From 9cbd84f07d14c2f27881c92f365d571d3ec91ba0 Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Mon, 13 Nov 2017 19:24:16 -0500 Subject: [PATCH] Add Intel ME recommendation (closing issue #12) Preparing for end-of-2017 update to the recommendations. Signed-off-by: Konstantin Ryabitsev --- linux-workstation-security.md | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/linux-workstation-security.md b/linux-workstation-security.md index aa8c610..a449c4e 100644 --- a/linux-workstation-security.md +++ b/linux-workstation-security.md @@ -1,6 +1,6 @@ # Linux workstation security checklist -Updated: 2017-01-23 +Updated: 2017-11-15 ### Target audience @@ -71,6 +71,7 @@ this section addresses core considerations when choosing a work system. - [ ] System supports SecureBoot _(ESSENTIAL)_ - [ ] System has no firewire, thunderbolt or ExpressCard ports _(NICE)_ - [ ] System has a TPM chip _(NICE)_ +- [ ] System has disabled Intel ME chip _(PARANOID)_ ### Considerations @@ -104,6 +105,28 @@ security (such as to store full-disk encryption keys), but is not normally used for day-to-day workstation operation. At best, this is a nice-to-have, unless you have a specific need to use TPM for your workstation security. +#### Intel Management Engine (IME) + +Almost every computer with an Intel processor ships with a fully integrated +management platform chip called the Intel Management Engine (IME). Its purpose +is to make it easier for device fleet administrators to provision and enroll +systems, remotely track the device's location, power and network status, and +even trigger such events as full remote system wipe in case of theft. This +chip runs a MINIX operating system and comes with a builtin web server. + +Unfortunately, with great power come great vulnerabilities. Intel ME chips +have been demonstrated to be vulnerable to both [local and remote +attacks][26], allowing perpetrators to take full control over systems with +Intel ME engine available. Any system with an enabled IME chip should be +considered potentially vulnerable, especially if it has not received +manufacturer firmware updates. + +There are [some laptop manufacturers][27] that have started providing systems +with the Intel ME chip disabled, and it may be possible to manually disable +the IME by using a tool such as [me_cleaner][25], though you should be mindful +that it is an involved process and that disabling the IME may void the +manufacturer support warranty (or even be against your employer policy). + ## Pre-boot environment This is a set of recommendations for your workstation before you even start @@ -870,3 +893,6 @@ This work is licensed under a [22]: https://en.wikipedia.org/wiki/Universal_2nd_Factor [23]: http://www.dongleauth.info/ [24]: https://subgraph.com/sgos/ +[25]: https://github.com/corna/me_cleaner +[26]: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits +[27]: https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/