Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Working To Remove MINIX-Based ME From Intel Platforms (tomshardware.com)

Posted by BeauHD on from the repeal-and-replace dept.

An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.

What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just a software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According the Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.

107 of 181 comments (clear)

  1. Obvious question by squiggleslash · · Score: 5, Funny

    ...has anyone figured out how to get a shell prompt in this MINUX system?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:Obvious question by squiggleslash · · Score: 1
      (I meant MINIX not "MINUX", sorry, not myself right now. Not that "myself" is known for reliable spelling)


      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Obvious question by Anonymous Coward · · Score: 3, Informative

      ..no, actually, that's wrong. It's in the PCH. In fact there's more than one embedded processor in the PCH, they all do various things (like power management). The ME is just one of them.

    3. Re:Obvious question by TeknoHog · · Score: 4, Funny

      More generally, how can I install my own OS on this hardware I bought? It's not like we're talking about a game console or some other appliance you don't really own...

      --
      Escher was the first MC and Giger invented the HR department.
    4. Re:Obvious question by complete+loony · · Score: 5, Interesting

      What about JTAG?

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    5. Re:Obvious question by GerryGilmore · · Score: 4, Insightful

      Thank you! TFS states that "Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs" which is 100% pure, organic, dolphin-free BullShit!! The ME is NOT any part of the CPU itself, but built into the chipset surrounding the CPU. During my time there, it was limited to Xeon-level CPUs, but may be in later chipsets - I haven't kept up in a while, though I can still call out BS when I see it. C'mon /. - this is just sloppy!!

    6. Re:Obvious question by networkBoy · · Score: 1

      It is now in all chipsets and is the CSE/ME (converged security engine).

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    7. Re:Obvious question by slickwillie · · Score: 5, Funny

      I think a more obvious question is what are the odds that a guy named "Minnich" discovered "Minix" running on the CPUs?

    8. Re:Obvious question by mentil · · Score: 5, Funny

      Minimal

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    9. Re:Obvious question by Anonymous Coward · · Score: 1

      Only Intel's selected partners have the shell prompt. What would be better business plan than selling the processor to every PC and remote access to them.

    10. Re:Obvious question by Anonymous Coward · · Score: 2, Funny

      A coincidence, Minnich discovered this while at Munich.

    11. Re: Obvious question by sajad0102 · · Score: 1

      Google has done a great job however Google also has done a good thing on pixel phones and that is their camera clarity.

    12. Re:Obvious question by nycsubway · · Score: 1

      Also, what is Minnich's problem with MINIX?

      --
      http://github.com/gbook/nidb
  2. Interested move? by alexhs · · Score: 4, Funny

    Google Working To Remove MINIX-Based ME From Intel Platforms

    ... and replacing it with Android. "Just how much juicy monetizable user data could we get that way?"
    (I believe I'm joking, but I'm not completely sure...)

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    1. Re:Interested move? by Anonymous Coward · · Score: 1

      I doubt it...Ron has long been a linuxBIOS/coreboot guy and he has always been very clear that true open hardware means you can build your firmware from source.

      I don't trust google at all any more but I'll gladly trust Ron to do it right....but maybe I trusted him a little more when he was a LANL or Sandia guy ;-) j/k Ron.

    2. Re:Interested move? by eclectro · · Score: 1

      This actually came to my mind. Imagine the power of this. There can only be one here.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  3. Most Widely Deployed OS? by iCEBaLM · · Score: 4, Informative

    Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

    Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

    1. Re:Most Widely Deployed OS? by G00F · · Score: 3, Informative

      Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

      On top of that, I'm willingto be there are more linux VM's than intel ME enabled CPU's.

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    2. Re:Most Widely Deployed OS? by Big+Hairy+Ian · · Score: 2

      Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

      Finally I can declare this is the year of Linux on desktop :)

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    3. Re:Most Widely Deployed OS? by michael_wojcik · · Score: 1

      I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

      A quick, and entirely unverified, web search suggests Android devices (mostly not running on Intel ME-equipped CPUs) sell at a rate of around 1.4B per year, while Intel CPUs sell around 400M per year. So, yeah, MINIX is almost certainly way behind Android.

      I'm not sure who first came up with that "most widely deployed" claim - I've seen it in a number of articles about ME and MINIX - but I doubt it's based on anything more than someone's wild-ass supposition.

    4. Re:Most Widely Deployed OS? by thejynxed · · Score: 1

      It could be true if you remove the percentage of those mobile chip sales that are 1:1 replacements for something now going to a landfill, which is a high number. One of the things the mobile industry has been worried about for some time now is their market saturation.They aren't gaining new customers at nearly the same rate they did a decade ago, they are mainly selling upgrades/replacements. Once India really comes into the picture this will change for sure since it has a very high growth potential, Africa is also showing promise in this sector.

      It gets trickier when you try to analyze Intel's sales - some portion is replacement/upgrade, but a surprisingly high portion is new customer sales (new and expanding businesses, etc). People aren't upgrading nearly as often as they used to, because they frankly haven't needed to. For Intel to sell 400 million CPUs in a super matured and (over) saturated market like PC/Server, then they are doing pretty good. There are probably billions of Intel-based CPUs from the year 2006 onward still in operation (including how many Intel-based Macs that people don't replace constantly).

      The largest overall CPU growth (as a total portion) has been seen from Samsung and their ARM-based CPUs. They appear in everything from appliances and automobiles to tvs and cell phones, and yes, even specially customized servers. They are the "other" Chipzilla at this point in time, and quite frankly one that has shown tendencies to act just as bad as Intel in some cases and will probably do something similar to the IME in the ARM-CPU market at some point.

      And yes, most, but not all Android devices are running on ARM instead of Intel. Caveat: Many brands of Chromebooks, infotainment kiosks and some in-vehicle infotainment systems/center console controls. Docks are another example. The mobile device might be ARM-based, but the dock uses an Intel CPU.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  4. It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 1, Informative

    Guys, can you at least get your facts straight before doing another FUD piece on the Intel ME?

    1) The ME is not in the CPU, it's in the chipset, specificly it's loaded in the firmware of the firmware hub, and the "hidding processor" is in the chip we typically call the South Bridge.

    2) It's OFF BY DEFAULT.

    Go ahead and check it yourself:

    INTEL-SA-00075 Detection and Mitigation Tool
    https://downloadcenter.intel.com/download/26755

    1. Re:It's in the SouthBridge not CPU dammit by Z80a · · Score: 5, Insightful

      The remote management tools are off by default, but you still need the chip on to run the power management software on it, or the CPU turns off in 30 minutes.
      And as it is a black box, it might be doing several other tasks while doing the power management.

    2. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 5, Insightful

      2) It's OFF BY DEFAULT.

      We don't believe Intel's claims. After the Edward Snowden revelations, after the way that an exploitable backdoor was hidden in the Dual_EC_DRBG standard, after news that Microsoft works to provide backdoors in its Windows operating system, and after government officials have insisted that backdoors must be provided, we just don't trust Intel. The ME has the potential to be the most perfect backdoor in almost every computer. And if the Intel ME is a backdoor, then most of our computers are vulnerable if anyone (anywhere in the world) learns how to exploit it.

    3. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 2, Informative

      2) If the ME isn't running or is running incorrectly, the platform will not power on. It may be completely unreachable from the network in some implementations, but it is the arbiter of whether the system will turn on or not. It's easier to describe it as 'disabled', but it certainly is running.

    4. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 3, Insightful

      we just don't trust Intel.

      Fair enough, but why would you trust Google?

    5. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 3, Insightful

      It is not in the CPU, but that hardly makes a real difference. I'm not sure why people are getting all pedantic about whether it is in the CPU or in some part that is always paired with the CPU to run. The ME seems to be able to make out-of-band requests to the CPU to do potentially anything (including read memory locations). Sure it may not be able to be super high performance over DMI compared to being on CPU, but it's plenty good enough to be worried about it.

    6. Re:It's in the SouthBridge not CPU dammit by eclectro · · Score: 1

      Yea nope. Read the previous slashdot article on this. Minix is running even with your desktop pc powered down. Which makes this doubly pernicious for even those just casually concerned with security.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    7. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 3, Interesting

      why would you trust Google?

      I don't trust Google. But it certainly is interesting news that Google doesn't trust Intel, either.

    8. Re:It's in the SouthBridge not CPU dammit by Anonymous Coward · · Score: 1

      Trust is so easy to loose and so hard to regain, they have some history of making shaddy things, remember their compilers tampering code to run bad on non-Intel processors? or that time when they shipped "Windows vista ready" GPUs that weren't (Microsoft had to lower their requirements)
      https://www.theinquirer.net/inquirer/news/1558372/intel-caught-dodgy-gpu-drivers
      Or all those laughs accounting had when the Pentium's FDIV bug appeared.
      Well, sometimes they fix problems fast: https://www.pcworld.com/article/2464880/intel-finds-specialized-tsx-enterprise-bug-on-haswell-broadwell-cpus.html
      Others need more than 10 years.
      What most people seem to forget is that Intel many times have cheated customers:
      https://wccftech.com/intel-settles-15-year-class-action-lawsuit-faking-benchmarks
      https://www.theinquirer.net/inquirer/news/1558372/intel-caught-dodgy-gpu-drivers
      https://slashdot.org/story/16/08/17/1342222/nvidia-calls-out-intel-for-cheating-in-xeon-phi-vs-gpu-benchmarks
      and the list can grow...

