It seems that Intel has more headaches than there is excedrin. The latest mess involves the Converged Security and Manageability Engine (CSME).
It has its own CPU, its own RAM, its own code in a boot ROM, and access to the rest of the machine. The most recent iterations are using an 40486 class processor. The operating system software is derived from the free microkernel operating system MINIX.
Ordinarily the CSME provides boot services, TPM services and IOMMU data structures. The CSME provides, among other things, something called Enhanced Privacy ID, or EPID. This is used for things like providing anti-piracy DRM protections, and Internet-of-Things attestation.
The boot ROM is read-only. The IOMMU’s reset defaults can’t be changed either without replacing the silicon. So, Intel chipsets out in people’s computers are stuck with the vulnerability.
Generally while a poor design, there is a key stored in the logic that is of concern. If that key is extracted it could become a dangerous malware hole that would be a grin on even the more cynical NSA agent.
Only the most recent 10th gen processors are safe rom this problem. A BIOS update can mitigate most of the problems as long as the secret key is not broken.
Most motherboards have a header for a TPM module, one of these would replace the security of bitlocker to a known safe device. This will eliminate the risk of data decryption. The TPM chip can tell if it has been tampered with as well by design. The TPM chip is widely used with mobile machines used by government agencies.
CVE-2019-0090 is the assigned case. Intel has a page on this as well. A report from Positive Technologies suggested Intel’s fixes have not completely eliminated the weaknesses.
The only real solution is to replace old machines with new ones using the Intel 10th gen processors.