by pcwalton 3330 days ago
Intel ME has a DRM app called "Protected Audio-Video Path" [1], which obviously has to be secret.

As to whether anything actually uses the PAVP functionality, I have no idea. I wouldn't be surprised if it was something Intel included to try to push Atom-based set-top boxes or whatever.

[1]: https://www.slideshare.net/mobile/codeblue_jp/igor-skochinsk...

2 comments

> Intel ME has a DRM app called "Protected Audio-Video Path", which obviously has to be secret.

Which you don't need on a headless server. Which is what the "management engine" is supposed to be for.

This is incorrect. The management engine is used for a wide variety of tasks, from DRM to providing a TPM to anti-theft code. The AMT functionality (which is where this vulnerability is) is intended for remote management of laptops and workstations. It's usually not present on anything but low-end servers.

Digital signage boxes probably benefit from remote management too.

> Intel ME has a DRM app called "Protected Audio-Video Path" [1], which obviously has to be secret.

Does it, does it really?

I'm pretty sure security through obscurity is some bullshit.

Sure, but say you're Intel and pitching the technology to Hollywood. Open source would make the entertainment industry nervous. And Intel isn't in a bargaining position, since Hollywood would be more than happy to just shut x86 PCs out of content.

(Needless to say, I'm offering an explanation as to why the Intel ME is what it is, not defending it. I think it's pointless. After all, it's likely that PCs are just not going to get content in the future, given that consumers use set-top boxes that use embedded architectures instead of x86 PCs and Intel has failed in mobile.)

I'm pretty sure only its keys really need to be secret, but hiding the code may provide some extra security by obscurity if the code happens to have bugs.