[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:18.07,Default,,0000,0000,0000,,{\i1}36c3 preroll music{\i0}
Dialogue: 0,0:00:18.07,0:00:27.75,Default,,0000,0000,0000,,Herald: Okay, let's go? You're ready?\NLet's hand for Cyrevolt, please.
Dialogue: 0,0:00:27.88,0:00:31.26,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:00:31.68,0:00:36.40,Default,,0000,0000,0000,,Cyrevolt: Alright, hello everyone. I am\NDaniel. You might have seen me before, I
Dialogue: 0,0:00:36.40,0:00:42.24,Default,,0000,0000,0000,,sometimes speak about open source\Nfirmware. And at some point I also had to
Dialogue: 0,0:00:42.24,0:00:48.56,Default,,0000,0000,0000,,start to look into more specific stuff. So\Nthis talk here is about the Intel
Dialogue: 0,0:00:48.56,0:00:54.16,Default,,0000,0000,0000,,Management Engine, sometimes also known as\Nthe unmanageability engine, it always depends
Dialogue: 0,0:00:54.16,0:00:57.92,Default,,0000,0000,0000,,on, you know, what website you find or\Nwhat person you ask, you might get either
Dialogue: 0,0:00:57.92,0:01:08.72,Default,,0000,0000,0000,,response or both. So let's see. A little\Ndisclaimer first: I am not trying to blame
Dialogue: 0,0:01:08.72,0:01:14.56,Default,,0000,0000,0000,,Intel for anything they have done, or\Nsomething. This year is not about whether
Dialogue: 0,0:01:14.56,0:01:20.40,Default,,0000,0000,0000,,we can trust Intel as a company or any\Nother chip vendor or vendor in general,
Dialogue: 0,0:01:21.44,0:01:27.52,Default,,0000,0000,0000,,because I cannot read their minds. I don't\Nknow their intentions. What we can only do
Dialogue: 0,0:01:27.52,0:01:33.76,Default,,0000,0000,0000,,is see what they put out in the public or\Nwhat we find in the machines that we buy.
Dialogue: 0,0:01:37.76,0:01:43.44,Default,,0000,0000,0000,,And on the other hand, we don't really\Nknow that much because especially with the
Dialogue: 0,0:01:43.44,0:01:49.12,Default,,0000,0000,0000,,Intel ME there is not very much public\Ninformation. So people try to figure
Dialogue: 0,0:01:49.12,0:01:54.80,Default,,0000,0000,0000,,things out, there are forums, there are\Ncertain small projects, like analysis
Dialogue: 0,0:01:54.80,0:02:02.16,Default,,0000,0000,0000,,tools and stuff, but all of these are\Nbased on reverse engineering or educated
Dialogue: 0,0:02:02.16,0:02:10.08,Default,,0000,0000,0000,,guessing or whatever people could just\Nfigure out. And me especially I don't know
Dialogue: 0,0:02:10.08,0:02:15.20,Default,,0000,0000,0000,,very much about it, actually. So I'm just\Nhere because I'm interested in the field
Dialogue: 0,0:02:15.20,0:02:20.88,Default,,0000,0000,0000,,and at some point there was an event which\Nmade me look into it, but more about that
Dialogue: 0,0:02:20.88,0:02:28.56,Default,,0000,0000,0000,,later. The agenda for today: I will give a\Nvery brief introduction, it will be a very
Dialogue: 0,0:02:28.56,0:02:36.24,Default,,0000,0000,0000,,bold introduction, though, into the entire\Nfield around firmware, then I will be
Dialogue: 0,0:02:36.24,0:02:43.52,Default,,0000,0000,0000,,switching over to the open source firmware\Nstuff we do, I will briefly try to explain
Dialogue: 0,0:02:44.32,0:02:53.60,Default,,0000,0000,0000,,the hardware we know as Intel's x86\Nplatforms, then I will try to give you a
Dialogue: 0,0:02:53.60,0:02:57.84,Default,,0000,0000,0000,,motivation to also look into what I have\Nbeen looking into and tell you what made
