Hello,
To make some precisions:
-The "High Assurance Platform" belongs to a trusted platform program
linked to the U.S. National Security Agency (NSA). A graphics-rich
presentation describing the program can be found here.
http://fm.csl.sri.com/LAW/2009/dobry-law09-HAP-Challenges.pdf
note: the link is dead but I have a backup of the pdf.
If someone needs it just ask.
-More parts of the ME can be removed thanks to this discovery.
-The removed part makes the ME go into "TemporaryDisable mode" which is
undocumented, like a lot of of undocumented instructions
https://github.com/xoreaxeaxeax/sandsifter/raw/master/references/domas_breaking_the_x86_isa_wp.pdf.
-This "TemporaryDisable mode" allows the CPU to initialize without the
ME activated.
-This hack doesn't work on Apollo Lake platforms.
So it doesn't remove the ME it "neutralises" it and for what remains we
can only hope that nothing reinitialise it afterwards since the
instruction is called Temporary Disable mode.
Imo seeing the awful state of X86 platforms, POWER is our only hope to
own what we buy.
Le 05/09/2017 12:34, Alessandro Selli a écrit :
> On Sun, 3 Sep 2017 at 07:32:10 -0400
> zap <calmstorm@???> wrote:
>
>>
>> On 09/03/2017 05:26 AM, Alessandro Selli wrote:
>>> On 01/09/2017 at 20:36, zap wrote:
>>>>> I doubt it will be owner controlled, as their laptops aren't - they
>>>>> still haven't even gotten a blobbed version of coreboot working
>>>>> (blobbed init code + ME enabled as they insisted on a crappy intel soc)
>>>>> Purism isn't a trustworthy company.
>>>> Gee, I thought purism was a trustworthy company, I mean they claim you
>>>> can get the latest and the greatest without intel me
>>> This is *not* what they claim:
>>>
>>> https://puri.sm/learn/intel-me/
>>>
>>> "Freeing the ME is a challenge, but not impossible"
>>>
>>> "By working with Intel, motherboard design developers, as well as our
>>> coreboot developers, Purism has put in motion a solid approach on how to
>>> run a freed Intel ME *in the future*."
>> Sorry, but have you talked to libreboot or coreboot about this? and
>> also, not even google with all their money can convince intel to give
>> their secrets to them. That for me is a solid reason why I said this.
>
> The secret is no more a secret:
>
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
>
> August 28, 2017
> Disabling Intel ME 11 via undocumented mode
>
> "Our team of Positive Technologies researchers has delved deep into the
> internal architecture of Intel Management Engine (ME) 11, revealing a
> mechanism that can disable Intel ME after hardware is initialized and the
> main processor starts. In this article, we describe how we discovered this
> undocumented mode and how it is connected with the U.S. government's High
> Assurance Platform (HAP) program."
>
>
> Good hacking! :-)
>
>
--
Librement
BERNARD
FR: Veuillez s'il vous plaît utiliser GPG pour nos futures conversations:
https://emailselfdefense.fsf.org/fr/
Si c'est email n'est pas signer, il ne vient pas de moi.
ENG: Please be kind enough to use GPG for our future conversations:
https://emailselfdefense.fsf.org/en/
If this email isn't PGP signed then it isn't mine.
-If you can't compile it dump it.