Slashdot Mirror

Interesting thing is that PCID predates INVPCID. And you can get some of the effects of an INVPCID on a processor which only supports PCID.

I.e.

http://forum.osdev.org/viewtop...

MOV to CR3. The behavior of the instruction depends on the value of CR4.PCIDE:

If CR4.PCIDE = 0, the instruction invalidates all TLB entries associated with PCID 000H except those for global pages. It also invalidates all entries in all paging-structure caches associated with PCID 000H.

If CR4.PCIDE = 1 and bit 63 of the instructionâ(TM)s source operand is 0, the instruction invalidates all TLB entries associated with the PCID specified in bits 11:0 of the instructionâ(TM)s source operand except those for global pages. It also invalidates all entries in all paging-structure caches associated with that PCID. It is not required to invalidate entries in the TLBs and paging-structure caches that are associated with other PCIDs.

If CR4.PCIDE = 1 and bit 63 of the instructionâ(TM)s source operand is 1, the instruction is not required to invalidate any TLB entries or entries in paging-structure caches.

See
https://www.intel.com/content/... page 145

This chap tried it, and apparently it works

http://www.dumais.io/index.php...

I.e. with bit 63 and 0:11 set to PCID a write to CR3 works like INVPCID in processors which don't have INVPCID.

This actually makes a difference. My 2012 Macbook pro has a

machdep.cpu.brand_string: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 PCLMULQDQ DTES64 MON DSCPL VMX EST TM2 SSSE3 CX16 TPR PDCM SSE4.1 SSE4.2 x2APIC POPCNT AES PCID XSAVE OSXSAVE TSCTMR AVX1.0 RDRAND F16C

I.e. assuming the patches know the bit 63 set in writes to cr3 trick, they should be able to do page table invalidation per PCID even on rather old chips.

It looks like KAISER on Linux supports/will support this

https://github.com/nathanchanc...

https://lkml.org/lkml/2017/11/... [currently down(!) but the title is "Subject [PATCH 4/6] x86/mm/kaiser: Support PCID without INVPCID"]

https://newsroom.intel.com/edi...
https://newsroom.intel.com/wp-...
i7 8700K Windows 10 SSD
SYSMark 2014 SE Responsiveness 88%

So even then it's a larger impact than 10%. On the latest processor. But the system used had their 600p SSD which is really slow. How about the 960 Pro or their Optane stuff?

As for what the responsiveness test actually test I don't know (may be possible to google that) but file-performance and virtualization may be worse.

There will be cases where the impact is beyond 10%, a 10% average would be pretty crappy. Mind you that you can get a B350 board and a Ryzen 5 1600 processor for about half the price of a Z370 board and an Intel i7 8700K.

https://newsroom.intel.com/edi...
https://newsroom.intel.com/wp-...
i7 8700K Windows 10 SSD
SYSMark 2014 SE Responsiveness 88%

So even then it's a larger impact than 10%. On the latest processor. But the system used had their 600p SSD which is really slow. How about the 960 Pro or their Optane stuff?

As for what the responsiveness test actually test I don't know (may be possible to google that) but file-performance and virtualization may be worse.

There will be cases where the impact is beyond 10%, a 10% average would be pretty crappy. Mind you that you can get a B350 board and a Ryzen 5 1600 processor for about half the price of a Z370 board and an Intel i7 8700K.

According to Intel the 100W TDP parts i7-8809G, https://ark.intel.com/products..., and i7-8709G, https://ark.intel.com/products..., are for mobile use.

Are they now trying to melt there CPU's literally?

According to Intel the 100W TDP parts i7-8809G, https://ark.intel.com/products..., and i7-8709G, https://ark.intel.com/products..., are for mobile use.

Are they now trying to melt there CPU's literally?

Looks like Intel might already have a solution:

https://software.intel.com/en-...

Thank you for noting that you're not 100% sure it's right, and for the excellent summary. There's a ton of misinformation going around, especially with 0100010001010011 dude on Slashdot repeatedly posting that Meltdown is INTEL ONLY, which is false, as some ARM products are affected. What is true is that Meltdown does not affect AMD and affects only a few of ARM's processors.

As you state, it's important to rely on the original sources. Here is each CPU vendor's response to the security issues:
https://www.amd.com/en/corpora...
https://www.intel.com/content/...
https://developer.arm.com/supp...

Here are two corrections to make:
1) Meltdown:
One of your bold statements "AMD and ARM are not affected" is untrue. See here, from ARM directly:
https://developer.arm.com/supp...

ARM has confirmed that A75 is vulnerable to Meltdown. In addition, A15, A57, and A72 are vulnerable to a variant of Meltdown (Variant 3a) which ARM has added. ARM has stated that they believe this variant is NOT exploitable, however, there is already userspace code out there that can do some limited exploits:
https://github.com/lgeek/spec_...

AMD is not affected by Meltdown, in any form. From AMD's press release:
https://www.amd.com/en/corpora...

2) Variant 1: While other vendors may require application changes to address this issue, AMD appears to be able to address this with an OS update, based on their post:
https://www.amd.com/en/corpora...


Summary:
Variant 1: Some manufacturers (ARM) appear to not be able to fix it and are recommending compiler changes, but AMD will fix this in OS updates. Unclear how Intel is addressing this vulnerability.
Variant 2: Correct, from what I can tell.
Variant 3 (Meltdown): Affects nearly all Intel (within the last 10 years) and ARM A75 chips. AMD not affected.
Variant 3a (Modified Meltdown): Affects a larger set of high performance ARM chips

Finally, Intel has done a terrible job (intentionally?) at conflating the two issues, which is unfair. These are 3 separate security issues, with their own priorities and impacts. If you read Intel's official press release for this issue, there's no differentiation between variants 1-3, like there is for AMD and ARM:
https://www.intel.com/content/...

Thank you for noting that you're not 100% sure it's right, and for the excellent summary. There's a ton of misinformation going around, especially with 0100010001010011 dude on Slashdot repeatedly posting that Meltdown is INTEL ONLY, which is false, as some ARM products are affected. What is true is that Meltdown does not affect AMD and affects only a few of ARM's processors.

As you state, it's important to rely on the original sources. Here is each CPU vendor's response to the security issues:
https://www.amd.com/en/corpora...
https://www.intel.com/content/...
https://developer.arm.com/supp...

Here are two corrections to make:
1) Meltdown:
One of your bold statements "AMD and ARM are not affected" is untrue. See here, from ARM directly:
https://developer.arm.com/supp...

ARM has confirmed that A75 is vulnerable to Meltdown. In addition, A15, A57, and A72 are vulnerable to a variant of Meltdown (Variant 3a) which ARM has added. ARM has stated that they believe this variant is NOT exploitable, however, there is already userspace code out there that can do some limited exploits:
https://github.com/lgeek/spec_...

AMD is not affected by Meltdown, in any form. From AMD's press release:
https://www.amd.com/en/corpora...

2) Variant 1: While other vendors may require application changes to address this issue, AMD appears to be able to address this with an OS update, based on their post:
https://www.amd.com/en/corpora...


Summary:
Variant 1: Some manufacturers (ARM) appear to not be able to fix it and are recommending compiler changes, but AMD will fix this in OS updates. Unclear how Intel is addressing this vulnerability.
Variant 2: Correct, from what I can tell.
Variant 3 (Meltdown): Affects nearly all Intel (within the last 10 years) and ARM A75 chips. AMD not affected.
Variant 3a (Modified Meltdown): Affects a larger set of high performance ARM chips

Finally, Intel has done a terrible job (intentionally?) at conflating the two issues, which is unfair. These are 3 separate security issues, with their own priorities and impacts. If you read Intel's official press release for this issue, there's no differentiation between variants 1-3, like there is for AMD and ARM:
https://www.intel.com/content/...

ARM (and AMD) may be susceptible to the lesser of the two [evil] exploits... but the impact for that second one is considerably less than Meltdown (which is specific to Intel only).

That's incorrect. Per Apple's statement, all of Apple's ARM designs except the watch are vulnerable to meltdown. Also, the Cortex-A75 is vulnerable to meltdown. I agree that the initial PR spin from Intel was pretty ridiculous, but the good news is it looks like some engineers at Intel released a actual technical response. Reading through the whitepaper, it looks like Intel has figured out how to patch both meltdown and spectre on existing chips using a combination of microcode updates and OS updates.

Is this a bug in Intel hardware or processor design?

No. This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel says yours falls under 4th Generation Intel Core processors. The PC World article you point to says 4th Generation Intel Core processors are affected.

Where do you find that it is not affected ?

Funny thing is that this bug is almost an example of Intel throttling old hardware. The KPTI fix is apparently less of a performance hit if you have a new Intel CPU with PCIDs

https://www.theregister.co.uk/...

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features - such as PCID - to reduce the performance hit. Your mileage may vary.

PCID - Process Context ID - means you can tag the TLB entries with a 11 bit process ID.

http://forum.osdev.org/viewtop...

Also, the Intel manual says bit 0-11 of CR3 is used as the PCID. Does it somehow related to the usual process id user mode code see? If yes, does it mean it imposes a limit on the # of user processes (4096) allowed ?

Which means you don't need to flush the whole TLB - you just invalidate the ones which belong to a process you're switching away from

http://linuxeco.com/?p=488

A PCID is a 12-bit identifier, and may be thought of as a "Process-ID" for TLBs. If CR4.PCIDE = 0 (but 17 of CR4), the current PCID is always 000H; otherwise, the current PCID is the value of bits 11:0 of CR3. Non-zero PCIDs are enabled by setting the PCIDE flag (bit 17 of CR4).

When a logical processor creates entries in the TLBs (Section 4.10.2 of the x86 prog reference manual) and paging structure caches (Section 4.10.3), it associates those entries with the current PCID (Oh ... such a loose association of PCID with PID). Note that this means that where the PGD is located is somehow being interpreted in the PID "process context". When using entries in the TLBs and paging-structure caches to translate a linear address, a logical processor uses only those entries associated with the current PCID, and hence flushes of the TLB are avoided.

Presumably you could have on PCID value for the kernel and the other 4095 for tasks and not need to go a TLB flush when switching until the PCID value wrapped.

Of course that means you need a sufficiently recent Intel CPU.

https://software.intel.com/sit...

FMA, AVX2, BMI1, BMI2, INVPCID, LZCNT, TSX - Haswell and later

I.e. you need a Haswell 4xxx processor or later

https://en.wikipedia.org/wiki/...

At least for the Linux KPTI fix it seems like it does support PCID

https://lwn.net/Articles/74060...

- Integrated all fixes and Peters rewrite of the PCID/TLB flush code.

So does the macOS fix

https://www.macrumors.com/2018...

