Management Engine and security/privacy issues on Intel-based Macs

Discussion in 'PowerPC Macs' started by Raging Dufus, Aug 13, 2019.

  1. Raging Dufus macrumors 6502

    Raging Dufus

    Joined:
    Aug 2, 2018
    Location:
    Kansas USA
    #1
This thread is a continuation of discussion starting on Page 2 of the "Backdrop - Distraction-free tool for classic Mac OS" thread, regarding the Management Engine (ME) included in firmware of x86/64 Intel (and possibly other?) CPUs. Many of these chips are running in early Intel-based Macs, and may affect security and privacy of these systems.

    Please do carry on...
     
  2. Raging Dufus thread starter macrumors 6502

    Raging Dufus

    Joined:
    Aug 2, 2018
    Location:
    Kansas USA
    #2
    Given that list of affected hardware, can we also limit this by OS? A cursory perusal of everymac.com seems to show that if a Mac is natively supported by 10.8 Mountain Lion or later, it has the ME; but if it tops out at 10.7 Lion it doesn't. Is that correct?
     
  3. z970mp macrumors 68000

    z970mp

    Joined:
    Jun 2, 2017
    Location:
    A UNIX System
    #3
    Here is a short summary of what we have since learned...

    --- Post Merged, Aug 13, 2019 ---
It would certainly make the job of narrowing down machines easier if taking into account the initial mobile/desktop instatement dates in mid '06 / '07 besides the 3GB RAM ceiling.

    Also, we can now rule out the entire Mac Pro line as confirmed by one of the last posts in the prior thread.
     
  4. Raging Dufus thread starter macrumors 6502

    Raging Dufus

    Joined:
    Aug 2, 2018
    Location:
    Kansas USA
    #4
    Yes, and that's so very sad. Such wonderful machines, I've been meaning to get one for a while now. Sigh :oops:

    Seems my current 2007 MBP is affected as well. But on a brighter note, my 2007 Mini isn't!

    Seems in keeping with the whole "it's not a bug, it's a feature" trope. As such, it makes sense Intel would include it on their top-of-the-line pro Xeon, before it made its way into the consumer-grade hardware.
     
  5. z970mp, Aug 13, 2019
    Last edited: Aug 13, 2019

    z970mp macrumors 68000

    z970mp

    Joined:
    Jun 2, 2017
    Location:
    A UNIX System
    #5
  6. z970mp, Aug 13, 2019
    Last edited: Aug 13, 2019

    z970mp macrumors 68000

    z970mp

    Joined:
    Jun 2, 2017
    Location:
    A UNIX System
    #6
    Alright, so according to the mobile ME release cutoff, these would be the final revisions without ME. None of them go higher than Lion, none of them can use more than 3 GB RAM without certain "limitations", and everything preceding them should be just as safe (if not more so), so there is a level of consistency here.

    iMac 2.16 Core 2 Duo 17" / 20" / 24" (September 2006) -

    https://everymac.com/systems/apple/imac/specs/imac-core-2-duo-2.16-24-inch-specs.html

    Mac Mini 2.0 Core 2 Duo (August 2007) -

    https://everymac.com/systems/apple/mac_mini/specs/mac-mini-core-2-duo-2.0-specs.html

    MacBook 2.16 Core 2 Duo White / Black (May 2007) -

    https://everymac.com/systems/apple/...-core-2-duo-2.16-white-13-mid-2007-specs.html

    MacBook Pro 2.33 Core 2 Duo 15" / 17" (October 2006) -

    https://everymac.com/systems/apple/macbook_pro/specs/macbook-pro-core-2-duo-2.33-15-specs.html

    Summary:

    All white iMacs are safe.

    All Pre-2009 Mac Minis are safe.

    All Pre-Santa Rosa MacBooks are safe.

    All Pre-Santa Rosa MacBook Pros are safe.

    Most machines that top out at 10.7.5 are safe.

    Anything that supports 10.8+ contains ME.
     
  7. Raging Dufus, Aug 13, 2019
    Last edited: Aug 13, 2019

    Raging Dufus thread starter macrumors 6502

    Raging Dufus

    Joined:
    Aug 2, 2018
    Location:
    Kansas USA
    #7
    Here are specs for my Mac Mini: https://everymac.com/systems/apple/mac_mini/specs/mac-mini-core-2-duo-2.0-specs.html

    Note that it also says 4 GB max RAM, but Apple only ever officially supported 3 GB RAM on these. I think that's common to everything on @Amethyst1's list.

    EDIT: seems you beat me to it.
     
  8. Jubadub, Aug 13, 2019
    Last edited: Aug 13, 2019

    Jubadub macrumors regular

    Jubadub

    Joined:
    Nov 1, 2017
    #8
    When the (nearly-confirmed) switch from Intel to ARM occurs, that's something to beware and investigate, as well. I forgot where I had read about it, but I think there was something similar on some ARM CPUs.

    Also, for anyone who has an AMD-based Hackintosh (which only exists in Hackintosh form, as Apple never adopted their processors), there's their equivalent of Intel ME, called AMD Platform Security Processor (PSP), to beware. The year cut-off is quite further ahead (2013), but it's still worth mentioning.

    Note: Seems libreboot.org went offline today. Odd timing. Google has it cached, though.

