Sun Nov 3 14:34:30 2024
EVENTS
 FREE
SOFTWARE
INSTITUTE

POLITICS
JOBS
MEMBERS'
CORNER

MAILING
LIST

NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2017-01-01

LEARN

2024-11-03 | 2024-10-03 | 2024-09-03 | 2024-08-03 | 2024-07-03 | 2024-06-03 | 2024-05-03 | 2024-04-03 | 2024-03-03 | 2024-02-03 | 2024-01-03 | 2023-12-03 | 2023-11-03 | 2023-10-03 | 2023-09-03 | 2023-08-03 | 2023-07-03 | 2023-06-03 | 2023-05-03 | 2023-04-03 | 2023-03-03 | 2023-02-03 | 2023-01-03 | 2022-12-03 | 2022-11-03 | 2022-10-03 | 2022-09-03 | 2022-08-03 | 2022-07-03 | 2022-06-03 | 2022-05-03 | 2022-04-03 | 2022-03-03 | 2022-02-03 | 2022-01-03 | 2021-12-03 | 2021-11-03 | 2021-10-03 | 2021-09-03 | 2021-08-03 | 2021-07-03 | 2021-06-03 | 2021-05-03 | 2021-04-03 | 2021-03-03 | 2021-02-03 | 2021-01-03 | 2020-12-03 | 2020-11-03 | 2020-10-03 | 2020-09-03 | 2020-08-03 | 2020-07-03 | 2020-06-03 | 2020-05-03 | 2020-04-03 | 2020-03-03 | 2020-02-03 | 2020-01-03 | 2019-12-03 | 2019-11-03 | 2019-10-03 | 2019-09-03 | 2019-08-03 | 2019-07-03 | 2019-06-03 | 2019-05-03 | 2019-04-03 | 2019-03-03 | 2019-02-03 | 2019-01-03 | 2018-12-03 | 2018-11-03 | 2018-10-03 | 2018-09-03 | 2018-08-03 | 2018-07-03 | 2018-06-03 | 2018-05-03 | 2018-04-03 | 2018-03-03 | 2018-02-03 | 2018-01-03 | 2017-12-03 | 2017-11-03 | 2017-10-03 | 2017-09-03 | 2017-08-03 | 2017-07-03 | 2017-06-03 | 2017-05-03 | 2017-04-03 | 2017-03-03 | 2017-02-03 | 2017-01-03 | 2016-12-03 | 2016-11-03 | 2016-10-03 | 2016-09-03 | 2016-08-03 | 2016-07-03 | 2016-06-03 | 2016-05-03 | 2016-04-03 | 2016-03-03 | 2016-02-03 | 2016-01-03 | 2015-12-03 | 2015-11-03 | 2015-10-03 | 2015-09-03 | 2015-08-03 | 2015-07-03 | 2015-06-03 | 2015-05-03 | 2015-04-03 | 2015-03-03 | 2015-02-03 | 2015-01-03 | 2014-12-03 | 2014-11-03 | 2014-10-03

Key: Value:

Key: Value:

MESSAGE
DATE 2017-01-23
FROM Ruben Safir
SUBJECT Subject: [Learn] anyone understand this - ME
From learn-bounces-at-nylxs.com Mon Jan 23 18:02:37 2017
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: from www.mrbrklyn.com (www.mrbrklyn.com [96.57.23.82])
by mrbrklyn.com (Postfix) with ESMTP id 4E9F3161312;
Mon, 23 Jan 2017 18:02:37 -0500 (EST)
X-Original-To: learn-at-nylxs.com
Delivered-To: learn-at-nylxs.com
Received: from [10.0.0.62] (flatbush.mrbrklyn.com [10.0.0.62])
by mrbrklyn.com (Postfix) with ESMTP id 39EE5161312;
Mon, 23 Jan 2017 18:02:34 -0500 (EST)
To: Hangout , "learn-at-nylxs.com"
From: Ruben Safir
Message-ID:
Date: Mon, 23 Jan 2017 18:02:34 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Thunderbird/45.5.1
MIME-Version: 1.0
Subject: [Learn] anyone understand this - ME
X-BeenThere: learn-at-nylxs.com
X-Mailman-Version: 2.1.17
Precedence: list
List-Id:
List-Unsubscribe: ,