Ionescu also says that performance drop on a system with PCID (Process-Context Identifiers), available on most modern Macs, is "minimal," so most users may not see an impact on day-to-day Mac usage.

Of course if you have an 2012 Macbook Pro you've got an i5-3210M so you don't have PCID so you'll either have an insecure machine or a performance hit.

Interesting thing is if there was a class action lawsuit, I wonder if you could get Intel to give you a new CPU with PCID to minimise the impact of the bug fix.

I like how they've weaseled out of the whole fiasco (why didn't /. post a link to the original press release?):

"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time".

I'm not sure I can read between the lines properly but I guess new revisions of Coffee Lake/Kaby Lake/SkyLake(X) CPUs are coming and they will contain a hardware fix (though it still seems highly unlikely considering how difficult it's to deploy a new hardware design - however unlike other fabless companies, like AMD/NVIDIA/ARM/etc Intel has everything under control). After all they've known about this issue for almost half a year.

Meanwhile as for consumer workloads they are correct. Two German websites have already tested a Windows build with a fix and found very little performance losses.

Phoronix has also run a number of tests on Linux and found out that only few (mostly artificial) tasks are seriously affected.

Intel home users may sleep well. As for enterprise customers no one has run virtualization tests yet though - that's what truly important for large deployments (clouds).

Well you can still get these

https://www.newegg.com/Product...

Problem is look at the CPU

https://ark.intel.com/products...

A Cherry Trail Atom at 1.44 to 1.92 Ghz is going to be a bit underpowered even if all you want to do is run Chrome.

Honestly I wouldn't buy anything with less than an i5 M - I don't even like the U series Core i5s. Of course that means that you're probably looking at a 13 inch machine.

the only possible way Linux will gain ground is if you can run multiple OS's at the same time the same way we run applications at the same time. It has to be as easy as switching apps on a windows 8 taskbar. That would require a company like AMD to build it into the hardware/bios.

Would it be anything like Intel VT?

And if so, Microsoft would probably add a restriction forbidding virtualization of OEM licensed Windows. Oh wait: it already does. Pony up $119.99 if you want to run Windows other than on the metal.

I believe it's actually ECC RAM, which is much more expensive than the conventional desktop variety.

'Snot true

https://everymac.com/systems/a...

This model is powered by a 14 nm, 64-bit "Seventh Generation" Intel Mobile Core i5 "Kaby Lake" (I5-7360U) processor which includes two independent processor "cores" on a single silicon chip with 64 MB of eDRAM embedded on the processor die. Each core has a dedicated 256k level 2 cache, shares 4 MB of level 3 cache, and has an integrated memory controller (dual channel).

https://ark.intel.com/products...

Max Memory Size (dependent on memory type) : 32 GB
Memory Types : DDR4-2133, LPDDR3-1866, DDR3L-1600
Max # of Memory Channels : 2
Max Memory Bandwidth : 34.1 GB/s
ECC Memory Supported : No

"ME is turning into a colossal dumpster fire."

Or maybe the equivalent of a billion dollar ad campaign against Intel.

Customers don't want spyware. It seems that, if Intel continues to try to force spyware on customers, Intel will eventually go bankrupt. That would be a very, very bad conclusion to the very, very bad management by Intel.

It is EXTREMELY important for the entire world, in my opinion, that Intel stay healthy. (The world needs AMD to stay healthy, also.)

Did the present Intel managers lack the social ability to understand that providing hidden access for hidden invaders would damage Intel's reputation? Apparently Intel needs a new CEO. Maybe other Intel managers should be replaced, also. Most of the technology development parts of Intel has seemed healthy to me; it's the business management that is failing, apparently.

The world was told more than 3 years ago about the hidden control: Secret of Intel Management Engine by Igor Skochinsky. (Mar 12, 2014)

Intel was told that there would be problems: Intel's Management Engine is a security hazard, and users need a way to disable it. (May 8, 2017)

Did the present managers lack the social ability to understand that it was likely that hackers would find defects in the Intel Management Engine? One article: Intel Patches Major Flaws in the Intel Management Engine. (Nov 22, 2017) Intel's reaction: Intel Management Engine Critical Firmware Update (Intel-SA-00086). (Dec 5, 2017)

Dell has a program that will (allegedly) disable it in computers that have already been sold. Free.

Why not buy a Dell and then disable it with the free program?

Because by then, the damage may already have been done, perhaps.

A possibly helpful link: https://downloadcenter.intel.c...

Notice they don't compare performance to an x86 chip. And it'll suck. An Snapdragon 835 compares poorly for performance with x86/x64 chips even given native code

http://weborus.com/snapdragon-...

And Photoshop x86 probably uses a lot of SIMD code. Theoretically you could probably JIT x86 SSE to ARM NEON, but Intel posted this

https://newsroom.intel.com/edi...

Intel carefully protects its x86 innovations, and we do not widely license others to use them. Over the past 30 years, Intel has vigilantly enforced its intellectual property rights against infringement by third-party microprocessors. One of the earliest examples, was Intel's enforcement of its seminal "Crawford '338 Patent." In the early days of our microprocessor business, Intel needed to enforce its patent rights against various companies including United Microelectronics Corporation, Advanced Micro Devices, Cyrix Corporation, Chips and Technologies, Via Technologies, and, most recently, Transmeta Corporation. Enforcement actions have been unnecessary in recent years because other companies have respected Intel's intellectual property rights.

