Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

This doesn’t achieve anything at all.

For example, there will be Matlab installed and the Matlab source code files .m will be first created and tested on another PC and then brought to “working machine” to be run on the data from database.
These files could be compromised. An outright backdoor in these files would be noticed, but if it’s hidden like some calculations a+b c d e/f then it’ll pass the checks.

Even for this scenario, what’s stopping the attacker from attaching their own computer directly to the “network disk server” and extracting everything? Nothing. They don’t even need a magical backdoor on the “working machine”. This is just getting worse and worse lol.

I’ve mentioned this before:

This is such a ridiculous scenario that idk what is supposed to be the case anymore. By that logic why are you worried about some magical backdoor in the worker node? If you can detect intruders just like that you can just lock them inside of the room.

Like man, this is like… deliberately trying to come up with a scenario that will never happen in real life to justify having the setup that you mention in some hopes of fighting a magical CPU backdoor.

This stuff is not even remotely like how a server room or datacenter is like in real life.

It’s possible and not too hard to use some automated system to reliably detect the intrusion but it’s very hard and not so reliable to protect some place from unauthorized access since it’ll require guards 24/7 and you’ll have to trust these guards (and that is a bad idea to rely on humans instead of automatics).

Of course that’s not what a common server room or datacenter is like in real life, because they are not designed to be protected from CPU backdoors.
What about some state secrets? I’d assume they’d do anything possible to protect it.

Unfortunately, if your adversary has the resources to pay for a backdoor from Intel, they can do it for ARM too. This approach is not going to help

It won’t make it impossible (and I guess it’s impossible to make it impossible), but it’ll decrease the probability and that’s what matters.
Also ARM is just an example, RISC-V or something else can be considered as well since it’s not a workstation but a firewall/network storage and you can use some open architecture for it.


I agree with the sentiment about RISC-V (seemingly becoming a messiah for us paranoid people who want FOSS design in chips). I guess if you’re just tinkering/using it at home, you could in theory do something like this right now using Red Hat’s Clevis/Tang (alt: Clevis/Tang by the Fedora magazine).

I might try something like this myself once I’ve confirmed that the RISC-V devices I’m looking at do not have backdoors and actually have one on hand/configured.

BTW you can use RISC-V VPSes now with Scaleway.

You can’t make sure that there is no backdoor in the chip since you don’t have control over its design/manufacturing process.
I guess the RISC-V in FPGA with your own design that you can check yourself is the most reasonable way you can make sure that there is no backdoor in the chip. But even then there still could be some kind of a backdoor in the FPGA itself (but the probability is very low).

Yeah well I’m going to have to trust someone because I’m not good enough to be able to create my own chip. But RISC-V and most ARM chips run U-boot as the bootloader (or some other FOSS bootloader like how Chrome runs Coreboot/SeaBIOS), which gives me a reasonable sense of security (unless news comes out that U-boot has been compromised xz-style). TBH if I could run Libreboot on most laptops I wouldn’t be complaining at all.

ChromeOS does not run CoreBoot/SeaBIOS. I have no clue where you even get that from.

It is using CoreBoot but the payload is definitely not SeaBIOS.

@TommyTran732 is right. There is definitely no SeaBIOS or Coreboot in ChromeOS when you get it straight from Google.

I wish they did, though. Would actually benefit Google, because they’d get more hardware sales (but we all know that’s not their big money-maker…)

You can, however, flash coreboot to some Chromebook models, and Mr. Chromebox’s infamous scripts (https://docs.mrchromebox.tech/) are good at doing this.

Maybe there was potential confusion because of documents like this (and others that came up with a quick Google search)?

https://wiki.archlinux.org/title/Chrome_OS_devices

@TommyTran732 @alzer89

Other than the first three models, all Chromebooks run coreboot.[9] Code from Das U-Boot has been assimilated to enable support for processors based on the ARM instruction set.[10]

Source: coreboot - Wikipedia

So yes, technically it’s “based on Coreboot”. I should have clarified that.

What about people who trust Intel, but are concerned they could be compelled by law to introduce backdoors?

This isn’t that speculative. Companies have been compelled to be active participants in secret programs before. Why are you acting like people being fearful of unknowns is stupid or ignorant when there are actual examples of companies being forced to alter engineering, programming, or development methods based on state-level demands? How is being fearful surprising or irrational? It’s rational for people with lower trust in state level entities or higher threat models to be fearful and ask questions or be cautious with unknowns. It is also understandable to guess that it’s more than just 50/50 chance such backdoors exist when clandestine programs to infiltrate ordinary technology have previously been shown to be used.


Because under that assumption they can just backdoor everything and don’t have to target vPro.