Dialogue: 0,0:02:57.84,0:03:04.96,Default,,0000,0000,0000,,me look into it, I will give you some\Nentry points for analysis, and eventually
Dialogue: 0,0:03:04.96,0:03:12.73,Default,,0000,0000,0000,,we will just get a conclusion and start to\Nthink about what we just heard. So for the
Dialogue: 0,0:03:12.73,0:03:18.80,Default,,0000,0000,0000,,introduction: Who of you in the audience\Nhas already done something with
Dialogue: 0,0:03:18.80,0:03:25.68,Default,,0000,0000,0000,,microcontrollers? Please raise your hands.\NOkay, we see lots of hands here. And in
Dialogue: 0,0:03:25.68,0:03:30.00,Default,,0000,0000,0000,,fact we actually have like hundreds or\Nthousands or millions of microcontrollers
Dialogue: 0,0:03:30.00,0:03:38.64,Default,,0000,0000,0000,,here, right, so all the lights we see over\Nhere, there are ESP8266, that board, you
Dialogue: 0,0:03:38.64,0:03:45.12,Default,,0000,0000,0000,,see in the middle there's Arduino and\Nthere's something which I like to call NOT
Dialogue: 0,0:03:45.12,0:03:48.80,Default,,0000,0000,0000,,- the network of things, because\Napparently you just need a network you
Dialogue: 0,0:03:48.80,0:03:53.04,Default,,0000,0000,0000,,don't really need the Internet for it. And\Nwe can connect all of those devices. We
Dialogue: 0,0:03:53.04,0:04:00.16,Default,,0000,0000,0000,,can remotely control them. And I'm now\Ngoing to show you, that what you have in
Dialogue: 0,0:04:00.16,0:04:10.66,Default,,0000,0000,0000,,your laptop is actually the very same\Nthing. Now this is lots of bullet points,
Dialogue: 0,0:04:10.66,0:04:16.66,Default,,0000,0000,0000,,and I'm very sorry for it, but this gives\Nyou a feeling of what we are dealing with
Dialogue: 0,0:04:16.66,0:04:25.28,Default,,0000,0000,0000,,here. In your laptop you have multiple\Nsuch controllers which are very similar to
Dialogue: 0,0:04:25.28,0:04:32.40,Default,,0000,0000,0000,,the Arduino or ESP microcontrollers that\Nyou already know. Some of them are for
Dialogue: 0,0:04:32.40,0:04:38.48,Default,,0000,0000,0000,,very, very specific functionality - so\Neveryone knows the USB controllers, we
Dialogue: 0,0:04:38.48,0:04:46.16,Default,,0000,0000,0000,,have USB controllers, we have PCI, where\Nother devices are connected, we have GPUs,
Dialogue: 0,0:04:47.60,0:04:56.56,Default,,0000,0000,0000,,we have a whole lot more. But the very\Ncore - that's what is known as the chipset
Dialogue: 0,0:04:57.20,0:05:05.20,Default,,0000,0000,0000,,and the CPU. It can sometimes also be one\Nsingle chip, like in this graphic here,
Dialogue: 0,0:05:05.20,0:05:10.24,Default,,0000,0000,0000,,which I have borrowed from Intel - just\Nadjusted the colors a bit to make it fit
Dialogue: 0,0:05:10.24,0:05:14.40,Default,,0000,0000,0000,,with the slides - and here you can see\Nlots of lines connecting all of those
Dialogue: 0,0:05:14.40,0:05:22.00,Default,,0000,0000,0000,,controllers. Now there's some other\Ncontrollers which I also started to look
Dialogue: 0,0:05:22.00,0:05:28.08,Default,,0000,0000,0000,,into. They are called the embedded\Ncontroller which is an additional
Dialogue: 0,0:05:28.08,0:05:35.20,Default,,0000,0000,0000,,microcontroller on your laptop for power\Nmanagement, for controlling the charging
Dialogue: 0,0:05:35.20,0:05:41.84,Default,,0000,0000,0000,,circuit. When you connect your charger to\Nyour battery you will see an LED, that's
Dialogue: 0,0:05:41.84,0:05:45.76,Default,,0000,0000,0000,,what this device is doing. It might be\Nconnected to a keyboard, to your mouse.
