Intel Management Engine


Hi, I just heard about this today and did a bit of research on it, but the things I found were too technically savvy for me, and some were quite ambiguous in their explanations. Before I ask the question, I would like to say that I do understand technical terms relating to computers and their hardware, but I might not fully get some of the acronyms. That being said, my main questions are:

What the hell is Intel ME and also AMD's PSP? What do they do – what’s the point of having them? Why can’t we just integrate all the management software onto the CPU and must rely on a separate independent processor (is that what it is)? What protection ring would it be classified as (might help to explain how the layers may interact with one another)? Finally, how big of a security risk does it pose?

I know those are a bunch of questions and they will elicit a large and thought-out response, but to anyone who has knowledge about this specific niche and has the time, I would greatly appreciate it.

Thanks again.


15 Answers

Anonymous 0 Comments

There are two things to differentiate here: the firmware/software component of the Management Engine and the hardware component.

The hardware for the ME nowadays is basically its own x86 processor sitting inside of the Intel Platform Controller Hub (PCH, or just chipset). It is in a way completely separate from the CPU and in fact runs in states where the CPU isn’t even powered. It’s connected to pretty much all peripherals the PCH is connected to (so a lot, think drives, USB, certain PCIe devices that aren’t directly CPU attached).

The main role of this subsystem and the primary reason it was created is Intel Active Management Technology (but since other posts have already talked about this I’ll skip that). It has other important functions though; it acts as a “Root of Trust” for the platform: on a modern Bootguard enabled platform it is the ME that verifies that the firmware the CPU is running is signed by the OEM the device was manufactured by. This is done by the OEM “fusing” their specific public key into the PCH at time of manufacturing, essentially making it an unchangeable key embedded into the hardware. Only firmware signed with the corresponding private key can then be executed on the device. This is to prevent injecting malicious code into the firmware (which would then be able to modify the OS, and anything running on it).

The PSP is similar in that it also acts as a Root of Trust.

Edit: I’ve written a little bit about the ME and Bootguard (mostly quoting research by Trammell Hudson that is linked in the Further Reading section) here: https://github.com/ISpillMyDrink/UEFI-Repair-Guide/wiki/Intel-Converged-Security-and-Manageability-Engine
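The fused-key check described in the answer above, as an added sketch that is not part of the original answer and is not Intel's or any OEM's code. Assumptions: the fuses are modelled as holding a SHA-256 hash of the OEM public key, textbook RSA over constructed toy keys (built from Mersenne primes) stands in for the real signature scheme, and every name is hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two primes (constructed for the demo, not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data):
    # Firmware measurement as an integer smaller than every modulus used here
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def key_hash(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def sign(key, firmware):
    # OEM side: done once at build time with the private exponent
    return pow(digest(firmware), key["d"], key["n"])

def verify_boot(fused_hash, pub, firmware, signature):
    """Root-of-trust side: returns (ok, reason) before the firmware may run."""
    if key_hash(pub) != fused_hash:
        return False, "key does not match fuses"
    n, e = pub
    if pow(signature, e, n) != digest(firmware):
        return False, "bad firmware signature"
    return True, "boot"

OEM = make_key(2**521 - 1, 2**607 - 1)      # constructed OEM key
OTHER = make_key(2**607 - 1, 2**127 - 1)    # constructed key the OEM never fused
FUSED = key_hash((OEM["n"], OEM["e"]))      # written once at manufacturing

def demo():
    fw = b"constructed firmware image v1"
    oem_pub, other_pub = (OEM["n"], OEM["e"]), (OTHER["n"], OTHER["e"])
    return [
        verify_boot(FUSED, oem_pub, fw, sign(OEM, fw)),           # genuine image
        verify_boot(FUSED, oem_pub, fw + b"!", sign(OEM, fw)),    # image modified after signing
        verify_boot(FUSED, other_pub, fw, sign(OTHER, fw)),       # valid signature, wrong key
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case is why the key material is anchored in hardware: a signature that verifies under some other key is still refused because that key does not match the fuses.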