However, there have been reports that some companies may try to emulate Intel's proprietary x86 ISA without Intel's authorization. Emulation is not a new technology, and Transmeta was notably the last company to claim to have produced a compatible x86 processor using emulation ("code morphing") techniques. Intel enforced patents relating to SIMD instruction set enhancements against Transmeta's x86 implementation even though it used emulation. In any event, Transmeta was not commercially successful, and it exited the microprocessor business 10 years ago.

Only time will tell if new attempts to emulate Intel's x86 ISA will meet a different fate. Intel welcomes lawful competition, and we are confident that Intel's microprocessors, which have been specifically optimized to implement Intel's x86 ISA for almost four decades, will deliver amazing experiences, consistency across applications, and a full breadth of consumer offerings, full manageability and IT integration for the enterprise. However, we do not welcome unlawful infringement of our patents, and we fully expect other companies to continue to respect Intel's intellectual property rights. Strong intellectual property protections make it possible for Intel to continue to invest the enormous resources required to advance Intel's dynamic x86 ISA, and Intel will maintain its vigilance to protect its innovations and investments.

There's a helpful graph of Intel patents on new instructions going back to 1996. US patents since 1995 have a 20 year life. Which means anything after 1997 is still valid. It's fair to assume that Photoshop uses some recent SIMD instructions for performance. The patents on those have a lot of time left in them.

Microsoft's emulation is part of Windows on Windows, i.e. the code which runs 32 bit x86 binaries on 64 bit Windows. So it will only work for 32 bit x86 applications, not 64 bit x64 ones.
x64 has SSE2 as part of the ISA and ABI, i.e. you'd have to violate those SSE patents to JIT it to ARM NEON.

I.e. Intel's threat over SIMD makes it hard to get something like Photoshop to run well on an ARM. And the fact that the fastest ARM chips are still quite a bit slower than the fastest x86/x64 chips does too.

Most of that is simply false, and I have proven it myself with HP Compaq, EliteDesk, and EliteBook hardware.

You don't need access inside a network or on the physical machine, it has been proven to "call home" and receive orders much as botnets do, over unblocked HTTP requests.

Etherial shows nothing except ARP traffic while powered off, or powered on in any mode but provisioning mode.
In provisioning mode Etherial shows two TCP connections to my provisioning server, and neither are HTTP.

You can't stop it if it is plugged into a network

Until ME is enabled, it doesn't even perform ARP requests let alone is capable or tries to send packets anywhere.

and all of the benefits you listed already existed in other forms which didn't require a massive multi-million-dollar engineering effort to stick inside the chip undetected for years.

It was never hidden in the chip, you just didn't bother reading Intels documentation, which was publicly available on Intels website since before vPro and ME hit the market.

Yes management cards were available before, but they are equally closed source and not auditable, and cost extra per PC to deploy.

If it were legitimate it would have been public knowledge from the start,

Which is has been.

https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
https://www.intel.com/content/www/us/en/software/setup-configuration-software.html

Documentation goes back to 2008 when vPro, the software containing ME, was released.

not a secret projects the alphabet agencies recruited hardware developers for, required top secret clearance to undertake within the Intel team working on it, etc.

Any evidence for that claim? Other than Intels own website and documentation that disproves it was "secret"?

The justifications for the existence of it are like the shills

Oh, damn, wish I saw that sooner before actually providing you with facts you don't care about.
Yes, I use technology, that makes me a shill by your definition.
Continue on with your fantasies, I'll stop ruining them.

Most of that is simply false, and I have proven it myself with HP Compaq, EliteDesk, and EliteBook hardware.

You don't need access inside a network or on the physical machine, it has been proven to "call home" and receive orders much as botnets do, over unblocked HTTP requests.

Etherial shows nothing except ARP traffic while powered off, or powered on in any mode but provisioning mode.
In provisioning mode Etherial shows two TCP connections to my provisioning server, and neither are HTTP.

You can't stop it if it is plugged into a network

Until ME is enabled, it doesn't even perform ARP requests let alone is capable or tries to send packets anywhere.

and all of the benefits you listed already existed in other forms which didn't require a massive multi-million-dollar engineering effort to stick inside the chip undetected for years.

It was never hidden in the chip, you just didn't bother reading Intels documentation, which was publicly available on Intels website since before vPro and ME hit the market.

Yes management cards were available before, but they are equally closed source and not auditable, and cost extra per PC to deploy.

If it were legitimate it would have been public knowledge from the start,

Which is has been.

https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
https://www.intel.com/content/www/us/en/software/setup-configuration-software.html

Documentation goes back to 2008 when vPro, the software containing ME, was released.

not a secret projects the alphabet agencies recruited hardware developers for, required top secret clearance to undertake within the Intel team working on it, etc.

Any evidence for that claim? Other than Intels own website and documentation that disproves it was "secret"?

The justifications for the existence of it are like the shills

Oh, damn, wish I saw that sooner before actually providing you with facts you don't care about.
Yes, I use technology, that makes me a shill by your definition.
Continue on with your fantasies, I'll stop ruining them.

Hate to defend an illegible spammer like APK, but he appears to be right in blocking certain ports used by Intel AMT.

The Ark confirms that your processor does not have vPro support. However, that does not necessarily mean that the Intel ME is completely inert (for example, on my laptop, I cannot get to the configuration menu of the ME, but I can still flash it with the ME firmware, and the vulnerability checker tool detects it). Based on what I have observed on all the computers at work that support ME, they reuse the MAC address of the network interface. All it does is redirect certain ports to ME when accessed from the network (on configured systems).

