Message-ID: <CABniQZMHPmmSSQ7de7TtxuB24iqA8uH4Tn4UEsKnFs-=3RbVaQ@mail.gmail.com>
Date: Thu, 7 Sep 2017 11:06:27 +0800
From: Shawn <citypw@...il.com>
To: Sandy Harris <sandyinchina@...il.com>
Cc: kernel-hardening@...ts.openwall.com, coreboot <coreboot@...eboot.org>
Subject: Re: ME and PSP

Hi Sandy,

On Thu, Sep 7, 2017 at 2:37 AM, Sandy Harris <sandyinchina@...il.com> wrote:
> Recently a few things have been revealed about how to disable the
> Intel Management Engine (ME).
>
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/
>
> I have not seen anything on disabling the similar AMD feature called
> PSP. Either appears to be a huge security hazard -- a device you have
> little choice but to trust but that you have little control over, that
> operates below the level of the main CPU & OS, that has access to
> everything & that is Turing complete so it can do anything.
>

There's not much public research about AMD PSP yet. From the SW/FW/HW perspective, a hardened kernel is still important (that's why PaX/Grsecurity matters a lot) to prevent some attack surfaces from the lower levels (let's say Hypervisor (RING -1)/SMM (RING -2)/ME (RING -3)). But the lower levels should be a concern as well. We've been pushing this solution into our customers' production and it's looking good so far:
https://github.com/hardenedlinux/hardenedlinux_profiles/blob/master/slide/hardening_the_core.pdf

> By the time a hardened kernel loads, it may be too late to prevent ME
> entirely, but are there other things the kernel could do? Issue a
> syslog warning? Monitor ME activity somehow? Restrict its access to
> the network so at least external attacks are blocked?
>

Intel ME has an OS kernel (ThreadX/MINIX-based) running on a specific CPU (< v11 is ARC, >= v12 is x86). There's not much the kernel can do about it, except that a few LKMs (mei/mei_me) can get some info from the ME.

> There are several different utilities to reduce ME danger, though I
> have not looked at details & I have the impression most do not disable
> it completely. Will current hardened kernels run on a system with ME
> disabled? Is that tested?
>

There are two ways to "disable" ME:

1) Before Mark Ermolov and Maxim Goryachy disclosed these HAP "secrets" to the public, what me_cleaner (https://github.com/corna/me_cleaner/) did was remove as many ME code modules as possible and only keep the necessary ones (like BUP/ROMP/etc). It doesn't disable it 100%, but neutralization achieves a similar goal. me_cleaner is free/libre software; all you need to prepare is a bit of cheap hardware (an external programmer):
https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html

2) Thanks to Mark Ermolov and Maxim Goryachy, me_cleaner now has an option (-s) that can enable the HAP bit but keep the other code modules as well. Plz note that some private OEM firmware implementations might have some side-effects, while coreboot is working perfectly (fewer SMIs helps?) so far. There are some public test results you can find:
https://github.com/hardenedlinux/hardenedlinux_profiles/tree/master/coreboot
https://github.com/corna/me_cleaner/issues/53

> The best summary of the issue I have seen -- though it is neither
> up-to-date nor devoted to only the one issue is:
> https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
>
> There has been discussion on the Qubes users list:
> https://groups.google.com/forum/#!forum/qubes-users
>

More fw/ME info:
https://github.com/hardenedlinux/firmware-anatomy/blob/master/hack_ME/me_info.md
https://github.com/hardenedlinux/firmware-anatomy/blob/master/hack_ME/firmware_security.md

> The only plausible solutions suggested there boil down to not using
> recent x86 chips at all. Either use older Intel/AMD parts without the
> feature or go to IBM Power CPUs.
>

IMHO, RISC-V will be the long-term solution in the future ;-)

btw: this might be a little bit off-topic on kernel-hardening (I could be wrong if it weren't). Or feel free to ask questions on coreboot's mailing list: coreboot@...eboot.org

--
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
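The remark above that the mei/mei_me modules can get some info from the ME is as far as the thread goes on host-side visibility. As an added example that is not part of this thread, and not code from hardenedlinux, me_cleaner or coreboot, here is a small Python decoder for the ME Host Firmware Status 1 (HFSTS1) register. It assumes that the Linux mei driver exposes the status registers as one 8-hex-digit word per line in /sys/class/mei/mei0/fw_status and that the first line is HFSTS1 (absent when the driver is not loaded); the bit layout follows the struct me_hfs definition in coreboot's southbridge me.h. The two register values in the block are constructed, not captured from hardware, and the "soft temporary disable" sample is only one plausible non-normal state: what a given board reports after a HAP/me_cleaner change is something to verify on that hardware.

```python
"""Decode the Intel ME Host Firmware Status 1 (HFSTS1) register.

Added example, not code from the thread, hardenedlinux, me_cleaner or coreboot.
Bit layout follows coreboot's `struct me_hfs` (southbridge/intel/bd82x6x/me.h).
Input is assumed to be the text of /sys/class/mei/mei0/fw_status, where the
Linux mei driver prints one 8-hex-digit status register per line and the
first line is HFSTS1.
"""

# Field value names as used in coreboot's me.h (ME_HFS_CWS_*, ME_HFS_STATE_*, ME_HFS_MODE_*).
WORKING_STATE = {0: "reset", 1: "init", 2: "recovery", 5: "normal",
                 6: "wait", 7: "transition", 8: "invalid"}
OPERATION_STATE = {0: "preboot", 1: "M0 with UMA", 4: "M3 without UMA",
                   5: "M0 without UMA", 6: "bringup", 7: "error"}
OPERATION_MODE = {0: "normal", 2: "debug", 3: "soft temporary disable",
                  4: "security override (jumper)", 5: "security override (MEI message)"}


def _bits(value, shift, width):
    """Extract `width` bits of `value` starting at bit `shift`."""
    return (value >> shift) & ((1 << width) - 1)


def decode_hfsts1(value):
    """Split a 32-bit HFSTS1 word into its named fields."""
    ws = _bits(value, 0, 4)
    ost = _bits(value, 6, 3)
    om = _bits(value, 16, 4)
    return {
        "working_state": WORKING_STATE.get(ws, f"unknown({ws})"),
        "manufacturing_mode": bool(_bits(value, 4, 1)),
        "fpt_bad": bool(_bits(value, 5, 1)),
        "operation_state": OPERATION_STATE.get(ost, f"unknown({ost})"),
        "fw_init_complete": bool(_bits(value, 9, 1)),
        "bup_load_failure": bool(_bits(value, 10, 1)),
        "update_in_progress": bool(_bits(value, 11, 1)),
        "error_code": _bits(value, 12, 4),
        "operation_mode": OPERATION_MODE.get(om, f"unknown({om})"),
        "boot_options_present": bool(_bits(value, 24, 1)),
    }


def parse_fw_status(text):
    """Parse fw_status text into a list of integer registers; index 0 is HFSTS1."""
    regs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) != 8 or any(c not in "0123456789abcdefABCDEF" for c in line):
            raise ValueError(f"unexpected fw_status line: {line!r}")
        regs.append(int(line, 16))
    if not regs:
        raise ValueError("fw_status is empty")
    return regs


def me_is_running_normally(hfsts1):
    """True when the ME reports a fully initialised runtime in normal mode."""
    f = decode_hfsts1(hfsts1)
    return (f["working_state"] == "normal" and f["operation_mode"] == "normal"
            and f["fw_init_complete"] and f["error_code"] == 0)


# Constructed sample values (not captured from hardware):
# - ME booted normally: CWS=normal(5), state=M0 without UMA(5), init complete, mode=normal(0)
SAMPLE_NORMAL = "00000345\n00000000\n"
# - Same word with operation mode = soft temporary disable (3); one plausible
#   non-normal state, used here only to exercise the decoder.
SAMPLE_DISABLED = "00030345\n00000000\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/sys/class/mei/mei0/fw_status"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as err:
        print(f"cannot read {path} ({err}); decoding the constructed sample instead")
        text = SAMPLE_DISABLED
    hfsts1 = parse_fw_status(text)[0]
    for name, val in decode_hfsts1(hfsts1).items():
        print(f"{name:22s} {val}")
    print("ME running normally:", me_is_running_normally(hfsts1))
```

Run it on a box with the mei driver loaded and it decodes the live register; anywhere else it falls back to the constructed sample. The useful defender-side signal is a change in working state, operation mode or error code between firmware images or across boots, which is worth logging next to the me_cleaner test results the thread links to.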