Discussion:
Intel inside? - Head's up
Tony Su
2017-11-24 19:19:30 UTC
In the news only this past week, and it's a doozy...

If you're running "any" "current" Intel CPU, apparently there is/are
some pretty serious vulnerabilities in the Intel Management Engine.

Affects all "versions" including the upcoming "version 8" on all
hardware platforms including mobile.
Articles I've read only go back to version 6 in 2015, but the general
description should cover all Intel CPUs going back to 2013.

Am waiting for my firmware update notification, in the meantime
apparently there is supposed to be some way to disable the Intel
Management Engine in the meantime...

http://fortune.com/2017/11/21/intel-core-cpu-security-minix/
https://www.pymnts.com/news/security-and-risk/2017/intel-admits-to-serious-security-flaw-in-pc-chips/

Tony
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Dante Lanznaster
2017-11-25 05:52:22 UTC
There's no way to disable it, and AMD has a similar engine, called PSP.
They've had it for a while, too.

Resistance is futile.
Post by Tony Su
In the news only this past week, and it's a doozy...
If you're running "any" "current" Intel CPU, apparently there is/are
some pretty serious vulnerabilities in the Intel Management Engine.
Affects all "versions" including the upcoming "version 8" on all
hardware platforms including mobile.
Articles I've read only go back to version 6 in 2015, but the general
description should cover all Intel CPUs going back to 2013.
Am waiting for my firmware update notification, in the meantime
apparently there is supposed to be some way to disable the Intel
Management Engine in the meantime...
http://fortune.com/2017/11/21/intel-core-cpu-security-minix/
https://www.pymnts.com/news/security-and-risk/2017/intel-admits-to-serious-security-flaw-in-pc-chips/
Tony
David Brown
2017-11-25 07:11:06 UTC
Post by Tony Su
If you're running "any" "current" Intel CPU, apparently there is/are
some pretty serious vulnerabilities in the Intel Management Engine.
Affects all "versions" including the upcoming "version 8" on all
hardware platforms including mobile.
Articles I've read only go back to version 6 in 2015, but the general
description should cover all Intel CPUs going back to 2013.
Am waiting for my firmware update notification, in the meantime
apparently there is supposed to be some way to disable the Intel
Management Engine in the meantime...
I found an updater on ASUS's website for my motherboard. However, it
seems to only be a windows executable, so I have no way of running it.
I sent a support request to ASUS to see if that gets me anywhere.

Intel's Linux tool tells me my system is vulnerable. Another tool I
have, though, tells me that as configured, it is not susceptible to an
attack over the ethernet, and I'm less worried about a local attack.
Hopefully this is true, since I'm not sure how I'd be able to run a
Windows-only updater.

I would imagine this kind of firmware is fairly common. ARM CPUs have
something called TrustZone which effectively isolates an execution
environment for some code, and there have been vulnerabilities
discovered there as well:
https://www.slashgear.com/android-soc-security-keys-extracted-qualcomm-trustzone-in-question-31442245/

These SoCs also generally have other lower-performance CPUs to perform
"management"-type tasks, such as power management, or even implement
other devices, such as networking.

I guess it is nifty to find out that Intel's management engine is
running Minix, but unfortunate that the security focus Minix has
didn't help this particular vulnerability. I long for the day when
writing firmware in C will be considered antiquated, and people
regularly use safer languages.

David
Tony Su
2017-11-27 17:45:56 UTC
Depending on what kind of executable and what may be in the
executable, there are known procedures for extraction.

The following is a very brief description for different types of
Windows executables; if one requires more than a general-purpose unzip,
then you may need to find the detailed documentation for that piece.

https://technet.microsoft.com/en-us/library/dd759151(v=ws.11).aspx
Post by David Brown
Post by Tony Su
If you're running "any" "current" Intel CPU, apparently there is/are
some pretty serious vulnerabilities in the Intel Management Engine.
Affects all "versions" including the upcoming "version 8" on all
hardware platforms including mobile.
Articles I've read only go back to version 6 in 2015, but the general
description should cover all Intel CPUs going back to 2013.
Am waiting for my firmware update notification, in the meantime
apparently there is supposed to be some way to disable the Intel
Management Engine in the meantime...
I found an updater on ASUS's website for my motherboard. However, it
seems to only be a windows executable, so I have no way of running it.
I sent a support request to ASUS to see if that gets me anywhere.
Intel's Linux tool tells me my system is vulnerable. Another tool I
have, though, tells me that as configured, it is not susceptible to an
attack over the ethernet, and I'm less worried about a local attack.
Hopefully this is true, since I'm not sure how I'd be able to run a
Windows-only updater.
I would imagine this kind of firmware is fairly common. ARM CPUs have
something called TrustZone which effectively isolates an execution
environment for some code, and there have been vulnerabilities
https://www.slashgear.com/android-soc-security-keys-extracted-qualcomm-trustzone-in-question-31442245/
These SoCs also generally have other lower-performance CPUs to perform
"management"-type tasks, such as power management, or even implement
other devices, such as networking.
I guess it is nifty to find out that Intel's management engine is
running Minix, but unfortunate that the security focus Minix has
didn't help this particular vulnerability. I long for the day when
writing firmware in C will be considered antiquated, and people
regularly use safer languages.
David
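Added example, not code from Tony, David, ASUS or the TechNet page: a small Python carver for the "general purpose unzip" case Tony describes. Many vendor installer EXEs are a stub program with a ZIP, CAB or 7z archive appended or embedded, so scanning for the archive signatures and slicing from the first hit lets you list and hash the payload (firmware image, driver files) without running the installer. The sample installer, its member names and their contents are constructed for this example; none of it is the real ASUS updater.

```python
import hashlib
import io
import zipfile

# Magic bytes of archive formats commonly embedded in vendor installers.
# Only ZIP is carved below; CAB and 7z hits are reported so the reader
# knows where to cut and which external tool (cabextract, 7z) to use.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"MSCF": "cab",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def find_embedded(data):
    """Return a sorted list of (offset, kind) for every archive signature in data."""
    hits = []
    for magic, kind in MAGICS.items():
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0:
                break
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def carve_zip(data, offset):
    """Open the ZIP archive whose first local-file header is at `offset`
    and return {member name: content}. Slicing from the header gives
    zipfile a well-formed archive even though the EXE stub precedes it."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def inspect_installer(data):
    """Summarise the first embedded ZIP as {member: (size, sha256)} so the
    payload can be compared with hashes the vendor publishes."""
    zips = [off for off, kind in find_embedded(data) if kind == "zip"]
    if not zips:
        return {}
    return {name: (len(body), hashlib.sha256(body).hexdigest())
            for name, body in carve_zip(data, zips[0]).items()}


def build_sample_installer():
    """Constructed stand-in for a vendor updater (not a real ASUS file): a
    fake MZ stub followed by a stored ZIP with a dummy firmware image and INF."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("ME_Update/firmware.bin", b"\x00\x01" * 64)
        zf.writestr("ME_Update/driver.inf", '[Version]\nSignature="$Windows NT$"\n')
    stub = b"MZ" + b"\x90" * 510 + b"This program cannot be run in DOS mode.\r\n"
    return stub + payload.getvalue()


if __name__ == "__main__":
    sample = build_sample_installer()
    for off, kind in find_embedded(sample):
        print(f"{kind} signature at offset {off:#x}")
    for name, (size, digest) in inspect_installer(sample).items():
        print(f"{name}: {size} bytes sha256={digest}")
```

If the first hit is a CAB or 7z rather than a ZIP, the offset still tells you where to cut with dd before handing the piece to cabextract or 7z. Hashing the carved members is the useful defender step: it lets you check what the installer actually carries against what the vendor or Intel publishes for the fixed firmware version, and it gives you a reference hash for the image before anything is written to flash.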
David Brown
2017-11-27 18:41:24 UTC
Post by Tony Su
Depending on what kind of executable and what may be in the
executable, there are known procedures for extraction.
The following is a very brief description for different types of
Windows executables; if one requires more than a general-purpose unzip,
then you may need to find the detailed documentation for that piece.
There is quite a bit more going on. There seems to be a driver, an
update tool, and the firmware executable. But, even if I could
extract it, I'm not sure how I would program it.

David
Kevin Keane Subscription
2017-11-28 05:03:28 UTC
I don’t know this particular updater, but most updaters of that nature will perform the actual update during a reboot. There are different methods for this. If you are very lucky, the updater is actually a DOS program – in that case, all you need to do is download FreeDOS, throw it on a USB stick, put the updater on it, reboot into FreeDOS, and run the updater.

The other method involves inserting the updater very early into the boot process.

Sent from Mail for Windows 10

From: David Brown <mailto:***@davidb.org>
Sent: Monday, November 27, 2017 10:42 AM
To: Main Discussion List for KPLUG <mailto:kplug-***@kernel-panic.org>
Subject: Re: Intel inside? - Head's up

Post by Tony Su
Depending on what kind of executable and what may be in the
executable, there are known procedures for extraction.
The following is a very brief description for different types of
Windows executables; if one requires more than a general-purpose unzip,
then you may need to find the detailed documentation for that piece.
There is quite a bit more going on.  There seems to be a driver, an
update tool, and the firmware executable.  But, even if I could
extract it, I'm not sure how I would program it.

David


David Brown
2017-11-28 05:23:53 UTC
Post by Kevin Keane Subscription
I don’t know this particular updater, but most updaters of that nature will
perform the actual update during a reboot. There are different methods for
this. If you are very lucky, the updater is actually a DOS program – in that
case, all you need to do is download FreeDOS, throw it on a USB stick, put the
updater on it, reboot into FreeDOS, and run the updater.
It's an exe file, a bunch of dlls, a driver consisting of some sys
files and an ini file (and an installer executable). It has both
32-bit and 64-bit windows binaries for the updater itself. Pretty
sure it is only going to work under Windows.

David
Post by Kevin Keane Subscription
The other method involves inserting the updater very early into the boot process.
The normal updater for this firmware is built into the firmware. But,
the ME updater seems to be something special.

David
Gus Wirth
2017-11-28 05:54:17 UTC
Post by David Brown
Post by Kevin Keane Subscription
I don’t know this particular updater, but most updaters of that nature will
perform the actual update during a reboot. There are different methods for
this. If you are very lucky, the updater is actually a DOS program – in that
case, all you need to do is download FreeDOS, throw it on a USB stick, put the
updater on it, reboot into FreeDOS, and run the updater.
It's an exe file, a bunch of dlls, a driver consisting of some sys
files and an ini file (and an installer executable). It has both
32-bit and 64-bit windows binaries for the updater itself. Pretty
sure it is only going to work under Windows.
David
Post by Kevin Keane Subscription
The other method involves inserting the updater very early into the boot process.
The normal updater for this firmware is built into the firmware. But,
the ME updater seems to be something special.
There might be two possibilities for making this work without an actual
MS Windows installation. The first would be to try the program under
Wine <https://www.winehq.org> running on Linux. I've had fairly good
success with some simpler Windows programs. The problem that I could see
arising with that is the requirement for some really low level bit
twiddling. I have no idea how it would react with the kernel.

The second would be to try and use ReactOS <http://reactos.org/>. I
haven't tried it in quite a while but it's probably still a bit shaky.

I guess the real question is, is there any way to recover from a botched
attempt to upgrade? I'm not familiar with what this thing even does. Can
it brick your motherboard if it doesn't work?

Gus
Tony Su
2017-11-29 18:20:32 UTC
That does seem to be more than expected.
Typically firmware updates (i.e. BIOS/UEFI) are only C code, so are
cross platform.
If you see DLLs, then unless those have something to do with the
installer and not the actual update, it sounds like some kind of
Windows patch as well.

Tony
Post by David Brown
Post by Kevin Keane Subscription
I don’t know this particular updater, but most updaters of that nature will
perform the actual update during a reboot. There are different methods for
this. If you are very lucky, the updater is actually a DOS program – in that
case, all you need to do is download FreeDOS, throw it on a USB stick, put the
updater on it, reboot into FreeDOS, and run the updater.
It's an exe file, a bunch of dlls, a driver consisting of some sys
files and an ini file (and an installer executable). It has both
32-bit and 64-bit windows binaries for the updater itself. Pretty
sure it is only going to work under Windows.
David
Post by Kevin Keane Subscription
The other method involves inserting the updater very early into the boot process.
The normal updater for this firmware is built into the firmware. But,
the ME updater seems to be something special.
There might be two possibilities for making this work without an actual MS
Windows installation. The first would be to try the program under Wine
<https://www.winehq.org> running on Linux. I've had fairly good success with
some simpler Windows programs. The problem that I could see arising with
that is the requirement for some really low level bit twiddling. I have no
idea how it would react with the kernel.
The second would be to try and use ReactOS <http://reactos.org/>. I haven't
tried it in quite a while but it's probably still a bit shaky.
I guess the real question is, is there any way to recover from a botched
attempt to upgrade? I'm not familiar with what this thing even does. Can it
brick your motherboard if it doesn't work?
Gus
David Brown
2017-11-29 18:33:42 UTC
Post by Tony Su
That does seem to be more than expected.
Typically firmware updates (i.e. BIOS/UEFI) are only C code, so are
cross platform.
If you see DLLs, then unless those have something to do with the
installer and not the actual update, it sounds like some kind of
Windows patch as well.
I'm sure the firmware itself is just a binary that gets installed into
an SPI flash somewhere. But, since a userspace program on Windows
won't be able to write to that device, they need a windows driver in
order to be able to do the write.

I'm sure I could figure out how to extract the update image out of the
updater, but I don't know if it would be useful to me, without writing
a Linux driver/tool to put that image into the proper SPI flash. Even
where the update lives will depend on the particular chipset involved,
and even decisions made by the motherboard/BIOS manufacturer.

I think the problem here is while UEFI updates are kind of expected,
and therefore there is already a tool within the UEFI to read new
images and update them, they probably didn't expect to ever have to
update the Management Engine firmware, and so there isn't a tool in
place to do that.

David
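Added example, not code from the thread, Intel or ASUS: David's point that the ME image lives "in an SPI flash somewhere" and that its location depends on the chipset and board is exactly what the Intel Flash Descriptor at the start of the flash answers. This Python parser follows the publicly documented descriptor layout (the same one coreboot's ifdtool reads): a signature dword 0x0FF0A55A at offset 0x10 (0x0 on some older boards), the FLMAP0 dword after it giving the Flash Region Base Address, and at that address one dword per region whose two 15-bit fields give base and limit in 4 KiB units; region 2 is the ME region. The 1 MiB dump and the "$FPT" marker inside it are constructed for this example and do not come from any real board.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A   # "flash valid signature" dword of the descriptor
REGION_NAMES = {0: "descriptor", 1: "bios", 2: "me", 3: "gbe", 4: "platform_data"}


def find_descriptor(rom):
    """Offset of the descriptor signature: 0x10 on most boards, 0x0 on a few
    older ones; -1 if neither location matches."""
    for off in (0x10, 0x0):
        if len(rom) >= off + 4 and struct.unpack_from("<I", rom, off)[0] == IFD_SIGNATURE:
            return off
    return -1


def parse_regions(rom):
    """Return {region name: (base, limit)} as byte offsets, skipping unused regions."""
    sig = find_descriptor(rom)
    if sig < 0:
        raise ValueError("no Intel flash descriptor signature found")
    flmap0 = struct.unpack_from("<I", rom, sig + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4          # FRBA field is in 16-byte units
    regions = {}
    for idx, name in REGION_NAMES.items():
        flreg = struct.unpack_from("<I", rom, frba + 4 * idx)[0]
        base = (flreg & 0x7FFF) << 12             # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:                          # unused region (e.g. base 0x7FFF, limit 0)
            continue
        if limit >= len(rom):
            raise ValueError(f"{name} region ends past the dump ({limit:#x} >= {len(rom):#x})")
        regions[name] = (base, limit)
    return regions


def extract_me_region(rom):
    """Slice out the ME firmware region; KeyError if the descriptor defines none."""
    base, limit = parse_regions(rom)["me"]
    return rom[base:limit + 1]


def build_sample_rom():
    """Constructed 1 MiB dump (not from any real board): descriptor at 0,
    ME at 0x1000-0x7FFFF, BIOS at 0x80000-0xFFFFF, GbE and PD unused."""
    rom = bytearray(b"\xFF" * 0x100000)
    struct.pack_into("<I", rom, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", rom, 0x14, 0x04 << 16)         # FLMAP0: FRBA = 0x40
    flregs = [0x00000000, 0x00FF0080, 0x007F0001, 0x00007FFF, 0x00007FFF]
    for idx, val in enumerate(flregs):
        struct.pack_into("<I", rom, 0x40 + 4 * idx, val)
    rom[0x1000:0x1004] = b"$FPT"                          # constructed marker at ME start
    return bytes(rom)


if __name__ == "__main__":
    sample = build_sample_rom()
    for name, (base, limit) in parse_regions(sample).items():
        print(f"{name:14s} {base:#09x}-{limit:#09x}")
    print("ME region bytes:", len(extract_me_region(sample)))
```

A real dump would come from `flashrom -p internal -r backup.rom`, the approach the Arch wiki page Tony links describes. On many boards the descriptor's access permissions lock the ME region against host reads and writes, which is part of why the vendor ships a driver-backed Windows tool rather than a plain image; the parser then still reports the region bounds, but the slice reads back as all 0xFF. Keeping that backup and hashing the region before and after an update is the first step toward answering Gus's question about recovering from a botched attempt.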
Tony Su
2017-11-29 18:46:18 UTC
First, check whether your motherboard manufacturer or BIOS chip
manufacturer has a special standalone install tool.

If nothing special is provided or recommended, then the Linux Arch
Wiki is a common place I look next...

https://wiki.archlinux.org/index.php/Flashing_BIOS_from_Linux

(And, of course, search for any prior discussions by anyone else who
has flashed that motherboard before you.)

Tony
Post by David Brown
Post by Tony Su
That does seem to be more than expected.
Typically firmware updates (i.e. BIOS/UEFI) are only C code, so are
cross platform.
If you see DLLs, then unless those have something to do with the
installer and not the actual update, it sounds like some kind of
Windows patch as well.
I'm sure the firmware itself is just a binary that gets installed into
an SPI flash somewhere. But, since a userspace program on Windows
won't be able to write to that device, they need a windows driver in
order to be able to do the write.
I'm sure I could figure out how to extract the update image out of the
updater, but I don't know if it would be useful to me, without writing
a Linux driver/tool to put that image into the proper SPI flash. Even
where the update lives will depend on the particular chipset involved,
and even decisions made by the motherboard/BIOS manufacturer.
I think the problem here is while UEFI updates are kind of expected,
and therefore there is already a tool within the UEFI to read new
images and update them, they probably didn't expect to ever have to
update the Management Engine firmware, and so there isn't a tool in
place to do that.
David
Tony Su
2017-11-29 18:51:36 UTC
Also,
A tool Windows Admins sometimes use is Windows PE (It's the official
Windows version LiveCD)

I haven't used it for flashing, so don't know for sure if there are
issues, but it'll do any common stuff a Windows SysAdmin could
want (although really, really slowly).

https://technet.microsoft.com/en-us/library/dn613860.aspx

Tony
Post by Tony Su
First, check whether your motherboard manufacturer or BIOS chip
manufacturer has a special standalone install tool.
If nothing special is provided or recommended, then the Linux Arch
Wiki is a common place I look next...
https://wiki.archlinux.org/index.php/Flashing_BIOS_from_Linux
(And, of course, search for any prior discussions by anyone else who
has flashed that motherboard before you.)
Tony
Post by David Brown
Post by Tony Su
That does seem to be more than expected.
Typically firmware updates (i.e. BIOS/UEFI) are only C code, so are
cross platform.
If you see DLLs, then unless those have something to do with the
installer and not the actual update, it sounds like some kind of
Windows patch as well.
I'm sure the firmware itself is just a binary that gets installed into
an SPI flash somewhere. But, since a userspace program on Windows
won't be able to write to that device, they need a windows driver in
order to be able to do the write.
I'm sure I could figure out how to extract the update image out of the
updater, but I don't know if it would be useful to me, without writing
a Linux driver/tool to put that image into the proper SPI flash. Even
where the update lives will depend on the particular chipset involved,
and even decisions made by the motherboard/BIOS manufacturer.
I think the problem here is while UEFI updates are kind of expected,
and therefore there is already a tool within the UEFI to read new
images and update them, they probably didn't expect to ever have to
update the Management Engine firmware, and so there isn't a tool in
place to do that.
David
David Brown
2017-11-29 19:01:43 UTC
Post by Tony Su
A tool Windows Admins sometimes use is Windows PE (It's the official
Windows version LiveCD)
I haven't used it for flashing, so don't know for sure if there are
issues, but it'll do any common stuff a Windows SysAdmin could
want (although really, really slowly).
https://technet.microsoft.com/en-us/library/dn613860.aspx
Is that going to work, though, with a GUI windows executable?

Frankly, at this point, I'm not really going to worry about it. My
motherboard apparently doesn't configure ME well enough for it to be
able to get packets over ethernet, so my machine shouldn't be
externally vulnerable.

David
Tony Su
2017-12-01 18:02:25 UTC
Windows PE is a full Windows OS running as a LiveCD.
Forgot off the top of my head the popular 3rd party way of creating a
Windows LiveCD about a decade ago... But Windows PE is the official
such thing, used to be found as a Windows Admin tool on certain
Windows ISOs, but nowadays I think can only be downloaded (haven't
looked it up for a long time, it's one of those things I hardly have
ever used but "good to know").

So, as a full Windows OS, it would not have any problems running Windows
executables of all types.

Tony
Post by David Brown
Post by Tony Su
A tool Windows Admins sometimes use is Windows PE (It's the official
Windows version LiveCD)
I haven't used it for flashing, so don't know for sure if there are
issues, but it'll do any common stuff a Windows SysAdmin could
want (although really, really slowly).
https://technet.microsoft.com/en-us/library/dn613860.aspx
Is that going to work, though, with a GUI windows executable?
Frankly, at this point, I'm not really going to worry about it. My
motherboard apparently doesn't configure ME well enough for it to be
able to get packets over ethernet, so my machine shouldn't be
externally vulnerable.
David
David Brown
2017-12-01 19:38:25 UTC
Post by Tony Su
Windows PE is a full Windows OS running as a LiveCD.
Forgot off the top of my head the popular 3rd party way of creating a
Windows LiveCD about a decade ago... But Windows PE is the official
such thing, used to be found as a Windows Admin tool on certain
Windows ISOs, but nowadays I think can only be downloaded (haven't
looked it up for a long time, it's one of those things I hardly have
ever used but "good to know").
So, as a full Windows OS, it would not have any problems running Windows
executables of all types.
Looking online, I got mixed results as to whether PE was just a
command prompt, or could run GUIs (and would allow drivers to be
installed).

David
David Brown
2017-11-29 19:00:04 UTC
Post by Tony Su
First, check whether your motherboard manufacturer or BIOS chip
manufacturer has a special standalone install tool.
If nothing special is provided or recommended, then the Linux Arch
Wiki is a common place I look next...
https://wiki.archlinux.org/index.php/Flashing_BIOS_from_Linux
(And, of course search for any prior discussions for anyone else who
have flashed that motherboard before you)
The point here is that I'm not flashing the BIOS. That is perfectly
doable by putting an image on a USB drive and selecting the menu from
the BIOS setup screen. In fact, with the wired ethernet connected, it
can even download it itself.

This is an update to the Management Engine firmware. I don't think
they were expecting to ever have to update this firmware.

The only tool the motherboard manufacturer provides is this windows
utility to upgrade the ME firmware.

David
Kevin Keane Subscription
2017-12-02 17:42:23 UTC
Since it’s a LiveCD it is rather unlikely that anything you install would survive a reboot. That probably means that you can’t install a driver except by manipulating the CD itself.

Sent from Mail for Windows 10

From: David Brown <mailto:***@davidb.org>
Sent: Friday, December 1, 2017 11:39 AM
To: Main Discussion List for KPLUG <mailto:kplug-***@kernel-panic.org>
Subject: Re: Intel inside? - Head's up

Post by Tony Su
Windows PE is a full Windows OS running as a LiveCD.
Forgot off the top of my head the popular 3rd party way of creating a
Windows LiveCD about a decade ago... But Windows PE is the official
such thing, used to be found as a Windows Admin tool on certain
Windows ISOs, but nowadays I think can only be downloaded (haven't
looked it up for a long time, it's one of those things I hardly have
ever used but "good to know").
So, as a full Windows OS, it would not have any problems running Windows
executables of all types.
Looking online, I got mixed results as to whether PE was just a
command prompt, or could run GUIs (and would allow drivers to be
installed).

David


Tony Su
2017-12-04 04:17:02 UTC
A WinPE is used no differently than how you'd use a Linux LiveCD to
repair a system...

When you boot a WinPE, you're running a full Windows in memory, looks
no different than if the Windows was running from a HDD, only a lot
slower.
You then mount the drives of the system that needs to be repaired and
do whatever needs to be done to those files.

Tony

On Sat, Dec 2, 2017 at 9:42 AM, Kevin Keane Subscription
Post by Kevin Keane Subscription
Since it’s a LiveCD it is rather unlikely that anything you install would survive a reboot. That probably means that you can’t install a driver except by manipulating the CD itself.
Sent from Mail for Windows 10
Sent: Friday, December 1, 2017 11:39 AM
Subject: Re: Intel inside? - Head's up
Post by Tony Su
Windows PE is a full Windows OS running as a LiveCD.
Forgot off the top of my head the popular 3rd party way of creating a
Windows LiveCD about a decade ago... But Windows PE is the official
such thing, used to be found as a Windows Admin tool on certain
Windows ISOs, but nowadays I think can only be downloaded (haven't
looked it up for a long time, it's one of those things I hardly have
ever used but "good to know").
So, as a full Windows OS, it would not have any problems running Windows
executables of all types.
Looking online, I got mixed results as to whether PE was just a
command prompt, or could run GUIs (and would allow drivers to be
installed).
David
David Brown
2017-12-04 06:00:54 UTC
Post by Tony Su
A WinPE is used no differently than how you'd use a Linux LiveCD to
repair a system...
When you boot a WinPE, you're running a full Windows in memory, looks
no different than if the Windows was running from a HDD, only a lot
slower.
You then mount the drives of the system that needs to be repaired and
do whatever needs to be done to those files.
Well, except that this ME firmware upgrade software has a driver that
you have to install, which won't work with an install that is on a DVD.

The two differences I could think of from Linux would be that: 1. Most
Linux LiveCDs run an overlay type filesystem and allow modifications
to the running system in ram, and 2. can add drivers without a reboot.

If anyone feels like playing with this further:
https://www.asus.com/us/Motherboards/ROG-STRIX-Z270E-GAMING/HelpDesk_BIOS/
and look for the ME update tool (it's the first one I get at the time I
wrote this).

ASUS never got back to me as to how I might be able to do this upgrade.

David