      The thing is that companies do these kind of things some times but Intel sells the most expensive processors in the market, they should be more careful.

    9. Re:It's in the SouthBridge not CPU dammit by ccr · · Score: 1

      Actually some sources say that it has been in the "North Bridge", e.g. what has been known as "Platform Controller Hub" ( https://en.wikipedia.org/wiki/... ) for some time. For example, see ME references in https://www.intel.com/content/...

      However, it is stated in the above Wikipedia article: "Beginning with ultra-low-power Broadwells and continuing with mobile Skylake processors, Intel incorporated the clock, PCI controller, and southbridge IO controllers into the CPU package, eliminating the PCH for a system on a chip (SOC) design." This makes it unclear whether also the ME component has been integrated into the CPU package in SoC style in these newer CPUs (assuming that it has been there in the first place.) ... I sure wish Intel themselves would explain all this. And also state their reasons for pushing this crap.

    10. Re:It's in the SouthBridge not CPU dammit by fisted · · Score: 1

      Come to think about it, the one thing I'd want even less than an Intel-run ME is a Google-run ME...

      --
      CLI paste? paste.pr0.tips!
    11. Re:It's in the SouthBridge not CPU dammit by Waccoon · · Score: 2

      I agree. Supposedly it's built into every Intel chipset, which means they spent money reserving the silicon and firmware real estate to have it there.

      Its existence is default, even in low-end chipsets aimed at the consumer market, but 99.99% of the time it's disabled and simply a total waste of money and resources. Honest!

      I don't buy it.

    12. Re:It's in the SouthBridge not CPU dammit by infolation · · Score: 2

      The trustworthyness of Intel or Google is not important. The current Intel firmware code is complex, compiled blobs that are closed-source and unknown. The Google solution is much simpler, open-source GO that can be compiled on the fly. The creator of the replacement code can be untrustworthy, provided that code can be audited.

      And... why are Intel unwilling to sell a CPU without the ME, when a client like Google - who build 1 million+ machines running their CPUs - don't want it?

    13. Re:It's in the SouthBridge not CPU dammit by RockDoctor · · Score: 1

      Just to square that circle, is there any reason at all for Intel to trust Google? Do they count the money, and remain prepared to spit?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    14. Re:It's in the SouthBridge not CPU dammit by thejynxed · · Score: 1

      It's two-fold: An ARM-based processor (it used to be another architecture) baked into the Northbridge, that processes all of the logic and commands for the ME, that works in conjunction with everything they moved from the Southbridge into the main CPU die.

      Moving all of that on-die was actually rather clever of Intel, it means that the ME can't be hardware disabled by companies like Purism from here on out. They can only do it with the older models of ME implemented in earlier Core, Atom, and Xeon series CPUs.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  5. More instances of MINIX than Linux! by Anonymous Coward · · Score: 5, Funny

    Tanenbaum gets the last laugh over Torvalds.

    1. Re:More instances of MINIX than Linux! by Bruce+Perens · · Score: 2

      Tanenbaum gets the last laugh over Torvalds.

      Yes. We should put Andy in the hall of fame with the guy who invented stock derivatives. He wasn't responsible for the way others used it, either. :-)

      Insert your story of unwitting engineers facilitating people who do really bad stuff here.

      --
      Bruce Perens.
    2. Re:More instances of MINIX than Linux! by michael_wojcik · · Score: 1

      Perhaps, if the "most widely deployed" claim were in any way even close to being true.

      But it isn't. It's complete crap. MINIX's footprint in embedded controllers is still probably less than Linux's, and its overall footprint is dwarfed by Android.

  6. Its official by viperidaenz · · Score: 4, Funny

    It's the year of the Minix desktop!

  7. Talk to Purism? by Checkered+Daemon · · Score: 3, Funny

    Google might want to talk to Purism, who claim to have completely disabled Intel's ME in their secure Linux based laptops.

    1. Re:Talk to Purism? by Keith_Beef · · Score: 4, Informative
      From https://puri.sm/posts/deep-div...

      Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default. Users who already received their orders can also update their flash to disable the ME on their machines

      First of all neutralized, then disabled. The next step is to completely remove it.