Dialogue: 0,0:05:47.12,0:05:53.12,Default,,0000,0000,0000,,And there is a very similar concept also\Nfor servers. It's called BMC or Baseboard
Dialogue: 0,0:05:53.12,0:06:00.48,Default,,0000,0000,0000,,Management Controller. Its purpose is to\Nremotely control a server, so you don't
Dialogue: 0,0:06:00.48,0:06:05.20,Default,,0000,0000,0000,,have to actually go to a data center.\NImagine you're administrating 5 data
Dialogue: 0,0:06:05.20,0:06:09.92,Default,,0000,0000,0000,,centers all across the world, you can't\Nliterally be in all of them at the same
Dialogue: 0,0:06:09.92,0:06:15.60,Default,,0000,0000,0000,,time. So that's why they came up with an\Ninterface to remotely control it and
Dialogue: 0,0:06:15.60,0:06:20.48,Default,,0000,0000,0000,,they've made a dedicated chip for it which\Nis also connected to many devices on the
Dialogue: 0,0:06:20.48,0:06:25.94,Default,,0000,0000,0000,,server platform. Then there is one thing\Nyou might also have heard about: a so
Dialogue: 0,0:06:25.94,0:06:33.92,Default,,0000,0000,0000,,called TPM - a Trusted Platform Module -\Nand its main purpose is to give you a
Dialogue: 0,0:06:33.92,0:06:40.16,Default,,0000,0000,0000,,very small trust anchor from which you can\Nrun all of your top-level applications,
Dialogue: 0,0:06:40.16,0:06:47.20,Default,,0000,0000,0000,,below which is an operating system, which\Nis actually running after a bootloader,
Dialogue: 0,0:06:47.20,0:06:51.20,Default,,0000,0000,0000,,which is actually started from your\Nfirmware, which is actually loaded from
Dialogue: 0,0:06:51.20,0:06:59.28,Default,,0000,0000,0000,,your chipset. And that's how deep the\Nrabbit-hole goes. Now let's look at open
Dialogue: 0,0:06:59.28,0:07:08.64,Default,,0000,0000,0000,,source projects. We have projects for all\Nsorts of features around the CPU. The CPU,
Dialogue: 0,0:07:08.64,0:07:15.36,Default,,0000,0000,0000,,before your laptop can even start up, it\Nhas to be initialized. It also has to know
Dialogue: 0,0:07:15.36,0:07:20.64,Default,,0000,0000,0000,,the RAM. When you boot up a machine it\Ndoesn't yet really know anything about
Dialogue: 0,0:07:20.64,0:07:29.88,Default,,0000,0000,0000,,RAM. That's what the coreboot project is\Ndoing. Now today we have a bit of a
Dialogue: 0,0:07:29.88,0:07:35.80,Default,,0000,0000,0000,,problem, because we don't have enough\Ninformation to actually program coreboot
Dialogue: 0,0:07:35.80,0:07:43.96,Default,,0000,0000,0000,,for modern machines. So there is a\Ndifferent approach now. You know the UEFI
Dialogue: 0,0:07:43.96,0:07:52.47,Default,,0000,0000,0000,,or Unified Extensible Firmware Interface?\NIt's a bit of a different approach also to
Dialogue: 0,0:07:52.47,0:07:58.28,Default,,0000,0000,0000,,initialize hardware but also to hand over\Nto an operating system. But the thing is
Dialogue: 0,0:07:58.28,0:08:02.10,Default,,0000,0000,0000,,there is lots of drivers in there and\Nstuff. So we want to replace that with the
Dialogue: 0,0:08:02.10,0:08:06.07,Default,,0000,0000,0000,,Linux kernel - that's what the LinuxBoot\Napproach is doing - there're different
Dialogue: 0,0:08:06.07,0:08:12.36,Default,,0000,0000,0000,,implementations - there is Heads, there is\Nu-root. And that's how we can start modern
Dialogue: 0,0:08:12.36,0:08:18.92,Default,,0000,0000,0000,,machines with a bit more knowledge. For\Nembedded controllers we have the projects
Dialogue: 0,0:08:18.92,0:08:24.44,Default,,0000,0000,0000,,from Google for the Chromebooks. There's\Nlots of open source implementations but
Dialogue: 0,0:08:24.44,0:08:29.29,Default,,0000,0000,0000,,they only apply to very specific hardware.\NYou could find all of that stuff on the
Dialogue: 0,0:08:29.29,0:08:35.82,Default,,0000,0000,0000,,web of course. And, then System76 is also\Ncurrently working in that field for their
Dialogue: 0,0:08:35.82,0:08:43.60,Default,,0000,0000,0000,,laptops, and eventually for the BMCs I\Njust introduced you to, there are also two
Dialogue: 0,0:08:43.60,0:08:51.52,Default,,0000,0000,0000,,projects: there is the OpenBMC project and\Nthe euro project. Okay, so that's how far
Dialogue: 0,0:08:51.52,0:08:56.72,Default,,0000,0000,0000,,we are, but that's not what I'm talking\Nabout today, I'm talking about something
Dialogue: 0,0:08:56.72,0:09:06.24,Default,,0000,0000,0000,,else. And that's why we have to take a\Ncloser look at Intel x86 hardware. This
