pm
Some BIOSes give you the option of disabling it.
.../...
I guess they're using the NSA's secret bit to do it.
I believe the story is a little bit more complicated :( see https://en.wikipedia.org/wiki/Intel_Man ... ing_the_ME. Many details in the linked pages the article refers to show that not all agree on the effectiveness. I'm no expert, but it looks to me that the information to fully disable the various components of "Intel's backdoor" as the EFF calls it is as clear as the ass of a dead rhinoceros in a dark tunnel... and Intel wanted it that way.

For people who have no clue about the Intel security alphabet soup, you can get a quick bird's-eye view there:
- https://en.wikipedia.org/wiki/Intel_Management_Engine,
- https://en.wikipedia.org/wiki/Intel_Act ... Technology.

The two articles contain enough links if you want to go further into learning about these out of band management tools. Headaches guaranteed!

Like BMC + IPMI in data centers that provide remote management to servers, IT people wanted a set of tools to enable them to remotely manage hundreds or thousands of corporate desktops and laptops. This means a "mini-system" not subjected to the OS installed on these machines. This also means that this mini-system has to be 100% foolproof and secure (*). The requirement is not totally absurd. Corporate users are notorious for not caring to install security updates, so if IT can do it for them this is a good thing. As a matter of fact the IT people usually lock everything on corporate PCs and laptops. The users can use the installed apps and that's it (no deep system configuration, no additional app installation...)

(*) However the concept of 100% secure does not exist in software (known vs. known unknown vs. unknown unknown). The latter being zero day exploits which the NSA, GCHQ, DGSE and so on are happy to buy for $$$ (your tax dollars at work) from specialized companies searching for them. The Russians and Chinese do the same but buy from different providers :-)

The history of Intel AMT, ME, CSME is a long story of CVEs where the keys to the barn and the ass of the farmer's wife were delivered to the crackers. Then security fixes come, then each board manufacturer has to update the BIOS/UEFI for integrating the fixes. Thank you Intel for passing the buck :( I believe Odroid was pretty fast in working on a fix once alerted of the problem and promising to deliver it in November. Horror stories from major motherboard manufacturers exist and good luck if your motherboard starts to be "old".

No matter what one thinks of Intel ME and associated technologies, upgrading the BIOS/UEFI of the H2 series is basically checking a check mark on the buyer's must-have list. So it helps.

Re: Intel ME Bugfix

Post by InsideJob »

I'm one of those IT guys who doesn't update firmware regularly and I run my kernel with mitigations=off. Why risk bricking my H2+ for a BIOS update that does nothing except fix some fan speed problems other people are having? If I were using this as a router I could potentially put myself out of business if the power went out in the middle of flashing. And retpolines are really fixes for cloud providers who might have data leak out of their supposedly "isolated" containers and do nothing for desktop users but slow down their computer. Lastly, I keep my so-called "zero-day" exploits secret as long as possible so I can keep using them as long as possible. Once they're discovered the game is over.

Anywho, point is it's mostly security theater that keeps security researchers employed and I really would rather opt-out by disabling nonsense like Intel ME. I'm not sure if setting the NSA's secret bit is enough but everyone agrees Purism's approach of giving it a lobotomy works.

Re: Intel ME Bugfix

Post by domih »

InsideJob wrote:
Thu Oct 22, 2020 6:22 pm
...security theater...
Yes, it is theater.

But in Sales / Marketing appearance is reality. For corporate accounts and prospects you want to be able to put a check mark in front of "Intel Security Maintenance", especially when the deal is about hundreds of units.

Re: Intel ME Bugfix

Post by odroid »

We still need a couple more weeks to solve the eMMC booting issue in the new BIOS.
Sorry for the delay.

Re: Intel ME Bugfix

Post by domih »

odroid wrote:
Tue Nov 03, 2020 10:25 am
We still need a couple more weeks to solve the eMMC booting issue in the new BIOS.
Sorry for the delay.
Don't feel bad or sorry about it.

The tragic-comedic Intel CSME continues to be attackers' BFF. See today's https://www.phoronix.com/scan.php?page= ... re-Playpus

If an appropriate chisel and hammer existed the best way to solve the CSME open barn door problem would be to "de-engrave" all CSME parts from the CPU die :mrgreen: :D :o
These users thanked the author domih for the post:
odroid (Wed Nov 11, 2020 9:59 am)

joshua.yang
Posts: 465
Joined: Fri Sep 22, 2017 5:54 pm
languages_spoken: Korean, English
ODROIDs: XU4, XU4Q + Cloudshell2, H2, N2
Has thanked: 32 times
Been thanked: 127 times
Contact:

Re: Intel ME Bugfix

Post by joshua.yang »

Hi.

Finally, we have made the new BIOS binary that includes the updated Intel CSME version.

Here's the version information for the new BIOS.
- Version: GLK-SF 1.22
- Build date: 11/13/2020 09:30:30
Attachment: 201119_intel_csme_detection.png
https://dn.odroid.com/ODROID-H2/bios/tr ... l_csme.zip

This is a trial version for now. Please test this and let us know the results. :)
It will be released in a few days if there are no noticeable issues.
These users thanked the author joshua.yang for the post (total 3):
odroid (Thu Nov 19, 2020 7:48 pm) • keil (Thu Nov 19, 2020 10:24 pm) • arthur99 (Wed Dec 02, 2020 9:21 am)

puremind
Posts: 58
Joined: Wed Nov 21, 2018 2:27 am
languages_spoken: english
ODROIDs: Odroid H2 Rev B
Has thanked: 5 times
Been thanked: 12 times
Contact:

Re: Intel ME Bugfix

Post by puremind »

Just installed 1.22 and it seems that everything is OK
These users thanked the author puremind for the post:
odroid (Thu Nov 19, 2020 7:48 pm)
Odroid H2 Rev B, 16GB Ripjaws, MP510 Corsair 512GB Nvme

keil
Posts: 2
Joined: Thu Nov 19, 2020 9:10 pm
languages_spoken: english
ODROIDs: ODROID-H2+
Has thanked: 4 times
Been thanked: 1 time
Contact:

Re: Intel ME Bugfix

Post by keil »

Installed now, no problems in my case till now.

Odroid-H2+ with one Crucial CT4G4SFS824A 4GB

Boot opnsense from SSD over USB3.0
m.2 to PCIe x4 works the same as before

Thanks
These users thanked the author keil for the post:
odroid (Fri Nov 20, 2020 9:02 am)

p37
Posts: 34
Joined: Sat Jun 30, 2018 5:32 pm
languages_spoken: german
ODROIDs: odroid c2 odroid h2
Has thanked: 0
Been thanked: 1 time
Contact:

Re: Intel ME Bugfix

Post by p37 »

Hello,

All good with the new bios_v1.22 on Odroid H2 Rev B!

But I have to reinstall systemd-boot in my first Arch Linux installation on nvme after the update,
otherwise it is not present in the BIOS.

The second Arch Linux on emmc is as always on UEFI OS and Windows is also present.
But this is probably due to systemd-boot (or probably at me) which is not really suitable for 2 x Linux.

For me the Odroid H2 is a wonderful working PC,
even for times a video convert or games that appeared until 2014
and this with minimal power consumption.


Thanks for this wonderful board
P37

Sorry I don't speak English
Translated with www.DeepL.com
These users thanked the author p37 for the post:
odroid (Fri Nov 20, 2020 9:02 am)
