me_cleaner
Python script able to modify an Intel ME firmware image with the final purpose of reducing its ability to interact with the system.
https://github.com/corna/me_cleaner
Intel ME
Intel ME is a co-processor integrated in all post-2006 Intel boards, which is the base hardware for many Intel features like Intel AMT, Intel Boot Guard, Intel PAVP and many others. To provide such features, it requires full access to the system, including memory (through DMA) and network access (transparent to the user).
Unlike many other firmware components, the Intel ME firmware can't be neither disabled nor reimplemented, as it is tightly integrated in the boot process and it is signed.
This poses an issue both to the free firmware implementations like coreboot, which are forced to rely on a proprietary, obscure and always-on blob, and to the privacy-aware users, who are reasonably worried about such firmware, running on the lowest privilege ring on x86.
What can be done
Before Nehalem (ME version 6, 2008/2009) the ME firmware could be removed completely from the flash chip by setting a couple of bits inside the flash descriptor, effectively disabling it.
Starting from Nehalem the Intel ME firmware can't be removed anymore: without a valid firmware the PC shuts off forcefully after 30 minutes, probably as an attempt to enforce the Intel Anti-Theft policies.
However, while Intel ME can't be turned off completely, it is still possible to modify its firmware up to a point where Intel ME is active only during the boot process, effectively disabling it during the normal operation, which is what me_cleaner tries to accomplish.
#intel #me #mecleaner
Python script able to modify an Intel ME firmware image with the final purpose of reducing its ability to interact with the system.
https://github.com/corna/me_cleaner
Intel ME
Intel ME is a co-processor integrated in all post-2006 Intel boards, which is the base hardware for many Intel features like Intel AMT, Intel Boot Guard, Intel PAVP and many others. To provide such features, it requires full access to the system, including memory (through DMA) and network access (transparent to the user).
Unlike many other firmware components, the Intel ME firmware can't be neither disabled nor reimplemented, as it is tightly integrated in the boot process and it is signed.
This poses an issue both to the free firmware implementations like coreboot, which are forced to rely on a proprietary, obscure and always-on blob, and to the privacy-aware users, who are reasonably worried about such firmware, running on the lowest privilege ring on x86.
What can be done
Before Nehalem (ME version 6, 2008/2009) the ME firmware could be removed completely from the flash chip by setting a couple of bits inside the flash descriptor, effectively disabling it.
Starting from Nehalem the Intel ME firmware can't be removed anymore: without a valid firmware the PC shuts off forcefully after 30 minutes, probably as an attempt to enforce the Intel Anti-Theft policies.
However, while Intel ME can't be turned off completely, it is still possible to modify its firmware up to a point where Intel ME is active only during the boot process, effectively disabling it during the normal operation, which is what me_cleaner tries to accomplish.
#intel #me #mecleaner
GitHub
GitHub - corna/me_cleaner: Tool for partial deblobbing of Intel ME/TXE firmware images
Tool for partial deblobbing of Intel ME/TXE firmware images - corna/me_cleaner