[–]wizzwizz4 2 insightful - 1 fun (4 children)

This isn't a backdoor, though. (And if you're talking about IME, it probably isn't intended to be a backdoor (despite being able to easily function as one) and there are several ways to mostly disable it. Still pretty rubbish, though.)

[–]magnora7 2 insightful - 1 fun (3 children)

Good points, but I think it was intentional. https://www.eteknix.com/nsa-may-backdoors-built-intel-amd-processors/

[–]wizzwizz4 3 insightful - 1 fun (0 children)

That article makes the claim:

  • A system that makes sure Intel's the only person allowed to write code for the IME allows Intel to write code that's accepted by the IME…
  • Therefore, Intel's allowed the NSA to write backdoors that are then given the Intel seal of approval and allowed on the IME.

This is faulty logic. Yes, the whole malware-prevention system is flawed if Intel releases IME software containing a backdoor (as they kind of accidentally did, by releasing buggy IME software without providing a way to invalidate that seal of approval, so an updated less-buggy IME system can just be replaced with the buggy one and then exploited as usual – which is only an issue if the attacker has IME-flashing ability, but is still a larger attack surface than strictly necessary) but that doesn't mean they're deliberately introducing backdoors into IME-signed code.

I think Intel should be making IME-free processors or making the code more open, but you're already trusting Intel when you buy their chips and install their microcode patches.

What I'd really like is if there was some mechanism like this:

  • You include a ROM chip (yes, ROM!) at a certain address space containing data like "I hereby trust /u/wizzwizz4 with the power to write to my IME".
  • You give Intel my public key and that data.
  • Intel gives you a certificate that links my public key and that data in such a way that my public key is only accepted if the ROM space contains that data.
  • I can then compile and sign IME code that, when provided in tandem with Intel's certificate, is accepted by the IME system.
  • (optional) Either Intel's certificate or my certificate is locked to a specific period of time according to the BIOS clock. This is the easy way to invalidate buggy code (wait until the certificate expires, then code signed with it isn't accepted any more) but since the clock isn't trusted it's also pretty much just smoke and mirrors.
  • (almost mandatory) The code that checks / loads the IME code is open source and the result of a deterministic compilation process (i.e. can be recompiled to produce a byte-for-byte identical result). This should be stored on ROM, not EEPROM, since nothing's checking to make sure it isn't overwritten.

This allows anyone to write code for the IME system in their device (so Puri.sm could just include an extra ROM chip and write their own IME code, then release updates to that IME system when bugs are found without having to go through Intel) without making it insecure.
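
The owner-signed IME loading scheme sketched in the comment above, worked through as an added example (this is editorial illustration code, not anything the commenter, Intel or Purism ship). It assumes Ed25519 for both the vendor and owner keys, a length-prefixed byte encoding for the signed fields, and constructed stand-ins for the ROM statement, the IME image and the BIOS clock; the vendor and owner keys are generated on the fly in place of Intel's real root key. The loader check is `AcceptImage`; `RunScenario` exercises it against a genuine image, a certificate bound to a different ROM statement, a certificate not issued by the vendor, an image altered after signing, and a time-locked certificate before and after the BIOS clock is set back.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Constructed stand-in for the trust statement burned into the ROM chip at a fixed address.
var romStatement = []byte("I hereby trust /u/wizzwizz4 with the power to write to my IME")

// Certificate: the vendor binds an owner public key to the ROM statement, with an optional
// expiry read against the (untrusted) BIOS clock.
type Certificate struct {
	OwnerPub  ed25519.PublicKey
	ROMData   []byte
	NotAfter  int64 // BIOS-clock seconds since the epoch; 0 = never expires
	VendorSig []byte
}

// SignedImage is an IME firmware blob plus the owner's signature over it.
type SignedImage struct{ Code, OwnerSig []byte }

var (
	ErrBadCert     = errors.New("vendor signature on certificate does not verify")
	ErrROMMismatch = errors.New("ROM contents differ from the data bound in the certificate")
	ErrExpired     = errors.New("certificate expired according to the BIOS clock")
	ErrBadImage    = errors.New("owner signature on IME image does not verify")
)

// tbs length-prefixes each field under a domain label so pubkey||romdata cannot be re-split.
func tbs(label string, fields ...[]byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(label)
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	return buf.Bytes()
}

func certTBS(pub ed25519.PublicKey, rom []byte, notAfter int64) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(notAfter))
	return tbs("IME-OWNER-CERT-v1", pub, rom, t[:])
}

func imageTBS(code []byte) []byte { return tbs("IME-IMAGE-v1", code) }

// IssueCertificate is the vendor step: link the owner's public key to the ROM data.
func IssueCertificate(vendorPriv ed25519.PrivateKey, ownerPub ed25519.PublicKey, rom []byte, notAfter int64) Certificate {
	return Certificate{OwnerPub: ownerPub, ROMData: rom, NotAfter: notAfter,
		VendorSig: ed25519.Sign(vendorPriv, certTBS(ownerPub, rom, notAfter))}
}

// SignImage is the owner step: compile the IME code, then sign it.
func SignImage(ownerPriv ed25519.PrivateKey, code []byte) SignedImage {
	return SignedImage{Code: code, OwnerSig: ed25519.Sign(ownerPriv, imageTBS(code))}
}

// AcceptImage is the ROM-resident loader check: the vendor cert verifies, the ROM holds exactly
// the bound data, the cert is not expired, and the image is signed by the bound owner key.
func AcceptImage(vendorPub ed25519.PublicKey, rom []byte, biosNow int64, cert Certificate, img SignedImage) error {
	if !ed25519.Verify(vendorPub, certTBS(cert.OwnerPub, cert.ROMData, cert.NotAfter), cert.VendorSig) {
		return ErrBadCert
	}
	if subtle.ConstantTimeCompare(rom, cert.ROMData) != 1 {
		return ErrROMMismatch
	}
	if cert.NotAfter != 0 && biosNow > cert.NotAfter {
		return ErrExpired
	}
	if !ed25519.Verify(cert.OwnerPub, imageTBS(img.Code), img.OwnerSig) {
		return ErrBadImage
	}
	return nil
}

// ScenarioResult holds the loader's verdict for each constructed situation.
type ScenarioResult struct {
	Genuine, ForeignROM, ForgedCert, TamperedCode, Expired, ClockRewound error
}

// RunScenario plays the whole flow with fresh keys standing in for the vendor's and the owner's.
func RunScenario() ScenarioResult {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil)
	_, roguePriv, _ := ed25519.GenerateKey(nil) // someone who is not the vendor
	code, now := []byte("constructed IME image v2"), int64(1_700_000_000)
	cert, img := IssueCertificate(vendorPriv, ownerPub, romStatement, 0), SignImage(ownerPriv, code)
	tampered := SignImage(ownerPriv, code)
	tampered.Code = append([]byte("X"), code[1:]...) // image altered after signing
	expiring := IssueCertificate(vendorPriv, ownerPub, romStatement, now-1) // time-locked cert
	return ScenarioResult{
		Genuine:      AcceptImage(vendorPub, romStatement, now, cert, img),
		ForeignROM:   AcceptImage(vendorPub, []byte("another owner's statement"), now, cert, img),
		ForgedCert:   AcceptImage(vendorPub, romStatement, now, IssueCertificate(roguePriv, ownerPub, romStatement, 0), img),
		TamperedCode: AcceptImage(vendorPub, romStatement, now, cert, tampered),
		Expired:      AcceptImage(vendorPub, romStatement, now, expiring, img),      // clock past NotAfter
		ClockRewound: AcceptImage(vendorPub, romStatement, now-3600, expiring, img), // clock set back: accepted
	}
}
```

The last two results make the comment's own caveat concrete: the expiring certificate is refused once the BIOS clock passes `NotAfter`, and accepted again the moment the clock is wound back, so the expiry is only as strong as the clock. Like the proposal it illustrates, the check carries no anti-rollback state of its own, so an older image signed by the same owner key remains loadable until the owner's certificate itself is replaced.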

[–]zyxzevn 3 insightful - 1 fun (1 child)

I think that Intel and AMD will have gotten quite a donation for backdooring all PCs. But we will probably not really know, until it is too late.

[–]magnora7 3 insightful - 1 fun (0 children)

I think you are almost certainly correct. It's probably part of that $60 billion per year additional "black budget" the CIA gets that no one gets to know anything about.