List-Archive:
List-Post:
List-Help:
List-Subscribe: ,

Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: learn-bounces-at-nylxs.com
Sender: "Learn"

Why is the latest Intel hardware unsupported in libreboot? #intel

It is extremely unlikely that any post-2008 Intel hardware will ever be
supported in libreboot, due to severe security and freedom issues; so
severe, that the libreboot project recommends avoiding all modern Intel
hardware. If you have an Intel based system affected by the problems
described below, then you should get rid of it as soon as possible. The
main issues are as follows:
Intel Management Engine (ME) #intelme

Introduced in June 2006 in Intel's 965 Express Chipset Family of
(Graphics and) Memory Controller Hubs, or (G)MCHs, and the ICH8 I/O
Controller Family, the Intel Management Engine (ME) is a separate
computing environment physically located in the (G)MCH chip. In Q3 2009,
the first generation of Intel Core i3/i5/i7 (Nehalem) CPUs and the 5
Series Chipset family of Platform Controller Hubs, or PCHs, brought a
more tightly integrated ME (now at version 6.0) inside the PCH chip,
which itself replaced the ICH. Thus, the ME is present on all Intel
desktop, mobile (laptop), and server systems since mid 2006.

The ME consists of an ARC processor core (replaced with other processor
cores in later generations of the ME), code and data caches, a timer,
and a secure internal bus to which additional devices are connected,
including a cryptography engine, internal ROM and RAM, memory
controllers, and a direct memory access (DMA) engine to access the host
operating system's memory as well as to reserve a region of protected
external memory to supplement the ME's limited internal RAM. The ME also
has network access with its own MAC address through an Intel Gigabit
Ethernet Controller. Its boot program, stored on the internal ROM, loads
a firmware "manifest" from the PC's SPI flash chip. This manifest is
signed with a strong cryptographic key, which differs between versions
of the ME firmware. If the manifest isn't signed by a specific Intel
key, the boot ROM won't load and execute the firmware and the ME
processor core will be halted.

The ME firmware is compressed and consists of modules that are listed in
the manifest along with secure cryptographic hashes of their contents.
One module is the operating system kernel, which is based on a
proprietary real-time operating system (RTOS) kernel called "ThreadX".
The developer, Express Logic, sells licenses and source code for
ThreadX. Customers such as Intel are forbidden from disclosing or
sublicensing the ThreadX source code. Another module is the Dynamic
Application Loader (DAL), which consists of a Java virtual machine and
set of preinstalled Java classes for cryptography, secure storage, etc.
The DAL module can load and execute additional ME modules from the PC's
HDD or SSD. The ME firmware also includes a number of native application
modules within its flash memory space, including Intel Active Management
Technology (AMT), an implementation of a Trusted Platform Module (TPM),
Intel Boot Guard, and audio and video DRM systems.

The Active Management Technology (AMT) application, part of the Intel
"vPro" brand, is a Web server and application code that enables remote
users to power on, power off, view information about, and otherwise
manage the PC. It can be used remotely even while the PC is powered off
(via Wake-on-Lan). Traffic is encrypted using SSL/TLS libraries, but
recall that all of the major SSL/TLS implementations have had highly
publicized vulnerabilities. The AMT application itself has known
vulnerabilities, which have been exploited to develop rootkits and
keyloggers and covertly gain encrypted access to the management features
of a PC. Remember that the ME has full access to the PC's RAM. This
means that an attacker exploiting any of these vulnerabilities may gain
access to everything on the PC as it runs: all open files, all running
applications, all keys pressed, and more.

