
Add Intel ME recommendation (closing issue #12)

Preparing for end-of-2017 update to the recommendations.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Konstantin Ryabitsev 2017-11-13 19:24:16 -05:00
parent 8f1b807f37
commit 9cbd84f07d
No known key found for this signature in database
GPG key ID: 34BAB80AF9F247B8


@ -1,6 +1,6 @@
# Linux workstation security checklist
Updated: 2017-01-23
Updated: 2017-11-15
### Target audience
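Review bot: the new "Updated: 2017-11-15" stamp is two days ahead of this commit's own date (2017-11-13). If the date is meant to mark the planned end-of-2017 release rather than the edit itself, say so in the commit message; otherwise set it in the commit that actually publishes the update so the stamp does not drift from the history.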
@ -71,6 +71,7 @@ this section addresses core considerations when choosing a work system.
- [ ] System supports SecureBoot _(ESSENTIAL)_
- [ ] System has no firewire, thunderbolt or ExpressCard ports _(NICE)_
- [ ] System has a TPM chip _(NICE)_
- [ ] System has disabled Intel ME chip _(PARANOID)_
### Considerations
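Review bot: the new checklist item "System has disabled Intel ME chip" names the component differently from the section heading this same commit adds ("Intel Management Engine (IME)"), and "has disabled" reads awkwardly. Suggest wording such as "System has the Intel Management Engine (IME) disabled _(PARANOID)_" so the item matches the heading a reader will look for under Considerations.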
@ -104,6 +105,28 @@ security (such as to store full-disk encryption keys), but is not normally used
for day-to-day workstation operation. At best, this is a nice-to-have, unless
you have a specific need to use TPM for your workstation security.
#### Intel Management Engine (IME)
Almost every computer with an Intel processor ships with a fully integrated
management platform chip called the Intel Management Engine (IME). Its purpose
is to make it easier for device fleet administrators to provision and enroll
systems, remotely track the device's location, power and network status, and
even trigger such events as full remote system wipe in case of theft. This
chip runs a MINIX operating system and comes with a builtin web server.
Unfortunately, with great power come great vulnerabilities. Intel ME chips
have been demonstrated to be vulnerable to both [local and remote
attacks][26], allowing perpetrators to take full control over systems with
Intel ME engine available. Any system with an enabled IME chip should be
considered potentially vulnerable, especially if it has not received
manufacturer firmware updates.
There are [some laptop manufacturers][27] that have started providing systems
with the Intel ME chip disabled, and it may be possible to manually disable
the IME by using a tool such as [me_cleaner][25], though you should be mindful
that it is an involved process and that disabling the IME may void the
manufacturer support warranty (or even be against your employer policy).
## Pre-boot environment
This is a set of recommendations for your workstation before you even start
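Review bot: the paragraph ending "especially if it has not received manufacturer firmware updates" tells readers to treat any system with an enabled IME as potentially vulnerable, but the section gives no way to tell whether the IME is enabled or whether the firmware is current, so the PARANOID checklist item cannot be verified as written. Add a sentence on how to check, or point to the manufacturer's documentation for it. On wording, the section switches between "IME", "Intel ME chips", "Intel ME engine" and "IME chip"; "Intel ME engine" repeats "engine", and a single name used throughout would read better.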
@ -870,3 +893,6 @@ This work is licensed under a
[22]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
[23]: http://www.dongleauth.info/
[24]: https://subgraph.com/sgos/
[25]: https://github.com/corna/me_cleaner
[26]: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits
[27]: https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
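Review bot: [26] points at a section anchor of the Wikipedia article on Intel Active Management Technology, while the sentence that cites it speaks of attacks on Intel ME chips; either name AMT in the text or link a source about the ME itself. A Wikipedia section anchor also stops resolving when the heading is renamed, so a vendor advisory would make a more stable reference.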