Dialogue: 0,0:09:06.24,0:09:11.84,Default,,0000,0000,0000,,here is an example of a platform which has\Na dedicated chipset and a processor. This
Dialogue: 0,0:09:14.96,0:09:20.24,Default,,0000,0000,0000,,is also a graphic I borrowed from Intel,\Nonce again. It shows you where all of
Dialogue: 0,0:09:20.24,0:09:26.72,Default,,0000,0000,0000,,those peripherals are connected, so,\Nagain, we have USB, we have Ethernet, but
Dialogue: 0,0:09:26.72,0:09:32.96,Default,,0000,0000,0000,,there is more to it, actually. And, you\Ncan clearly see that this chipset here,
Dialogue: 0,0:09:32.96,0:09:38.72,Default,,0000,0000,0000,,it's quite a large box and there is a\Nreason for it, because that's where
Dialogue: 0,0:09:38.72,0:09:46.00,Default,,0000,0000,0000,,actually most of the chips are connecting.\NThat's why Intel calls it the Platform
Dialogue: 0,0:09:46.00,0:09:53.28,Default,,0000,0000,0000,,Controller Hub, or a PCH for short. Now\Nlet's look closer at the Denverton
Dialogue: 0,0:09:53.28,0:09:58.24,Default,,0000,0000,0000,,platform. Denverton is one of those model\Nnames for the platforms - Intel always
Dialogue: 0,0:09:58.24,0:10:05.20,Default,,0000,0000,0000,,comes up with these names and here we have\Na very brief summary of what peripherals
Dialogue: 0,0:10:05.20,0:10:11.84,Default,,0000,0000,0000,,we have and if you look very closely in\Nthe upper right corner, there is two so-
Dialogue: 0,0:10:11.84,0:10:20.00,Default,,0000,0000,0000,,called engines mentioned: one of them is\Nthe Innovation Engine, the other one is
Dialogue: 0,0:10:20.00,0:10:24.79,Default,,0000,0000,0000,,the Management Engine, which we're dealing\Nwith today. The Innovation Engine has a
Dialogue: 0,0:10:24.79,0:10:32.45,Default,,0000,0000,0000,,very brief description, it says it's\Nsomething about innovation, it's something
Dialogue: 0,0:10:32.45,0:10:37.07,Default,,0000,0000,0000,,about firmware, but actually I have not\Nyet found any use for it but it's there in
Dialogue: 0,0:10:37.07,0:10:41.83,Default,,0000,0000,0000,,your hardware. So if you have a Denverton\Nchip in your laptop, or wherever you might
Dialogue: 0,0:10:41.83,0:10:47.14,Default,,0000,0000,0000,,find it, you have some features there but\NI don't know what they are for. Okay, so
Dialogue: 0,0:10:47.14,0:10:53.56,Default,,0000,0000,0000,,let's look at the Management Engine,\Ntoday. Because the thing is: Hardware is
Dialogue: 0,0:10:53.56,0:11:01.56,Default,,0000,0000,0000,,evolving. The Management Engine today is\Nnot the Management Engine from a few years
Dialogue: 0,0:11:01.56,0:11:07.27,Default,,0000,0000,0000,,ago. So with new hardware we get different\Nchips over time, they are attached to
Dialogue: 0,0:11:07.27,0:11:13.84,Default,,0000,0000,0000,,different other peripherals over time, and\Nthey're given different purposes. So
Dialogue: 0,0:11:13.84,0:11:21.51,Default,,0000,0000,0000,,basically the ME itself is just a\Nmicrocontroller like Arduino and it's part
Dialogue: 0,0:11:21.51,0:11:28.07,Default,,0000,0000,0000,,of your chipset. If you have a combined\Nchipset and main processor, it's in that
Dialogue: 0,0:11:28.07,0:11:32.54,Default,,0000,0000,0000,,one single chip and that's where it is.\NBut that's not where it started. It
Dialogue: 0,0:11:32.54,0:11:39.64,Default,,0000,0000,0000,,actually started as the so called Active\NManagement Technology. The idea was that
Dialogue: 0,0:11:39.64,0:11:45.45,Default,,0000,0000,0000,,you could remotely control a device and\Nprovision it, just like what I described
Dialogue: 0,0:11:45.45,0:11:51.96,Default,,0000,0000,0000,,you as the Baseboard Management Controller\Nfor servers. It's the same thing but for,
Dialogue: 0,0:11:51.96,0:11:57.36,Default,,0000,0000,0000,,let's say, laptops, desktop PCs. Imagine\Nyou're running a very huge company and you
Dialogue: 0,0:11:57.36,0:12:02.56,Default,,0000,0000,0000,,have hundreds of devices to maintain. Now,\Nyou have to this BMC thingy for servers
Dialogue: 0,0:12:03.20,0:12:06.83,Default,,0000,0000,0000,,and this thing here for your desktop\Ndevices. Now the question is: why is it
Dialogue: 0,0:12:06.83,0:12:16.63,Default,,0000,0000,0000,,actually connected to all of those\Nperipherals? First of all there was a bit
Dialogue: 0,0:12:16.63,0:12:24.86,Default,,0000,0000,0000,,of a renaming recently: it's no longer\Njust called the ME, it's called the CSME:
