36c3 preroll music Herald: Okay, let's go? You're ready? Let's hand for Cyrevolt, please. applause Cyrevolt: Alright, hello everyone. I am Daniel. You might have seen me before, I sometimes speak about open source firmware. And at some point I also had to start to look into more specific stuff. So this talk here is about the Intel Management Engine, sometimes also known as the unmanageability engine, it always depends on, you know, what website you find or what person you ask, you might get either response or both. So let's see. A little disclaimer first: I am not trying to blame Intel for anything they have done, or something. This year is not about whether we can trust Intel as a company or any other chip vendor or vendor in general, because I cannot read their minds. I don't know their intentions. What we can only do is see what they put out in the public or what we find in the machines that we buy. And on the other hand, we don't really know that much because especially with the Intel ME there is not very much public information. So people try to figure things out, there are forums, there are certain small projects, like analysis tools and stuff, but all of these are based on reverse engineering or educated guessing or whatever people could just figure out. And me especially I don't know very much about it, actually. So I'm just here because I'm interested in the field and at some point there was an event which made me look into it, but more about that later. The agenda for today: I will give a very brief introduction, it will be a very bold introduction, though, into the entire field around firmware, then I will be switching over to the open source firmware stuff we do, I will briefly try to explain the hardware we know as Intel's x86 platforms, then I will try to give you a motivation to also look into what I have been looking into and tell you what made me look into it, I will give you some entry points for analysis, and eventually we will just get a conclusion and start to think about what we just heard. So for the introduction: Who of you in the audience has already done something with microcontrollers? Please raise your hands. Okay, we see lots of hands here. And in fact we actually have like hundreds or thousands or millions of microcontrollers here, right, so all the lights we see over here, there are ESP8266, that board, you see in the middle there's Arduino and there's something which I like to call NOT - the network of things, because apparently you just need a network you don't really need the Internet for it. And we can connect all of those devices. We can remotely control them. And I'm now going to show you, that what you have in your laptop is actually the very same thing. Now this is lots of bullet points, and I'm very sorry for it, but this gives you a feeling of what we are dealing with here. In your laptop you have multiple such controllers which are very similar to the Arduino or ESP microcontrollers that you already know. Some of them are for very, very specific functionality - so everyone knows the USB controllers, we have USB controllers, we have PCI, where other devices are connected, we have GPUs, we have a whole lot more. But the very core - that's what is known as the chipset and the CPU. It can sometimes also be one single chip, like in this graphic here, which I have borrowed from Intel - just adjusted the colors a bit to make it fit with the slides - and here you can see lots of lines connecting all of those controllers. Now there's some other controllers which I also started to look into. They are called the embedded controller which is an additional microcontroller on your laptop for power management, for controlling the charging circuit. When you connect your charger to your battery you will see an LED, that's what this device is doing. It might be connected to a keyboard, to your mouse. And there is a very similar concept also for servers. It's called BMC or Baseboard Management Controller. It's purpose is to remotely control a server, so you don't have to actually go to a data center. Imagine you're administrating 5 data centers all across the world, you can't literally be in all of them at the same time. So that's why they came up with an interface to remotely control it and they've made a dedicated chip for it which is also connected to many devices on the server platform. Then there is one thing you might also have heard about: a so called TPM - a Trusted Platform Module - and it's main purpose is to give you a very small trust anchor from which you can run all of your top-level applications, below which is an operating system, which is actually running after a bootloader, which is actually started from your firmware, which is actually loaded from your chipset. And that's how deep the rabbit-hole goes. Now let's look at open source projects. We have projects for all sorts of features around the CPU. The CPU, before your laptop can even start up, it has to be initialized. It also has to know the RAM. When you boot up a machine it doesn't yet really know anything about RAM. That's what the coreboot project is doing. Now today we have a bit of a problem, because we don't have enough information to actually program coreboot for modern machines. So there is a different approach now. You know the UEFI or Unified Extensible Firmware Interface? It's a bit of a different approach also to initialize hardware but also to hand over to an operating system. But the thing is there is lots of drivers in there and stuff. So we want to replace that with the Linux kernel - that's what the LinuxBoot approach is doing - there're different implementations - there is Heads, there is u-root. And that's how we can start modern machines with a bit more knowledge. For embedded controllers we have the projects from Google for the Chromebooks. There's lots of open source implementations but they only apply