1 - 20 of 25 Posts

·
Ooh, custom titles :D
Joined
·
1,250 Posts
Discussion Starter · #1 ·
Source: Click
ME Cleaner: Click

Good news I guess
Quote:
Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.
 

·
Iconoclast
Joined
·
30,810 Posts
Interesting.

I've been trying to mitigate any potential risks of Intel's ME by never installing functional drivers for it so most software can't interface with it, but actually being able to knock out most of it in firmware and still have the board work correctly is pretty neat.

Will have to give a shot later.
 

·
Registered
Joined
·
4,223 Posts
Quote:
Originally Posted by Blameless View Post

Interesting.

I've been trying to mitigate any potential risks of Intel's ME by never installing functional drivers for it so most software can't interface with it, but actually being able to knock out most of it in firmware and still have the board work correctly is pretty neat.

Will have to give a shot later.
What
 

·
Joined
·
2,327 Posts
I'm sure NSA and other agencies get special secure BIOS from Intel with ME already disabled while leaving the backdoor open for everyone else.
 

·
Registered
Joined
·
2,754 Posts
Quote:
Originally Posted by Particle View Post

If you could be more specific about which part doesn't make sense, one of us could explain it more verbosely.
From what I remember reading, drivers have zero impact on ME. The only thing that it does is remove an unidentified device from your device manager. The level of control that can be gained through ME is not impacted.
 

·
New to OCN?
Joined
·
26,919 Posts
Quote:
Originally Posted by Blameless View Post

Interesting.

I've been trying to mitigate any potential risks of Intel's ME by never installing functional drivers for it so most software can't interface with it, but actually being able to knock out most of it in firmware and still have the board work correctly is pretty neat.

Will have to give a shot later.
Windows still doesn't use generic drivers?
 

·
⤷ αC
Joined
·
11,239 Posts
AFAIK the vPro technology isn't present on the "K" CPUs and many other CPUs.

For example: i5-2500K & i7-2600K, i5-3570K & i7-3770K, i5-4670K & i7-4770K, i5-4690K & i7-4790K, i5-6600K & i7-6700K, i5-7600K & i7-7700K

https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html
"Intel® AMT out-of-band capabilities will help keep you in control-no matter if the computer is on or off, regardless of its location, or in case of total OS failure."

Compare the non-K CPUs:
https://ark.intel.com/products/97128/Intel-Core-i7-7700-Processor-8M-Cache-up-to-4_20-GHz
" Intel® vPro™ Technology ‡ Yes "
 

·
New to OCN?
Joined
·
26,919 Posts
Quote:
Originally Posted by AlphaC View Post

AFAIK the vPro technology isn't present on the "K" CPUs and many other CPUs.

For example: i5-2500K & i7-2600K, i5-3570K & i7-3770K, i5-4670K & i7-4770K, i5-4690K & i7-4790K, i5-6600K & i7-6700K, i5-7600K & i7-7700K

https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html
"Intel® AMT out-of-band capabilities will help keep you in control-no matter if the computer is on or off, regardless of its location, or in case of total OS failure."

Compare the non-K CPUs:
https://ark.intel.com/products/97128/Intel-Core-i7-7700-Processor-8M-Cache-up-to-4_20-GHz
" Intel® vPro™ Technology ‡ Yes "
7350k?
 

·
New to OCN?
Joined
·
26,919 Posts
Quote:
Originally Posted by one-shot View Post

2700k?
The 2700K is basically the same as the 2600K, but I mean the 7350K doesn't have an equivalent from any other generation, and that is the only i3 with an unlocked multiplier. I don't know if an i3 gets the same level of features as an i5 or i7 when they are unlocked.
 

·
Iconoclast
Joined
·
30,810 Posts
Quote:
Originally Posted by axiumone View Post

From what I remember reading, drivers have zero impact on ME. The only thing that it does is remove an unidentified device from your device manager. The level of control that can be gained through ME is not impacted.
The potential backdoor you'd need to cripple the firmware to fix isn't affected by drivers, but applications running locally do need the driver to interface with the ME. There is a dummy driver that just removes the unidentified device from device manager that's usually included with the chipset inf, but the standard/standalone ME driver does much more.

