3

I have successfully removed Intel ME from the firmware by reflashing the BIOS using corna's tool:

However, I am still concerned about SMM. Intel ME and AMT vulnerabilities are horrible and classified as ring -3; however, the SMM module also has plenty of vulnerabilities and possible rootkits, and these are classified as ring -2 vulnerabilities.

I would like to remove or disable completely the SMM module as well. It is an Acer-Aspire laptop with an Insyde BIOS on it.

I don't know to what degree the removal of the ME system affected the SMM module. Do I need to remove the SMM as well? Is it possible at all? If so, please tell me whether there are any other similar tools like corna's tool for ME that can remove the SMM as well.

Jack567
  • 49

2 Answers

1

The best solution is to buy hardware you trust. The primary example is coreboot. There are system integrators who sell coreboot-based computers.

If you buy from System76 or Purism you are supporting people who are building free and open firmware so you don't have to go down the path you are on.

ADDITIONAL READING:

HackSlash
  • 5,015

0

System Management Mode (SMM):

SMM is entered via the SMI (system management interrupt), which is invoked by:

  • Motherboard hardware or chipset signaling via a designated pin SMI# of the processor chip. This signal can be an independent event.
  • Software SMI triggered by the system software via an I/O access to a location considered special by the motherboard logic (port 0B2h is common).
  • An I/O write to a location which the firmware has requested that the processor chip act on.

This means that triggering SMM is a motherboard function, so whether it is enabled or not depends on the motherboard firmware. The motherboard firmware itself is digitally protected from modification. SMM is specifically not an Intel Management Engine (ME) function.

The SMM code that is triggered is part of the BIOS, which itself cannot be modified without possessing the manufacturer's digital key. SMM can however be subverted by changing the SMI interrupt address to point to code introduced by the attacker.

All these actions require the attacker to operate inside kernel mode in order to subvert the SMI address and SMM code, and exploits do exist for that, as you have noted above. However, besides the intellectual satisfaction of such an exploit, its utility is doubtful:

  • Any SMM exploit will not survive a reboot
  • Subverting SMM requires the attacker to operate in kernel space, therefore to already be in control of the computer
  • The SMI interrupt is not called by Windows, so subverting it is not useful.

My belief is that disabling or deactivating SMM is not possible, but its presence in your computer (if it's present) is not a vulnerability that an attacker would need (or bother) to attack.

Because SMM is opaque to the operating system, it is not possible to test its presence or its correct functionality in Windows. Microsoft requires motherboard vendors to deliver a robust and secure platform, where SMM code was carefully analyzed and protected. To that effect, the vendor must confirm to Windows via the ACPI that certain security best practices have been implemented in SMM.

For details see the article Understanding the Windows SMM Security Mitigation Table (WSMT).

harrymc
  • 498,455
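
Added example, not part of the answer above: the WSMT it refers to is an ACPI table whose 32-bit protection-flags field carries the vendor's claims, and this Python code validates a raw table and reports which SMM mitigations are claimed and which are not. The sample table is constructed; passing `/sys/firmware/acpi/tables/WSMT` as the argument assumes a Linux host whose firmware publishes the table.

```python
import struct
import sys

# Protection flag bits defined in Microsoft's WSMT specification.
WSMT_FLAGS = {
    0x1: "FIXED_COMM_BUFFERS",
    0x2: "COMM_BUFFER_NESTED_PTR_PROTECTION",
    0x4: "SYSTEM_RESOURCE_PROTECTION",
}
# Standard 36-byte ACPI header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
HEADER = struct.Struct("<4sIBB6s8sI4sI")


def parse_wsmt(raw: bytes) -> dict:
    """Validate a raw WSMT table and decode the mitigations the firmware claims."""
    if len(raw) < HEADER.size + 4:
        raise ValueError("table too short to be a WSMT")
    sig, length, revision, *_ = HEADER.unpack_from(raw)
    if sig != b"WSMT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not HEADER.size + 4 <= length <= len(raw):
        raise ValueError("bad length field")
    if sum(raw[:length]) & 0xFF:  # all ACPI table bytes must sum to 0 mod 256
        raise ValueError("checksum mismatch")
    (flags,) = struct.unpack_from("<I", raw, HEADER.size)
    return {
        "revision": revision,
        "flags": flags,
        "claimed": [n for bit, n in WSMT_FLAGS.items() if flags & bit],
        "missing": [n for bit, n in WSMT_FLAGS.items() if not flags & bit],
        "reserved_bits_set": bool(flags & ~0x7),
    }


def build_sample(flags: int) -> bytes:
    """Constructed sample table (not from real firmware) with a valid checksum."""
    body = HEADER.pack(b"WSMT", 40, 1, 0, b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    body += struct.pack("<I", flags)
    csum = (-sum(body)) & 0xFF
    return body[:9] + bytes([csum]) + body[10:]  # checksum byte is at offset 9


if __name__ == "__main__":
    # With no argument, decode the constructed sample instead of a live table.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0x3)
    print(parse_wsmt(raw))
```

A set flag is only the vendor's assertion that the practice was implemented; the table does not prove the SMM code is free of defects.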