The whole exercise of claiming Intel backdoor A, B and C then use lesser CPUs with fewer security features is counter productive. You need to have a coherent threat model.


This reply first addresses the technologically deficient arguments before the personality problems (both egregious and abhorrent).

“Intel ME” and “Intel ME running on a dedicated separate CPU with arbitrary software (could be AMT modules or other) behaving with out-of-band access functionality” is loosely yet effectively synonymous herein.

Expecting Intel’s Minix to play nice with protocols as defined in an RFC is naive.

Government in Western countries dictate to ISPs how those ISPs will behave, and in turn how devices those ISPs provide to their customers behave.
Yes, malicious packets from very far away will reach the Intel AMT and there’s nothing “magical” about it.

The Intel ME stack is well-integrated with the featured CPU (the one that is advertised to the customer). All three are to blame: both processors (the one the Intel ME runs on, and the other) and the microcode.

The Intel ME is a software stack running arbitrary code, receiving arbitrary software updates with every firmware update. The upstream adversary possesses the private cryptographic keys and the software update infrastructure for specific targets to receive custom updates.
The Intel ME is highly flexible and robust as “backdoor infrastructure” in a way that everything else categorically is not. The second best thing is microcode updates which are very brittle in comparison to a dedicated CPU and OS with higher hardware privilege outside of the CPU, hence they do not receive the same attention. Although microcode receives very focused attention by some people (and we let them do their thing and listen to them when they speak at BlackHat and CCC).

Those who are conscientious of the Intel ME intentionally replace the WiFi chip, this has been a common thing in the libre software community for a very long time. Intel WiFi has conventionally been required to access the Intel ME while a machine appears to the user to be powered off. However this has changed with subsequent Intel ME updates (observably in reaction to adaptation by some users).
Most SSDs distributed with Dell, Lenovo, and other brands are not made by Intel, so no.

Many CVEs which are either very severe or introduced danger, very real danger that other components never have, have been disclosed. To those of us with technical competency (ie: not you) it’s the very most obvious place that new “hidden functionality” will forever continue to show up.

These protections are backdoored beyond any reasonable doubt. AMD’s memory encryption was demonstrated to be trivial to break. Someone who doesn’t expect a sufficiently talented person to break such functionality for Intel’s consumer/prosumer class products, nor expects it was released only with the condition there be a backdoor, is very naive.

This “one component”, the processor that runs the Intel ME Minix+modules software stack, has its tentacles reaching into the entire board. Contrast to the Macbook M1 and Macbook M2 boards that have a sane architecture (as reported by some on the Asahi team who did the work) and do not have one processor with tentacles into the entire board.

The user has the option to perceive the Intel AMT (or equivalent functionality loaded in another software module) as disabled. That is, if the user can access the user interface to the Intel AMT in the first place, which in 99% of cases (as already decided by the OEM), the user cannot.
A very dangerous “vulnerability” (intentional backdoor) was made public before Dell was forced to provide the option that Intel AMT would be disabled in some models.

Hiding a web server behind a primitive port-knock, hiding that web server from what we call “script kiddie”, from someone like yourself, is not difficult.

The cost of the CPU and microcode to align the stars for exploits is far greater than a dedicated CPU running an operating system suitable for general purpose software (which Minix is) to act as a dedicated backdoor.

The ThinkPad T430 is a real-world example of “conquered territory”. To a ThinkPad T430 properly customized to the extent that the libre software community has been able to do so, Intel is effectively powerless.

The “specific component” is a dedicated processor plus dedicated operating system with its tentacles hooked into everything else on the board. There is not really “backdoor a specific component”, this “specific component” is a highly robust, highly flexible, highly optimized for plausible deniability, backdoor.
In the same way that Dell iDRAC and Supermicro IPMI are not “backdoored” (though sometimes they are), but are ipso facto a backdoor, the Intel ME is ipso facto a backdoor, as it was originally designed to be.

In reality this is “some kid trying to get emancipated and exit the government school system early found our previous software backdoor in the Intel ME, please install our new backdoor some other kid will find”.

The CPU dedicated to the Intel ME has full read access to memory. No “hidden circuitry” is required for the Intel ME stack to react to contents of memory populated by an actor with advanced knowledge. This right here not just highlights but exemplifies the disparity between you and other users of this forum.

There will never ever not be a working zero-click 0day for iMessage or Safari. Apple will forever make sure of this. One who thinks otherwise just doesn’t yet understand how the world really works.

There exists a very simple strategy. I’m not going to share it on this thread where you might see it because through your posts you have shown yourself to have been an insufferable C U Next Thursday.

