The hidden possibility of disabling the Intel ME subsystem is revealed
By Prempal Singh
Researchers from Positive Technologies revealed an undocumented option to disable the Intel ME 11 (Management Engine) implemented using a separate microprocessor that runs independently of the CPU and performs tasks that must be separated from the OS, such as processing DRM, TPM (Trusted Platform Module) and low-level interfaces for monitoring and controlling equipment.
Intel ME is subject to criticism because of the possibility of organizing hidden access to user information flows bypassing the CPU, so the possibility of disabling Intel ME is perceived by some users as a desirable option that allows to get rid of the uncontrolled black box in the system and possible vulnerabilities in components based on it . For example, in May, a vulnerability in the AMT component (Active Management Technology) was detected, allowing an unprivileged attacker to gain access to remote management functions, including power management functions, traffic monitoring, BIOS settings change, firmware updates, disk cleaning, remote boot new OS (emulates USB-drive from which you can boot), console redirection (Serial Over LAN and KVM over the network), etc.
The result of the research allows to completely deactivate the main Intel ME controller in Intel chips by installing an undocumented bit in one of the firmware files. The specified bit controls the activation of HAP (High Assurance Platform) mode, which is associated with the ANB platform of the same name used to protect computer systems in US government agencies. Tuning is one of the options for disabling subsystems that can potentially create additional security threats.
Intel confirmed that the option was added at the request of some equipment manufacturers who are delivering under a contract with the US government. The undocumented nature of the option is explained by the fact that this mode has not yet passed the full scan cycle and is not yet officially supported.
It is noteworthy that earlier many security researchers have tried to find a way to disable Intel ME, but this was only partially achieved, as some initialization and management processes are tied to handlers in Intel ME. As a rule, the part of the Intel ME firmware was removed, leaving the minimum required for downloading the set. This approach led to various gaps with stability and was not widely spread.
As for the undocumented HAP mode, when it is activated, Intel ME performs all the initial steps necessary to initialize and start the CPU, after which it is transferred to an inactive state. To enable the mode, there is no need to perform any special manipulations with the firmware or patches – the HAP-related option can be changed in the Intel ME firmware interface, where it is presented under the name “Reserved” in the “Networking & Connectivity” section. After HAP mode is enabled as an additional precaution from the firmware, you can delete all modules except RBE, KERNEL, SYSLIB, ROM and BUP, and then adjust the checksum in the CPD header.
Researchers from Positive Technologies conducted an analysis of the possibility of exiting HAP mode, but did not find any code that would allow the activation of Intel ME, which was turned off.The completeness of the trip was also confirmed experimentally – the researchers damaged the parts of the firmware performed by the initial stage initialization salvo, and the system continued its correct operation (without interrupting Intel ME there was a malfunction). Finally, it was concluded that HAP mode can protect against vulnerabilities in all Intel ME modules, except for the RBE, KERNEL, SYSLIB, ROM and BUP modules used in the early initialization phase.