    2. Re:Talk to Purism? by rahvin112 · · Score: 1

      It's not disabled, it's "neutralized". In other words they believe they've cut it's access but they can't be certain. You can't disable it completely as severing it's connection to the main CPU kills the CPU.

      Google is a major computer purchaser, rather than trying to disable the ME they should use their market power to force intel to sell CPU's without the ME. It should be trivial for Intel to spin up die without the ME integrated or fully disabled. Hell they should have the knowledge on how to disable the one currentley on the die if they don't want to do another tape-out.

      It's ridiculous when we get to a place where a major purchaser can't strong arm the CPU maker into removing an anti-feature they don't want. Google has the market power here to force Intel.

  8. Re:Twisted facts... by G00F · · Score: 3, Interesting

    If ever notice that when thigns are powered off they are still using 1-10wats? Or that LED's are still lit or blinking?

    This is the case with PC's, Microwaves, Dumb TV, VCR's, your name it.

    PC's no longer have an on/off button. It's now a button that asks the CPU to shutdown. Power is not cut removed, and some parts stay powered on. Can't ask the CPU to power on, if there's no power for it to reconize the input.

    --
    The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
  9. slashdot by Spaham · · Score: 1

    You should peruse this great website which talked about this three days ago...
    https://tech.slashdot.org/stor...

  10. Cue the skeptics by Anonymous Coward · · Score: 5, Insightful

    It seems like just a day ago, there was a Slashdot posting about this, and several highy-rated comments amounting to "naw man, there's no way this could be a problem!"

    So with all the verifiable, proven news of backdoors being built-in to software and hardware over the past decade, and all the news of vulnerabilities in software and hardware that compromise systems, people say "nah, not a problem, see, you can turn it off" about this "computer in my computer." Really? It's off?

    I'm not seeing reports saying "The Intel ME is off by default in consumer devices, and this is verified by researchers." In fact, I'm seeing the opposite, which says that the Intel ME is always on. Do we have any proof that the "off switch" in BIOS actually makes this feature unexploitable? Because, really, that's what I want: I want this feature to be unexploitable, and the only way I can be sure of that is for it to be disabled, for real, because I don't need this feature.

    So yeah, please forgive us all if we are just a BIT skeptical about Intel ME. Forgive us if we're skeptical of spokespersons at Intel saying "There's no problem with this feature."

    1. Re:Cue the skeptics by thegarbz · · Score: 1, Insightful

      ME is always on, but it has many functions that do not involve any kind of remote access. By contrast the remote functions are disabled.

      Now really? Are they? Well until someone can prove to me that there's some way of getting a TCP packet to fly through the internet and into an ethernet port without a second IP address, without additional MAC address, and which doesn't appear to respond to any normally routable packet on any port, I really don't care how off or on it is.

      As the old adage goes: If someone has physical access it's game over. The ability to get remote access however can be verified.

      Could I have a back door larger than some of he nastiest videos available on Pornhub? Possibly. I don't give a shit about it though if no one is able to get past my fence, through the maze and is unable to actually find the door.

    2. Re:Cue the skeptics by cthulhu11 · · Score: 1

      How is this different from the SMASH-based BMCs built into branded servers for the last 15 years? iLO, ILOM, IMM, DRAC, etc.

  11. My thoughts by DaMattster · · Score: 2

    This may be worth 0.02 or less but I believe the vulnerabilities can be mitigated somewhat by using disk encryption. I store all of my data on virtual encrypted file system with a hardware decryption key. When I am done with the filesystem, I just unmount it and remove the USB thumb drive that acts as the decryption key. Yes, it's a pain in the ass and yes, it really only works on desktops. It is a little impractical to do this on a server. It would be good for Google to find a way to stop this Intel menace.

    1. Re:My thoughts by arth1 · · Score: 4, Interesting

      This may be worth 0.02 or less but I believe the vulnerabilities can be mitigated somewhat by using disk encryption.

      And what do you use to encrypt and decrypt that data, so it never passes through the CPU or south bridge?

    2. Re:My thoughts by rahvin112 · · Score: 1

      The ME has DMA access to memory and disks and can open a network socket the main computer won't even be aware of. Any protection scheme on the computer can easily be subverted by the ME because it has ring 0 access to everything in the CPU such as, the kernel, the RAM, the disks and the network port. All communication to the CPU goes through the ME first. So when your computer decrypts that drive the ME can intercept and record the decryption key, it's also fully capable of decrypting the disk itself.

      Now do you realize why people are so scared of it?

