Management Engine and security/privacy issues on Intel-based Macs

Raging Dufus

macrumors 6502
Original poster
Aug 2, 2018
409
650
Kansas USA
This thread is a continuation of discussion starting on Page 2 of the "Backdrop - Distraction-free tool for classic Mac OS" thread, regarding the Management Engine (ME) included in firmware of x86/64 Intel (and possibly other?) CPUs. Many of these chips are running in early Intel-based Macs, and may affect security and privacy of these systems.

Please do carry on...
 

Raging Dufus

macrumors 6502
Original poster
Aug 2, 2018
409
650
Kansas USA
The ME was introduced with 965 chipsets, which is what the first sentence in the linked paragraph states.
While desktop variants of the 965 were indeed released in mid-2006, the mobile variants were released in May 2007 (according to Wikipedia).

Thus, all Intel iMacs, MacBooks, MacBook Pros, and Mac minis shipped before May 2007 cannot be based on 965.
The mini, in particular, was never updated to 965 and was 945-based right until the 2009 Nvidia refresh.
Given that list of affected hardware, can we also limit this by OS? A cursory perusal of everymac.com seems to show that if a Mac is natively supported by 10.8 Mountain Lion or later, it has the ME; but if it tops out at 10.7 Lion it doesn't. Is that correct?
 

z970mp

macrumors 68030
Jun 2, 2017
2,891
2,815
The Matrix
Here is a short summary of what we have since learned...

Actually, as I finished writing that post, I started asking myself if the Core Solo and Core Duo models were included. Looking it up again, although it got more tightly integrated in 2008+ with the 1st gen i3/5/7 series, it seems all mid-2006+ Intel desktops and laptops of all kinds are included. From CoreBoot's page on Intel ME: "Thus, the ME is present on all Intel desktop, mobile (laptop), and server systems since mid 2006." (Emphasis not mine.)

I'm not sure if e.g. May 2006 is early enough for the very very first MacBook (Core Duo) to be exempt from this, but maybe? Though the likes of the Core Solo 1.5GHz and Core Duo 1.66GHz Mac mini from February 2006 should indeed be safe.
Right in the first sentence, it says ME was added in the 965 chipsets. If this is true, then 945-based systems, regardless of the CPU, are "safe".
Any iMac, Mac mini, MacBook, or MacBook Pro that cannot access more than 3 GB of RAM is 945-based. That includes the 2006 iMacs, 2006 MBPs, pre-"Late 2007" MBs and pre-2009 MMs.
The ME was introduced with 965 chipsets, which is what the first sentence in the linked paragraph states.
While desktop variants of the 965 were indeed released in mid-2006, the mobile variants were released in May 2007 (according to Wikipedia).

Thus, all Intel iMacs, MacBooks, MacBook Pros, and Mac minis shipped before May 2007 cannot be based on 965.
The mini, in particular, was never updated to 965 and was 945-based right until the 2009 Nvidia refresh.
Given that list of affected hardware, can we also limit this by OS? A cursory perusal of everymac.com seems to show that if a Mac is natively supported by 10.8 Mountain Lion or later, it has the ME; but if it tops out at 10.7 Lion it doesn't. Is that correct?
It would certainly make the job of narrowing down machines easier if we take into account the initial mobile/desktop instatement dates in mid '06 / '07 alongside the 3 GB RAM ceiling.

Also, we can now rule out the entire Mac Pro line as confirmed by one of the last posts in the prior thread.
 

Raging Dufus

macrumors 6502
Original poster
Aug 2, 2018
409
650
Kansas USA
Also, we can now rule out the entire Mac Pro line as confirmed by one of the last posts in the prior thread.
Yes, and that's so very sad. Such wonderful machines, I've been meaning to get one for a while now. Sigh :oops:

Seems my current 2007 MBP is affected as well. But on a brighter note, my 2007 Mini isn't!

Another tidbit - not surprisingly, https://ark.intel.com/content/www/us/en/ark/products/27665/intel-6321esb-i-o-controller.html confirms that the 2006 Mac Pro's chipset has the ME.
Seems in keeping with the whole "it's not a bug, it's a feature" trope. As such, it makes sense Intel would include it on their top-of-the-line pro Xeon, before it made its way into the consumer-grade hardware.
 


z970mp

macrumors 68030
Jun 2, 2017
2,891
2,815
The Matrix
Alright, so according to the mobile ME release cutoff, these would be the final revisions without ME. None of them go higher than Lion, none of them can use more than 3 GB RAM without certain "limitations", and everything preceding them should be just as safe (if not more so), so there is a level of consistency here.

iMac 2.16 Core 2 Duo 17" / 20" / 24" (September 2006) -

https://everymac.com/systems/apple/imac/specs/imac-core-2-duo-2.16-24-inch-specs.html

Mac Mini 2.0 Core 2 Duo (August 2007) -

https://everymac.com/systems/apple/mac_mini/specs/mac-mini-core-2-duo-2.0-specs.html

MacBook 2.16 Core 2 Duo White / Black (May 2007) -

https://everymac.com/systems/apple/...-core-2-duo-2.16-white-13-mid-2007-specs.html

MacBook Pro 2.33 Core 2 Duo 15" / 17" (October 2006) -

https://everymac.com/systems/apple/macbook_pro/specs/macbook-pro-core-2-duo-2.33-15-specs.html

Summary:

All white iMacs are safe.

All Pre-2009 Mac Minis are safe.

All Pre-Santa Rosa MacBooks are safe.

All Pre-Santa Rosa MacBook Pros are safe.

Most machines that top out at 10.7.5 are safe.

Anything that officially supports 10.8+ contains ME.
 

Raging Dufus

macrumors 6502
Original poster
Aug 2, 2018
409
650
Kansas USA
Now how about this?

https://everymac.com/systems/apple/imac/specs/imac-core-2-duo-2.33-24-inch-specs.html

This was the last iMac before the Aluminum line, manufactured in late 2006, before the May 2007 cutoff. Although only 3 GB RAM is officially supported, people have gotten it to access 4 GB.

Therefore it is not 945-based?

I still say Core Duo should be the limit, bar perhaps the Mini.

Simplifies things.
Here are specs for my Mac Mini: https://everymac.com/systems/apple/mac_mini/specs/mac-mini-core-2-duo-2.0-specs.html

Note that it also says 4 GB max RAM, but Apple only ever officially supported 3 GB RAM on these. I think that's common to everything on @Amethyst1's list.

EDIT: seems you beat me to it.
 

Jubadub

macrumors regular
Nov 1, 2017
198
232
[...] Intel (and possibly other?) CPUs.
When the (nearly-confirmed) switch from Intel to ARM occurs, that's something to beware and investigate, as well. I forgot where I had read about it, but I think there was something similar on some ARM CPUs.

Also, for anyone who has an AMD-based Hackintosh (which only exists in Hackintosh form, as Apple never adopted their processors), there's their equivalent of Intel ME, called AMD Platform Security Processor (PSP), to beware. The year cut-off is quite a bit further ahead (2013), but it's still worth mentioning.

Note: Seems libreboot.org went offline today. Odd timing. Google has it cached, though.

Outside of the Mac scope, for anyone interested in avoiding all the processor-level backdoors in future investments, there's the POWER9-based (PowerPC) Talos II, Talos II Lite and Blackbird by Raptor. On the less-expensive, but less-performant, x86/x64 front, computers that use the ASUS KGPE-D16 motherboard + a PSP-free AMD CPU ("Interlagos" family recommended, see also this). Those are the highest-end options for both architectures. (Note: for x86, Libreboot or, less-preferably, Coreboot is required for proper privacy on affected processors.)

Some websites sell the latter, like Technoethical. Raptor themselves sell the Talos family of computers.
If investing in the future of personal computing privacy, between the two options, it's better to buy a Talos family computer. (They are also absurdly powerful: the highest-end model is a 2-processor 44-core 196-thread computer (Talos II)! The lowest end is a single processor with 4 cores and 16 threads on Blackbird (some PC vendors would perhaps market that as "16-core"), which is still insanely powerful (120 MB of L3 cache, anyone? PCIe 4.0?).)
 

Amethyst1

macrumors 68000
Oct 28, 2015
1,746
2,157
Now how about this?

https://everymac.com/systems/apple/imac/specs/imac-core-2-duo-2.33-24-inch-specs.html

This was the last iMac before the Aluminum line, manufactured in late 2006, before the May 2007 cutoff. Although only 3 GB RAM is officially supported, people have gotten it to access 4 GB.

Therefore it is not 945-based?

I still say Core Duo should be the limit, bar perhaps the Mini.

Simplifies things.
It is 945-based. It's just the regular 2006 24in iMac with a T7600 instead of a T7400.

Before Nehalem, the ME was entirely a "feature" of the chipset, regardless of the CPU. A limit to Core Duo isn't necessary.
Outside of the Mac scope, for anyone interested in avoiding all the processor-level backdoors in future investments, there's the POWER9-based (PowerPC) Talos II, Talos II Lite and Blackbird by Raptor. On the less-expensive, but less-performant, x86/x64 front, computers that use the ASUS KGPE-D16 motherboard + a PSP-free AMD CPU ("Interlagos" family recommended, see also this). Those are the highest-end options for both architectures. (Note: for x86, Libreboot or, less-preferably, Coreboot is required for proper privacy on affected processors.)
PSP or not, I would never go for a Bulldozer-based CPU. Hot-running, power-hungry and lacking in performance - in a word, horrible. I'd rather pick an older Opteron 6100 (Magny Cours). 12 real cores (not that SMT pseudo-core ****) per CPU anyone?
 

vddrnnr

macrumors 6502
Jan 23, 2017
430
573
Hi Jubadub,

I read the libreboot page and, if I understood correctly, it is only able to use PCI/PCI-e devices; there is no USB. Also, the software for those devices is not like in Windows, where it is recognised as a true wireless device: in OS X they simulate an Ethernet device, but inside it is different because it uses the wireless stack, though not the way Apple does it (it's not AirPort).

I think at least it will not allow for such an easy control by the CPU.

I also found this, which has some more information on ME vulnerabilities.

https://apple.stackexchange.com/questions/306959/intel-management-engine-is-macos-vulnerable

Best regards,
voidRunner
 

Amethyst1

macrumors 68000
Oct 28, 2015
1,746
2,157
Most machines that top out at 10.7.5 are safe.
Elaborating, the Late 2007/Early 2008 white MacBooks and the Early 2008 MacBook Air top out at 10.7.5 due to the GMA X3100 yet have the ME.
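Both the 945-versus-965 heuristic in z970mp's summary and the caveat just above (a machine can top out at 10.7.5 and still carry the ME) come down to one question: which chipset is on the board, and is the ME's host interface enumerated? The following is an added example, not code from the thread or from any of the projects it mentions. It applies the thread's chipset rule to `lspci`-style output (as you would get from a Linux live USB on one of these Macs) and cross-checks it against the direct evidence, the ME host interface showing up as a PCI "MEI" or "HECI" communication controller. The sample lspci lines are constructed in the shape lspci prints and are not captured from the machines discussed; the family-name matching on "945"/"965" is the thread's own rule, not an Intel-published test.

```python
"""Added example (not from the MacRumors thread): apply the thread's chipset
heuristic (945 = no ME, 965 = ME) to lspci output and cross-check it against
the ME host interface (MEI/HECI) being enumerated as a PCI device.
Sample lspci lines below are constructed for this example."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# "00:00.0 Host bridge: Intel ..." with or without lspci -nn's "[0600]" class id.
HOST_BRIDGE_RE = re.compile(r"^\S+\s+Host bridge(?: \[[0-9a-f]{4}\])?:\s*(?P<name>.+)$")
# lspci names the ME's host-side interface "MEI Controller" or "HECI Controller".
MEI_RE = re.compile(r"\b(MEI|HECI)\b")


@dataclass
class MeReport:
    host_bridge: Optional[str]
    chipset_family: str            # "945", "965" or "unknown"
    mei_device_present: bool
    verdict: str                   # "no-me", "me-present" or "me-possible"
    notes: List[str] = field(default_factory=list)


def chipset_family(host_bridge: Optional[str]) -> str:
    """Classify the host bridge by the family numbers the thread uses."""
    if host_bridge is None:
        return "unknown"
    if "945" in host_bridge:
        return "945"
    if "965" in host_bridge:
        return "965"
    return "unknown"


def classify_lspci(lspci_text: str) -> MeReport:
    """Combine chipset inference with direct MEI-device evidence."""
    host_bridge = None
    mei_present = False
    for line in lspci_text.splitlines():
        m = HOST_BRIDGE_RE.match(line)
        if m and host_bridge is None:
            host_bridge = m.group("name").strip()
        if "Communication controller" in line and MEI_RE.search(line):
            mei_present = True

    family = chipset_family(host_bridge)
    notes: List[str] = []
    if mei_present:
        # An enumerated MEI device is direct evidence, whatever the bridge says.
        verdict = "me-present"
        if family == "945":
            notes.append("MEI device found despite a 945-named host bridge; "
                         "trust the device and re-check the chipset reading")
    elif family == "945":
        verdict = "no-me"
    elif family == "965":
        # Firmware can leave the host interface unenumerated, so a missing
        # PCI device does not prove the ME is absent on a 965 platform.
        verdict = "me-present"
        notes.append("inferred from 965 chipset; MEI device not exposed")
    else:
        verdict = "me-possible"
        notes.append("host bridge not recognised; check board documentation")
    return MeReport(host_bridge, family, mei_present, verdict, notes)


# Constructed samples in lspci's output shape (not captured from real Macs).
SAMPLE_945 = """\
00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS, 943/940GML and 945GT Express Memory Controller Hub (rev 03)
00:02.0 VGA compatible controller: Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)
"""
SAMPLE_965 = """\
00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:03.0 Communication controller: Intel Corporation Mobile PM965/GM965 MEI Controller (rev 0c)
00:1f.0 ISA bridge: Intel Corporation 82801HM (ICH8M) LPC Interface Controller (rev 03)
"""
SAMPLE_965_HIDDEN = "\n".join(l for l in SAMPLE_965.splitlines() if "MEI" not in l)

if __name__ == "__main__":
    # Live use: run lspci on the machine being checked (Linux).
    out = subprocess.run(["lspci"], capture_output=True, text=True, check=False).stdout
    print(classify_lspci(out))
```

Run it from a Linux live environment on the Mac in question; the `notes` field is where the caveats land, so a "me-present" verdict with a "not exposed" note tells you the conclusion rests on the chipset rule rather than on a visible device.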
 

sparty411

macrumors 6502
Nov 13, 2018
483
405
It is 945-based. It's just the regular 2006 24in iMac with a T7600 instead of a T7400.

Before Nehalem, the ME was entirely a "feature" of the chipset, regardless of the CPU. A limit to Core Duo isn't necessary.

PSP or not, I would never go for a Bulldozer-based CPU. Hot-running, power-hungry and lacking in performance - in a word, horrible. I'd rather pick an older Opteron 6100 (Magny Cours). 12 real cores (not that SMT pseudo-core ****) per CPU anyone?
Aren't the Opteron 6xxx series all Bulldozer parts?
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,928
1,669
Regarding Libreboot: yes, running Libreboot will keep you safe from Intel's ME security mess, but you will not get firmware updates that could fix other vulnerabilities, such as the Spectre and Meltdown family, as well as others.

(this is coming from someone who runs Libreboot on an X200)
 

Jubadub

macrumors regular
Nov 1, 2017
198
232
Regarding Libreboot: yes, running Libreboot will keep you safe from Intel's ME security mess, but you will not get firmware updates that could fix other vulnerabilities, such as the Spectre and Meltdown family, as well as others.

(this is coming from someone who runs Libreboot on an X200)
I thought the Linux/BSD kernel itself addressed those vulnerabilities? Though, again, memory is foggy on that one. It could very well be a firmware-level fix. I remember IBM working on addressing it for POWER9 etc., after all, in some way.

Oh well, that means the only true option is indeed PowerPC with Raptor!
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,928
1,669
I thought the Linux/BSD kernel itself addressed those vulnerabilities? Though, again, memory is foggy on that one. It could very well be a firmware-level fix. I remember IBM working on addressing it for POWER9 etc., after all, in some way.

Oh well, that means the only true option is indeed PowerPC with Raptor!
A little bit of both. Intel did issue microcode updates and most operating systems did something to address the issue, with varying degrees of success. We are still seeing both CVEs and fixes rolled out every few months, so things are very much in flux. OpenBSD actually disabled SMT outright (there is a sysctl knob to turn it back on if you want it).

Alternative architectures like PowerPC and modern POWER systems are interesting because they were not the targets of most of the research, but could be susceptible. IBM did issue fixes for some vulnerabilities in the Power family (https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/). Even older PowerPC CPUs may be vulnerable, though somewhat less so than modern amd64 stuff from Intel and AMD: https://tenfourfox.blogspot.com/2018/01/more-about-spectre-and-powerpc-or-why.html
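The post above makes the practical point that Spectre/Meltdown-class fixes are split between microcode, kernel and configuration (OpenBSD turning SMT off outright), so whether a given box is actually covered has to be audited rather than assumed. As an added example that is not code from the thread, the block below reads the Linux kernel's own reporting of that state, the files under `/sys/devices/system/cpu/vulnerabilities/` and `/sys/devices/system/cpu/smt/active`, and flags two defender-relevant conditions: an issue the kernel reports as unmitigated, and a mitigation the kernel itself annotates as "SMT vulnerable" while SMT is still active. The sample file contents are constructed in the kernel's output shape, not captured from a real machine; OpenBSD's `hw.smt` sysctl that the post refers to is not modelled here.

```python
"""Added example (not from the thread): audit Spectre/Meltdown mitigation
state from the Linux kernel's sysfs reporting. Sample contents below are
constructed in the kernel's output shape, not captured from a real host."""
import os
from typing import Dict, List

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
SMT_ACTIVE = "/sys/devices/system/cpu/smt/active"


def classify_status(line: str) -> str:
    """Map one sysfs vulnerability line to a coarse status."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not-affected"
    if text.startswith("Mitigation:"):
        # The kernel appends "SMT vulnerable" when the fix only holds with SMT off.
        return "mitigated-smt-caveat" if "SMT vulnerable" in text else "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(vulns: Dict[str, str], smt_active: str) -> Dict[str, object]:
    """Summarise per-issue status and list the conditions worth acting on."""
    statuses = {name: classify_status(line) for name, line in vulns.items()}
    smt_on = smt_active.strip() == "1"
    findings: List[str] = []
    for name in sorted(statuses):
        status = statuses[name]
        if status == "vulnerable":
            findings.append(f"{name}: unmitigated ({vulns[name].strip()})")
        elif status == "mitigated-smt-caveat" and smt_on:
            findings.append(f"{name}: mitigation assumes SMT off, but SMT is active")
    return {"statuses": statuses, "smt_active": smt_on, "findings": findings}


def read_live() -> Dict[str, object]:
    """Collect the real sysfs files on a Linux host (empty elsewhere)."""
    vulns: Dict[str, str] = {}
    if os.path.isdir(VULN_DIR):
        for name in os.listdir(VULN_DIR):
            with open(os.path.join(VULN_DIR, name)) as fh:
                vulns[name] = fh.read()
    smt = "0"
    if os.path.exists(SMT_ACTIVE):
        with open(SMT_ACTIVE) as fh:
            smt = fh.read()
    return audit(vulns, smt)


# Constructed sample shaped like kernel output on an older Intel laptop
# whose microcode was never updated for MDS.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines; STIBP: disabled; RSB filling\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
}

if __name__ == "__main__":
    for finding in read_live()["findings"]:
        print(finding)
```

The split between "mitigated" and "mitigated-smt-caveat" is the part that matters for the OpenBSD comparison: on Linux the kernel leaves SMT on by default and only annotates the risk, so an audit has to read both the vulnerability files and the SMT state together to reach the same conclusion OpenBSD reaches by policy.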
 