Intel Boot Guard is an ME application introduced in Q2 2013 with ME
firmware version 9.0 on 4th Generation Intel Core i3/i5/i7 (Haswell)
CPUs. It allows a PC OEM to generate an asymmetric cryptographic
keypair, install the public key in the CPU, and prevent the CPU from
executing boot firmware that isn't signed with their private key. This
means that coreboot and libreboot are impossible to port to such PCs,
without the OEM's private signing key. Note that systems assembled from
separately purchased mainboard and CPU parts are unaffected, since the
vendor of the mainboard (on which the boot firmware is stored) can't
possibly affect the public key stored on the CPU.

ME firmware versions 4.0 and later (Intel 4 Series and later chipsets)
include an ME application for audio and video DRM called "Protected
Audio Video Path" (PAVP). The ME receives from the host operating system
an encrypted media stream and encrypted key, decrypts the key, and sends
the encrypted media decrypted key to the GPU, which then decrypts the
media. PAVP is also used by another ME application to draw an
authentication PIN pad directly onto the screen. In this usage, the PAVP
application directly controls the graphics that appear on the PC's
screen in a way that the host OS cannot detect. ME firmware version 7.0
on PCHs with 2nd Generation Intel Core i3/i5/i7 (Sandy Bridge) CPUs
replaces PAVP with a similar DRM application called "Intel Insider".
Like the AMT application, these DRM applications, which in themselves
are defective by design, demonstrate the omnipotent capabilities of the
ME: this hardware and its proprietary firmware can access and control
everything that is in RAM and even everything that is shown on the screen.

The Intel Management Engine with its proprietary firmware has complete
access to and control over the PC: it can power on or shut down the PC,
read all open files, examine all running applications, track all keys
pressed and mouse movements, and even capture or display images on the
screen. And it has a network interface that is demonstrably insecure,
which can allow an attacker on the network to inject rootkits that
completely compromise the PC and can report to the attacker all
activities performed on the PC. It is a threat to freedom, security, and
privacy that can't be ignored.

Before version 6.0 (that is, on systems from 2008/2009 and earlier), the
ME can be disabled by setting a couple of values in the SPI flash
memory. The ME firmware can then be removed entirely from the flash
memory space. libreboot does this on the Intel 4 Series systems that it
supports, such as the Libreboot X200 and Libreboot T400. ME firmware
versions 6.0 and later, which are found on all systems with an Intel
Core i3/i5/i7 CPU and a PCH, include "ME Ignition" firmware that
performs some hardware initialization and power management. If the ME's
boot ROM does not find in the SPI flash memory an ME firmware manifest
with a valid Intel signature, the whole PC will shut down after 30 minutes.

Due to the signature verification, developing free replacement firmware
for the ME is basically impossible. The only entity capable of replacing
the ME firmware is Intel. As previously stated, the ME firmware includes
proprietary code licensed from third parties, so Intel couldn't release
the source code even if they wanted to. And even if they developed
completely new ME firmware without third-party proprietary code and
released its source code, the ME's boot ROM would reject any modified
firmware that isn't signed by Intel. Thus, the ME firmware is both
hopelessly proprietary and "tivoized".

In summary, the Intel Management Engine and its applications are a
backdoor with total access to and control over the rest of the PC. The
ME is a threat to freedom, security, and privacy, and the libreboot
project strongly recommends avoiding it entirely. Since recent versions
of it can't be removed, this means avoiding all recent generations of
Intel hardware.

More information about the Management Engine can be found on various Web
sites, including me.bios.io, unhuffme, coreboot wiki, and Wikipedia. The
book Platform Embedded Security Technology Revealed describes in great
detail the ME's hardware architecture and firmware application modules.

If you're stuck with the ME (non-libreboot system), you might find this
interesting:
http://hardenedlinux.org/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html

Also see (effort to disable the ME):
https://www.coreboot.org/pipermail/coreboot/2016-November/082331.html -
look at the whole thread
--
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Learn mailing list
Learn-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/learn