    3. Re:My thoughts by DaMattster · · Score: 1

      The ME has DMA access to memory and disks and can open a network socket the main computer won't even be aware of. Any protection scheme on the computer can easily be subverted by the ME because it has ring 0 access to everything in the CPU such as, the kernel, the RAM, the disks and the network port. All communication to the CPU goes through the ME first. So when your computer decrypts that drive the ME can intercept and record the decryption key, it's also fully capable of decrypting the disk itself.

      Now do you realize why people are so scared of it?

      I had no idea that the vulnerability ran that deep! This is bad

  12. Old news by complete+loony · · Score: 1

    Intel's ME being based on MINIX is quite old news. Or at least, based on the summary. Is there anything new in the talk that should have been in the summary / writeup?

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re:Old news by ChunderDownunder · · Score: 1

      During the week, Tanenbaum was trying to troll Linus and RMS by suggesting there were more MINIX installs than Linux and that was because Linus had chosen the GPL.

    2. Re:Old news by boudie2 · · Score: 1, Insightful

      If Tannenbaum had licensed Minix as GPL instead of BSD, Intel couldn't have done this.

  13. Minix most widely deployed, wait what? by Tough+Love · · Score: 2

    Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

    I seriously doubt this claim. Phones have outnumbered PCs for years, for one thing. And Linux is deployed maybe even in more TVs and routers than phones, and numerous other embedded systems, now increasingly including cars. Anybody with decent stats on this?

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Minix most widely deployed, wait what? by sizzlinkitty · · Score: 2

      From everything I've read, this started before the smart phone craze, some where around 2007-2008. With that being said, they had a very good head start which may still allow them to claim the biggest installation base. Also don't forget all those "cloud" servers...

    2. Re:Minix most widely deployed, wait what? by Tough+Love · · Score: 1

      From everything I've read, this started before the smart phone craze, some where around 2007-2008. With that being said, they had a very good head start which may still allow them to claim the biggest installation base.

      Most of those PCs are in landfill today. I guess somebody just pulled the claim out of their ass.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    3. Re:Minix most widely deployed, wait what? by Zocalo · · Score: 1

      While I think it's probably started to get pretty close, I suspect that *NIX (there is lots of BSD in the embedded space) hasn't quite knocked some of the more popular RTOSs - like QNX or VxWorks out of the park for embedded systems just yet either, and it gets even more messy if you take into account that many RTOSs are actually derived from *NIX OSs. There are an *awful* lot of home, office, and industrial appliances running something like QNX/VxWorks behind the scenes, and you typically have far more of those than PCs when you start to think about it, but even then there's a good chance the monitor will be running an RTOS variant too for all those on-screen displays and colour management tools. Usage stats for given devices, let alone ones that might be credible or aggregated by OS, are awfully hard to come by though.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Minix most widely deployed, wait what? by Tough+Love · · Score: 1

      You are right that there are more RTOS computers out there than the sum of all general purpose computers, including personal, handset and data center. However, you are most probably not right that any one RTOS covers more devices than Linux does. Hell, I strongly suspect that my thermostat is running Linux, judging by the web connectivity options it has. And Wind River, one of the biggest vendors in the RTOS space, has been offering https://www.windriver.com/prod...>its own flavor of Linux for years. Plus, Linux is an RTOS of sorts, don't you know? With the real time patch, Linux works pretty well at the millisecond range hard response level, and has pretty much invaded that space. Microsecond-level hard latency is still ruled by the specialized RTOS. Linux can do it (see Xenomai) but its something of a force fit. Most likely, the most common OS today is still "no OS". What do you think runs the tens of billions of controllers in dime-store toys? Not Linux, not any OS at all in most cases, these things are coded right on the metal.

      Excellent survey of real time options for Linux

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    5. Re: Minix most widely deployed, wait what? by Brockmire · · Score: 1

      Except it seems more like a hack, than proper design. We tried really hard with 2.4 and 2.6 kernels, and could not come near the vxworks performance for a wireless BS/CPE. The 2.4 worked better. The 2.6 was faster, but crashed a lot and didn't make it out of development. Mind you, I hated vxworks and Wind River, but they could charge like a mofo because they knew they had better OS.

    6. Re: Minix most widely deployed, wait what? by Tough+Love · · Score: 1

      What is "it", PREEMPT_RT or Xenomai? Not doubting your report, but 2.4 and 2.6 are both ancient.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    7. Re: Minix most widely deployed, wait what? by Tough+Love · · Score: 1

      We tried really hard with 2.4 and 2.6 kernels, and could not come near the vxworks performance for a wireless BS/CPE.