Some of the links in the source explain more.
Quote:
Originally Posted by AlphaC View Post

AFAIK the vPro technology isn't present on the "K" CPUs and many other CPUs.
ME is more than AMT and vPro and exists on essentially every Intel platform released in the last fifteen years or so.
Quote:
Originally Posted by PontiacGTX View Post

Windows still doesn't use generic drivers?
Windows 7 doesn't, and I normally just let the chipset inf package install the dummy driver. Windows 10/Server 2016 installs drivers by default on some of my boards, but I can disable those.
 

·
⤷ αC
Joined
·
11,239 Posts

·
New to OCN?
Joined
·
26,919 Posts
Quote:
Originally Posted by AlphaC View Post

No vPro per datasheet, but Blameless believes that CPUs without vPro still have the Management engine (since it's based on the chipset)?
https://ark.intel.com/products/97527/Intel-Core-i3-7350K-Processor-4M-Cache-4_20-GHz
" Intel® vPro™ Technology ‡ No "

https://ark.intel.com/products/61275/Intel-Core-i7-2700K-Processor-8M-Cache-up-to-3_90-GHz
"Intel® vPro™ Technology ‡ No "
Well, usually drivers for IME (Intel Management Engine) come from the motherboard manufacturer's page, which could be working for the motherboard.

I still was curious about the 7350k since it is an i3

but I found that the i3 7300/7320 doesn't have vPro technology

https://ark.intel.com/compare/97129,97128,97123,97150,97144,97458,97484,97527

No i3 has that enabled
https://ark.intel.com/compare/97458,97484,97527,90729,90733,90731
 

·
Indentified! On the Way!!
Joined
·
2,970 Posts
A bit off topic, but does anyone know if AMD has implemented a similar device on their boards/chipsets?
 

·
⤷ αC
Joined
·
11,239 Posts
Quote:
Originally Posted by LancerVI View Post

A bit off topic, but does anyone know if AMD has implemented a similar device on their boards/chipsets?
Maybe the DASH management protocol?
Quote:
First off, the Ryzen PRO platforms support the DASH management protocol, allowing PRO systems to be remotely managed using tools based on this industry standard (and typically developed by the individual computer vendors). AMD Pro-series processors have supported DASH for years, so for AMD this is a continuation of status quo.
http://www.anandtech.com/show/11591/amd-launches-ryzen-pro-cpus-enhanced-security-longer-warranty-better-quality
Quote:
Originally Posted by http://techreport.com/review/32175/ryzen-pro-platform-brings-a-dash-of-epyc-to-corporate-desktops
To counter Intel's proprietary vPro remote manageability suite, the Ryzen Pro platform will offer support for the open DASH remote management platform. Like vPro, DASH offers out-of-band management tools for system administrators across their corporate networks. According to the Distributed Management Task Force standards body, DASH offers KVM and console redirection, media redirection, software and firmware update capabilities, and more.
 

·
Iconoclast
Joined
·
30,810 Posts
Quote:
Originally Posted by AlphaC View Post

No vPro per datasheet, but Blameless believes that CPUs without vPro still have the Management engine (since it's based on the chipset)?
Way back when, it was part of Intel's NICs, then they started putting it on the MCH, then ICH, then on PCHes. Currently, the Management Engine does things as basic as controlling the clock generator (most software OC tools require the ME drivers to be installed), power management, hardware security features, and a slew of other stuff that gives it very fundamental access to the system (which is why I don't like having the interface driver running if I'm not doing anything that would require it).

https://rog.asus.com/forum/showthread.php?23823-quot-Intel-Management-Engine-quot-quot-Intel-Active-Management-Technology-quot-!&p=167531&viewfull=1#post167531

The exploit in the OP seems to be dependent on the actual AMT firmware:

https://nvd.nist.gov/vuln/detail/CVE-2017-5689

https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
 