Slashdot Mirror


Google Working To Remove MINIX-Based ME From Intel Platforms (tomshardware.com)

An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.

What's concerning Google is the complexity of the ME. Public interest in the subject was piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According to Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.


  1. Re:Obvious question by Anonymous Coward · · Score: 3, Informative

    ..no, actually, that's wrong. It's in the PCH. In fact there's more than one embedded processor in the PCH, they all do various things (like power management). The ME is just one of them.

  2. Most Widely Deployed OS? by iCEBaLM · · Score: 4, Informative

    Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

    Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

    1. Re:Most Widely Deployed OS? by G00F · · Score: 3, Informative

      Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

      On top of that, I'm willing to bet there are more linux VM's than intel ME enabled CPU's.

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
  3. It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 1, Informative

    Guys, can you at least get your facts straight before doing another FUD piece on the Intel ME?

    1) The ME is not in the CPU, it's in the chipset, specifically it's loaded in the firmware of the firmware hub, and the "hidden processor" is in the chip we typically call the South Bridge.

    2) It's OFF BY DEFAULT.

    Go ahead and check it yourself:

    INTEL-SA-00075 Detection and Mitigation Tool
    https://downloadcenter.intel.com/download/26755

    1. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 2, Informative

      2) If the ME isn't running or is running incorrectly, the platform will not power on. It may be completely unreachable from the network in some implementations, but it is the arbiter of whether the system will turn on or not. It's easier to describe it as 'disabled', but it certainly is running.

  4. Re:Lots of Problems With That Statement by Anonymous Coward · · Score: 2, Informative

    The idea that a GPLed operating system wouldn't be used for this doesn't make sense. There is nothing preventing a company like Intel from using a minimal GPLed OS for this task. In fact, companies have used GPLed kernels, like Linux, in the past for locked down or embedded devices. Just look at the TiVo issue.

    So not only can you use a GPLed kernel for this sort of thing, people have. GPL advocates have nothing to be proud of in this instance because there is nothing in the license which prevents a company like Intel from using their software for the same scenario they used MINIX.

  5. EFF analysis by Craggles · · Score: 5, Informative
  6. Re:Talk to Purism? by Keith_Beef · · Score: 4, Informative
    From https://puri.sm/posts/deep-div...

    Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default. Users who already received their orders can also update their flash to disable the ME on their machines

    First of all neutralized, then disabled. The next step is to completely remove it.