Dialogue: 0,0:12:24.86,0:12:33.10,Default,,0000,0000,0000,,Converged Security and Manageability or\NManagement Engine. It can load your
Dialogue: 0,0:12:33.10,0:12:40.12,Default,,0000,0000,0000,,firmware and verify it and with that\Nfirmware we are now talking about the host
Dialogue: 0,0:12:40.12,0:12:46.42,Default,,0000,0000,0000,,CPU firmware. That thing that coreboot can\Nbe doing or what your vendor's UEFI
Dialogue: 0,0:12:46.42,0:12:54.32,Default,,0000,0000,0000,,firmware is doing. If that firmware is not\Nas expected, which means it's not signed
Dialogue: 0,0:12:54.32,0:13:03.24,Default,,0000,0000,0000,,with a certain key from either Intel or\Nyour OEM, the equipment manufacturer which
Dialogue: 0,0:13:03.24,0:13:12.14,Default,,0000,0000,0000,,can be HP or Asus or whatever, then your\Nlaptop might not boot. That's a feature,
Dialogue: 0,0:13:12.14,0:13:19.96,Default,,0000,0000,0000,,it's a security feature. Now the problem\Nis: if we want to legitimately replace the
Dialogue: 0,0:13:19.96,0:13:26.52,Default,,0000,0000,0000,,firmware with our own implementations we\Ncan't do it, if this certain feature is
Dialogue: 0,0:13:26.52,0:13:31.80,Default,,0000,0000,0000,,activated. It's also known as Boot Guard.\NBut, again, this is not what we're talking
Dialogue: 0,0:13:31.80,0:13:41.52,Default,,0000,0000,0000,,about today, I want to look at something\Nelse. This here is how your machine boots
Dialogue: 0,0:13:41.52,0:13:49.64,Default,,0000,0000,0000,,up: On the left-hand you see the flow I\Njust described you, what the ME is doing.
Dialogue: 0,0:13:49.64,0:13:55.23,Default,,0000,0000,0000,,You press the power button on your\Nmachine. The ME is coming up, it's
Dialogue: 0,0:13:55.23,0:14:01.67,Default,,0000,0000,0000,,initializing itself first with its own\Nfirmware, that's the RBE-phase - a bit
Dialogue: 0,0:14:01.67,0:14:10.40,Default,,0000,0000,0000,,more about that later. Then there is a\Nbringup phase, which hands over to the ME
Dialogue: 0,0:14:10.40,0:14:16.00,Default,,0000,0000,0000,,operating system, if that version of your\NME actually has an operating system, which
Dialogue: 0,0:14:16.00,0:14:25.76,Default,,0000,0000,0000,,is not necessarily the case. It will reset\Nthe CPU itself. It will trigger the
Dialogue: 0,0:14:25.76,0:14:32.00,Default,,0000,0000,0000,,firmware on the CPU to start, that's where\Ncoreboot could take over or your vendor's
Dialogue: 0,0:14:32.00,0:14:39.12,Default,,0000,0000,0000,,UEFI firmware, it notes some microcode\Nupdates, it comes to the initialization
Dialogue: 0,0:14:39.12,0:14:44.72,Default,,0000,0000,0000,,phase where you get RAM and the CPU and\Neventually all the features you have in
Dialogue: 0,0:14:44.72,0:14:51.60,Default,,0000,0000,0000,,your chipset itself, until you can boot\Nyour host operating system. Now at the
Dialogue: 0,0:14:51.60,0:14:56.72,Default,,0000,0000,0000,,same time there is two more chips even\Nbeing powered on: one is the PMC, the
Dialogue: 0,0:14:56.72,0:15:02.00,Default,,0000,0000,0000,,Power Management Controller, which also\Ngets some updates or patches from the ME
Dialogue: 0,0:15:02.00,0:15:07.04,Default,,0000,0000,0000,,firmware, and the EC, the Embedded\NController, I already described you, which
Dialogue: 0,0:15:07.04,0:15:15.52,Default,,0000,0000,0000,,is just running in parallel. But in fact\Nthese are all connected to each other. And
Dialogue: 0,0:15:15.52,0:15:20.48,Default,,0000,0000,0000,,here's some of the features summarized\Nwhich we have in ME: so the Active
Dialogue: 0,0:15:20.48,0:15:25.04,Default,,0000,0000,0000,,Management Technology is implemented for\Nexample in the Linux kernel, there is a
Dialogue: 0,0:15:25.04,0:15:33.04,Default,,0000,0000,0000,,driver for it. It could do hardware\Nmonitoring, it can monitor if your chips
Dialogue: 0,0:15:33.04,0:15:40.24,Default,,0000,0000,0000,,are overheating, it can have other sensors\Nconnected to it, it can do power control,
Dialogue: 0,0:15:40.96,0:15:44.80,Default,,0000,0000,0000,,that's why I just described you, just like\Na BMC you can power cycle your system
Dialogue: 0,0:15:44.80,0:15:49.92,Default,,0000,0000,0000,,through it. You could update your\Noperating system out-of-band, so not like
Dialogue: 0,0:15:49.92,0:15:55.28,Default,,0000,0000,0000,,using apt-get upgrade or something. No,\Ninstead you would just do it from outside.
