Intel Management Engine


Hi, I just heard about this today and did a bit of research on it, but the things I found were too technically savvy for me, and some were quiet ambiguous in their explanations. Before I ask the question, I would like to say that I do understand technical terms relating to computers and their hardware, but I might not fully get some of the acronyms. That being said, my main questions are:

What the hell is Intel ME and also AMDs PSP? What do they do – what’s the point of having them? Why can’t we just integrate all the management software onto the CPU and must rely on a separate independent processor (is that what it is)? What protection ring would it be classified as (might help to explain how the layers may interact with one another)? Finally, how big of a security risk does it pose?

I know those are a bunch of questions and they will implicit a large and thought-out response, but to anyone who has knowledge about this specific niche and has the time, I would greatly appreciate it.

Thanks again.

In: 58

Intel ME is, in fact, a completely separate processor running its own operating system stored in a firmware chip on your bios. The features are that it makes its own decisions regardless of the opinions of your host OS for the most part, and can run even when the system is sleeping. It can be considered to have *more* control and permissions than even your operating system of the hardware. For protection ring, it’s usually colloquially referred to as ring -3, with -1 being a hypervisor and 0 being the kernel itself.

Now, what does it use these powers to do? DRM. That’s probably the biggest. Letting the OS handle that allows things like pesky users trying to circumvent DRM. It also provides some sort of built-in anti-theft. There are probably other security features it does as well, and it can be used by the processors for other cases like deciding what runs where, but it’s not open source and is pretty much a black box. I’m sure some security people have tried to reverse parts of it.

I’d like to address the point of Management Engine. Yeah, it can be used for DRM, but it’s actually intended to be used for, you know, management.

If you work with a lot of server-grade hardware, they have something called an IPMI (Intelligent Platform Management Interface, goes by different names with different manufacturers). This lets you manage the machine remotely regardless of the state of the machine. For example, you can power the machine on and off through this interface. You can also look at the “screen” (these systems usually don’t have a monitor plugged in). You can also do a lot of hardware diagnostics and other setup.

Intel’s Management Engine brings this to “regular” PCs. If you manage a lot of desktops, this can be a _huge_ plus for your support infrastructure.

Its a piece of junk that’s what it is, it broke for me one day and leads to windows booting up very slowly.

Disable MEI from device manager if you’re having a similar issue on an older cpu. It solves the slow boot issue.

To quell some concerns people have, this is a business-class feature intended for businesses to manage their fleets of computers. It requires integration with the motherboard firmware.

It’s not a secret back door built into every home computer. Most consumer machines don’t even support it, and most vendors won’t enable it unless you ask for it when ordering.

Given that you have to ask for it, then you have to enable it, then you have to configure it, it isn’t something you really need to worry about being done to you on your personal machine, unless you buy refurbished business

There are two things to differentiate here, the firmware/software component of the Management Engine and the hardware component.

The hardware for the ME nowadays is basically its own x86 processor sitting inside of the Intel Platform Controller Hub (PCH, or just chipset). It is in a way completely separate from the CPU and in fact runs in states where the CPU isn’t even powered. It’s connected to pretty much all peripherals the PCH is connected to (so a lot, think drives, USB, certain PCIe devices that aren’t directly CPU attached).

The main role of this subsystem and the primary reason it was created is Intel Active Management Technology (but since other posts have already talked about this I’ll skip that). It has other important functions though, it acts as a “Root of Trust” for the platform; on a modern Bootguard enabled platform it is the ME that verifies that the firmware the CPU is running is signed by the OEM the device was manufactured by. This is done by the OEM “fusing” their specific public key into the PCH at time of manufacturing, essentially making it an unchangeable key embedded into the hardware. Only firmware signed with the corresponding private key can then be executed on the device. This is to prevent injecting malicious code into the firmware (which would then be able to modify the OS, and anything running on it).

The PSP is similar in that it also acts as a Root of Trust.

Edit: I’ve written a little bit about the ME and Bootguard (mostly quoting research by Trammell Hudson that is linked in the Further Reading section) here: