Librem hardware not affected, Purism guarantees

Mar 23, 2020 06:27 GMT

Intel vulnerabilities are becoming increasingly common, with researchers recently coming across a new issue that could allow a malicious actor to extract the hardware signing keys from a computer.

The security flaw, tracked as CVE-2019-0090, is worrying for everyone whose devices might be impacted, especially as the number of exploits launched by attackers with local access could grow in the short term.

But if you’re using a Librem Linux laptop launched by Purism, you’re perfectly safe, as the company says its implementation of the Intel ME doesn’t allow an attacker to exploit the flaw on its Intel-based computers.

“The reason our hardware isn’t vulnerable to this ME vulnerability is similar to why we haven’t been vulnerable to past ME exploits like a recent AMT vulnerability,” Purism explains.

“For starters, we disable and neutralize the ME to remove all but the most essential modules, which for past exploits (such as AMT vulnerabilities) has meant there was nothing to exploit. For CVE-2019-0090, the attack is against a core and fundamental module we do include, however because we do not use Intel hardware signing keys for root of trust at all, it attacks features we don’t use.”

Full protection

It doesn't stop there. Librem Intel-based computers, including the mini-PC, laptops, and servers, aren't affected because the vulnerability targets a feature Purism doesn't use in the first place, and additional protections have also been put in place through the PureBoot firmware.

“This is because the contents of the ME is part of the PureBoot firmware image and is among the things that PureBoot tests for tampering. Someone who could modify the ME with an exploit would trigger a PureBoot alert the next time the user turns on the computer,” Purism notes.
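The tamper check Purism describes can be pictured as a measure-and-compare step over the firmware image. The sketch below is an added example, not PureBoot's code: it uses a TPM-style hash-extend register, and the region names, region contents and helper names are all constructed for illustration.

```python
import hashlib
import hmac


def extend(register: bytes, data: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(data))."""
    return hashlib.sha256(register + hashlib.sha256(data).digest()).digest()


def measure(regions: dict) -> tuple:
    """Measure regions in order; return (final register, per-region digests)."""
    register = bytes(32)  # register starts zeroed at reset
    digests = {}
    for name, blob in regions.items():
        digests[name] = hashlib.sha256(blob).hexdigest()
        # Bind the region name to its contents so regions cannot be swapped.
        register = extend(register, name.encode() + b"\x00" + blob)
    return register, digests


def check_boot(trusted: tuple, regions: dict) -> tuple:
    """Compare the current image with the trusted baseline.

    Returns (ok, names of regions whose contents differ from the baseline).
    """
    trusted_register, trusted_digests = trusted
    register, digests = measure(regions)
    ok = hmac.compare_digest(register, trusted_register)
    names = set(digests) | set(trusted_digests)
    changed = sorted(n for n in names if digests.get(n) != trusted_digests.get(n))
    return ok, changed


def sample_image() -> dict:
    """Constructed stand-in for a flash image (not a real layout)."""
    return {
        "descriptor": b"\x5a\xa5\xf0\x0f" + bytes(12),
        "me": b"ME-NEUTRALIZED" * 8,
        "bios": b"coreboot+payload" * 8,
    }


def flip_bit(regions: dict, name: str, offset: int) -> dict:
    """Return a copy of the image with one bit changed in one region."""
    out = dict(regions)
    blob = bytearray(out[name])
    blob[offset] ^= 0x01
    out[name] = bytes(blob)
    return out


if __name__ == "__main__":
    baseline = measure(sample_image())  # recorded while the image is trusted
    print(check_boot(baseline, sample_image()))
    print(check_boot(baseline, flip_bit(sample_image(), "me", 5)))
```

A single changed bit in the ME region produces a different final register value, so the comparison fails on the next boot and the per-region digests identify which region changed.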

While the Librem lineup of hardware is not affected by this security flaw, that doesn't mean all Linux systems are protected. The vulnerability affects all computers running on the vulnerable Intel platform.