      By the way, Linux seems to work out fine for these guys and you already know the license cost.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  14. Lots of Problems With That Statement by Bruce+Perens · · Score: 4, Insightful

    First, not all Intel systems that are capable of it actually have the management engine software. Second, the Intel PC motherboard probably does not hold the "largest number of systems" title, that might belong to Android phones. And anyway isn't the fact that MINIX with its BSD/MIT style licensing was used for the most user-hostile system in recent time an indictment of that license? You would not see GPL software used for this, for obvious reasons, and people who use GPL should be proud of that.

    --
    Bruce Perens.
    1. Re:Lots of Problems With That Statement by Anonymous Coward · · Score: 2, Informative

      The idea that a GPLed operating system wouldn't be used for this doesn't make sense. There is nothing preventing a company like Intel from using a minimal GPLed OS for this task. In fact, companies have used GPLed kernels, like Linux, in the past for locked down or embedded devices. Just look at the TiVo issue.

      So not only can you use a GPLed kernel for this sort of thing, people have, GPL advocates have nothing to be proud of in this instance because there is nothing in the license which prevents a company like Intel from using their software for the same scenario they used MINIX.

    2. Re:Lots of Problems With That Statement by Atmchicago · · Score: 1

      If the OS were GPL'ed, then the source code would have to be made available upon request. Making the source code available would mitigate much of the concern that the OS is not trustworthy, as in principle third parties could look for flaws and undocumented features.

      --

      You can lead a horse to water, but you can't make it dissolve.

    3. Re:Lots of Problems With That Statement by JThundley · · Score: 1

      What Tivo did is find and exploit a bug in the GPL 2 which was fixed in the next version to prevent that exploit.

    4. Re:Lots of Problems With That Statement by Bruce+Perens · · Score: 3, Interesting

      If the OS were GPL'ed, then the source code would have to be made available upon request. Making the source code available would mitigate much of the concern that the OS is not trustworthy, as in principle third parties could look for flaws and undocumented features.

      Sure, the GPL would be better than what there is now. But I think even that would not be good enough. GPL source code would be the start of making a system that users could trust. Besides that, there would have to be an explicit way to turn it off that could be confirmed to work reliably, and I would prefer a way to permanently remove it from the system with confirmation that worked too.

      There would be a lot of concern related to the overall security of that system (researchers tell us there are Minix bugs they will be reporting) and what that system is capable of doing for anyone but its owner.

      I am not sure I would want anything other than a very minimal system written in some sort of functional language that could be proven correct (and we know how expensive that is to write).

      Overall, I think I'd rather just have it out of my system.

      --
      Bruce Perens.
    5. Re:Lots of Problems With That Statement by tender-matser · · Score: 1

      The source code isn't worth much if you can't use it to rebuild and install the whole system.

      For most android phones and wireless routers the "gpl source code" usually consist of some old / incomplete tarred archive of the linux source code which does NOT correspond to the kernel installed on the device; for many drivers, the source files are a mix of magic numbers and binary arrays; and no change logs or version history are ever provided.

      The fact that they're able to pull this shit without anybody crying foul, and making the "source code" available acts like a magical gesture that shies tilfoil-hatters away is rather an indictment of the GPL.

    6. Re: Lots of Problems With That Statement by Bert64 · · Score: 1

      The source of windows nt4 is available on the internet too, but the version available will be significantly different from the versions currently being sold.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:Lots of Problems With That Statement by edtice1559 · · Score: 1

      Intel actually asked Tennenbaum to make Minix changes for them as part of the project. They very well may be running stock Minix.

    8. Re:Lots of Problems With That Statement by squiggleslash · · Score: 1

      While this is true, it would be easy for Intel to create a hybrid licensed OS comprising of the Linux kernel and a BSD userland, and just to release source for the Kernel. As all the "interesting stuff" would be userland, there'd be absolutely nothing useful we'd glean from examining the kernel source code.

      --
      You are not alone. This is not normal. None of this is normal.
  15. In the meantime, this stalls AMT/ME by Anonymous Coward · · Score: 4, Interesting

    See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).

    (I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

    HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/

    * GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!

    APK

    P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk

    1. Re:In the meantime, this stalls AMT/ME by Anonymous Coward · · Score: 1

      Better check that that router doesn't have an Intel chipset while you're at it. Oh, and given that what was just disclosed is that there is a lot more stuff in the ME than AMT, even a web server with unknown triggers, I guess you better close the rest of those ports. Hmmmm. Whoops.

