Whenever a security vulnerability comes out, one of the first questions that comes to many people's minds is: am I affected? The last couple of years in particular have seen a lot of hardware-based vulnerabilities in Intel processors, and in those cases it's generally a matter of looking at the list of affected hardware and comparing it against your own.
More recently a vulnerability (CVE-2019-0090) was announced in the Intel CSME that can allow an attacker with local access to potentially extract secret Intel hardware signing keys from a system. There are a number of different analyses out there on this vulnerability from the very dry CVE report itself to “sky is falling” reports that contain a lot more hype. If you want more technical details on the vulnerability itself, I’ve found this report to have a good balance of measured technical information on impact without the hype.
We’ve gotten a lot of questions recently about whether Librem hardware is affected by this vulnerability, given that the CVE includes a wide range of hardware (including chips in our own systems). After looking into the issue we feel confident in answering that Librem Intel-based computers (our laptops, servers, and the new Librem Mini) are not affected by CVE-2019-0090, due to how we use (and don’t use) the ME. Beyond that, PureBoot users will have extra protection including the ability to detect someone attempting to exploit this vulnerability.
The reason our hardware isn't vulnerable to this ME vulnerability is similar to why we haven't been vulnerable to past ME exploits, such as a recent AMT vulnerability. For starters, we disable and neutralize the ME to remove all but the most essential modules, which for past exploits (such as AMT vulnerabilities) has meant there was nothing to exploit. CVE-2019-0090 is different in that the attack targets a core, fundamental module we do include. However, because we do not use Intel hardware signing keys as our root of trust at all, it attacks features we don't use.
Since this attack exploits features we don't use, customers who use our default coreboot firmware don't have anything to worry about, and customers who use our PureBoot firmware have an extra level of protection, including detection of the exploit. This is because the contents of the ME are part of the PureBoot firmware image and are among the things PureBoot tests for tampering. Someone who modified the ME with an exploit would trigger a PureBoot alert the next time the user turned on the computer.
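To illustrate the detection step described above, here is an added, simplified example that is not PureBoot's own code: it hashes each region of a constructed firmware image separately, compares the result against a trusted baseline, and names the region that changed. The region layout and fill bytes are invented for the illustration, not a real Intel flash descriptor.

```python
import hashlib

# Constructed flash layout (region -> (offset, length)); the values are
# illustrative and do not come from a real Intel flash descriptor.
REGIONS = {
    "descriptor": (0x0000, 0x1000),
    "me":         (0x1000, 0x3000),
    "bios":       (0x4000, 0x4000),
}
IMAGE_SIZE = 0x8000


def build_image(me_fill: int = 0xAA, bios_fill: int = 0xBB) -> bytearray:
    """Build a constructed firmware image whose regions have recognisable fill bytes."""
    img = bytearray(b"\xff" * IMAGE_SIZE)
    off, ln = REGIONS["me"]
    img[off:off + ln] = bytes([me_fill]) * ln
    off, ln = REGIONS["bios"]
    img[off:off + ln] = bytes([bios_fill]) * ln
    return img


def measure_regions(image: bytes, regions: dict = REGIONS) -> dict:
    """Hash each flash region on its own so a report can say which one changed."""
    digests = {}
    for name, (off, ln) in regions.items():
        if off + ln > len(image):
            raise ValueError(f"region {name} extends past the end of the image")
        digests[name] = hashlib.sha256(image[off:off + ln]).hexdigest()
    return digests


def changed_regions(baseline: dict, current: dict) -> list:
    """Return the names of regions whose digest differs from the trusted baseline."""
    return sorted(name for name in baseline if current.get(name) != baseline[name])


def tamper_me(image: bytearray, offset_in_me: int = 0x10) -> bytearray:
    """Simulate a modified ME region by flipping one bit inside it (constructed)."""
    tampered = bytearray(image)
    off, _ = REGIONS["me"]
    tampered[off + offset_in_me] ^= 0x01
    return tampered


if __name__ == "__main__":
    clean = build_image()
    baseline = measure_regions(clean)          # recorded when the firmware was trusted
    print("changed on clean boot:", changed_regions(baseline, measure_regions(clean)))
    print("changed after ME edit:", changed_regions(baseline, measure_regions(tamper_me(clean))))
```

A single flipped bit anywhere in the ME region changes its digest, so the check flags "me" even though the descriptor and BIOS regions still match the baseline.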
It’s been encouraging to see how many of our customers are informed on and concerned with the latest security issues out there. I hope this brief explanation helps you understand why our unique approach to security also often offers us special immunity to common security issues.