to very specific hardware. You could find all of those stuff on the web of course. And, then System76 is also currently working in that field for their laptops, and eventually for the BMCs I just introduced you to, there is also two projects there is the OpenBMC project and the euro project. Okay, so that's how far we are, but that's not what I'm talking about today, I'm talking about something else. And that's why we have to take a closer look at Intel x86 hardware. This here is an example of a platform which has a dedicated chipset and a processor.This is also a graphic I borrowed from Intel, once again. It shows you where all of those peripherals are connected, so, again, we have USB, we have Ethernet, but there is more to it, actually. And, you can clearly see that this chipset here, it's quite a large box and there is a reason for it, because that's where actually most of the chips are connecting. That's why Intel calls it the Platform Controller Hub, or a PCH for short. Now let's look closer at the Denverton platform. Denverton is one of those model names for the platforms - Intel always comes up with these names and here we have a very brief summary of what peripherals we have and if you look very closely in the upper right corner, there is two so- called engines mentioned: one of them is the Innovation Engine, the other one is the Management Engine, which we're dealing with today. The Innovation Engine has a very brief description, it says it's something about innovation, it's something about firmware, but actually I have not yet found any use for it but it's there in your hardware. So if you have a Denverton chip in your laptop, or wherever you might find it, you have some features there but I don't know what they are for. Okay, so let's look at the Management Engine, today. Because the thing is: Hardware is evolving. The Management Engine today is not the Management Engine from a few years ago. So with new hardware we get different chips over time, the y are attached to different other peripherals over time, and they're given different purposes. So basically the ME itself is just a microcontroller like Arduino and it's part of your chipset. If you have a combined chipset and main processor, it's in that one single chip and that's where it is. But that's not where it started. It actually started as the so called Active Management Technology. The idea was that you could remotely control a device and provision it, just like what I described you as the Baseboard Management Controller for servers. It's the same thing but for, let's say, laptops, desktop PCs. Imagine you're running a very huge company and you have hundreds of devices to maintain. Now, you have to this BMC thingy for servers and this thing here for your desktop devices. Now the question is: why is it actually connected to all of those peripherals? First of all there was a bit of a renaming recently: it's no longer just called the ME, it's called the CSME: Converged Security and Manageability or Management Engine. It can load your firmware and verify it and with that firmware we are now talking about the host CPU firmware. That thing that coreboot can be doing or what your vendors UEFI firmware is doing. If that firmware is not as expected, which means it's not signed with a certain key from either Intel or your OEM, the equipment manufacturer which can be HP or Asus or whatever, then your laptop might not boot. That's a feature it's a security feature. Now the problem is: if we want to legitimately replace the firmware with our own implementations we can't do it. If this certain feature is activated. It's also known as boot guard. But, again, this is not what we're talking about today, I want to look at something else. This here is how your machine boots up: On the left-hand you see the flow I just described you, what the ME is doing. You press the power button on your machine. The ME is coming up, it's initializing itself first with its own firmware, that's the RBE-phase - a bit more about that later. Then there is a bringup phase, which hands over to the ME operating system, if that version of your ME actually has an operating system, which is not necessarily the case. It will reset the CPU itself. It will trigger the firmware on the CPU to start, that's where coreboot could take over or your vendors UEFI firmware, it notes some microcode updates, it comes to the initialization phase where you get RAM and the CPU and eventually all the features you have in your chipset itself, until you can boot your host operating system. Now at the same time there is two more chips even being powered on: one is the PMC, the Power Management Controller, which also gets some updates or patches from the ME firmware, and the EC, the Embedded Controller, I already described you, which is just running in parallel. But in fact these are all connected to each other. And here's some of the features summarized which we have in ME: so the Active Management Technology is implemented for example in the Linux kernel, there is a driver for it. It could do hardware monitoring, it can monitor if your chips are overheating, it can have other sensors connected to it, it can do power control, that's why I just described you, just like a BMC you can power cycle your system through it. You could update your operating system out-of-band, so not like using apt-get upgrade or something. No, instead you would just do it from outside. So you could reformat an entire disk, replace it with a new image. You have a bit of storage and you even have a proxy for a keyboard and mouse and the video interface, so it's like VNC literally. That's what we know from the public documentation. Now the interface that is implemented in the Linux kernel has been extended a bit. Now we have a dedicated chip, which was pulled out of the ME, the ISH, or Integrated Sensor Hub. It just does the very basic things