    2. Re:In the meantime, this stalls AMT/ME by edtice1559 · · Score: 1

      This works fine if you have a desktop machine or server that never moves. It's a useless mitigation for laptop users who can't always use networks that they fully control

    3. Re:In the meantime, this stalls AMT/ME by Gavagai80 · · Score: 1

      Can't I just use a hosts file to fix the problem?

      --
      This space intentionally left blank
  16. No with chrome by goombah99 · · Score: 1

    Seriously, and no joke, chromebooks disable the ME after boot.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:No with chrome by epine · · Score: 1

      Seriously, and no joke, Chromebooks disable the ME after boot.

      Do Chromebooks use the off switch, like most people do to turn their PC "off", or do Chromebooks actually unplug ME from the wall socket?

      I have more confidence in the second method.

    2. Re:No with chrome by networkBoy · · Score: 1

      there is a "minSKU" available that Google and Apple use that has ME alive long enough to bring up the system, do the secure boot stuff then dies.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  17. Intel ME by wjcofkc · · Score: 1

    Irony.

    --
    Brought to you by Carl's Junior.
  18. Google, our saviour by wjcofkc · · Score: 1

    Google is just as or more evil than... Wait. You know what? Fuck attempting to say something clever. I've always been on board with Open Source, yet I have always had my limits on the philosophy. It always seemed to me that the hard line Open Source philosophy wanted hold things back. I get it now. Not just because of this. Hold up and hold back. We are irresponsible with technology and ultimately we are holding back and damaging our species. If a hard line stance on Open Source means holding technology back, hold it back.

    --
    Brought to you by Carl's Junior.
    1. Re:Google, our saviour by 110010001000 · · Score: 1

      Well digital technology progress has stopped, so there is no holding anything back. The computer you use 10, 20, 50 years from now will be very similar to the one you are using right now. Because, physics.

  19. Intel should be forced to pay compensation by Anonymous Coward · · Score: 1, Insightful

    Intel is running their software on your CPU, using electricity
    which you pay for. If they do not compensate for that, they are essentially
    stealing money from you, which is an offense for which they can be held liable in court.

    I propose everbody with such a CPU starts sending Intel invoices.
    If they do not compensate, a class action law-suit should be started.

  20. UPDATE: Ports 623-625 also filter them by Anonymous Coward · · Score: 1

    UPDATE: Ports 623-625 also filter them - JUST picked that up today (new information apparently, maybe for versions past 5-11.6 Intel AMT/ME have).

    APK

    P.S.=> An unidentifiable ac (probably a troll harassing me as usual) noted it uses port 80 in his reply to my original post (maybe in the usermode software interface, that's easily removed, but I have not seen news of it being in the MINIX on motherboard chip portion)... apk

  21. EFF analysis by Craggles · · Score: 5, Informative

    https://www.eff.org/deeplinks/...

  22. Re:Point me to this info. you speak of... apk by Bert64 · · Score: 2

    As the ME is a black box, we still have no idea what ports it uses... We know for sure that it does use those ports listed, but can you prove it doesn't use any others?
    Lack of evidence does not prove innocence.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  23. So how is google going to remove something from by mark_reh · · Score: 1

    hardware built into every PC? Are they going to somehow overwrite the Minix OS? Any side effects?

    1. Re:So how is google going to remove something from by m.alessandrini · · Score: 1

      I'm wondering, where is this OS resident? As a software, I mean. I think it would not be practical to have it on an immutable ROM, maybe the chipset has a flash memory inside, and maybe they can find a way to access it?

    2. Re:So how is google going to remove something from by Zocalo · · Score: 1

      Google apparently custom builds their core systems (or more likely gets a third party to build systems to their specs), including the use of their own motherboard designs. That affords them a lot more latitude to design the IME out of the system and implement alternatives that they control - using proprietary silicon if need be - than it would if they were buying pre-built systems off the shelf and trying to turn the IME off after the fact. I wouldn't count on any potential Google solution being a fix for a regular user who is buying pre-built PCs, or even building their own from readily available COTS components.

      --
      UNIX? They're not even circumcised! Savages!
  24. Re: Obvious answer by Anonymous Coward · · Score: 2, Funny

    It's a UNIX system, I know this!

  25. Re:Bert64 - read what u said "we know/have no idea by Bert64 · · Score: 4, Insightful

    There's no contradiction, we know for sure it uses *some* ports but do not know what other ports it *might* use. Your notion of blocking the known ports is flawed as it may well communicate via other as yet unknown ports.

    See subject: Point me to a valid reputable security community source that shows more ports being used than what I listed.

    I don't need to prove that more ports are being used, you need to prove that other ports are *NOT* being used in order to validate your claim that filtering at the network layer is effective.