Dialogue: 0,0:15:57.52,0:16:03.60,Default,,0000,0000,0000,,So you could reformat an entire disk,\Nreplace it with a new image. You have a
Dialogue: 0,0:16:03.60,0:16:09.84,Default,,0000,0000,0000,,bit of storage and you even have a proxy\Nfor a keyboard and mouse and the video
Dialogue: 0,0:16:09.84,0:16:16.64,Default,,0000,0000,0000,,interface, so it's like VNC literally.\NThat's what we know from the public
Dialogue: 0,0:16:16.64,0:16:23.52,Default,,0000,0000,0000,,documentation. Now the interface that is\Nimplemented in the Linux kernel has been
Dialogue: 0,0:16:23.52,0:16:29.84,Default,,0000,0000,0000,,extended a bit. Now we have a dedicated\Nchip, which was pulled out of the ME, the
Dialogue: 0,0:16:29.84,0:16:35.92,Default,,0000,0000,0000,,ISH, or Integrated Sensor Hub. It just\Ndoes the very basic things I just
Dialogue: 0,0:16:35.92,0:16:39.84,Default,,0000,0000,0000,,described you about sensors just in a\Ndedicated chip. That's a good development
Dialogue: 0,0:16:39.84,0:16:45.39,Default,,0000,0000,0000,,actually because now we don't have a\Nsingle point of failure which has
Dialogue: 0,0:16:45.39,0:16:51.01,Default,,0000,0000,0000,,everything, we have a single point of\Nfailure which has everything but this
Dialogue: 0,0:16:51.01,0:16:58.36,Default,,0000,0000,0000,,part. There are BIOS extensions. In your\Nhost firmware there can also be certain
Dialogue: 0,0:16:58.36,0:17:06.10,Default,,0000,0000,0000,,libraries or drivers which are connecting\Nto the ME. You can control the ME through
Dialogue: 0,0:17:06.10,0:17:13.04,Default,,0000,0000,0000,,it. If you have a business laptop you\Nmight be running the corporate version of
Dialogue: 0,0:17:13.04,0:17:19.42,Default,,0000,0000,0000,,the ME firmware and then you might press\NF6 or Ctrl+P when booting up, and you
Dialogue: 0,0:17:19.42,0:17:25.76,Default,,0000,0000,0000,,might get a prompt. If you are still in\Nthe manufacturing mode or you just bought
Dialogue: 0,0:17:25.76,0:17:30.13,Default,,0000,0000,0000,,the machine very fresh, just type "admin"\Nthat's the default password - that's
Dialogue: 0,0:17:30.13,0:17:34.84,Default,,0000,0000,0000,,publicly documented by the way it's not\Nsomething I found somewhere but in Intel's
Dialogue: 0,0:17:34.84,0:17:40.02,Default,,0000,0000,0000,,own documentation. And then you can start\Nusing that feature. So this might apply, I
Dialogue: 0,0:17:40.02,0:17:45.20,Default,,0000,0000,0000,,haven't confirmed it, but it might apply\Nto the HP EliteBooks for example which are
Dialogue: 0,0:17:45.20,0:17:50.18,Default,,0000,0000,0000,,for business use or certain Lenovo\NThinkPads from the T-series. You could try
Dialogue: 0,0:17:50.18,0:17:59.20,Default,,0000,0000,0000,,it on your machines, maybe. Now I've\Nalready described you that there are lots
Dialogue: 0,0:17:59.20,0:18:05.84,Default,,0000,0000,0000,,of different variants and versions of the\NManagement Engine. We have a very, very
Dialogue: 0,0:18:05.84,0:18:11.20,Default,,0000,0000,0000,,long timeline here, we are talking about\Nyears starting from 2004 until now, so
Dialogue: 0,0:18:11.20,0:18:20.72,Default,,0000,0000,0000,,it's 15 years since the Active Management\NTechnology was announced until today where
Dialogue: 0,0:18:20.72,0:18:25.24,Default,,0000,0000,0000,,we have version 12 of the Management\NEngine. The problem with this timeline
Dialogue: 0,0:18:25.24,0:18:32.73,Default,,0000,0000,0000,,here is, again the disclaimer, I cannot\Nreally verify all of this information. I
Dialogue: 0,0:18:32.73,0:18:38.08,Default,,0000,0000,0000,,have mostly gathered it from different\Nsources, so don't take all of this for
Dialogue: 0,0:18:38.08,0:18:43.29,Default,,0000,0000,0000,,granted. Some of this might also just\Ninclude some educated guessing from my
Dialogue: 0,0:18:43.29,0:18:48.97,Default,,0000,0000,0000,,side. If you find any errors, you will get\Nthe links later, you can file me bugs or
Dialogue: 0,0:18:48.97,0:18:54.41,Default,,0000,0000,0000,,send your pull requests. So we're at\Nversion 12 now. For each version of the
Dialogue: 0,0:18:54.41,0:19:00.31,Default,,0000,0000,0000,,Management Engine there's release notes,\Nthey are public. So in ME 12 they just
Dialogue: 0,0:19:00.31,0:19:08.17,Default,,0000,0000,0000,,dropped version 1 for TLS, 1.2 is now in\Nand we have a few other features. Some of
Dialogue: 0,0:19:08.17,0:19:11.31,Default,,0000,0000,0000,,them I don't even know but you can look it\Nup on Intel's documentation. Those are the
Dialogue: 0,0:19:11.31,0:19:22.52,Default,,0000,0000,0000,,variants we already know, consumer,\Ncorporate, a slim version apparently,
Dialogue: 0,0:19:22.52,0:19:28.28,Default,,0000,0000,0000,,there's the SPS version which was made for\Nservers and now there is something called
Dialogue: 0,0:19:28.28,0:19:36.88,Default,,0000,0000,0000,,Ignition. Which actually brings us to our\Nmotivation here. This is an email from the
Dialogue: 0,0:19:36.88,0:19:44.16,Default,,0000,0000,0000,,EDK2 non-osi mailing list. They\Nannounced a version of the ME binary which
Dialogue: 0,0:19:44.16,0:19:48.88,Default,,0000,0000,0000,,can finally be distributed. So you can\Ngive it to other people. You couldn't do
Dialogue: 0,0:19:48.88,0:19:54.40,Default,,0000,0000,0000,,that before. Well, at least not\Nofficially. Of course when you get
Dialogue: 0,0:19:54.40,0:19:59.84,Default,,0000,0000,0000,,firmware updates from your supplier, you\Nget those binaries in a way, but it's not
Dialogue: 0,0:19:59.84,0:20:05.84,Default,,0000,0000,0000,,like you download them from Intel\Ndirectly. Which means that now we can
Dialogue: 0,0:20:05.84,0:20:12.80,Default,,0000,0000,0000,,offer full images of custom firmware based\Non coreboot, based on this ME binary here
Dialogue: 0,0:20:13.44,0:20:22.72,Default,,0000,0000,0000,,and whatever we want to tailor it for. So\Nlet's follow the yellow-brick road. This
Dialogue: 0,0:20:22.72,0:20:30.80,Default,,0000,0000,0000,,is the license. The license allows\Nbasically only redistribution, you may not
Dialogue: 0,0:20:30.80,0:20:37.04,Default,,0000,0000,0000,,make any changes, you may not reverse it,\Nyou may not decompile it, you may not
Dialogue: 0,0:20:37.04,0:20:42.72,Default,,0000,0000,0000,,disassemble it. Now how do we actually\Nverify that it works as desired and as
Dialogue: 0,0:20:42.72,0:20:48.56,Default,,0000,0000,0000,,promised? Pay no attention to the man\Nbehind the curtain! If you have seen The
Dialogue: 0,0:20:48.56,0:20:55.01,Default,,0000,0000,0000,,Wizard of Oz, you know the scene. That's\Nliterally what they want. Their philosophy
Dialogue: 0,0:20:55.01,0:21:04.64,Default,,0000,0000,0000,,is kind of a shallow thing, so they don't\Nreally want to be very open with
Dialogue: 0,0:21:04.64,0:21:09.68,Default,,0000,0000,0000,,information. This here is from a training\Nslide, it's an official training that
Dialogue: 0,0:21:09.68,0:21:14.56,Default,,0000,0000,0000,,Intel is giving at certain events. They\Ntell people: "Well, we have lots of
Dialogue: 0,0:21:14.56,0:21:18.56,Default,,0000,0000,0000,,firmware developers, we want to support\Nthem in a way, but not too much actually."
