All Intel processors and the associated chipsets contain a so-called Management Engine (ME), which Intel now calls Converged Security and Management Engine (CSME). The latest version CSME 15. 0 debuted in the current mobile processors “Tiger Lake” of the eleventh Core-i generation.

In the 15 – page “CSME Security Whitepaper” Intel now explains many functions of the CSME as well as the innovations of the version 15. 0, which among other things improves the protection against attacks and manipulation. Accordingly, some security algorithms have been strengthened in order to make decryption with future quantum computers more difficult (Post-Quantum Cryptography, PQC). This applies to AES (now 256 bit), RSA key (3072 Bit), Elliptic-Curve Cryptography (ECC – 384) and SHA-2 digests (also 384 Bit).

ODCA instead of EPID Intel has also built in new functions to be able to react reliably with firmware updates in the event of an attack on essential cryptographic signatures and certificates. This is one of the reasons why Intel is replacing the Enhanced Privacy ID (EPID) previously used in the CSME with an On-Die Certificate Authority (ODCA). With the help of the ODCA, after a firmware update, the CSME can generate new security certificates for internal firmware functions without establishing a server connection.

The CSME generates and manages numerous cryptographic Key.

(Image: Intel)

The CSME 15. 0 is also the basis of the Control-Flow Enforcement Technology (CET) introduced with Tiger Lake to protect against attacks with Return-Oriented Programming (ROP) through Shadow Stack (SHSTK) and Indirect Branch Tracking (IBT). In addition, the CSME manages the keys for Total Memory Encryption (TME).

With CSME 15. 0, Intel also isolates different internal CSME functions from each other even more in order to limit the effects of a successful attack on one of these functions. As usual, according to its own information, Intel tries to keep the code scope of the basic security functions (Trusted Computing Base, TCB) as small as possible in order to reduce the probability of errors (minimum TCB). The CSME uses the Minix operating system with microkernel architecture.

(ciw)