On Sat, 02 Dec 2017 03:11:23 -0500
Post by Rupert Gallagher
IME (vPro) is included in Xeon and Core chips. Atom is clear of it. Just checked.
Perhaps the older ones but I doubt that. The latest Atom Apollo Lake E3s
even PROVIDE "Access to user memory". Which I believe means the entire
RAM and if so is quite ridiculous!!
I am sure it will change; however, the current working exploits require
access to a USB port, though the OS has access and could turn malware
into HW resident malware. OpenBSD is as good a protection as you will
get there though and probably even better for future exploits. I am
still unclear as to whether a properly set up Trusted Execution Engine
can protect the system. I guess from persistent firmware invasion but
not protect kernel memory access or prevent an attacker gaining
knowledge for gadgets (if can get to a Debug USB from userland) or
Reminds me of IPv6 to some degree but worse. Take a small problem and
expand it until you have potential for undermining everything.
The most ironic is Intel's recent adverts for not trusting software
but HW instead. Can be true in an application specific fashion but
even then it has to be done right.
Unfortunately the latest hardware is much cheaper so it isn't
necessarily as simple as just using some older stuff that may just be
less understood, unless you go further into obsolescence territory. AMD
is *maybe* an option but they are moving higher end not cheaper by the
looks of it.