Dialogue: 0,0:21:21.92,0:21:28.08,Default,,0000,0000,0000,,I have to be a bit quick because I have\Nmore slides than time. Here's the vendor's
Dialogue: 0,0:21:28.08,0:21:32.56,Default,,0000,0000,0000,,perspective from Intel's FSP white paper.\NFSP is the Firmware Support
Dialogue: 0,0:21:32.56,0:21:39.68,Default,,0000,0000,0000,,Package. They're saying they're working\Ntowards, well, releasing something, but
Dialogue: 0,0:21:39.68,0:21:43.92,Default,,0000,0000,0000,,actually not. So if you have a binary and\Nit works as desired then it's okay,
Dialogue: 0,0:21:43.92,0:21:50.32,Default,,0000,0000,0000,,otherwise, well, not so much but they\Npromise it works. And the same applies for
Dialogue: 0,0:21:50.32,0:21:56.64,Default,,0000,0000,0000,,ME, I guess. Which is where Dexter's law\Napplies, which is saying that only
Dialogue: 0,0:21:56.64,0:22:04.00,Default,,0000,0000,0000,,proprietary software vendors actually want\Nproprietary software. And now that's the
Dialogue: 0,0:22:04.00,0:22:08.64,Default,,0000,0000,0000,,issue, if somebody is attacking your\Nsystem, they do not play by the rules.
Dialogue: 0,0:22:11.04,0:22:15.14,Default,,0000,0000,0000,,Let's take some first steps into that\Ndirection. There are some analysis tools,
Dialogue: 0,0:22:15.14,0:22:21.33,Default,,0000,0000,0000,,there's the me_cleaner, MEAnalyzer and\Nmore. There has been some reverse
Dialogue: 0,0:22:21.33,0:22:26.11,Default,,0000,0000,0000,,engineering, not from my side, because of\Ncourse the license doesn't allow it. More
Dialogue: 0,0:22:26.11,0:22:30.63,Default,,0000,0000,0000,,information can be found in other talks.\NThere was the Plundervolt attack, just
Dialogue: 0,0:22:30.63,0:22:38.16,Default,,0000,0000,0000,,recently, which was actually based on\Nreverse engineering. And now I'm afraid I
Dialogue: 0,0:22:38.16,0:22:41.88,Default,,0000,0000,0000,,have to cut it here. We have security\Nissues. We want to analyze firmware.
Dialogue: 0,0:22:41.88,0:22:54.20,Default,,0000,0000,0000,,Here's a bit of data structures, I will\Njust briefly skim through those now. You
Dialogue: 0,0:22:54.20,0:23:03.92,Default,,0000,0000,0000,,can approach me later for more. And I want\Nto briefly come to this conclusion because
Dialogue: 0,0:23:03.92,0:23:08.96,Default,,0000,0000,0000,,this is the important part. So for\Nsecurity all firmware has to be open
Dialogue: 0,0:23:08.96,0:23:17.04,Default,,0000,0000,0000,,source. Here's the list of acronyms, some\Nother talks to refer to again. Thanks to
Dialogue: 0,0:23:17.04,0:23:20.80,Default,,0000,0000,0000,,everyone who has actually helped me with\Nthis, that's all the hackerspaces I hang
Dialogue: 0,0:23:20.80,0:23:25.60,Default,,0000,0000,0000,,out at, the Chaos West team and the stage\Nhere, of course, and the open source
Dialogue: 0,0:23:25.60,0:23:30.72,Default,,0000,0000,0000,,firmware projects. Please come to our\Nassembly, it's right over there, if you
Dialogue: 0,0:23:30.72,0:23:39.68,Default,,0000,0000,0000,,want to know more. So thanks, first. If\Nyou have any questions, please approach me
Dialogue: 0,0:23:39.68,0:23:45.52,Default,,0000,0000,0000,,now or, well, just in a bit at the\Nassembly. I guess we have time for one
Dialogue: 0,0:23:45.52,0:23:49.42,Default,,0000,0000,0000,,very small question, now.\NHerald: Yeah, thank you very much, let's
Dialogue: 0,0:23:49.42,0:23:53.10,Default,,0000,0000,0000,,have a hand.\N{\i1}Applause{\i0}
Dialogue: 0,0:23:53.10,0:24:00.66,Default,,0000,0000,0000,,Herald: There'll be two mics, they're lit.\NWe have time for one question or maybe two
Dialogue: 0,0:24:00.66,0:24:08.55,Default,,0000,0000,0000,,but short ones. Anybody has a question?\NNo? About all the fun you can have and not
Dialogue: 0,0:24:08.55,0:24:21.28,Default,,0000,0000,0000,,supposed to have. Okay. Thank you very\Nmuch. Okay, in which case let's close it
Dialogue: 0,0:24:22.64,0:24:30.47,Default,,0000,0000,0000,,and take your trash, please, and be\Nexcellent to each. Thank you very much.
Dialogue: 0,0:24:30.47,0:24:33.57,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:24:33.57,0:24:35.72,Default,,0000,0000,0000,,{\i1}36c3 postroll music{\i0}
Dialogue: 0,0:24:35.72,0:24:59.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!