Intel’s Management Engine (ME), a full-fledged computer inside Intel CPUs, runs on MINIX. Since it became public that Intel’s CPUs ran on it, multiple issues have been found with the approach, which has prompted Intel to release a detection tool. Intel now appears poised to move towards a full hardware lock of the Management Engine’s capabilities, thus ensuring it can’t be disabled.
A recent confidential Intel Technical Advisory posted to GitHub stated that starting with ME version 12, the chip’s Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, “will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN.” FPFs, once set, become read-only memory (ROM) and cannot be easily altered.
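To illustrate how a fuse-backed SVN defeats a downgrade, here is an added model (not Intel’s code, and not taken from the advisory) of a one-time-programmable fuse bank and the anti-rollback check a loader would run against it. The 32-bit fuse word, the thermometer encoding of the SVN, and all function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed model, not Intel's design: the fuse bank is a 32-bit
 * one-time-programmable word. Bits can only go 0 -> 1, and the SVN is
 * encoded as a thermometer code (number of burned bits), so the stored
 * minimum can only ever grow. */
#define FPF_BITS 32u

typedef struct { uint32_t fuses; } fpf_bank_t;

/* Read the fused anti-rollback SVN as the count of burned bits. */
unsigned fpf_read_svn(const fpf_bank_t *b) {
    unsigned n = 0;
    for (uint32_t v = b->fuses; v; v >>= 1) n += v & 1u;
    return n;
}

/* Burn fuses so the bank encodes `svn`. Refuses any request that would
 * require clearing a bit (a lower value) or that exceeds the bank size;
 * a real fuse cannot be un-burned, so there is no path to lower it. */
bool fpf_burn_svn(fpf_bank_t *b, unsigned svn) {
    if (svn > FPF_BITS || svn < fpf_read_svn(b)) return false;
    b->fuses |= (svn == FPF_BITS) ? 0xFFFFFFFFu : ((1u << svn) - 1u);
    return true;
}

/* Boot-time check: an image whose SVN is below the fused minimum is a
 * downgrade and is rejected, regardless of its signature being valid. */
bool me_image_allowed(const fpf_bank_t *b, unsigned image_svn) {
    return image_svn >= fpf_read_svn(b);
}

/* Update path: accept the image, then raise the fused minimum so the
 * previously installed (lower-SVN) firmware can never be flashed back. */
bool me_install_image(fpf_bank_t *b, unsigned image_svn) {
    if (!me_image_allowed(b, image_svn)) return false;
    return fpf_burn_svn(b, image_svn);
}
```

Once `me_install_image` has burned SVN 3, an otherwise valid SVN 2 image is refused, and no software call can bring the fused value back down.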
Source: [H]ardOCP – Intel to Slap Hardware Lock on Management Engine Code to Thwart Downgrade Attacks