A few days back, researchers from Positive Technologies described how they broke into the Intel Management Engine (ME). Although Intel fixed the vulnerabilities by releasing firmware patches, the researchers warned that an attacker could downgrade the ME firmware to a vulnerable version and exploit the bugs again.
Currently, Intel ME relies on software-based checks to prevent firmware downgrades. Now Intel has taken hardware-based measures to prevent such rollbacks.
According to a confidential Technical Advisory posted on GitHub, the company plans to burn the firmware's SVN (Security Version Number) into Field Programmable Fuses (FPFs), one-time-programmable hardware whose bits can be blown but never reset, “as a means to mitigate physically downgrading the ME chip firmware.” The SVN is raised with firmware updates that fix security issues, so a lower SVN identifies an image with known vulnerabilities.
The anti-rollback protection will be available for Cannon Lake and Coffee Lake processors with Intel ME 12 and above. With it enabled, the platform boots only when the SVN of the firmware image is greater than or equal to the SVN stored in the FPFs. Because fuses can only be blown, not restored, the stored value can only ever go up, so an image with a lower SVN is rejected even if an attacker with physical access reflashes it.
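To make the difference between the current software-based check and the fuse-based one concrete, here is a small C model added for this article. It is not Intel's code, and the 16-bit fuse bank, the unary SVN encoding, the SVN values and all function names are assumptions made for the illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a Field Programmable Fuse bank for this example.
 * Assumptions (not Intel's real layout): a 16-bit fuse word in which each bit
 * is one-time programmable, so hardware can burn a 0 to 1 but never clear a 1.
 * The SVN is stored in unary (thermometer code): SVN n = lowest n bits burned. */
#define FPF_BITS 16
typedef struct { uint16_t bits; } fpf_bank_t;

/* SVN currently burned into the fuses = number of set bits. */
static unsigned fpf_read_svn(const fpf_bank_t *f) {
    unsigned n = 0;
    for (uint16_t b = f->bits; b != 0; b >>= 1) n += b & 1u;
    return n;
}

/* Program the fuses so they hold at least `svn`. Bits are OR-ed in, which is the
 * only operation a fuse supports. Returns true only if the bank now reads `svn`;
 * a request to lower the SVN leaves the fuses unchanged and returns false. */
static bool fpf_program_svn(fpf_bank_t *f, unsigned svn) {
    if (svn > FPF_BITS) return false;
    f->bits |= (uint16_t)((1u << svn) - 1u);   /* one-way: 0 -> 1 only */
    return fpf_read_svn(f) == svn;
}

/* Boot gate as described in the advisory: the image may run only if its SVN is
 * greater than or equal to the SVN held in the fuses. */
static bool fpf_boot_allowed(unsigned fw_svn, const fpf_bank_t *f) {
    return fw_svn >= fpf_read_svn(f);
}

/* Contrast: a software-based scheme keeps the minimum SVN in rewritable flash.
 * Whoever can write the flash chip (an SPI programmer is enough) can lower it. */
typedef struct { unsigned min_svn; } flash_record_t;

static void flash_set_min_svn(flash_record_t *r, unsigned svn) {
    r->min_svn = svn;   /* any value accepted; nothing enforces monotonicity */
}

static bool flash_boot_allowed(unsigned fw_svn, const flash_record_t *r) {
    return fw_svn >= r->min_svn;
}

/* Scenario (constructed): machine ships with SVN 2, gets a security update to
 * SVN 3 (fuses burned to 3), then an attacker with physical access reflashes the
 * SVN 2 image and tries to reset the stored minimum. True if downgrade is blocked. */
static bool fuse_scenario_blocks_downgrade(void) {
    fpf_bank_t fuses = { 0 };
    if (!fpf_program_svn(&fuses, 2) || !fpf_boot_allowed(2, &fuses)) return false;
    if (!fpf_program_svn(&fuses, 3) || !fpf_boot_allowed(3, &fuses)) return false;
    bool rollback_accepted = fpf_program_svn(&fuses, 2);   /* attacker: try to lower */
    return !rollback_accepted && !fpf_boot_allowed(2, &fuses);
}

/* Same scenario against the flash-based record. True if the attacker succeeds
 * in booting the vulnerable SVN 2 image. */
static bool flash_scenario_allows_downgrade(void) {
    flash_record_t rec = { 0 };
    flash_set_min_svn(&rec, 2);
    flash_set_min_svn(&rec, 3);            /* legitimate update */
    flash_set_min_svn(&rec, 2);            /* attacker rewrites the record */
    return flash_boot_allowed(2, &rec);
}

int main(void) {
    printf("fuse-based SVN blocks downgrade:  %s\n",
           fuse_scenario_blocks_downgrade() ? "yes" : "no");
    printf("flash-based SVN allows downgrade: %s\n",
           flash_scenario_allows_downgrade() ? "yes" : "no");
    return 0;
}
```

The point the model shows is structural: the flash record can be rewritten to any value, so the minimum SVN it holds is only as trustworthy as the flash chip, while the fuse bank accepts only 0-to-1 transitions, so once SVN 3 has been burned no software or physical write can make the boot gate accept an SVN 2 image.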
For now the feature is disabled by default, though Intel intends to make it the default in the future; until then, Intel asks OEMs to enable it with the Intel Flash Image Tool (FIT). The fuse-based downgrade protection looks promising, but a machine whose OEM left the feature off remains as downgradable as before, and an attacker with physical access to the machine may still have other avenues.