New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kernel 4.14 has intel mei_me module re-enabled #3916

Open
mvermaes opened this Issue May 22, 2018 · 6 comments

Comments

Projects
None yet
4 participants
@mvermaes

Qubes OS version:

R4.0

Affected component(s):

Kernel


Steps to reproduce the behavior:

lsmod | grep mei

Expected behavior:

No output from above command

Actual behavior:

mei_me and mei modules are loaded

General notes:


Related issues:

@lunarthegrey

This comment has been minimized.

Show comment
Hide comment
@lunarthegrey

lunarthegrey May 23, 2018

Same module is loaded for me. Running kernel 4.14.35-1.

Same module is loaded for me. Running kernel 4.14.35-1.

@lunarthegrey

This comment has been minimized.

Show comment
Hide comment
@lunarthegrey

lunarthegrey Jun 15, 2018

The mei and mei_me modules are still loaded with the 4.14.41-1 kernel (latest stable as of now). Is there any specific reason why the modules were added back @HW42 ?

The mei and mei_me modules are still loaded with the 4.14.41-1 kernel (latest stable as of now). Is there any specific reason why the modules were added back @HW42 ?

@lunarthegrey

This comment has been minimized.

Show comment
Hide comment
@lunarthegrey

lunarthegrey Jul 21, 2018

Still wondering why. Maybe @andrewdavidwong can help?

Still wondering why. Maybe @andrewdavidwong can help?

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Jul 22, 2018

Member

Still wondering why. Maybe @andrewdavidwong can help?

I haven't the foggiest, but I bet @marmarek does.

Member

andrewdavidwong commented Jul 22, 2018

Still wondering why. Maybe @andrewdavidwong can help?

I haven't the foggiest, but I bet @marmarek does.

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 22, 2018

Member

The reason is simple and not very technical - we try to avoid maintaining custom kernel configuration as much as possible, as we don't have much resources for that (including testing configurations for new drivers etc). For this reason we reuse Fedora kernel configuration as a base.

Disabling mei_me module doesn't really disable ME. It only means that kernel wouldn't be able to ask nicely ME for some information (and the same user space daemons - but we don't have any for this device). ME will still be able to extract whatever information it want, because it has full access to system memory at CPU level, sadly.

Anyway, if you like to help to disable it, send a pull request to adjust custom options for the kernel. Please test it first.

Member

marmarek commented Jul 22, 2018

The reason is simple and not very technical - we try to avoid maintaining custom kernel configuration as much as possible, as we don't have much resources for that (including testing configurations for new drivers etc). For this reason we reuse Fedora kernel configuration as a base.

Disabling mei_me module doesn't really disable ME. It only means that kernel wouldn't be able to ask nicely ME for some information (and the same user space daemons - but we don't have any for this device). ME will still be able to extract whatever information it want, because it has full access to system memory at CPU level, sadly.

Anyway, if you like to help to disable it, send a pull request to adjust custom options for the kernel. Please test it first.

@lunarthegrey

This comment has been minimized.

Show comment
Hide comment
@lunarthegrey

lunarthegrey Jul 22, 2018

Thanks for explaining @marmarek. It's probably easier for us to just add mei, mei_me, and mei_wdt modules to the blacklist in /etc/modprobe.d/blacklist.conf and dracut -f to rebuild initramfs.

I know it doesn't disable ME, but preventing any type of communication between the kernel and ME may lower the attack surface (maybe?). It is dom0 after all, so if dom0 is compromised all hope is lost anyways.

Thanks for explaining @marmarek. It's probably easier for us to just add mei, mei_me, and mei_wdt modules to the blacklist in /etc/modprobe.d/blacklist.conf and dracut -f to rebuild initramfs.

I know it doesn't disable ME, but preventing any type of communication between the kernel and ME may lower the attack surface (maybe?). It is dom0 after all, so if dom0 is compromised all hope is lost anyways.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment