Nov 14, 2020
#1
For almost two years now, I have avoided all Intel systems with the 965 chipset and newer, instead opting to stay with the 945 chipset and older in order to bypass the security issues surrounding the Intel Management Engine within the unclear 2006 to 2008 general period of initiation. However, in the time since I have acquired a Dell XPS 410, I have been forced to fully sort out the mess, misinformation, and confusion that is the 965+ chipset, the Intel Management Engine, and Intel Active Management technology, just to feel comfortable operating it.

As with a prior Wiki I have compiled, I initially wrote the following information with the intention that it be used as a personal reference. But, seeing as how there have been past examples where this particular group of people have expressed interest and concern in the subject matter (https://forums.macrumors.com/thread...y-privacy-issues-on-intel-based-macs.2193645/, and on a semi-related note, https://forums.macrumors.com/thread...n-the-new-announcements.2267073/post-29238209), along with the fact that, as far as I am aware, there does not presently exist any centralized information resource on the Internet detailing which chipsets are truly affected, which chipsets can be remotely compromised, and what exactly can be done to mitigate a vulnerable chipset should the user come into possession of one, I have decided to publish it here for future public reference.



Preventing Security Vulnerabilities from Intel Active Management Technology within Pre-Nehalem Systems



The Intel Management Engine was introduced with the Intel Q965 chipset, and is present in the subsequent Q35 and P/G/GM/Q45 chipsets, each introduced in 2006, 2007, and 2008, respectively. It has full access to the processor interface, DRAM controller, internal graphics controller, graphics interfaces, and the I/O Controller Hub, but can only send and receive data over the network if the motherboard supports Intel vPro, or more specifically Intel Active Management Technology (itself a subset of vPro). The Intel ME should not be confused with Intel AMT, as only AMT is capable of interfacing with the Intel-manufactured onboard Network Interface Controller and thus presenting a security risk. The ME and its vPro / AMT subset was later carried over to mobile platforms via Centrino Pro, and the subsequent Centrino 2 vPro in 2007 and 2008, respectively.

AMT should also not be confused with the open Alert Standard Format, as ASF is OS-dependent via software, cannot transmit the same breadth of data, is not exclusive to Q965+, and cannot run when the system is powered off.

On mobile systems, AMT is only supported if the system is branded as compatible with Centrino Pro or Centrino 2 vPro. On desktop systems, vPro, and therefore AMT, is only supported if the motherboard contains the Q965, Q35, or Q45 business-class chipsets, which can be identified by the printed model number of the ICH, otherwise commonly known as the southbridge (refer to the large Intel-branded chip on the system motherboard):

82801HO (Q965, Digital Office, contains both ME and AMT)

82801IO (Q35, Digital Office, contains both ME and AMT)

82801JO (Q45, Digital Office, contains only AMT)

All Core 2 Solo, Core 2 Duo, Core 2 Quad, and Core 2 Extreme-based desktop boards lacking the above ICH chips do not have AMT, as vPro / AMT (as well as the ME on Q965 and Q35 chipsets) are not built into any desktop chipsets free of the 'Q' designation prefix, rendering the ME on P/G/GM45 chipsets as presumptively benign.

Alternatively, mei-amt-check (https://github.com/mjg59/mei-amt-check) can be used on Linux systems to determine the presence of the ME and AMT. If the 'mei_me' module is not automatically loaded upon boot, then the system lacks the ME, and by extension AMT, and thus does not require manual circumvention.

Further, the user can also run ls /dev | grep mei to check for the presence of the ME in an even faster fashion. In the event the command returns mei and thus confirms the presence of the ME, this method unfortunately still cannot check for the presence of AMT, whereas usage of the aforementioned mei-amt-check tool will be necessary to draw a final conclusion.

Although the ME was introduced with the Q965 chipset, AMT made its debut slightly beforehand on 945-based systems with the Intel 82573E Gigabit Ethernet Controller, which can be confirmed with lspci | grep Ethernet, whereas the following mitigation steps would apply.

As a preventative measure on affected, usually Q-based chipsets, disable the integrated NIC via the system BIOS and replace it with an alternative network interface that does not contain a central NIC chip designed by Intel, which will prevent AMT (and potentially the ME itself on P55 systems and up) from communicating with the Internet because it only contains drivers for the onboard NIC (as of P55). Examples include non-Intel USB Wi-Fi adapters, USB Ethernet adapters, and internal PCI or PCIe network cards. This action can also effectively render the ME and AMT on applicable systems as presumptively benign.

As with Core 2-based systems, vPro / AMT appears to only be present on Core iX-based systems with Q-prefixed chipsets. However, it is currently unknown what exact relationship the ME has with the NIC of all Core iX-based chipsets, and how it differs from its relationship with those of Core 2-based chipsets in preceding versions. Therefore, NICs on Nehalem-based systems and up are potentially unsafe by default without manual circumvention through alternative hardware.


AMD Platform Security Processor Notes


o The PSP has full access to all hardware components, as with the ME.

o The PSP is located exclusively on the CPU die, whereas the ME is located on the motherboard southbridge.

o Last safe CPUs are anything in the FX (Bulldozer) family using the AM3+ CPU socket.

o Fastest FX CPU is FX-9590 / overclocked FX-8370. Motherboard should have the FX990 chipset for best performance.


Resources

-- The above was not written by me, it was coppied but I no longer remember from where.

== My own notes ==
	The processor that I have been using, is from 2007 Core2Quad @ 2.4 GHz
	There are other processors before 2008 that could be used, but not that many
	almost all of them of the core2duo family. Since 2008, intel has put the management engine
	into their processors which is supposedly a backdoor. It is safer to use processors
	before the year 2008