I just described you about sensors just in a dedicated chip. That's a good development actually because now we don't have a single point of failure which has everything, we have a single point of failure which has everything but this part. There is BIOS extensions. In your host firmware there can also be certain libraries or drivers which are connecting to the ME. You can control the ME through it. If you have a business laptop you might be running the corporate version of the ME firmware and then you might press F6 or Ctrl+P when booting up, and you might get a prompt. If you are still in the manufacturing mode or you just bought the machine very fresh, just type "admin" that's the default password - that's publicly documented by the way it's not something I found somewhere but in Intels own documentation. And then you can start using that feature. So this might apply, I haven't confirmed it, but it might apply to the HP EliteBooks for example which are for business use or certain Lenovo ThinkPads from the T-series. You could try it on your machines, maybe. Now I've already described you that there are lots of different variants and versions of the Management Engine. We have a very, very long timeline here, we are talking about years starting from 2004 until now, so it's 15 years since the Active Management Yechnology was announced until today where we have version 12 of the Management Engine. The problem with this timeline here is, again the disclaimer, I cannot really verify all of this information. I have mostly gathered it from different sources, so don't take all of this for granted. Some of this might also just include some educated guessing from my side. If you find any errors, you will get the links later, you can file me bugs or send your pull requests. So we're at version 12 now. For each version of the Management Engine there's release notes, they are public. So in ME 12 they just dropped version 1 for TLS, 1.2 is now in and we have a few other features. Some of them I don't even know but you can look it up on Intels documentation. Those are the variants we already know, consumer, corporate, a slim version apparently, there's the SPS version which was made for servers and now there is something called Ignition. Which actually brings us to our motivation here. This is an email from the EDK to non-osi mailing list. They announced a version of the ME binary which can finally be distributed. So you can give it to other people. You couldn't do that before. Well, at least not officially. Of course when you get firmware updates from your supplier, you get those binaries in a way, but it's not like you download them from Intel directly. Which means that now we can offer full images of custom firmware based on coreboot, based on this ME binary here and whatever we want to tailor it for. So let's follow the yellow-brick road. This is the license. The license allows basically only redistribution, you may not make any changes, you may not reverse it, you may not decompile it, you may not disassemble it. Now how do we actually verify, that it works as desired and as promised? Pay no attention to the man behind the curtain! If you have seen The Wizard of Oz, you know the scene. That's literally what they want. Their philosophy is kind of a shallow thing, so they don't really want to be very open with information. This here is from a training slide, it's an official training that Intel is giving at certain events. They tell people: "Well, we have lots of firmware developers, we want to support them in a way, but not too much actually." I have to be a bit quick because I have more slides than time.Here's the vendor's perspective from Intel's FSP white paper. FSP is the Firmware Support Package.They're saying they're working towards, well, releasing something, but actually not. So if you have a binary and it works as desired then it's okay, otherwise, well, not so much but they promise it works. And the same applies for ME, I guess. Which is where Dexter's law applies, which is saying that only proprietary software vendors actually want proprietary software. And now that's the issue, if somebody is attacking your system, they do not play by the rules. Let's take some first steps into that direction. There are some analysis tools, there's the me_cleaner, MEAnalyzer and more. There has been some reverse engineering, not from my side, because of course the license doesn't allow it. More information can be found in other talks. There was the Plundervolt attack, just recently, which was actually based on reverse engineering. And now I'm afraid I have to cut it here. We have security issues. We want to analyze firmwaer. Here's a bit of data structures, I will just briefly skim through those now. You can approach me later for more. And I want to briefly come to this conclusion because this is the important part. So for security all firmware has to be open source. Here's the list of acronyms, some other talks to refer to again. Thanks to everyone who has actually helped me with this, that's all the hacker spaces, I hang out at, the Chaos West team and the stage here, of course, and the open source firmware projects. Please come to our assembly, it's right over there, if you want to know more. So thanks, first. If you have any questions, please approach me now or, well, just in a bit at the assembly. I guess we have time for one very small question, now. Herald: Yeah, thank you very much, let's have a hand. Applause Herald: There'll be two mics, they're lit. We have time for one question or maybe two but short ones. Anybody has a question? No? About all the fun you can have and not supposed to have. Okay. Thank you very much. Okay, in which case let's close it and take your trash, please, and be excellent to each. Thank you very much. Applause 36c3 postroll music Subtitles created by c3subtitles.de in the year 2020. Join, and help us!