Outside of the Mac scope, for anyone interested in avoiding all the processor-level backdoors in future investments, there's the POWER9-based (PowerPC) Talos II, Talos II Lite and Blackbird by Raptor. On the less-expensive, but less-performant, x86/x64 front, there are computers that use the ASUS KGPE-D16 motherboard + a PSP-free AMD CPU ("Interlagos" family recommended, see also this). Those are the highest-end options for both architectures. (Note: for x86, Libreboot or, less-preferably, Coreboot is required for proper privacy on affected processors.)

    Some websites sell the latter, like Technoethical. Raptor themselves sell the Talos family of computers.
If investing in the future of personal computing privacy, between the two options, it's better to buy a Talos family computer. (They are also absurdly powerful: the highest-end model is a 2-processor 44-core 196-thread computer (Talos II)! Lowest end is a single processor with 4 cores and 16 threads on Blackbird (some PC vendors would perhaps market that as "16-core"), which is still insanely powerful (120 MB of L3 cache, anyone? PCIe 4.0?).)
     
  9. Amethyst1, Aug 13, 2019
    Last edited: Aug 13, 2019

    Amethyst1 macrumors 6502

    Amethyst1

    Joined:
    Oct 28, 2015
    #9
    It is 945-based. It's just the regular 2006 24in iMac with a T7600 instead of a T7400.

    Before Nehalem, the ME was entirely a "feature" of the chipset, regardless of the CPU. A limit to Core Duo isn't necessary.
    --- Post Merged, Aug 13, 2019 ---
    PSP or not, I would never go for a Bulldozer-based CPU. Hot-running, power-hungry and lacking in performance - in a word, horrible. I'd rather pick an older Opteron 6100 (Magny Cours). 12 real cores (not that SMT pseudo-core ****) per CPU anyone?
     
  10. vddrnnr macrumors member

    vddrnnr

    Joined:
    Jan 23, 2017
    #10
    Hi all,

    Maybe using only a USB Wireless dongle?

    Best regards,
    voidRunner
     
  11. Jubadub macrumors regular

    Jubadub

    Joined:
    Nov 1, 2017
    #11
    ? What do you mean, exactly? Using a USB WiFi dongle in some way that prevents being exploited by processor-level backdoors? I'm not sure I follow. o_O
     
  12. vddrnnr macrumors member

    vddrnnr

    Joined:
    Jan 23, 2017
    #12
    Hi Jubadub,

I read the libreboot page and, if I understood correctly, it is only able to use PCI/PCI-e devices (USB is none), and also the software for those devices is not like in Windows, where it is recognised as a true wireless device; in OSX they simulate an Ethernet device, but inside it is different because it uses the wireless stack, but not the way Apple does it (it's not AirPort).

    I think at least it will not allow for such an easy control by the CPU.

I also found this, which has some more information on ME vulnerabilities.

    https://apple.stackexchange.com/questions/306959/intel-management-engine-is-macos-vulnerable

    Best regards,
    voidRunner
     
  13. Amethyst1, Aug 14, 2019
    Last edited: Aug 14, 2019

    Amethyst1 macrumors 6502

    Amethyst1

    Joined:
    Oct 28, 2015
    #13
    Elaborating, the Late 2007/Early 2008 white MacBooks and the Early 2008 MacBook Air top out at 10.7.5 due to the GMA X3100 yet have the ME.
     
  14. sparty411 macrumors regular

    sparty411

    Joined:
    Nov 13, 2018
    #14
    Aren't the Opteron 6xxx series all Bulldozer parts?
     
  15. Amethyst1 macrumors 6502

    Amethyst1

    Joined:
    Oct 28, 2015
    #15
    The 6100 series isn't. :)
     
  16. 556fmjoe macrumors 68000

    556fmjoe

    Joined:
    Apr 19, 2014
    #16
    Regarding Libreboot: yes, running Libreboot will keep you safe from Intel's ME security mess, but you will not get firmware updates that could fix other vulnerabilities, such as the Spectre and Meltdown family, as well as others.

    (this is coming from someone who runs Libreboot on an X200)
     
  17. Jubadub macrumors regular

    Jubadub

    Joined:
    Nov 1, 2017
    #17
I thought the Linux/BSD kernel itself addressed those vulnerabilities? Though, again, memory is foggy on that one. It could very well be a firmware-level fix. I remember IBM working on addressing it for POWER9 etc., after all, in some way.

    Oh well, that means the only true option is indeed PowerPC with Raptor!
     
  18. 556fmjoe macrumors 68000

    556fmjoe

    Joined:
    Apr 19, 2014
    #18
    A little bit of both. Intel did issue microcode updates and most operating systems did something to address the issue, with varying degrees of success. We are still seeing both CVEs and fixes rolled out every few months, so things are very much in flux. OpenBSD actually disabled SMT outright (there is a sysctl knob to turn it back on if you want it).

    Alternative architectures like PowerPC and modern POWER systems are interesting because they were not the targets of most of the research, but could be susceptible. IBM did issue fixes for some vulnerabilities in the Power family (https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/). Even older PowerPC CPUs may be vulnerable, though somewhat less so than modern amd64 stuff from Intel and AMD: https://tenfourfox.blogspot.com/2018/01/more-about-spectre-and-powerpc-or-why.html
     