Important Security discussion about Intel-ME and AMD-PSP

I have studied and read a lot of research papers, blogs and conference talks about this. I want to try to summarize all the findings and points and discuss them here. Please correct me if I am wrong about anything. I hope security professionals will share some of their knowledge and wisdom on this subject.

As I understood, when it comes to backdoors there are 3 ways that they could be implemented:
1- Intel-ME or AMD-PSP (low-level processors that work all the time); some can be neutered or soft-disabled.

2- Undocumented CPU gateways or registers (closed-source ISA) to execute a payload when a - trigger event - happens. # there is no way to combat this on x86.

3- Hardware spyware embedded on different chips on the motherboard, done by manufacturers or in the fab. # hard to discover, cannot beat that either.

Now for the 2nd and 3rd cases, in the end they cannot be secure; we have to go back to trusting trust.
But we should do what we can do anyway. So I have the following questions and scenarios I want to discuss
about the first case (Intel_ME and AMD-PSP):

1- How can such an attack happen when I am behind a NAT connection, having an OpenWrt router with U-Boot compiled from source code?
The default OpenWrt firewall doesn’t allow incoming connections. So how can they talk to the Intel_ME?

Researchers Christian Werling, Alexander Eichner and Robert Buhren came to the conclusion that the AMD-PSP doesn’t have a network stack included and therefore no direct communication to the internet, and that it’s just there for memory init and SEV (Secure Encrypted Virtualization).

System76 engineer Jeremy Soller, who worked on coreboot for AMD laptop, says the same thing too.

Does that make AMD better than a neutered Intel-ME device?! I mean, if that’s 100% true, why doesn’t everybody use AMD? In the end, after a neutered Intel-ME, they are both vulnerable
to CPU-gateway spyware and embedded hardware spyware anyway, but at least AMD-PSP doesn’t have the network stack in the first place.
What am I missing?

2- What if the laptop is connected to a torified router? How can they connect to the ME through the torified connection that changes every 10 mins?

Speaking of Tor, if they can communicate through NAT and firewall, how can we trust any Tor relay or server? They would have passive access to all Tor nodes, which will make it meaningless.

3- Is there any logical proof that the HAP bit method or HECI message method actually work for disablement of Intel-ME, since the network stack blob is still there,
and because coreboot can’t see the ME device it shouldn’t mean it’s actually disabled? Maybe it’s a mode that gives specific control for our glowy friends, or am I completely wrong about this? I wouldn’t trust anything but libreboot with libgfxinit, where the network stack blob is actually removed.

I hope someone can shed light on these things.

None of this is specific to Qubes OS, so this topic belongs in the “All around qubes” category and is off-topic in all other categories of the forum.

I first moved the topic to the “All around qubes” category, but since you don’t yet have access to that category @overuser29, that is useless to you, so I’ll close the topic.