Hello @OnePiece@Asus,

I have a question regarding the Intel Management Engine security vulnerability.

In december 2017 Asus made a statement: https://www.asus.com/us/support/FAQ/1034961/

In this FAQ statement from Asus, I fail to see my motherboard on the list (P8 Z77-V), to receive a security update regarding the Intel Management flaw.
But the P8 Z77-V motherboard uses IME version 11.0, which, according to Intel and Asus statement, is considered vulnerable. And Intel support says the motherboard manufacturer has to be adressed.

Is the P8Z77-V motherboard not going to receive the security patch for Intel Management Engine?
Regards
Mattersbro

Im a bit confused, hope someone can clarify. On the motherboard download page for my motherboard and in windows devicemanager it says IME driver version 11.0 .0.1155, but today I used the intel tool (INTEL-SA-00086) to detect whether my system is vulnerable, and it says IME firmware version is 8.0.2.1410.

Which is it? 11.0 or 8.0.2? Because 11.0 is considered vulerable. Or is driver version /= firmware version?

Mattersbro wrote:


Im a bit confused, hope someone can clarify. On the motherboard download page for my motherboard and in windows devicemanager it says IME driver version 11.0 .0.1155, but today I used the intel tool (INTEL-SA-00086) to detect whether my system is vulnerable, and it says IME firmware version is 8.0.2.1410.

Which is it? 11.0 or 8.0.2? Because 11.0 is considered vulerable. Or is driver version /= firmware version?

Ignore device manager, that's the driver version. You must patch

BogdanCiulei wrote:
Ignore device manager, that's the driver version. You must patch

So device manager version is not important? Its weird because the version number are so similar to the firmware numbers. How do I find out what version my IME is then, without the Intel tool?
Because according to Intel-tool everything is fine, it says IME version is 8.0 and doesn't require any patch. But as you can see on picture, motherboard driver download site it says IME Version 11.0.

I just want to know if the tool really has detected the correct IME version.

From my point of view, it is unacceptable for expensive high-performance Asus ROG G752VS laptop that:

1)
such a long time ELAN touchpad doesn't work ok in Windows, and doesn't work at all in Linux

[3.250831] i2c_hid i2c-ELAN1203:00: i2c-ELAN1203:00 supply vdd not found, using dummy regulator
[3.287631] hid-multitouch 0018:04F3:3043.0007: Ignoring the extra HID_DG_INPUTMODE
[3.287673] input: ELAN1203:00 04F3:3043 Touchpad as /devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1203:00/0018:04F3:3043.0007/input/input16
[3.287754] hid-multitouch 0018:04F3:3043.0007: input,hidraw6: I2C HID v1.00 Mouse [ELAN1203:00 04F3:3043] on i2c-ELAN1203:00

even if someone made an alternative touchpad firmware that fixes the problem both in Windows and Linux
https://rog.asus.com/forum/showthread.php?93405-G-752-VS-Touchpad-Gesture-Fix

2)
within BIOS settings no option exist to disable "USB charging"

3)
within BIOS settings no option exist to disable Intel Management Engine.

28 August 2017, Mark Ermolov and Maxim Goryachy
Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.
After unpacking the executable modules, our research team proceeded to examine the software and hardware internals of Intel ME.
A large number of XML files contain a lot of interesting information: the structure of ME firmware and description of the PCH strap, as well as special configuration bits for various subsystems integrated into the PCH chip. One of the fields, called "reserve_hap", drew our attention because there was a comment next to it: "High Assurance Platform (HAP) enable". Googling did not take long. The second search result said that the name belongs to a trusted platform program linked to the U.S. National Security Agency (NSA).

While we are waiting Asus announced reaction, here's another type of approach how to handle this most probably NSA back door:

- following the recent Intel Management Engine (ME) vulnerabilities combined with some engineering work the past few months on their end, System76 will begin disabling ME on their laptops;

- Purism has announced today (19 October 2017) all laptops to be shipping from their company will now have the Intel Management Engine (ME) disabled;

- Linux world: via an open-source, third-party tool called me_cleaner, it's now possible to disable & strip down Intel's ME blob.