Joanna herself formulated and posted the earliest known post providing a reasonable defense.

They’ll be reasonably useful when the software stack called “Intel ME” that is running on the dedicated ARC (or whatever it is these days) CPU comes in source code form along with complete documentation to what that CPU interfaces with. Intel can keep what is behind the surface layer interfaces proprietary for all anyone cares (so long as it is completely stateless).

A lot of important stuff is handled by IBM POWER CPUs on totally different motherboard architectures that don’t have one small CPU with its tentacles in everything.
Where Intel/AMD is used, the software image of Intel ME or PSP received by NSA and others (anything in that tier) most certainly has a working HAP bit because if not then some people are going to be staring at a concrete wall for a decade instead of seeing their families.

personality problems

@TommyTran732 , you have shown yourself to be a total clown and you are very clearly not competent to argue this subject. There is very little doubt that you have been punched in the face and probably had your shit wrecked beyond that a couple of times. If not already, it’s an inevitability, and will be the best thing that ever happens for your much needed character development.

The others on this forum have been very generously patient with you. Not a single one has posted with the presentation of that of an insufferable midwit brat like yourself.

This response here has been for the integrity of the subject matter and nothing else (I can spot a waste of time like yourself from behind seven proxies).
You made a colossal waste of everyone’s time and your participation in this forum has meaningfully degraded the quality of the forum overall.


@de_dust2 Thank you for the nice technical replies to TommyTran732. They all look like a helpful addition to the discussion.

This is because we follow the CoC and avoid personal attacks, and you should too. I’ve put your personal comments to TommyTran732 behind the Spoiler to keep the discussion tidy.


As usual I think this is another discussion where people have overcomplicated everything by going too deep into the details and ended up lost. It’s funny in a way because the reason this happens is because you are all incredibly smart and experienced about these topics. But I must remind you all now to zoom out every now and then.

Because if you zoom out a bit it’s actually very simple.

If I were an OEM, I could build a little IoT device you can hold in your hand. It has my own proprietary firmware and OS. You can’t know what it does, only what I show you on the screen. And even if I were nice enough not to put any mass surveillance in the device when you bought it, I can push it in a firmware update whenever I want.

That’s how dangerous Intel ME is. Intel ME and AMT have total control of your computer with the minix OS. And it’s all proprietary. They can do ANYTHING. This is not a problem exclusive to PCs. It’s with basically all IoT devices. They all have firmware and often a proprietary OS, and they have total control of your IoT devices.

That’s all that has to be said really. Reading Intel’s public docs on AMT doesn’t really mean much. They can write anything there and then do something else in their proprietary firmware.

This is one of the first things you learn when you learn about trusted computing and root of trust. We have no choice but to put our trust in Intel or AMD until there is some day in the future a FOSS CPU.

And USA’s deep state are rather blunt in their strategies to put in backdoors and do mass surveillance. They have the total power and it’s proprietary, so they can just deny and call us conspiracy theorists, say we’re spreading misinformation and call us tin foil. The code is proprietary and we have no proof. They don’t need to do any finessing when they have all the power. So even if AMT is the obvious backdoor for them to use, it doesn’t matter, they’ll use it anyway because it’s such a great backdoor we can’t do anything about it.

So remember to just zoom out sometimes because it keeps things simple and effective.


@capsizebacklog Yes, exactly. Comprehension of the problem introduced by Intel ME is comp sci 101 tier.


Intel vPro, ME, AMT is of course terrible but unfortunately only scratches the surface.

Let’s scratch the very surface, how to build a CPU. A plan is needed to build a CPU. The production of hardware requires software - source code. That is hardware description language (HDL).

An Intel CPU - I couldn’t find good estimates since Intel’s HDL is a well-protected business secret - but found some discussions.

So let’s say it’s 1 million lines of source code (HDL), the instructions that can be sent to a fab (silicon fabricator) such as TSMC, who will then among other things, use lithography machines (such as by ASML) to print the processor.

The process can be simplified to: complex source code → even more crazy complex machines → super complex end result (CPU).

At any step of the software development or manufacturing process of the CPU, bugs or backdoors can be introduced (by the chip designer, the fab or anyone in the supply chain).

To illustrate that point, the blog post Antenna diodes in the Pentium processor manages to pinpoint a software bug from the physical world. See also this simplified summary.

Even if the HDL of a CPU was completely Open Source and audited, we still very much wouldn’t know if the manufactured CPU would be free of backdoors.

One example might be what some called the iPhone backdoor, but it can also be framed as undocumented Apple feature.

Joanna shared some thoughts about CPU backdoors outside the context of firmware (vPro, ME, AMT):

Also interesting:

I’ve written about this before:
