Gentoo Forums
Intel Encryption Controller
irenicus09
Tux's lil' helper


Joined: 07 Jun 2013
Posts: 118

Posted: Thu Feb 09, 2017 4:56 am    Post subject: Intel Encryption Controller

So I just read this article; it seems kind of interesting:

http://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html

I saw the module 'mei_txe' being automatically loaded when I was using ArchLinux, but I forgot to add support for those modules in the kernel after I switched to Gentoo, so those modules didn't show up as being loaded.

At a much later stage I recompiled the kernel and enabled mei features, and they seem to be loaded (which was before I read the article above).

Code:

lspci -nnk | grep mei_txe -B2
00:1a.0 Encryption controller [1080]: Intel Corporation Device [8086:2298] (rev 21)
   Subsystem: Acer Incorporated [ALI] Device [1025:100f]
   Kernel driver in use: mei_txe


So my question is, should I disable support for mei modules in the kernel and would that change anything? I mean if it is not helping the system in any way, I don't feel comfortable with the idea of running a closed source binary blob on my system.

Trying to get more information about the modules fails:

Code:

# systool -v -m mei_txe
Error opening module mei_txe


Also, does removing support from the kernel make any difference? I mean, according to the article, if that extra processor is running independently and has its own firmware, I'm not sure if having support in the kernel would change anything.

What do you guys recommend? I really don't have that much idea about the topic in question but you could say I'm a bit paranoid about security in general :P

Thanks.
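As an added example (not from the thread or from any of its posters), the following script reports how the kernel is treating the MEI/TXE device and whether its driver module is blacklisted. It runs on a constructed `lspci -nnk` sample built from the output above plus filler entries with placeholder IDs, and on a constructed modprobe.d fragment; the optional live check assumes pciutils (lspci) is installed. Blacklisting the driver only changes what the host kernel exposes, not whether the controller's firmware runs.

```shell
#!/bin/sh
# Added example, not from the thread: report how the host kernel treats the
# Intel MEI/TXE PCI device and whether its driver module is blacklisted.
# Unloading or blacklisting the driver only removes the host-side interface;
# the ME/TXE firmware itself keeps running regardless.

# Constructed sample of `lspci -nnk` output. The Encryption controller entry
# is the one from the post above; the Host bridge entry is filler with
# placeholder vendor/device IDs.
SAMPLE_LSPCI='00:00.0 Host bridge [0600]: Example Vendor Device [1234:5678]
   Subsystem: Example Vendor Device [1234:0001]
00:1a.0 Encryption controller [1080]: Intel Corporation Device [8086:2298] (rev 21)
   Subsystem: Acer Incorporated [ALI] Device [1025:100f]
   Kernel driver in use: mei_txe'

# Constructed sample of a /etc/modprobe.d/*.conf fragment.
SAMPLE_MODPROBE_CONF='# constructed sample, not a real system file
blacklist mei_txe
blacklist mei'

# Read `lspci -nnk` text on stdin and print exactly one of:
#   absent        no PCI device of class 1080 (Encryption controller) listed
#   unbound       the device is present but no kernel driver is attached
#   bound:<drv>   the device is driven by <drv> (mei_txe here, mei_me elsewhere)
mei_driver_state() {
    awk '
        # a line starting in column 0 opens a new device block
        /^[0-9a-fA-F]/ {
            inblk = ($0 ~ /\[1080\]/)
            if (inblk) { found = 1; drv = "" }
            next
        }
        inblk && /Kernel driver in use:/ {
            sub(/.*Kernel driver in use:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            drv = $0
        }
        END {
            if (!found)         print "absent"
            else if (drv == "") print "unbound"
            else                print "bound:" drv
        }
    '
}

# Read modprobe.d text on stdin; succeed when module $1 is blacklisted there.
# "blacklist" only stops alias-based autoloading: a module pulled in as a
# dependency of another, or loaded by hand, still loads.
module_blacklisted() {
    grep -Eq "^[[:space:]]*blacklist[[:space:]]+$1[[:space:]]*\$"
}

# Demonstration on the constructed samples.
state=$(printf '%s\n' "$SAMPLE_LSPCI" | mei_driver_state)
echo "sample lspci: $state"
case "$state" in
    bound:*)
        drv=${state#bound:}
        if printf '%s\n' "$SAMPLE_MODPROBE_CONF" | module_blacklisted "$drv"; then
            echo "sample modprobe.d blacklists $drv (effective at next boot or module load)"
        else
            echo "sample modprobe.d does not blacklist $drv"
        fi ;;
esac

# Optional live check of this host; assumes pciutils (lspci) is installed.
if command -v lspci >/dev/null 2>&1; then
    echo "this host: $(lspci -nnk 2>/dev/null | mei_driver_state)"
fi
```

Run it as an unprivileged user; `lspci -nnk` needs no root to show the driver binding. If the live line prints `absent`, the platform has no device of class 1080 visible on PCI, which says nothing about whether a management engine exists, only that the host kernel has no interface to it.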
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Thu Feb 09, 2017 4:26 pm    Post subject: Re: Intel Encryption Controller

irenicus09 wrote:
Also, does removing support from the kernel make any difference? I mean, according to the article, if that extra processor is running independently and has its own firmware, I'm not sure if having support in the kernel would change anything.

irenicus09 ... no, it wouldn't make any difference. Due to the loader checking against a key, there is nothing you can do in terms of it being there, or running (as the article points out, if it's tampered with or corrupt, the machine doesn't boot).

As for the module, I expect this just provides hooks; it doesn't affect it running, or doing whatever it can do, and I would expect that Intel developers provided the code so that such hooks are there.

best ... khay
1clue
Advocate


Joined: 05 Feb 2006
Posts: 2516

Posted: Thu Feb 09, 2017 5:25 pm

Having read the article and knowing something about service processors, it's my non-expert opinion that the guy writing the article is a bit of an alarmist.

This sort of device is hardly a secret. It's just the next iteration of service processors. I haven't validated the claims he made either to prove or disprove them, with regards to it being a mystery blob of proprietary code we can't turn off. If you want to be technical about it, the system ROM qualifies as such too.

I have a system with a pretty advanced IPMI controller on it in my house. I think it's awesome. It is necessarily outside of the operating system's control because it gives you, to paraphrase it, "remote physical access" to your box. This includes the power button (on or off), remote console, remote device access, you name it. I think the last time I physically touched this box was when I installed the motherboard, RAM, hard drives and network cables. I didn't touch it to install Gentoo; all that was through my desktop PC. The service processor has a different IP address than the OS has; again, this is a necessity. I guess I may have jiggled wires in the event of an outage.

In my case, the service processor is only available on one network interface, and that interface is not accessible except from my workstation. My workstation does not route packets through that NIC. The box has 7 NICs.

I imagine that if this service processor code were not trusted or were compromised with no built-in safeguards then the article you quoted could be at least mostly correct. That said, most of the boxes which contain this sort of processor are in the enterprise and as such the IT staff in question probably not only know about it but rely on it, and understand how to control access using their routers and firewalls.
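The isolation 1clue describes, a service processor reachable on one dedicated interface with the workstation not routing packets through it, can be checked from the workstation side. The following is an added example, not 1clue's own setup or configuration: it checks that IPv4 forwarding is off for the management-facing interface and that no default route leaves via that interface. The interface name eth6, the procfs tree lookups and the sample route table (documentation address ranges) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not 1clue's own configuration: two checks for the kind of
# isolation described above, where the service processor sits on its own
# NIC and the workstation must not route traffic onto that segment.
#   1. IPv4 forwarding must be off for the management-facing NIC (and for
#      "all", conservatively), so no other host is routed onto that segment.
#   2. The management NIC must carry no default route, so nothing beyond its
#      own subnet is reached through it.
# MGMT_NIC is a placeholder name; set it to the real interface on your host.
MGMT_NIC=${MGMT_NIC:-eth6}

# Constructed sample of `ip -4 route` output, using documentation address
# ranges: eth0 is the ordinary uplink, eth6 the management-only interface.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth6 proto kernel scope link src 198.51.100.10'

# nic_forwarding_off ROOT NIC
# ROOT is a procfs-style tree (/proc/sys on a live host, or a constructed
# copy for testing). Returns 0 when both the per-interface and the "all"
# forwarding knobs read 0, 1 when either is on, 2 when a knob is unreadable.
nic_forwarding_off() {
    root=$1
    nic=$2
    for knob in "$root/net/ipv4/conf/$nic/forwarding" \
                "$root/net/ipv4/conf/all/forwarding"; do
        [ -r "$knob" ] || return 2
        [ "$(cat "$knob")" = "0" ] || return 1
    done
    return 0
}

# mgmt_nic_no_default_route NIC  (reads `ip -4 route` text on stdin)
# Succeeds when no default route leaves via NIC.
mgmt_nic_no_default_route() {
    ! grep -Eq "^default[[:space:]].*dev[[:space:]]+$1([[:space:]]|\$)"
}

# Demonstration on the constructed route table.
if printf '%s\n' "$SAMPLE_ROUTES" | mgmt_nic_no_default_route "$MGMT_NIC"; then
    echo "sample routes: no default route via $MGMT_NIC"
else
    echo "sample routes: WARNING, default route via $MGMT_NIC"
fi

# Optional live checks when the interface exists on this host.
if [ -d "/proc/sys/net/ipv4/conf/$MGMT_NIC" ]; then
    if nic_forwarding_off /proc/sys "$MGMT_NIC"; then
        echo "this host: forwarding off for $MGMT_NIC"
    else
        echo "this host: forwarding on (or unreadable) for $MGMT_NIC"
    fi
    if command -v ip >/dev/null 2>&1; then
        ip -4 route 2>/dev/null | mgmt_nic_no_default_route "$MGMT_NIC" \
            && echo "this host: no default route via $MGMT_NIC" \
            || echo "this host: WARNING, default route via $MGMT_NIC"
    fi
fi
```

Both checks are host-side and say nothing about what the box's own firewall or the switch does; they only confirm the workstation itself is not a path from the rest of the network onto the management segment.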
irenicus09
Tux's lil' helper


Joined: 07 Jun 2013
Posts: 118

Posted: Tue Mar 14, 2017 7:31 am

Thanks for the feedback guys, I found something that might be related :P

https://www.youtube.com/watch?v=wnt7OK8OPYU

Let me know what you guys think. Call me paranoid or whatever, but I feel pretty vulnerable when I think about the fact that there's an extra core running on my computer that can talk to the network independently, runs closed source firmware, has access to sections of memory on my computer... and yet I cannot do anything about it.
1clue
Advocate


Joined: 05 Feb 2006
Posts: 2516

Posted: Tue Mar 14, 2017 7:40 pm

Do you feel vulnerable that China, which is known to be heavily into electronic espionage, manufactured most smart TVs in the world, and that hiding a microphone is much easier than hiding speakers that sound good?

How about your phone? There has been known experimentation hacking cell phones to turn on the microphone without any visible indication on the device.

Or your microwave? Certain people in the White House assert that microwave ovens are part of an espionage ring.

For that matter, how much of the code running on your computer have you personally code reviewed for security and stability?
irenicus09
Tux's lil' helper


Joined: 07 Jun 2013
Posts: 118

Posted: Wed Mar 15, 2017 2:20 am

Hmm...True that.

You just made me realize why I should abandon all technology and go live in a cave :P

Anyway, moving on... what if I decide to flash my laptop with coreboot? Do you think that would prevent the hardware backdoors (if any), or do I need to purchase open source hardware with coreboot installed?

Open source software has taken off in a big way, and that often makes me wonder why open source hardware hasn't evolved as much. Could it be that hardware manufacturers are afraid that adopting open source hardware specs or making their designs open source would strain their competitive edge? Or do they have other agendas in mind, ones which don't align with consumer privacy? :twisted:
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

Posted: Wed Mar 15, 2017 3:05 pm

Quote:
So my question is, should I disable support for mei modules in the kernel and would that change anything? I mean if it is not helping the system in any way, I don't feel comfortable with the idea of running a closed source binary blob on my system.


Sorry, I did not read the whole thread.

There is no real open hardware.

There are binary blobs and even "hidden" processors running in these days' hardware, which are invisible to the operating system and the user. Summary: check libreboot.

--

Basically anything recent is untrusted, except maybe ARM boxes when you use software GPU rendering then.

Quote:
Do you think that would prevent the hardware backdoors (if any), or do I need to purchase open source hardware with coreboot installed?


AFAIK, from what I have read recently, only those ARM boxes may be free of junk.
There is no real privacy when you use a network node.
Full privacy was in the old days, when my box was not connected to the net and not accessible by others.

Quote:
Open source software has taken off in a big way, and that often makes me wonder why open source hardware hasn't evolved as much. Could it be that hardware manufacturers are afraid that adopting open source hardware specs or making their designs open source would strain their competitive edge? Or do they have other agendas in mind, ones which don't align with consumer privacy?


Check libreboot's statements.
The ordinary "human", politely said, does not really care for certain things: right to repair, right to get schematics, diagnostic software, source code for the binaries the hardware is running (e.g. GPU code, mainboard chip code, and such).

You should blame the consumers for feeding those companies money so they can stick to their stance on hidden intellectual property.

I do still remember television sets which came with full schematics. These days LCD / TFT televisions come with nothing and break quite soon, 3 years on average.
1clue
Advocate


Joined: 05 Feb 2006
Posts: 2516

Posted: Wed Mar 15, 2017 3:18 pm

ARM processors are no better. The Raspberry Pi, for example, has lots of proprietary hardware and no complete documentation on the ARM chip. Each manufacturer adds their own junk to an ARM chip; it is, after all, a "system on a chip."

And even free software, even the Linux kernel, is suspect: http://thehackernews.com/2016/05/android-kernal-exploit.html This link shows that many tablets, set-top boxes and such have insanely easy root hacks that absolutely anyone could exploit.

So again, have you code reviewed all the code on your box? The kernel? Who you gonna trust?
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5594

Posted: Wed Mar 15, 2017 10:20 pm

1clue wrote:
Do you feel vulnerable that China, which is known to be heavily into electronic espionage, manufactured most smart TVs in the world, and that hiding a microphone is much easier than hiding speakers that sound good?

Why would China spend 2 cents extra per unit on a hidden bug when they can flip a bit in Intel's wonderful HDA codec and listen through the speakers at any time?
1clue
Advocate


Joined: 05 Feb 2006
Posts: 2516

Posted: Thu Mar 16, 2017 2:40 pm

Ant P. wrote:
1clue wrote:
Do you feel vulnerable that China, which is known to be heavily into electronic espionage, manufactured most smart TVs in the world, and that hiding a microphone is much easier than hiding speakers that sound good?

Why would China spend 2 cents extra per unit on a hidden bug when they can flip a bit in Intel's wonderful HDA codec and listen through the speakers at any time?


Interesting, I hadn't seen that one. At any rate, sending "rootmydevice" to built-in kernel code can hardly be difficult either, and gives full access to the system rather than just listening ability.