Intel will prevent hardware downgrade of Management Engine firmware


Intel will block hardware-level downgrades to earlier firmware versions in version 12 of its Management Engine. Enabling the feature is optional for manufacturers, but Intel strongly recommends it.

Intel describes its plans in a confidential document that The Register found on the GitHub page of a tool for disabling the Management Engine, or ME. The chip manufacturer writes that the current protection against installing an older version of the ME firmware can be bypassed by anyone with physical access: an older image can still be written to the flash chip with an external programmer, for example a flash tool from manufacturer DediProg, according to Intel. To prevent such a physical downgrade, the company wants to enforce the check in hardware.

The manufacturer does this by means of a so-called SVN, or security version number, which is stored in field programmable fuses (FPFs). This is one-time-programmable memory: once a fuse is blown it cannot easily be reset afterwards. The SVN is raised every time a vulnerability is patched, Intel said. From version 12 of the Management Engine onwards, the new value of the number is committed to the fuses. The ME ROM checks at every startup whether the firmware carries an acceptable SVN. In addition, all cryptographic keys are derived from the number, so an attacker cannot recover the current keys by physically downgrading the firmware: an older image with a lower SVN derives different keys.

A system will only start if the SVN of the ME firmware is greater than or equal to the number stored in the FPFs. A system that refuses to start for that reason can only be recovered by flashing a firmware version with a sufficiently high SVN. Manufacturers can choose to turn the protection on in Coffee Lake or Cannon Lake processors, and Intel writes that doing so is “highly recommended.” By default the feature is turned off, but according to the chipmaker this may change in the future; in that case manufacturers would get an opt-out instead.
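To make the mechanism concrete, the following is an added model of SVN-based anti-rollback written for this article; it is not Intel's code, and the fuse layout (a 31-bit unary SVN plus one opt-in bit in a single fuse word), the toy FNV-1a key derivation and the image structure are all assumptions chosen for illustration. It shows the three properties described above: the fused SVN can only go up, the ROM refuses an image whose SVN is below the fused value once the OEM has opted in, and keys derived by a lower-SVN image differ from those of the current firmware.

```c
/* svn_rollback_model.c: constructed model of SVN anti-rollback (not Intel's code).
 * Assumed: unary SVN in bits 0..30 of one fuse word, opt-in fuse in bit 31, toy KDF. */
#include <stdint.h>
#include <stdio.h>

#define FPF_SVN_BITS   31u          /* assumed: SVN fuses occupy bits 0..30 */
#define FPF_ARB_ENABLE (1u << 31)   /* assumed: OEM opt-in fuse for anti-rollback */

/* One-time-programmable fuse bank: bits can only go 0 -> 1, never back. */
typedef struct { uint32_t word; } fpf_bank_t;

/* SVN is stored in unary (number of blown fuses) so it can only ever increase. */
static uint32_t fpf_read_svn(const fpf_bank_t *b) {
    uint32_t n = 0;
    while (n < FPF_SVN_BITS && (b->word & (1u << n))) n++;
    return n;
}

/* Blow additional fuses to raise the stored SVN. Lowering it is refused:
 * there is no way to clear a blown fuse. Returns 0 on success, -1 otherwise. */
static int fpf_raise_svn(fpf_bank_t *b, uint32_t svn) {
    if (svn > FPF_SVN_BITS) return -1;             /* out of range */
    uint32_t cur = fpf_read_svn(b);
    if (svn < cur) return -1;                      /* would be a downgrade */
    for (uint32_t i = cur; i < svn; i++) b->word |= (1u << i);
    return 0;
}

/* Irreversible OEM opt-in; this is the "highly recommended" setting. */
static void fpf_enable_arb(fpf_bank_t *b) { b->word |= FPF_ARB_ENABLE; }

/* Minimal firmware image descriptor (assumed layout). */
typedef struct { uint32_t version; uint32_t svn; } me_image_t;

/* Toy KDF: FNV-1a over root_secret || svn. Stands in for the real derivation;
 * the point is only that the key depends on the SVN the firmware runs at. */
static uint64_t derive_key(uint64_t root_secret, uint32_t svn) {
    uint64_t h = 0xcbf29ce484222325ULL;
    uint8_t buf[12];
    for (int i = 0; i < 8; i++) buf[i] = (uint8_t)(root_secret >> (8 * i));
    for (int i = 0; i < 4; i++) buf[8 + i] = (uint8_t)(svn >> (8 * i));
    for (int i = 0; i < 12; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* ROM boot gate. Returns 1 if the image may run, 0 if it is refused.
 * With anti-rollback fused on, an image below the fused SVN is rejected and a
 * successful boot of a newer image commits its SVN to the fuses. Keys are
 * derived from the running image's SVN in every case. */
static int me_rom_boot(fpf_bank_t *b, const me_image_t *img,
                       uint64_t root_secret, uint64_t *key_out) {
    if (b->word & FPF_ARB_ENABLE) {
        uint32_t fused = fpf_read_svn(b);
        if (img->svn < fused) return 0;            /* physical downgrade: halt */
        if (img->svn > fused && fpf_raise_svn(b, img->svn) != 0) return 0;
    }
    *key_out = derive_key(root_secret, img->svn);
    return 1;
}

int main(void) {
    fpf_bank_t fuses = {0};
    const uint64_t root = 0x0123456789abcdefULL;   /* constructed root secret */
    me_image_t v11 = {11, 1};                       /* old image, SVN 1 */
    me_image_t v12 = {12, 3};                       /* patched image, SVN 3 */
    uint64_t k_old, k_new;

    fpf_enable_arb(&fuses);
    printf("boot v12 (svn 3): %d, fused svn now %u\n",
           me_rom_boot(&fuses, &v12, root, &k_new), fpf_read_svn(&fuses));
    printf("boot v11 (svn 1) after downgrade: %d\n",
           me_rom_boot(&fuses, &v11, root, &k_old));
    printf("lower fuse to 1: %d\n", fpf_raise_svn(&fuses, 1));
    printf("key(svn 1) == key(svn 3)? %d\n",
           derive_key(root, 1) == derive_key(root, 3));
    return 0;
}
```

Run stand-alone, the model boots the SVN 3 image, refuses the SVN 1 image afterwards, refuses to lower the fuse, and reports that the two SVNs derive different keys. Recovery is the same as the article describes: flashing an image with SVN 3 or higher boots again.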

The plans follow Intel’s publication of a number of vulnerabilities in version 11 of its Management Engine, which is present in CPUs from the Skylake generation onwards. An attacker could exploit the vulnerabilities to execute code without users noticing, the chipmaker warned in late November. Intel found the vulnerabilities in its own analysis, which it conducted in response to discoveries by researchers at security firm Positive Technologies. That firm found, among other things, that the ME can be switched off. Several manufacturers, such as Purism and System76, make use of this option. Critics call the ME a backdoor because it has far-reaching access to the system.
