Announcement

Collapse
No announcement yet.

Intel Quietly Released A Redistributable, Lightweight ME "Ignition Firmware" Binary

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Intel Quietly Released A Redistributable, Lightweight ME "Ignition Firmware" Binary

    Phoronix: Intel Quietly Released A Redistributable, Lightweight ME "Ignition Firmware" Binary

    Towards the end of last year Intel quietly released an "ignition firmware" for the Management Engine (ME) on their Cascade Lake platform that is also their first ME firmware release to be under a license permitting redistribution...

    http://www.phoronix.com/scan.php?pag...ition-Firmware

  • #2
    Would this allow for coreboot on newer machines with partially neutered ME, kind of like what me_cleaner can do for older CPUs?

    Comment


    • #3
      Interesting; haven't heard about this until now. I wonder if there's any chance of offering ignition firmware for older platforms (or specifically Cannon Lake)?

      At the moment I'm on such a platform, but used me_cleaner to set the HAP bit. If I understand right, it's the same concept (only enough of ME to initialize hardware), just with some now useless extra partitions?

      Comment


      • #4
        Knowing Intel, it's full of bugs.

        Y'all should wait for the remix of Ignition, when it's hot and fresh out the kitchen.

        Comment


        • #5
          I don't trust ME, I consider hardware is zero trust. They can't lie me.

          Use your hardware as it's your worst enemy, plagued of dangers and enemies. Then consider layering and using even ancient hardware between them. Use custom DIY hardware if you can too.

          Intel sucks, Nvidia sucks, AMD sucks...

          Comment


          • #6
            Originally posted by timofonic View Post
            I don't trust ME, I consider hardware is zero trust. They can't lie me.

            Use your hardware as it's your worst enemy, plagued of dangers and enemies. Then consider layering and using even ancient hardware between them. Use custom DIY hardware if you can too.

            Intel sucks, Nvidia sucks, AMD sucks...
            Did you ever hear the joke about the vacuum?

            Comment


            • #7
              Meanwhile, while Intel and AMD both keep you locked out of full control of "your" hardware (news flash, these are still Intel signed binaries, you can't change a single byte in them and still have the hardware accept it, even without the license prohibitions!), OpenPOWER, RISC-V, and even ARM systems are available that don't have any of these closed source signed concerns.

              Intel and AMD are still playing like it's the 1990s and customers stealing IP is the primary concern vs. overall system security. It's now the 2020s; no organization that is aware of the threats posed by persistent vendor control without an active SLA would willingly choose the Intel/AMD parts for anything business critical or where compliance fines may come into play (GDPR etc.). Especially when there's no IP to steal at the firmware / OS level, considering most (if not all) of it as used by their largest customers is already open source.

              Both AMD and Intel are legacy CPU vendors running purely on inertia*, trying to stay relevant to hyperscalers and cloud with feeble attempts like this one to muddy the waters with a tailored sound bite to the management level. Most interestingly, they don't even seem realize that they're being left behind in long term planning anyway, given the "more of the same" approach shown here.

              Oh, and 0.5MB is more than enough to include some fairly nasty exploits, or purposeful weaknesses in complex software that would be publicly classified as accidental bugs upon third-party discovery. Consider that vulnerabilities in large well known systems can be exploited with well under 64 (properly placed) bytes and a network connection, or that entire OSes (e.g. MenuetOS) can fit in well under 1MB of storage. This "Ignition" firmware does very little to actually reassure organizations that would require high security, except for the aforementioned (IMO misleading) management-directed sound bite.

              * Yes, consumers will keep choosing them, up until the rest of their apps move to cloud and suddenly client side Windows isn't relevant any more. Consumer markets are also very low margin compared to what they're used to.
              Last edited by madscientist159; 02-02-2020, 07:08 PM.

              Comment


              • #8
                Originally posted by madscientist159 View Post
                Oh, and 0.5MB is more than enough to include some fairly nasty exploits, or purposeful weaknesses in complex software that would be publicly classified as accidental bugs upon third-party discovery.
                This reminds me of checkm8, the silicon-level jailbreak in iOS chips. It's in the USB stack of the in-silicon firmware; I seem to recall the total size of this firmware being somewhere in the 64kB range.

                Originally posted by madscientist159 View Post
                * Yes, consumers will keep choosing them, up until the rest of their apps move to cloud and suddenly client side Windows isn't relevant any more. Consumer markets are also very low margin compared to what they're used to.
                Microsoft is already heavily pushing Windows on Arm. The newest Lenovo laptops are Arm. I'm seeing the PineBook Pro on the desks of more and more libre devs, and PPC equipment on the high-end. x86 is dead, mark my words.

                Comment


                • #9
                  "Intel may open up the FSP" Yeah, yeah. And Lisa Su said AMD might open source Agesa and the PSP. We see how that went.

                  I fully expect Intel and AMD to continue proprietary bullshit at this level until the competition Madscientist is speaking of forces them to change. That said, I don't hate x86 as an achitecture. If Intel had simply told the RIAA and other muppets like them to go to hell, there would be no ME, AMD wouldn't have followed, and there would be a lot less reason to push for change.

                  ME was introduced during the period when Intel was reckless regarding security, and may eventually be seen as in the same category as Meltdown/Spectre/etc: self-inflicted security flaws that led to the decline of x86 dominance.

                  Comment


                  • #10
                    Originally posted by madscientist159 View Post
                    Meanwhile, while Intel and AMD both keep you locked out of full control of "your" hardware (news flash, these are still Intel signed binaries, you can't change a single byte in them and still have the hardware accept it, even without the license prohibitions!), OpenPOWER, RISC-V, and even ARM systems are available that don't have any of these closed source signed concerns.

                    Intel and AMD are still playing like it's the 1990s and customers stealing IP is the primary concern vs. overall system security. It's now the 2020s; no organization that is aware of the threats posed by persistent vendor control without an active SLA would willingly choose the Intel/AMD parts for anything business critical or where compliance fines may come into play (GDPR etc.). Especially when there's no IP to steal at the firmware / OS level, considering most (if not all) of it as used by their largest customers is already open source.

                    Both AMD and Intel are legacy CPU vendors running purely on inertia*, trying to stay relevant to hyperscalers and cloud with feeble attempts like this one to muddy the waters with a tailored sound bite to the management level. Most interestingly, they don't even seem realize that they're being left behind in long term planning anyway, given the "more of the same" approach shown here.

                    Oh, and 0.5MB is more than enough to include some fairly nasty exploits, or purposeful weaknesses in complex software that would be publicly classified as accidental bugs upon third-party discovery. Consider that vulnerabilities in large well known systems can be exploited with well under 64 (properly placed) bytes and a network connection, or that entire OSes (e.g. MenuetOS) can fit in well under 1MB of storage. This "Ignition" firmware does very little to actually reassure organizations that would require high security, except for the aforementioned (IMO misleading) management-directed sound bite.

                    * Yes, consumers will keep choosing them, up until the rest of their apps move to cloud and suddenly client side Windows isn't relevant any more. Consumer markets are also very low margin compared to what they're used to.
                    You're seriously living in a conspiracy theorist fantasy world there. First off there's not a single entirely open ARM system in production useful for desktop or mobile. Not a damned one. They all use proprietary blobs for booting, GPU, RAM management, or network access. No, neither is Pineboard, and you'd know that if you read their hardware sales caveats. They and others of the same design ideas go to great lengths to isolate the bad bits, but they're still there and they won't go away. It's literally impossible to make them fully go away in the ARM ecosystem.

                    RISC-V has promise, but it's ONLY an ISA. It's not a product and there's literally nothing in the license that prevents proprietary extensions that would actually make it useful in the real world. It's almost a guarantee that's what's going to happen.

                    OpenPOWER, has potential but it's expensive, power hungry, and on the desktop it's pretty much a dead end without a reliably working web browser. Fixable? Certainly, but few are going to spend 5x the $ on a CPU that's not performing with a comparable increase in performance without a HUGE incentive to do so. For what it's worth, and I doubt you're fanboism here is going to acknowledge it, POWER is vulnerable to the same SPECTRE exploits as AMD & Intel and it's already been proven that there's no fix for SPECTRE class attacks. The mitigations in Linux and windows don't fully work if at all. There's also side channel and caching attacks that can be carried out on any shared resource multicore CPU including POWER.

                    NO shared resource paradigm computer is immune to side channel attacks because all of them share resources as they are designed to do. You can clean up the firmware all you want, but in the end, you've not bought much of anything because the entire computing paradigm is broken for multi-user multi-processing systems because it was never designed for security. It was designed to be cheap, and the people at Burroughs and other companies that were actually building secure computers back in the early 70s were pointing out the problems. No one listened, everyone wanted cheap, and now those decisions back in the 1970s have come home to roost.

                    Client side Windows not relevant any more? 95%+ of the desktop market isn't relevant with a valuation in the tens of billions? What rock are you living under?? Just because your high school friends are carrying around mobile phones for everything doesn't mean that nearly everyone else in the world doesn't use Windows them to get their daily work done.
                    Last edited by stormcrow; 02-03-2020, 01:22 AM.

                    Comment

                    Working...
                    X