Slashdot Mirror


Intel Shows RealVNC Embedded In the BIOS

LWATCDR writes "At Intel Developer Forum, Intel and RealVNC demoed RealVNC integrated at the BIOS level. Using VNC, one can now power down, power up, reboot, go into the BIOS, and even mount disk images on the network. All of this has been available for a while using IPMI but now it can be done using the open standard VNC. It is available now on Q57 and Q67 motherboards. One can just imagine how useful this could be in a data center, school, or any other system with a large number of computers. Let's hope AMD joins in."

14 of 154 comments

  1. And how bad it becomes when a vuln is found by djsmiley · · Score: 3, Insightful

    So..... we've had someone (I forget if it was AMD or Intel teaming up with Trend Micro to look for malware at the lowest possible hardware level) and then in the same week an announcement about how you can have remote visuals for your WHOLE system from outside the O/S?

    While it's useful if your server decides to hang and you don't know why - but this exists in DRAC cards and other forms of remote management for systems which NEED it. I don't think I've ever had to access the BIOS of a consumer level device remotely before, or even thought it'd be a wildly good idea...

    So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea! - hey, at least they could do it remotely? (maybe!)

    --
    - http://www.milkme.co.uk
    1. Re:And how bad it becomes when a vuln is found by durrr · · Score: 2

      Would it be possible that a vulnerability allowed normal BIOS patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

    2. Re:And how bad it becomes when a vuln is found by jhigh · · Score: 4, Insightful

      I don't think I've ever had to access the BIOS of a consumer level device remotely before, or even thought it'd be a wildly good idea...

      You've obviously never worked in kiosks before - this would be endlessly useful for any company supporting a large number of kiosk computers. That being said, your point about possible vulnerabilities is well put. However, we can't let potential vulnerabilities get in the way of advancing technology. Just like I'm sure there will be some creative way for the bad guys to exploit this, I'm just as sure that there will be some equally creative way for the good guys to protect this.

      --
      Social Engineering Expert: Because there is no patch for stupidity.
    3. Re:And how bad it becomes when a vuln is found by Joce640k · · Score: 2

      Look on the bright side: At least the Linux users won't be able to act all smug about how much more secure their machines are than Windows machines.

      --
      No sig today...
    4. Re:And how bad it becomes when a vuln is found by icebike · · Score: 2

      You presume that is possible. And you presume the disabling is actually honored.
      I looked at the BIOS screens very carefully and saw no such option.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:And how bad it becomes when a vuln is found by LWATCDR · · Score: 2

      Thanks for pointing that out. Wow I never knew how many people just read the summary. When I wrote that summary I covered that this was already available. That the abilities are not that new but have been around for a while on systems using IPMI, and what chip sets supported it. I left out that it was encrypted front to back because I actually thought that everyone and their dog would just assume that it was or read the article if they didn't bother to watch the video.
      You know I really made an effort to write a non-inflammatory, informative, and factual summary. Oh well maybe next time.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  2. Finally! by jackb_guppy · · Score: 2

    I suggested this and other ways of using VNC embedded hardware like this years ago. It will be great to have keyboard, mouse, video - hope they also add virtual CD/DVD or USB to get the machine loaded remotely.

    It is a shame that it may be too late with VBLOCK and ESX systems taking hold.

    1. Re:Finally! by asdfghjklqwertyuiop · · Score: 2

      Why have you been waiting so long? If you've wanted to set up your servers incompetently this way it's been possible for decades with DRAC or ILO or LOM or IPMI... or hardware serial consoles for longer than there's been an Internet.

  3. Re:Yeah, just great... by felipekk · · Score: 2

    Employers were able to do that for a long time already...

  4. Re:REALLY useful by Cylix · · Score: 3, Interesting

    More than likely this is integrated at the BMC (baseboard management controller). While the BMC may be integrated into the system and a few values override some of the DMI it is not technically the BIOS. I've run into several systems with dead BMCs and they will happily chug along and act mostly normal. (DMI values revert to the BIOS provided values)

    You can obtain the source to the FRU and play with it to your heart's content. Unfortunately, these are typically available on their high end S5000 and above series boards. SuperMicro makes some cheap boards with IPMI, but I don't know if it is a similar BMC setup. Now, the kicker is the BMC is just Linux on a chip managed through IPMI. You can obtain and modify this to your heart's content. Though I don't know if they left out any bits and the system firmware is still a binary blob I believe.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  5. SSH? by Kagetsuki · · Score: 2

    Why VNC? Why not SSH?

    By the way this was on SGI workstations and it was awesome. I still remember the first time I went into the SGI BIOS setup only to be greeted with a shell. That blew my mind.

    1. Re:SSH? by wagnerrp · · Score: 2

      Agreed. VNC just seems like a stupid choice for such a system. VNC, Citrix, Windows Terminal Services, Remote Desktop... all of these things only exist as a crutch to allow remote use of programs not designed for remote operation. If you are designing the application from scratch, why not design it for remote use in the first place? Use a terminal or curses application. Use an embedded web server and a JavaScript application. Do something that actually makes sense rather than render a 2D interface, and then compress it for display over VNC.

    2. Re:SSH? by silas_moeckel · · Score: 3, Insightful

      Because it's not adding a new interface, it's connecting to the existing one. You want a tech to be able to correct, say, broken NIC drivers. It's not meant for application sharing etc.

      --
      No sir I dont like it.
  6. Re:UltraVNC? by l_bratch · · Score: 2

    This probably just implements the standard RFB protocol, so any viewer (UltraVNC, RealVNC or whatever) can connect to it.
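
The handshake that any RFB viewer performs first, parsed as an added example (not code from this thread, RealVNC or Intel): it reads the server's ProtocolVersion message and security-type offer as laid out in RFC 6143 and flags an offer that includes type 1 (None). The function name, result keys and sample byte strings are constructed for illustration, and the parser assumes the client answered with the same version the server announced.

```python
import struct

# Security types defined by the base RFB specification (RFC 6143, section 7.1.2).
# Other numbers are registered extensions (TLS wrappers and vendor schemes).
BASE_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_server_greeting(stream: bytes) -> dict:
    """Parse ProtocolVersion plus the security offer from server-to-client bytes.

    Assumes the client answered with the same version the server announced.
    """
    head = stream[:12]
    if len(head) < 12 or head[:4] != b"RFB " or head[7:8] != b"." or head[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(head[4:7].decode("ascii")), int(head[8:11].decode("ascii")))
    rest, reason = stream[12:], None
    if version >= (3, 7):
        # 3.7 and later: u8 count, then that many u8 type codes to choose from.
        if not rest:
            raise ValueError("security offer missing")
        count, types = rest[0], list(rest[1:1 + rest[0]])
        if len(types) != count:
            raise ValueError("security type list truncated")
        if count == 0:
            # Zero types means refusal: u32 length plus a reason string follow.
            (n,) = struct.unpack(">I", rest[1:5])
            reason = rest[5:5 + n].decode("latin-1")
    else:
        # 3.3: the server dictates one u32 type; the client gets no choice.
        if len(rest) < 4:
            raise ValueError("security type missing")
        types = [struct.unpack(">I", rest[:4])[0]]
    return {
        "version": version,
        "types": types,
        "names": [BASE_TYPES.get(t, f"extension {t}") for t in types],
        # Type 1 means any client may connect with no credentials at all.
        "unauthenticated": 1 in types,
        "refused": reason,
    }

# Constructed sample streams (not captured from any real device).
SAMPLES = {
    "open": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "password": b"RFB 003.008\n" + bytes([1, 2]),
    "legacy": b"RFB 003.003\n" + struct.pack(">I", 2),
    "refused": b"RFB 003.008\n\x00" + struct.pack(">I", 4) + b"busy",
}
```
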