  1. 2017-01-09 James E Keenan <jkeen-at-verizon.net> Subject: [Learn] Perl Conference 2017: June 18-23: Call for Proposals
  2. 2017-01-09 From: "David H. Adler" <dha-at-panix.com> Subject: [Learn] [MEETING] New year, new meetings.
  3. 2017-01-10 IEEE Engineering in Medicine and Biology Society <noreply-at-embs.org> Subject: [Learn] BHI 2017 -Important Reminders
  4. 2017-01-12 mrbrklyn <mrbrklyn-at-panix.com> Subject: [Learn] Fwd: [Accu-contacts] C/C++ Engineer Roles - YouView set-top
  5. 2017-01-16 mrbrklyn <mrbrklyn-at-panix.com> Subject: [Learn] openscience this year
  6. 2017-01-19 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Learn] (fwd) Re: Keith Hernandez should be coaching,
  7. 2017-01-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Keith Hernandez should be coaching,
  8. 2017-01-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Keith Hernandez should be coaching,
  9. 2017-01-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Keith Hernandez should be coaching,
  10. 2017-01-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Keith Hernandez should be coaching,
  11. 2017-01-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Keith Hernandez should be coaching,
  12. 2017-01-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Keith Hernandez should be coaching,
  13. 2017-01-19 Rick Moen <rick-at-linuxmafia.com> Subject: [Learn] [Hangout-NYLXS] RAM and RAM-testing
  14. 2017-01-19 Rick Moen <rick-at-linuxmafia.com> Subject: [Learn] [Hangout-NYLXS] RAM and RAM-testing
  15. 2017-01-20 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Learn] Follow up conversation
  16. 2017-01-20 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Learn] Fwd: cs691 notes and task
  17. 2017-01-20 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Alumni Publications
  18. 2017-01-20 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] Follow up conversation
  19. 2017-01-20 ruben safir <ruben-at-mrbrklyn.com> Subject: [Learn] Fwd: Re: threads and exit() woes
  20. 2017-01-20 ruben safir <ruben-at-mrbrklyn.com> Subject: [Learn] Fwd: threads and exit() woes
  21. 2017-01-21 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Learn] Fwd: Re: Nueral Networks
  22. 2017-01-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Nice project to learn from
  23. 2017-01-23 IEEE Engineering in Medicine and Biology Society <noreply-at-embs.org> Subject: [Learn] 8th International IEEE EMBS Conference on Neural
  24. 2017-01-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] anyone understand this - ME
  25. 2017-01-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] compiler job
  26. 2017-01-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Fwd: Re: Nueral Networks
  27. 2017-01-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Parse Tree theory
  28. 2017-01-24 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Computational evolution
  29. 2017-01-25 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Felsenstein Phylogenies
  30. 2017-01-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] R Programming Workshop
  31. 2017-01-26 ruben safir <ruben-at-mrbrklyn.com> Re: [Learn] Felsenstein Phylogenies
  32. 2017-01-26 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Learn] [Hangout-NYLXS] librepalnet
  33. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Felsenstein Phylogenies
  34. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  35. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  36. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  37. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  38. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  39. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  40. 2017-01-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Learn] (fwd) Re: Felsenstein Phylogenies
  41. 2017-01-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Installfest at LIU Brooklyn
  42. 2017-01-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] librepalnet
  43. 2017-01-27 Christopher League <league-at-contrapunctus.net> Subject: [Learn] P vs NP
  44. 2017-01-28 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Learn] P vs NP
  45. 2017-01-28 ruben safir <ruben-at-mrbrklyn.com> Subject: [Learn] Fwd: Re: Felsenstein Phylogenies
  46. 2017-01-30 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] R Programming Workshop
  47. 2017-01-30 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] R workshop
  48. 2017-01-30 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] [Hangout-NYLXS] Installfest for Lunch
  49. 2017-01-30 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] [ruben-at-mrbrklyn.com: [Hangout-NYLXS] Installfest for Lunch]
  50. 2017-01-31 ruben <ruben-at-mrbrklyn.com> Subject: [Learn] Fwd: [dinosaur] Collagen preserved in Early Jurassic
  51. 2017-01-31 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Learn] Fwd: [isoc-ny] FCC Seeks Diverse Stakeholders for Broadband

NYLXS are Do'ers and the first step of Doing is Joining! Join NYLXS and make a difference in your community today!