Technicolor sounds like a modem company. Perhaps your router is throwing that into the ARP table.

https://firmware.intel.com/sit... OS X /macOS has been IFI /UEFI for Decades so if you need a UNIX for Intel UEFI.... Look no futher/

As per the Intel 64 and IA-32 Architectures Software Developer's Manual on page 8-20 in Volume 3A, the boot processor comes up in real mode and begins executing whatever is in memory at 0xFFFF_FFF0h. On step 8 out of 15 it switches the processor into protected mode.

Turns out they've just added another level to the page tables, taking it to 5.

https://www.kernel.org/doc/Doc...

https://software.intel.com/sit...

  I.e. looking up a virtual address now needs a lookup in PML5, PML4, Page Directory, Page Table. Of course the TLB caches lookups but adding more layers increases the time taken to handle a TLB miss.

I was hoping either Intel or AMD would introduce a more advanced page table - hashed inverted page tables like the ones used in PowerPC, the UltraSPARC and the IA-64 for example

https://en.wikipedia.org/wiki/...

https://www.youtube.com/watch?...

Or maybe someone's invented a better way to do it now.

In the mean time, your malware continues to infect every USB device ever attached to the machine.

It doesn't quite work like that. DCI (along with traditional JTAG) is fused off before the system leaves the factory, per Windows hardware certification requirements. This guy somehow managed to acquire a part that didn't have DCI fused off yet. Special circuitry is required to interface with the JTAG scan chain... you need one of these: https://designintools.intel.com/Silicon_View_Technology_Closed_Chassis_Adapter_p/itpxdpsvt.htm. This DCI technology routes JTAG over the USB connector physically, it doesn't implement transfer of JTAG scan chains over the USB protocol. You can't just hack a USB flash drive... you would need a custom built USB device. Note that Intel will only sell you one of these things + the software to drive it if you sign a NDA with them.

Given that his screenshot has a window with the title "Administrator: Intel DAL Python CLI" I have a hard time believing that he has done anything more than gotten an un-fused Intel reference board + Intel debug tools under NDA from Intel and he managed to successfully follow the directions for enabling USB JTAG debug. If this is the case, his "success" in no way would translate to an actual exploit usable on your typical off the shelf laptop.

Actually some sources say that it has been in the "North Bridge", e.g. what has been known as "Platform Controller Hub" ( https://en.wikipedia.org/wiki/... ) for some time. For example, see ME references in https://www.intel.com/content/...

However, it is stated in the above Wikipedia article: "Beginning with ultra-low-power Broadwells and continuing with mobile Skylake processors, Intel incorporated the clock, PCI controller, and southbridge IO controllers into the CPU package, eliminating the PCH for a system on a chip (SOC) design." This makes it unclear whether also the ME component has been integrated into the CPU package in SoC style in these newer CPUs (assuming that it has been there in the first place.) ... I sure wish Intel themselves would explain all this. And also state their reasons for pushing this crap.

There has been a lot of talk about Qualcomm ARM chips taking over from Intel. The problem is when you look at the benchmarks they're rather underwhelming. Eg.

http://weborus.com/snapdragon-...

The Snapdragon 835 is a great device if you're running Android. If you're running something like Photoshop I predict performance is going to be disappointing. Microsoft's 'Windows on a Snapdragon' video shows Photoshop running. It doesn't mention performance

https://www.youtube.com/watch?...

It's the same with server stuff. And of course Intel have threatened people with a patent lawsuit on SIMD

https://newsroom.intel.com/edi...

Protecting x86 ISA Innovation

Intel invests enormous resources to advance its dynamic x86 ISA, and therefore Intel must protect these investments with a strong patent portfolio and other intellectual property rights. The following graph shows that relentless instruction set innovation translates into a deep and dynamic patent portfolio with over 1,600 patents worldwide relating to instruction set implementations.

https://imgur.com/a/x0K2V

New x86 Instructions and Related Patents

Intel carefully protects its x86 innovations, and we do not widely license others to use them. Over the past 30 years, Intel has vigilantly enforced its intellectual property rights against infringement by third-party microprocessors. One of the earliest examples, was Intelâ(TM)s enforcement of its seminal âoeCrawford â(TM)338 Patent.â In the early days of our microprocessor business, Intel needed to enforce its patent rights against various companies including United Microelectronics Corporation, Advanced Micro Devices, Cyrix Corporation, Chips and Technologies, Via Technologies, and, most recently, Transmeta Corporation. Enforcement actions have been unnecessary in recent years because other companies have respected Intelâ(TM)s intellectual property rights.

However, there have been reports that some companies may try to emulate Intelâ(TM)s proprietary x86 ISA without Intelâ(TM)s authorization. Emulation is not a new technology, and Transmeta was notably the last company to claim to have produced a compatible x86 processor using emulation (âoecode morphingâ) techniques. Intel enforced patents relating to SIMD instruction set enhancements against Transmetaâ(TM)s x86 implementation even though it used emulation. In any event, Transmeta was not commercially successful, and it exited the microprocessor business 10 years ago.

Only time will tell if new attempts to emulate Intelâ(TM)s x86 ISA will meet a different fate. Intel welcomes lawful competition, and we are confident that Intelâ(TM)s microprocessors, which have been specifically optimized to implement Intelâ(TM)s x86 ISA for almost four decades, will deliver amazing experiences, consistency across applications, and a full breadth of consumer offerings, full manageability and IT integration for the enterprise. However, we do not welcome unlawful infringement of our patents, and we fully expect other companies to continue to respect Intelâ(TM)s intellectual property rights. Strong intellectual property protections make it possible for Intel to continue to invest the enormous resources required to advance Intelâ(TM)s dynamic x86 ISA, and Intel will maintain its vigilance to protect its innovations and investments.

If Microsoft can't transform SSE instructions into an ARM SIMD instruction set due to patents on SSE, Photoshop will suck if it's run through Microsoft's x86 to ARM64 JIT engine. And the odds are something like Photoshop is using bits of SSE which are still patented and will be for some time.

Even if you don't emulate and run code nati

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is in the CPU/Bridge, and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with t

It's just a standard fad for the new guard just now getting into the world of computers.

Quoting the publicly available documentation as news is just what they do.

I suppose it's because a headline of "children learn of stuff that's 20 years old" isn't quite as scary sounding.

They mentioned the ME runs a web server. Just wait for the updated article tomorrow when they learn the AMT runs a full VNC server, let's you redirect cd/dvd block level commands for remote boot, and the serial port interface to the BIOS over a tv terminal!

It's just a standard fad for the new guard just now getting into the world of computers.

Quoting the publicly available documentation as news is just what they do.

I suppose it's because a headline of "children learn of stuff that's 20 years old" isn't quite as scary sounding.

They mentioned the ME runs a web server. Just wait for the updated article tomorrow when they learn the AMT runs a full VNC server, let's you redirect cd/dvd block level commands for remote boot, and the serial port interface to the BIOS over a tv terminal!

No Qual Comm would mean no CDMA.

Qualcomm doesn't have monopoly power over CDMA anymore if it ever did -- its foundational patents expired years ago, and any live patents that are truly necessary to later CDMA standards are likely subject to FRAND licensing. The proof in the pudding is that multiple other chipset manufacturers like MediaTek and HiSilicon have sold chips with CDMA support for some time, and Intel just released one of its own.

All Intel did was added another hidden switch only they know how to switch on, like a unique wifi signal or magic packet on the onboard nic.

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

IMO Roku makes the best hardware box specifically because they have no significant streaming service, so it's in their best interest to ensure it works well (or at least acceptably) with all the streaming services that matter.

Absolutely agree. Other than an Intel Compute Stick and Kodi, the Roku is the better/best option as it's cheaper, works really well, comes with a remote and a great interface, and doesn't require your credit card number for roping you into one preferred source of content. Bonus, it is friendly to lots of paid content if you want it, like Sling or HBO. And as the Roku platform becomes more popular, there's more incentive for Roku apps to work well (as opposed, unfortunately, to Kodi apps which are often hit-and-miss).

But to a lot of investor-people, the real money is in subscriptions, not in a one-time sale of a device that might last years. This sucks for consumers who just want to buy something and just use it. And how many content subscriptions can a person have anyway, until they're paying as much or more than they would for full-out cable or satellite TV?

If Roku continues to make great boxes that don't come with strings attached like Apple TV or FireStick, then I don't care what else they do. Otherwise, you may be best off just pulling an older PC out of the closet and hooking it to your TV with a wireless mouse and keyboard.

Look again at the PDF you linked to, HDMI is listed on the second page, left hand column, first paragraph.

You'll also note that the document I linked to, as well as the one you linked to, are both from 2016, after Thunderbolt 3 co-opted the port. If you look at what was supported prior to that, the USB-C spec itself, you have USB, DP, and power distribution. HDMI Licensing did release a standard for HDMI over USB-C in 2016, as well, which is separate from the Thunderbolt 3 standard which already included HDMI over DisplayPort. It is also worth noting that the Thunderbolt 3 standard includes 8 DisplayPort lanes while the USB-C standard includes only 4.

The way HDMI works, using all four data lanes in the spec, makes me wonder if a USB-C port could support both Thunderbolt and HDMI at the same time like Thunderbolt and DisplayPort can share data lines.

Since USB-C itself provides only 4 DisplayPort lanes, HDMI uses them all, and the port cannot be in both USB and Thunderbolt mode simultaneously, I would posit that this is not possible. It may be possible to slip some USB data in with the HDMI stream if the resolution or framerate is reduced sufficiently; I honestly don't know enough about HDMI to know if it frees up some of those lanes when it doesn't need the bandwidth. That said, as Thunderbolt 3 provides 8 DisplayPort lanes, a USB-C port operating in Thunderbolt mode can provide display and data transfer simultaneously, even at 4K@60Hz. If you have Thunderbolt available, that's what you'd want to use.

It was my understanding that Apple supported HDMI on USB-C and the adapters they offer for HDMI are passive, but I may be mistaken.

There was no HDMI over USB-C spec until 2016 and the current MacBook models still have the same chipset as the 2015 models. Additionally, the USB-C port, when not operating in Thunderbolt 3 mode (which these models lack) can't pass video and USB at the same time, thus why Apple sells a USB-C to DisplayPort cable (which, in theory, should work with a passive DP->HDMI adapter, as well) and USB-C adapters which include a second USB-C port, a USB-A port, and either HDMI or VGA. If the adapters were simple passive circuits, the USB-C and USB-A ports on them would be nonfunctional while video was being passed.

Intel does license Thunderbolt to others, AMD included.

Since when? The article you linked to, published less than 6 months ago, states that "Intel hasn't made the specification available to other companies" and "Intel has unveiled plans to not only build the technology into its processors, but to open the spec through a non-exclusive, royalty-free license." I see no indication that either of those things has happened yet. That might be why AMD does not take advantage of it. In fact, this article, published by Intel the very same day as the one you linked to, states "ntel is announcing that it plans to drive large-scale mainstream adoption of Thunderbolt by integrating Thunderbolt 3 into future Intel CPUs and by releasing the Thunderbolt protocol specification to the industry next year." That pretty much confirms why AMD hasn't taken them up on the offer yet; and time will tell whether Intel will make good on their word.

I hope they will, but I've had business dealings with Intel before and, let's just say their word is only as good as the legally binding contract it's written on, and that article is not legally binding.

I'm not saying it's not a problem, only that it's not something I'm going to be terribly concerned about now that I know some more about the issues.

I'm not terribly concern

An Intel inside iPhone would be an interesting development.

Already happening. Fortune

Intel is working on much more than that and is trying hard to break into the phone market in a really big way, not just with atom based arch. Even though they have been out of the running for 16 years it seems this time they are coming back and are really looking for the brainz this time. Like I said either they are paying Qualcomm to not sue them or we might see a major tech merger. Say perhaps Qualcomm and Intel in a joint venture with a mind to squash Samsung once and for all?

Either way there are interesting times ahead in the cell chip sector and there will be blood on the floor with the introduction of the new high end Note by Samsung. The iPhone 8 has some serious competition this time around and I think Apple knows it. If the new 8 series from Samsung starts to take over a huge section of the market the way the original galaxy did you can bet the bullshit American protectionist law suits will fly again. Like the Boeing bombers now flying over Quebec Canada the tariff(s) on Samsung phones will be enormous.

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

ME: Management Engine

The Intel Management Engine (ME) is a separate computing environment physically loca

• It's great for speeding up small, frequently-accessed files. Like the files needed to boot the OS or start a program. Hard drives suck at reading or writing these - typically 0.75 to 1.5 MB/s. A small SSD can typically read these at around 10-30 MB/s. This is the only thing it speeds up.
• It doesn't do anything for large files because the NAND cache is too small to hold large files, and hard drives are already pretty fast at large files (typically 75-150 MB/s, though newer ones can surpass 200 MB/s).
• The NAND size is too small to hit the blazing-fast 500+ MB/s speeds of real SSDs. You need multiple NAND dies operating in parallel for that, and the NAND sizes in SSHDs are too small for that.
• It doesn't do anything for infrequently accessed small files because they're not loaded into cache.
• It doesn't do anything for writes because that could compromise data integrity if the drive loses power before it's written to the HDD. So writes are sent straight to the HDD portion and proceed at HDD speeds.

Don't get me wrong, it's a substantial speedup in boot times off a slow HDD. I played around with it on a Thinkpad (had a HDD and a 16 SSD configured as cache). Even when I reduced the caching partition down to 8 GB, it was still booting up Windows in about 20 seconds, vs over a minute with the cache disabled. But (1) you don't get the blazing fast SSD speeds (500 MB/s to 2 GB/s) with large files, (2) It doesn't get you these fast speeds with infrequently accessed files, and (3) it doesn't give you these fast speeds with writes. Once you factor in these drawbacks, the performance improvement simply isn't worth the additional cost compared to a SSD + HDD setup.

I only recommend SSHDs if you have a laptop (which typically use 5400 RPM drives), you need the large storage of a HDD, but the laptop can only take a single drive (i.e. doesn't have a separate M.2 slot for a real SSD). On laptop with a M.2 slot you can run with both SSD + HDD. On a desktop a 7200 RPM HDD is tolerable, and you can install a real SSD. In fact on a desktop, you can toss in a small spare used SSD, install Intel Rapid Storage Technology, and configure that SSD to cache all your HDDs.

Apple uses these SSHDs in their all-in-ones (iMac line) and Mac Mini basically because they're too much of a control freak to add a M.2 slot to let you add your own SSD. The iMacs which do allow you to add a smaller M.2-type SSD use a proprietary interface, forcing you to buy the SSD from Apple. The whole thing is a racket designed to extract obnoxious sums of money from their customers for the same features PC users get as standard. And yet somehow Apple users are proud that Apple has the highest profit margin in the PC industry? Talk about Stockholm syndrome.

You can thank Intel for that. Not Microsoft. Remember USB 3.0 wasn't even invented yet when Windows 7 was made.

It is a so difficult problem that even Intel (without access to the OS source code) has created its own solution.

Microsoft gets paid by the seat licenses either way so it makes no difference.

Because all what they did before with this stupidly imposing attitude made sense, right? Windows 10 seems to be a good version, perhaps even better than Windows 7; why not letting the product speak for itself? Why trying to force clients by scaring lots of them? Why they had everything on their side to have an excellent medium-/long-term evolution and they did what they did? Perhaps because they got nervous? Because the initial targets weren't met and some manager thought that forcing clients was a better idea than just being patient? A stupid decision. It doesn't make sense; exactly the same than Intel providing ways to use USB 3.0 with Windows 7, but not enabling it in their new machines. In any case and as said, I don't care about the final responsible, the underlying reason was Microsoft's decision of unilaterally imposing Windows 10 to everyone.

The concept had its uses(though, without some wireless charging arrangement, the utility of a 'dock' that made your laptop battery drain a bit faster(because running that multi-Gb wireless link isn't free) was always a bit troublesome.

For the things that already have reasonably sane and standardized 'over-IP' or bluetooth flavors; a wireless dock doesn't make a whole lot of sense because 'no dock' is pretty close to a wireless dock: you just dump your laptop on your desk, wifi connection handles network, file shares, printers; bluetooth peripherals reconnect in pretty short order when you come into range and you are 'docked'.

The Intel 60GHz thing(it was a pair of SKUs, one card for adding support to the client system, plus the W13100 "Wireless Gigabity Sink" part designed to build a docking station around) was aimed mostly at shoving the interfaces without good wireless abstractions over a wireless link: video(yes, 'airplay', 'miricast', etc. can do an OK job of 'wireless display' by sending an H.264 stream to a device that expects it; but they don't work with dumb monitors; and don't tend to work with software that isn't explicitly expecting them; so they aren't really an option for the "dump laptop in dock, receive dual monitors" use case) USB(there are various vendor specific hacks; but unless the USB device can be shared out at a higher level, like a printer or a mass storage device, there isn't really network-transparent USB support; the USB network extenders that do exist can be pretty dodgy and generally require fiddly drivers) and ethernet(probably the least useful for end users; since wifi is a direct substitute; but when IT wants to PXE boot...)

Even so, the niche was pretty limited, when you could get the same features, plus charging, for less money(and without a fan in your docking station; most models had a nice noisy 60mm, users loved that) in exchange for going to slightly more effort and mechanically docking. Plus, while fast, the WiGig link wasn't fast enough for fully transparent transport of things like video; and range was severely compromised if line of sight wasn't available. Plus, there were some very unpleasant Gen1 quirks and power management bugs, depending on the model.

Not really a surprise that it didn't do so well. It did offer capabilities that other things didn't(and still don't); but wired docks were doing all of that better and cheaper, with charging; and since the arrangement relied on the 60GHz radio(I'm not sure if falling back to the more usual wifi bands just wasn't implemented, or didn't offer nearly enough bandwidth to handle things like dock video without egregious compression; either way it wasn't an option); you had to be pretty close to the docking station for it to work, so the extra effort of mechanical docking was limited.

If it had gained broader acceptance; it probably could have been a winning 'enterprise' equivalent of miricast/airplay for conference room video and the like; but since those work with mostly cheap and common hardware at the expense of some relatively minor H.264 artifacts, they are a hard target for an expensive, model specific, fancy interconnect to compete with. For docking; things were bad enough with the various proprietary(but mostly functional) docks sold with 'business' laptops since forever; and they are worse now that TB3 and USB-C allow you to get full dock bandwidth out of a single connector.

New Atom chips just came out.
https://ark.intel.com/products...

The 4 core and weaker ones sound like what you're after. I suspect we'll see some very competent little HTPC boxes soon.

Most all mobile apps are just dumbed down re-inventions of the good 'ol regular computer programs.. dumbed down but also 10x more bloated..

Personally I think they telecom industry made deals with all the big computer/phone manufacturers NOT to build phone size x86, Windows/Linux compatible computers.. And they were all for it, to create their own walled garden(enslaved) ecosystems. OQO. Flipstart, Sony UX and many others were 'right on the door' but they all seemed to give up when Android and Iphones came out!?!?!

I think if there were a fully functional phone sized x86 PC (pinch zoom, WinXP-7 UI) people might not necessarily even use 'voice services', wifi and or VOip tech would be most common.

Their are plenty of Intel Compute sticks /knockoffs, and the modern x86 chips are just as, if not better power management than arm... So I know they can be made to the Droid3 form factor.. but no-one is doing it? I'd pay 2x the price of an iphone for one if some #$%#$ would make one properly.
x86, runs legacy x86 OS's/software, slideout kb. 2 micro-usb(one for power), MicroSD, hdmi,removable battery, yada yad.

Seriously, both Iphone and Android are #$%$# ing terrible vs regular old Windows/Linux desktop apps.. Some say traditional desktop is not usable on a phone, I've tried it through VNC, works great.. The problem is the industry is keeping these off the market for some reason.(keep programmers busy? Rewriting the same old thing I presume).

https://www.intel.com/content/...

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

ME: Management Engine

The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or

I don't have to point out what an idiot you are, all I have to do is provide this link.

https://www.intel.com/content/...

Now go buy a new laptop at Best Buy that has a 3168 or 7260 wifi chip (which is fairly common) and come back to tell us all about the fun you had getting it to work with CentOS/RHEL. Since you probably don't even know: those distros ship at best with a 3.10 kernel.

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

ME: Management Engine

The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

ME: Management Engine

The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or

Mantis entry https://caml.inria.fr/mantis/v...

Spec update https://www3.intel.com/content...

From the mantis page: OCaml toolkit users noted that compilation was failing on skylake processors, when multiple concurrent processes were running. Additional testing found that test systems were producing incorrect results when running compiled code on skylake systems with HT enabled.

Close the N.S.A.'s Back Doors. (New York Times, Sept. 21, 2013)

NSA's own Hardware Backdoors May Still Be a "Problem from Hell". (MIT Technology Review, Oct. 8, 2013)

This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip. (Wired.com, June 1, 2016)

Expert Says NSA Have Backdoors Built Into Intel And AMD Processors. (Eteknix, 2014)

When spyware is detected, that particular vulnerability is fixed:

Red alert! Intel patches remote execution hole that's been hidden in chips since 2010. (The Register, May 1, 2017)

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege (Intel Corporation, May 5, 2017 ) Quote: "Severity rating: Critical"

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

ME: Management Engine

The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or