Disable more Intel ME kernel modules #236

Merged
merged 2 commits into from
Jul 17, 2024
Conversation

raja-grewal
Contributor

Disable more Intel Management Engine (ME) kernel modules.

Changes

Add some Intel ME modules to the list of disabled kernel modules.

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@adrelanos
Member

adrelanos commented Jul 15, 2024

What is the threat model for disabling these?

Based on any security researcher's recommendation?

mei was already disabled. That might have slipped through. Computer security enthusiasts dislike Intel ME, to say the least. So who would not want to disable Intel ME in any way possible? Obviously. But not so fast...

The suggestion of adding more and more Intel ME related kernel modules makes me reconsider this. As much as we dislike Intel ME, it is a reality.

For example, mei_pxp is related to Runtime Power Management according to https://docs.kernel.org/gpu/i915.html.

I don't know if anyone's power management will be broken by disabling that kernel module.

Some quotes based on AI:

mei_hdcp: HDCP (High-Bandwidth Digital Content Protection) support for MEI. Blacklisting might affect DRM (Digital Rights Management) capabilities.

I don't like DRM either but it's not the task of security-misc to break it for users who wish to use it.

mei-txe: MEI driver for Trusted Execution Environment. Blacklisting may affect MEI operations related to security.

If it was used on a phone, this might break some applications using the hardware keystore.

microread_mei: MEI driver for Microread NFC devices. Blacklisting may affect NFC functionality if using Microread devices.

Could break NFC in case this gets used on a phone?

I haven't seen any Intel based mobile devices yet. Or Intel based devices with hardware keystore / NFC. But the existence of these kernel modules implies that such devices exist.

Related discussion on general criteria for kernel module blacklisting / disabling:

@raja-grewal
Contributor Author

On my device all these (except one) are superfluous as they call the already disabled mei and/or mei-me kernel modules.

These are the outputs I get when only disabling mei and/or mei-me (note I do not use disabled-intelme-by-security-misc, hence the errors):

[a@x]$ doas modprobe microread_mei
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'microread_mei': Invalid argument

[a@x]$ doas modprobe mei-gsc
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_gsc': Invalid argument

[a@x]$ doas modprobe mei-gsc_proxy
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_gsc_proxy': Invalid argument

[a@x]$ doas modprobe mei-hdcp
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_hdcp': Invalid argument

[a@x]$ doas modprobe mei-phy
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_phy': Invalid argument

[a@x]$ doas modprobe mei-pxp
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_pxp': Invalid argument

[a@x]$ doas modprobe mei-txe
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_txe': Invalid argument

[a@x]$ doas modprobe mei-vsc
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_vsc': Invalid argument

[a@x]$ doas modprobe mei-vsc-hw

[a@x]$ doas modprobe mei-wdt
sh: line 1: /usr/bin/disabled-intelme-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-intelme-by-security-misc' for module mei: retcode 127
modprobe: ERROR: could not insert 'mei_wdt': Invalid argument

The only one that loads for me is mei-vsc-hw.

So I guess that leaves (at least) three questions.

Do we explicitly show all the related modules that are already disabled (as shown in the PR)?

Do we want to disable mei-vsc-hw, which appears [1, 2] to have to do with the Intel SPI transport driver between the host and the Intel visual sensing controller (IVSC) device? If the visual sensing controller (mei-vsc) is already implicitly disabled, should we keep the driver that communicates with the hardware enabled?

Should we consider rolling back the disabling of mei and/or mei-me in order to address your usability concerns above?
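As an added example (not code from security-misc or this PR), the check behind the modprobe outputs above: modprobe refuses a module when the install command of any transitive dependency fails, so a small audit can tell which candidate modules are already blocked by the existing mei/mei-me rule and which, like mei-vsc-hw, are not. The modules.dep excerpt and modprobe.d content are constructed and the dependency edges are assumptions; on a real system feed it /lib/modules/$(uname -r)/modules.dep and the contents of /etc/modprobe.d/*.conf instead.

```python
# Added example, not code from security-misc: audit which modules are effectively
# blocked because modprobe fails a module when the 'install' command of any
# transitive dependency fails (the behaviour behind the errors quoted above).
def normalize(name):
    return name.replace("-", "_")  # modprobe treats '-' and '_' as interchangeable

def parse_modules_dep(text):
    """Map module -> direct dependencies from modules.dep-style lines."""
    def base(path):  # 'kernel/.../mei-me.ko' -> 'mei_me' (also strips .ko.zst/.ko.xz)
        return normalize(path.rsplit("/", 1)[-1].split(".ko")[0])
    deps = {}
    for line in text.splitlines():
        if line.strip():
            mod, _, rest = line.partition(":")
            deps[base(mod)] = [base(p) for p in rest.split()]
    return deps

def parse_install_rules(text):
    """Modules with an 'install' override. 'blacklist' lines are ignored on purpose:
    they only stop alias-based autoloading; an explicit modprobe still loads them."""
    rows = (line.split() for line in text.splitlines())
    return {normalize(p[1]) for p in rows if len(p) >= 3 and p[0] == "install"}

def blocked_by(module, deps, rules, seen=None):
    """First module on the dependency chain carrying an install override, else None."""
    module, seen = normalize(module), set() if seen is None else seen
    if module in seen:
        return None
    seen.add(module)
    if module in rules:
        return module
    for dep in deps.get(module, []):
        hit = blocked_by(dep, deps, rules, seen)
        if hit:
            return hit
    return None

# Constructed inputs: dependency edges are illustrative assumptions, not a real modules.dep.
MODULES_DEP = """\
kernel/drivers/misc/mei/mei.ko:
kernel/drivers/misc/mei/mei-me.ko: kernel/drivers/misc/mei/mei.ko
kernel/drivers/misc/mei/hdcp/mei_hdcp.ko: kernel/drivers/misc/mei/mei.ko
kernel/drivers/nfc/microread/microread_mei.ko: kernel/drivers/nfc/microread/microread.ko kernel/drivers/misc/mei/mei.ko
kernel/drivers/misc/mei/mei-vsc-hw.ko:
"""
MODPROBE_CONF = """\
install mei /usr/bin/disabled-intelme-by-security-misc
install mei-me /usr/bin/disabled-intelme-by-security-misc
blacklist mei_vsc_hw
"""

def audit(modules, modules_dep=MODULES_DEP, conf=MODPROBE_CONF):
    """Return {module: blocking module or None} for the requested module names."""
    deps, rules = parse_modules_dep(modules_dep), parse_install_rules(conf)
    return {normalize(m): blocked_by(m, deps, rules) for m in modules}
```

With the constructed inputs, audit(["mei-hdcp", "microread_mei", "mei-vsc-hw"]) reports the first two as blocked via mei and mei-vsc-hw as loadable even though it carries a blacklist line, which is why an install override rather than blacklist is what actually prevents loading.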

@adrelanos
Member

I am collecting similar examples now here: Intel ME Disabling Disadvantages

@raja-grewal
Contributor Author

As much as we dislike Intel ME, it is a reality.

Yes, its integration is becoming more and more essential for modern computing.

I suppose we can always provide the list of kernel modules for optional disabling.

However, I anticipate that re-enabling ME modules by default will probably lead to (justified or not) user complaints.

@adrelanos
Member

Will merge and then out-comment as well as open a separate issue for this.

@adrelanos adrelanos merged commit a4ba6e4 into Kicksecure:master Jul 17, 2024
@raja-grewal raja-grewal deleted the intel_me branch July 17, 2024 13:23