
While studying the internal architecture of Intel Management Engine (ME) version 11, we discovered a mechanism that disables this technology after the hardware has been initialized and the main processor has started. In this article we describe how we found this undocumented mode and how it is connected to the government High Assurance Platform (HAP) program for building trusted platforms.
The authors warn that applying this knowledge in practice can damage computers. They bear no responsibility for that, give no guarantee that anything will or will not work, and do not recommend experimenting without an SPI programmer.
Introduction
The Intel Management Engine is a proprietary technology: a microcontroller integrated into the Platform Controller Hub (PCH) chip together with a set of embedded peripherals. Almost all communication between the processor and external devices passes through the PCH, so Intel ME has access to almost all data on the computer, and the ability to execute third-party code on it allows the platform to be compromised completely. Such boundless possibilities have attracted researchers for years, but interest in Intel ME has recently grown significantly. One reason is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as the operating system) architecture. The x86 platform makes it possible to use the full power of binary analysis tools, which was difficult before: up to version 11, a core with the rarely encountered ARC instruction set was used. Unfortunately, analysis of Intel ME 11 was hampered by the fact that executable modules are packed with Huffman coding using unknown tables. Our research team (Dmitry Sklyarov, Mark Yermolov, Maxim Goryachiy) managed to recover them (the utility for unpacking images can be found on our GitHub page).
After unpacking the executable modules, we began to study the software and hardware internals of Intel ME. Our team has been working on this for quite a long time, and we have accumulated a large amount of material that we decided to publish. This is the first in a series of articles on the internal design and features of Intel ME, and in it we describe how to disable the main functionality of the subsystem. This question troubles specialists, since turning ME off would reduce the risk of data leakage if, for example, a zero-day vulnerability were found in this technology.
How to turn off ME
How to turn off ME is a question often asked by owners of x86-based computers. The topic of deactivation has been raised repeatedly, including by researchers at our company. The recently discovered critical (9.8 out of 10) vulnerability in Intel Active Management Technology (AMT), a technology based on Intel ME, makes the question all the more pressing.
We must disappoint the reader right away: it is impossible to turn ME off completely on modern computers. The main reason is that this technology is responsible for initialization, power management and launch of the main processor. A further complication is that part of the code is “hard-wired” inside the PCH chip, which performs the functions of a south bridge on modern motherboards. The main approach of enthusiasts who “fight” this technology is to remove everything “superfluous” from the flash memory image while keeping the computer working. This is not easy, because if the code embedded in the PCH does not find the ME modules in flash memory, or determines that they are damaged, the system will not start. The me_cleaner project has been under development for several years; it provides a utility that removes most of the image and leaves only the components vital to the main system. But even if the system starts, it is too early to rejoice: after about 30 minutes an automatic shutdown may occur, because on certain failures ME enters Recovery mode, in which it operates for no longer than a fixed time. This complicates the cleaning process. For example, before version 11 the image could be reduced to 90 KB, but in version 11 only to 650 KB.
Figure 1. Support for Skylake+ architectures in me_cleaner
Secrets in QResource
Intel gives motherboard manufacturers the ability to set a small number of ME parameters. For this purpose the company provides equipment manufacturers with a special software kit, which includes utilities such as the Flash Image Tool (FIT) for setting ME parameters and the Flash Programming Tool (FPT), which programs flash memory directly through the built-in SPI controller. These programs are not available to end users, but they can easily be found on the Internet. A large number of XML files can be extracted from these utilities (described in detail in Intel ME: The Way of the Static Analysis). Studying them reveals a lot of interesting things: the structure of the ME firmware and the description of the PCH straps, which are special configuration bits for the various subsystems integrated into the PCH chip.
Figure 2. Packed XML files
We were interested in one of these fields, named “reserve_hap”, because the comment next to it read: High Assurance Platform (HAP) enable.
Figure 3. PCH strap for High Assurance Platform
The Google search did not take long. Literally the second link says that this is the name of a program for creating trusted platforms that is associated with the US National Security Agency (NSA). A presentation describing the program can be found here. Our first thought was to set this bit and see what would happen. Anyone can do this with an SPI programmer or with access to the Flash Descriptor (on many motherboards, access rights to the flash memory regions are set incorrectly).
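Whether a given image has the incorrectly set region access rights mentioned above can be checked on a flash dump. The following is an added example, not code from the original article; it assumes the descriptor layout of 100-series and later PCHs, in which the host master register FLMSTR1 holds read permissions in bits 8-19 and write permissions in bits 20-31, and the function names and both sample descriptors are constructed.

```python
import struct

FLVALSIG = 0x0FF0A55A          # flash descriptor signature, stored at offset 0x10
REGIONS = {0: "Flash Descriptor", 1: "BIOS", 2: "ME"}


def host_access(image: bytes) -> dict:
    """Return {region name: (readable, writable)} for the host CPU master."""
    if len(image) < 0x1C or struct.unpack_from("<I", image, 0x10)[0] != FLVALSIG:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap1 = struct.unpack_from("<I", image, 0x18)[0]
    fmba = (flmap1 & 0xFF) << 4            # base address of the master section
    if fmba + 4 > len(image):
        raise ValueError("master section lies outside the image")
    flmstr1 = struct.unpack_from("<I", image, fmba)[0]
    read_bits = (flmstr1 >> 8) & 0xFFF     # one bit per region
    write_bits = (flmstr1 >> 20) & 0xFFF
    return {name: (bool(read_bits >> i & 1), bool(write_bits >> i & 1))
            for i, name in REGIONS.items()}


def findings(image: bytes) -> list:
    """Report regions that software on the host CPU should not be able to write."""
    access = host_access(image)
    return [f"host CPU can write the {name} region"
            for name in ("Flash Descriptor", "ME") if access[name][1]]


def make_descriptor(flmstr1: int) -> bytes:
    """Constructed 4 KiB descriptor holding only the fields this check reads."""
    d = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", d, 0x10, FLVALSIG)
    struct.pack_into("<I", d, 0x18, 0x08)   # FMBA = 0x08 -> master section at 0x80
    struct.pack_into("<I", d, 0x80, flmstr1)
    return bytes(d)


# Constructed samples: a locked descriptor (host reads descriptor and BIOS,
# writes BIOS only) and one that grants the host every permission.
LOCKED = make_descriptor(0x00200300)
UNLOCKED = make_descriptor(0xFFFFFF00)

if __name__ == "__main__":
    for label, img in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(label, findings(img) or "descriptor and ME regions are write-protected")
```

A non-empty result means that software running on the host can rewrite the descriptor or the ME region without a hardware programmer.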
Figure 4. ME status after HAP bit activation
After the platform boots, the meinfo utility reports a strange status: Alt Disable Mode. A quick check showed that ME does not respond to commands and does not react to any action from the operating system. We decided to figure out how the system enters this mode and what it means. By that time we had already analyzed the main part of the BUP module, which is responsible for initial platform initialization and which, judging by the meinfo output, sets this status. To understand how BUP works, the Intel ME software environment needs to be described in more detail.
Intel ME 11 software
Starting with the PCH 100 series, Intel completely reworked this chip. The embedded microcontrollers moved to a new architecture: from ARCompact by ARC to x86. The 32-bit Minute IA (MIA) microcontroller, which is used in Intel Edison microcomputers and Quark SoCs, was chosen as the basis. It is based on the design of the rather old scalar Intel 486 microprocessor with the instruction set (ISA) of the Pentium processor added. For the PCH, however, the company manufactures this core using 22 nm semiconductor technology, which gives the microcontroller high energy efficiency. There are three such cores in the new PCH: Management Engine (ME), Integrated Sensors Hub (ISH) and Innovation Engine (IE). The latter two can be activated and deactivated depending on the PCH model and target platform, while the ME core always runs.
Figure 5. Three x86 processors in PCH
Such sweeping changes also required changes to the software side of ME. In particular, MINIX was chosen as the basis for the operating system (previously it was ThreadX RTOS). The ME firmware now includes a complete operating system with its own processes, threads, memory manager, hardware bus driver, file system and much more. ME integrates a hardware crypto processor that supports the SHA256, AES, RSA and HMAC algorithms. User processes access hardware through a local descriptor table (LDT). The address space of a process is also organized through the LDT: it is simply a part of the global kernel address space whose boundaries are specified in a local descriptor. As a result, the kernel does not need to switch between the memory of different processes (by changing page directories), as is done, for example, in Microsoft Windows or Linux.
This concludes the overview of the Intel ME software environment. Next we take a closer look at how the operating system and modules are loaded.
Boot stages of Intel ME
The launch starts with the ROM program, which is contained in the static memory built into the PCH. Unfortunately, the general public doesn’t know how to read or rewrite this memory, but on the Internet you can find “pre-sale” versions of ME firmware with a ROMB section (ROM BYPASS), which, we suppose, duplicates the ROM functions. Thus, exploring such firmware, you can restore the basic functionality of the initialization program.
Studying ROMB makes the purpose of the ROM clear: it performs the initial hardware initialization (for example, of the SPI controller), verifies the digital signature of the FTPR section header and loads the RBE module, which is already located in flash memory. RBE, in turn, verifies the checksums of the KERNEL, SYSLIB and BUP modules and transfers control to the kernel entry point.
It should be noted that these three entities - ROM, RBE and KERNEL - run at the zero privilege level (in ring-0) of the MIA core.
Figure 6. SYSLIB, KERNEL and BUP integrity checks in RBE
The first process that the kernel creates is BUP, which already runs in its own address space, in ring-3. The kernel does not start other processes on its own initiative; this is done by BUP itself and by a separate LOADMGR module, to which we will return later. The purpose of BUP (platform BringUP) is to initialize the entire hardware environment of the platform (including the processor), perform the primary power management functions (for example, starting the system when the power button is pressed) and start all other ME processes. It is therefore safe to say that a PCH of the 100 series or later is physically unable to start without correct ME firmware. First, BUP initializes the power management controller (PMC) and the ICC controller. Second, it starts a whole series of processes: some of them are “hard-wired” in the code (SYNCMAN, PM, VFS), and the rest are listed in InitScript (an analog of autorun), which is stored in the header of the FTPR volume and is protected by a digital signature.
Figure 7. Starting SYNCMAN and PM
Thus, BUP reads InitScript and starts all processes that match the ME startup type and are IBL processes.
Figure 8. InitScript handling
Figure 9. List of modules with IBL flag
If a process fails to start, BUP will not start the system, or will transfer it to Recovery mode, in which power is cut automatically after several tens of minutes. As the illustration shows, the last entry in the list of IBL processes is LOADMGR. It starts the remaining processes, but unlike BUP, if an error occurs while starting a module, LOADMGR simply proceeds to the next one.
Thus, the first option for limiting the functioning of Intel ME is to remove all modules that do not have the IBL flag in InitScript, which significantly reduces the size of the firmware. But initially we wanted to find out what happens to ME in HAP mode. To do that, let us look at the BUP program model in more detail.
Figure 10. Module startup diagram in ME
Bringup
Looking at how the BUP module works, one can say that it implements a classic finite state machine. Execution is functionally divided into two parts: the initialization stages (these form the state machine itself) and the servicing of requests from other processes after system initialization. The number of initialization stages varies with the platform and SKU (TXE, CSME, SPS, consumer, corporate), but the main ones, common to all versions, can still be identified.
First stage
At the initial stage, BUP creates the internal diagnostic file system sfs (SUSRAM FS, a file system located in volatile memory), reads the configuration and, most importantly, obtains from the PMC the reason for this start: platform power-up, a global restart of the entire platform, a restart of ME only, or wake-up from sleep. This stage is called boot flow determination. The subsequent stages of the initialization state machine depend on it. In addition, several operating modes are supported: normal mode and a set of service modes in which ME does not function normally: HAP, HMRFPO, TEMP_DISABLE, RECOVERY, SAFE_MODE, FW_UPDATE and FD_OVERRIDE.
Second stage
At the next stage, the ICC controller is initialized and the ICC profile (responsible for the clock frequencies of the main consumers) is loaded, Boot Guard is initialized, and cyclic polling for confirmation that the processor has started begins.
Third stage
BUP expects a message from the PMC that the main processor has started. After that, the BUP starts the PMC asynchronous polling cycle for power events (restarting or shutting down the platform) and proceeds to the next stage. If such an event occurs, the BUP will perform the requested action at the time of the transition between the initialization stages.
Fourth stage
At this stage, the internal hardware is initialized. BUP also starts a polling loop on HECI (a special device designed to receive commands from the BIOS or the operating system) in order to receive the DID (DRAM Init Done) message from the BIOS. This message tells ME that the main BIOS has initialized RAM and reserved a special region for ME, the UMA, after which BUP proceeds to the next stage.
Fifth stage
As soon as the DID is received, BUP, depending on the operation mode, which is determined by different components, either starts IBL processes from InitScript (during normal operation), or hangs in a loop, from which it can only exit when it receives a message from PMC, for example, as a result of a request to restart or shut down the system.
It is at this stage that we find the HAP processing, and in this mode BUP does not execute InitScript, but hangs. Thus, the rest of the sequence of actions during normal operation is not related to HAP and will not be considered by us. The main thing that I want to note: in the HAP mode, the BUP performs all platform initialization (ICC, Boot Guard), but does not start the main ME processes.
Figure 11. Determining HAP mode
Figure 12. Transfer ME to the fifth stage, which is equivalent to hanging
Figure 13. Fifth Stage
HAP bit setting
Based on the above, the second option for disabling ME is to set the HAP bit and remove or damage all modules except those that BUP needs in order to start: RBE, KERNEL, SYSLIB and BUP. This can be done simply by removing them from the FTPR CPD section and recalculating the checksum of the CPD header (the structure of the ME firmware is described here).
One more question remains: how to set this bit? You can use the FIT configuration files and determine where it is located in the image, but there is an easier way. If you open FIT, then in the ME Kernel section you can find a certain parameter Reserved. It is this bit that is responsible for enabling the HAP mode.
Figure 14. HAP Mode Activation Bit
HAP and Boot Guard
We also found the code in BUP, which, when HAP mode is activated, sets an extra bit in the Boot Guard policies. Unfortunately, we have not yet managed to figure out what controls this bit.
Figure 15. Setting the extra bit for Boot Guard
ME 11 support in me_cleaner
While this article was being prepared for publication, the developers updated me_cleaner, so that it too now removes from images all modules except RBE, KERNEL, SYSLIB and BUP, but it does not set the HAP bit; this puts ME into “TemporaryDisable” mode. We were curious about what happens with this approach.
We found that deleting partitions with the ME file system results in an error when reading the cfg_rules file. This file contains a number of different system settings. Among them, we believe, is a flag, which we called “bup_not_temporary_disable”. If it is not set, the entire subsystem is transferred to the TemporaryDisable mode, and since this flag is a global variable initialized by default to zero, the read error is regarded as a configuration requiring shutdown.
We also checked the firmware of the server and mobile versions of ME (SPS 4.x and TXE 3.x). In the server version this flag is always set to 1, and in the mobile version it is not analyzed. It follows that this method will not work on the server and mobile (Apollo Lake) versions of ME.
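The decisions described in the Bringup and me_cleaner sections can be put together in one simplified model. This is an added example, not code recovered from the firmware or taken from the original article: the module names MOD_A to MOD_D, the order of the checks and the assumption that a stock cfg_rules file sets the flag are all constructed for illustration.

```python
from dataclasses import dataclass, field

ESSENTIAL = {"RBE", "KERNEL", "SYSLIB", "BUP"}   # per the article: enough to reach BUP

# Constructed InitScript as (module, IBL flag). Only LOADMGR being the last
# IBL entry comes from the article; the MOD_* names are placeholders.
INIT_SCRIPT = [("MOD_A", True), ("MOD_B", True), ("LOADMGR", True),
               ("MOD_C", False), ("MOD_D", False)]
ALL_MODULES = ESSENTIAL | {name for name, _ in INIT_SCRIPT}


@dataclass
class Firmware:
    sku: str = "CSME"          # "CSME", "SPS" (server) or "TXE" (mobile)
    hap_strap: bool = False
    fs_present: bool = True    # partitions holding cfg_rules are still in the image
    modules: set = field(default_factory=lambda: set(ALL_MODULES))


def not_temporary_disable(fw):
    """Model of the flag the article calls bup_not_temporary_disable."""
    flag = 0                   # global variable, zero by default
    if fw.sku == "SPS":
        flag = 1               # server firmware: always 1
    elif fw.fs_present:
        flag = 1               # assumption: a stock cfg_rules sets it
    return flag                # a failed read leaves the default 0


def boot(fw):
    """Return (ME mode, processes started after BUP)."""
    if not ESSENTIAL <= fw.modules:
        return "NO_BOOT", []
    # Stages 1-4 (boot flow, ICC, Boot Guard, CPU start, DID) run in every mode.
    if fw.hap_strap:
        return "HAP", []       # stage 5: wait for PMC messages, InitScript not run
    if fw.sku != "TXE" and not not_temporary_disable(fw):  # TXE ignores the flag
        return "TEMP_DISABLE", []
    started = []
    for name, ibl in INIT_SCRIPT:
        if name in fw.modules:
            started.append(name)
        elif ibl:              # BUP: a failed IBL start is fatal
            return "RECOVERY", started   # (or the platform does not start)
        # otherwise LOADMGR skips the failed module and continues
    return "NORMAL", started


def strip(fw):
    """Image reduced as described above: essential modules only, file system removed."""
    return Firmware(fw.sku, fw.hap_strap, False, set(ESSENTIAL))
```

In this model the stripped desktop image ends up in TEMP_DISABLE only because the zero default survives the failed read, while the same stripping on SPS or TXE falls through to the InitScript stage and fails there.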
Figure 16. Reading the cfg_rules file
Instead of conclusion
Thus, we have found an undocumented PCH strap that allows Intel ME to be put into a disabled mode at an early stage. The fact that modules can be physically removed from the image while the platform keeps working already proves implicitly that this mode turns ME off, and binary analysis leaves no doubt. We can say with a great deal of confidence that Intel ME can no longer leave this mode, since no code that would allow this has been found in the RBE, KERNEL and SYSLIB modules. We also believe that the ROM integrated into the PCH is almost the same as ROMB, in which nothing of the kind was found either. Thus, HAP protects against vulnerabilities present in all modules except RBE, KERNEL, SYSLIB, ROM and BUP, but, unfortunately, this mode does not protect against the exploitation of errors at earlier stages.
We shared the details of the study with Intel representatives. Their response confirmed our conjecture that the undocumented mode is related to the High Assurance Platform program. With the company's permission, we quote an excerpt from the response:
Mark / Maxim,
Requirements for customers or customers. In the case of the United States government’s High Assurance Platform program, the modifications were made. These modifications are under officially limited configuration.
We believe that this mechanism meets a typical request from any government agency that wants to reduce the likelihood of leaks through side channels. But the main question remains: how does HAP affect the functioning of Boot Guard? Because this technology is closed, it is not yet possible to answer this question, but we hope to succeed in the near future.
Authors: Maxim Goryachiy, Mark Ermolov