by ajxs 2243 days ago
I'll preface this question with the disclaimer that I'm a true believer in the mission of Coreboot/Libreboot. Playing devil's advocate, if Intel were to release the signing key for the ME, or Intel Boot Guard, wouldn't this increase the likelihood of a malicious vendor preinstalling a rootkit in hardware that uses Intel CPUs?

To answer in advance regarding the likelihood of this happening. There have already been enough instances of various hardware vendors using very nefarious means to extend the capabilities of their devices and peripheral device drivers. Also, what reason do we have to assume that Google's own interest in this area is any more trustworthy? I suppose it's a moot point for many whether or not Google can get rootkit-level access to people's devices when so many people are using Android.

Of course, I consider the presence of the ME to inherently constitute a rootkit for alphabet-soup US government agencies and the Mossad already.


Any big corporation with security competence is going to seriously care about the security of their corporate and production fleet; the stakes for securing systems only ever increase over time, and threats are only getting more sophisticated. So you don’t necessarily need to believe in the altruism of a corporation to see why their interest in secure computing at lower levels of the stack may actually line up with users’ interests more or less.

But honestly, the best argument here is don’t trust anyone; in theory anyone can inspect the source code and binaries for Corebooted devices. It’s not perfect and there are obviously cases where you can never be 100% sure there are no tricks, but IMO it’s still a lot better than the alternative of having roughly the same drawbacks but no visibility.

I’m not sure where this fits in, in the grand scheme of things though, because in all honesty trust in computing seems like it’s an unending rabbit hole ripe for abuse. Intel ME may even have been born with genuinely good intentions, but I do think its secretive, black-box nature is the absolute worst part of it all.

(Obligatory disclaimer, I work for Google, all of these opinions are just my personal opinions.)

> ...you don’t necessarily need to believe in the altruism of a corporation to see why their interest in secure computing at lower levels of the stack may actually line up with users’ interests more or less.

Of course. We're not talking about just any corporation here though, not even just any hardware manufacturer. You're right that security is in everyone's interests. My mentioning Google is referencing a company whose business consists of collecting and marketing information on their users. I think this changes the risk profile somewhat.

> ...In theory anyone can inspect the source code and binaries for Corebooted devices...

Pardon me if there's a big hole in my understanding of firmware RE. In reference to the Coreboot'ed Chromebooks, it sounds like this should read "anyone can inspect the source code and binaries of Coreboot". We still have to take at face value what firmware is actually installed on a device. I don't mean to sound nitpicky or mean, I just think that Google's motivations warrant extra scrutiny. I agree with your sentiments overall.

> ...Intel ME may even have been born with genuinely good intentions...

This might be the case, but the way Intel has treated the topic could not possibly foster any kind of trust with its user base. Also, these features offer extremely little to the average user. I'd like to be corrected on this if I'm wrong: what does Intel ME actually do for a user like myself? Surely it would lower costs in a non-trivial way to just remove it for non-corporate customers if the intentions were even the least bit genuine.

Is Google at risk because of this? I have consolidated all my private stuff to only Google instead of spreading it all over FB, MS, Apple, and other vendors.

At risk because of Intel ME/integrity-based attacks? I simply don’t know. I assume the risk is managed some way or another, probably a lot with network security. I personally was more bothered by CPU vulnerabilities, and there’s also the looming threat of DRAM vulnerabilities, but for now it seems like almost anything can be effectively mitigated at some cost.

> There's already been enough instances of various hardware vendors using very nefarious means to extend the capabilities of their devices and peripheral device drivers.

Sadly enough I think this is a good point. You could say it's the same as saying closed source software and operating systems would be better for that reason, which I wouldn't agree with at all, but this would feel somewhat different.

You would have to force GPL-like sharing of modified firmware, but it seems much more involved to verify this on a vendor-to-vendor basis than, say, finding that Lenovo ships some nefarious Windows software preinstalled. As an enthusiast you can just reflash after purchase to be sure, but the average consumer might suffer.

It sucks but the only real solution I see is to just remove these things altogether again.

> wouldn't this increase the likelihood of a malicious vendor preinstalling a rootkit?

Vendors already fuse their keys using Boot Guard. So if they want to install rootkits, they can do that now. Lenovo already did that with Superfish. Boot Guard doesn't make any assurances about the quality of the BIOS. It just says to the consumer that this machine's BIOS came from the vendor. Sort of like the HTTPS padlock.

I think what you mean to ask is how we could ensure the integrity of the boot flow up to the OS without Boot Guard. It can be done higher up in the stack. Chromebooks do it pretty well. There are other projects like Heads that do it as well. Your chain of trust needs to extend into the OS for it to be meaningful.

The points you make in your post are very valid. My post was made in the context of the Intel ME's wide range of invasive capabilities. If your purpose was to perform surveillance on your customers, the ME would grant you even more reach than BIOS firmware would. You've already addressed the fact that users need to trust the quality of their firmware at face value. This is hard enough already, let alone with hardware vendors being able to access the ME.

Just to clarify (as if I haven't clarified this enough), I'm in favor of Intel releasing the keys.

The ask is not to allow users to install firmware with the vendor's key but with their own key.

Sure. This would seem to imply hardware vendors having prior access to the ME. The vast majority of users don't flash their BIOS with custom firmware, simply using whatever firmware the vendors give them. Users having the ability to install their own firmware would mitigate this risk, at the expense of a riskier overall ecosystem.
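As an added illustration of two points made in the thread, that a Boot Guard-style fused key only attests where firmware came from (the "HTTPS padlock"), and that the ask is for owners to fuse their own key, here is a toy verified-boot chain in Go. It is example code written for this page, not Intel's, Coreboot's or Heads' implementation; the single PCR, the stage names and the payload strings are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: the code blob and a signature over it.
type Stage struct {
	Name, Payload string
	Signature     []byte
}

// Device models the immutable root of trust: the public key fused at the
// factory (Boot Guard's OTP key hash in Intel's design) plus one TPM-style PCR.
type Device struct {
	RootKey ed25519.PublicKey
	PCR     [32]byte // running digest of every stage that was allowed to run
}

// Sign produces a stage the way a firmware vendor, or an owner holding their
// own key, would: the signature covers the payload bytes, nothing about intent.
func Sign(priv ed25519.PrivateKey, name, payload string) Stage {
	return Stage{name, payload, ed25519.Sign(priv, []byte(payload))}
}

// Boot runs the chain: a stage executes only if it verifies under the fused
// key and is then measured as PCR = H(PCR || H(payload)). Returns how many
// stages ran; a failed signature stops the chain at that stage.
func (d *Device) Boot(chain []Stage) (int, error) {
	for i, s := range chain {
		if !ed25519.Verify(d.RootKey, []byte(s.Payload), s.Signature) {
			return i, fmt.Errorf("%s: not signed by the fused key", s.Name)
		}
		h := sha256.Sum256([]byte(s.Payload))
		d.PCR = sha256.Sum256(append(d.PCR[:], h[:]...))
	}
	return len(chain), nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil = crypto/rand
	clean := Sign(vendorPriv, "BIOS", "vendor BIOS v1")
	bad := Sign(vendorPriv, "BIOS", "vendor BIOS v1 + bundled adware") // constructed
	a, b := &Device{RootKey: vendorPub}, &Device{RootKey: vendorPub}
	_, errA := a.Boot([]Stage{clean})
	_, errB := b.Boot([]Stage{bad})
	// Both verify: the signature says "from the vendor", not "benign".
	fmt.Println("both verify:", errA == nil && errB == nil, "PCRs differ:", a.PCR != b.PCR)
}
```

The signature check passes for both vendor-signed blobs, while the measurement distinguishes them; that is why a chain that only checks signatures at the firmware stage says nothing about what runs later, and why measured boot carried into the OS (and attested) is what lets an owner tell the two apart.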