The Computer in your Computer — The Intel Management Engine
Intel is one of the biggest semiconductors in the world and inventor of the x86 architecture. In the last years, Intel invented a couple of Trust Technologies. One of the first was the Intel Management Engine, called Intel ME.
Intel Management Engine
The Intel Management Engine is an autonomous part within the Platform Controller Hub (PCH) on your mainboard, which can control everything: Turning your computer on/off and log into your computer regardless if an operating system is installed or not. The Intel ME firmware resides in the internal flash which sits on each mainboard. When the CPU starts, it loads the firmware into the PCH. Without the Intel ME, your computer or server system will not be able to boot. There are some ways to disable or reduce the functionality of the Intel ME.
In the Ring Terminology, it lives in Ring -3. But what are these Rings about?
The Ring Terminology
The Linux Kernel Privilege Levels are normally described in rings. These protection rings are mechanisms to protect the user and are formally named hierarchical protection domains.
The most important rings are:
- Ring 3: Ring 3 is the userspace. It is most restricted and has the least amount of privileges.
- Ring 0: Ring 0 is the operating system kernel. It has the most amount of privileges (you might think)
In the last decades, a couple of functionality has been added, such that the normal ring model does not apply anymore. Thus rings from -1 to -3 have been introduced:
- Ring -1: Ring -1 is the hypervisor. The hypervisor like Xen or KVM has more access right than the operating system which runs in the container started by the hypervisor — naturally.
- Ring -2: Ring -2 is the System Management Mode (SMM). The SMM is proprietary code that is used to handle system-wide functionalities like power management.
- Ring -3: Ring -3 is the Management Engine. This means it has more access…