    Monitoring in/out communique from router logs external to the PC would tell fact of what ports it used easily beyond Intel's docs.

    Monitoring the network traffic only shows the communication that actually takes place, not the communication that *could* take place. We don't know if any circumstances exist in which it could attempt other forms of communication. Sure the network router could log this traffic were it to take place, but we cannot be sure of all the triggers which would make it do so. That also assumes that the device only has wired connectivity, which is connected directly to your networking equipment. If the device has any form of wireless connectivity it could attempt communication with anything that's within range.

    Unless we are 100% sure of all the possible network communication the device could perform, and what could potentially trigger it, a blacklist approach at the network gateway can never be truly effective.

    We don't know, and a lack of knowledge is dangerous.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  26. ARM has TrustZone... by Anonymous Coward · · Score: 1

    Which is enabled/disabled in the stage0 bootloader usually, with signing/hashing just like the Intel ME firmware.

    The only difference is that the TrustZone stuff runs on ARM cores and may run either on the primary cores, or a dedicated coprocessor depending on the design chosen by the downstream chip designer.

    Earlier versions of TrustZone as well as the ARM Java/JVM stuff (I forget what those extensions were called, but they were basically the predecessor to TrustZone) were completely proprietary, required even stricter license to develop or use, and were never enabled for end-user applications. In theory you can install a custom TrustZone kernel on the later implementations, but I am not clear on if that documentation is available outside academia/nda'd commercial settings, and even then 99 percent of ARM devices that support TrustZone will not allow you to install an unsigned or user signed TrustZone kernel, and even on those devices that will, you will lose support for a large variety of applications (gapps and likely widevine support on android) that rely on the vendor key baked into a locked device's image, which your unlocked device will not have available to avoid the risk of you reusing the key to commit piracy or avoid digital rights management restrictions on the code, data, or device.

  27. More questions by Gonoff · · Score: 1

    Are AMD CPUs clear of it?
    Has someone got it onto RISC chips?
    Has the NSA or other criminals got their hooks into it?
    Can it be "zapped" with some xrays like cancer patients?

    --
    I'll see your Constitution and raise you a Queen.
    1. Re:More questions by TeknoHog · · Score: 1

      Older AMD CPUs (read: Phenom 2 and earlier) do not have any kind of management processor. I don't know about the desktop versions of the earthmover cores (the FX-series), but a fair few of the mobile chips (the A-series) have it

      The FX series don't have it, as they are family 15, and the PSP is only there starting from family 16: https://libreboot.org/faq.html... I think you can continue to buy FX CPUs for a while, as the (Ry)?Zen series is only now starting to make an impact in the marketplace.

      --
      Escher was the first MC and Giger invented the HR department.
  28. ME and chromebooks by DrYak · · Score: 2

    For chromebooks where google can't use their own openbios-based stack,
    they use heavily modified firmware, where the ME part running on the micro-controller embed in the chipset is reduced to the base minimum necessary to get the chipset running.

    Among other, all the juicy bits that are targeted by ME-exploits (half-broken webserver serving as the user-interface, capability to reflash the UEFI/BIOS while the main Intel CPU isn't even powered, VNC-like server with USB-over-network extensions, etc.) are all removed.
    (Common, these are *chromebooks*, why to they need tools for Admins doing "lights-out" maintenance ?!?)

    In a similar way, the parts of UEFI that run at "negative rings" on the main Intel CPU have also been reduced or removed.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  29. Year of the MINIX on desktops by DrYak · · Score: 1

    intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.

    The correct mention would be :
    MINIX is the most widely deployed OS on desktops in the world.

    But indeed, the desktop themselves are completely dwarfed by the embed world, were Linux seems to be the king.

    and linux would be on some AMD x86 systems

    BTW, IPMI is the industry standard for "lights-out management" (and Intel ME/AMT is the Intel proprietary "lights-out management").

    According to several presentation at conferences :
    - lots of IPMI implementation run actually Linux on their embed micro-controller.
    (Meaning that even in the server room/cluster/data center, Minix isn't the king it claims to be on the dekstop)
    - expect as many GPL-violations and tivoizations as you could imagine
    (so no, you can't install Debian on your micro-controller)
    - IPMI is just as buggy, broken and exploitable as Intel ME.
    (Running a IPMI-enabled server with an Opteron on a Super-micro motherboard, won't save you from exploit. It will just switch you to a different collection of exploits).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Year of the MINIX on desktops by jabuzz · · Score: 1

      Except that the IPMI on a server usually is plugged into a dedicated ethernet port all of it's own. Well at least all of mine are.

      Those ethernet ports are all highly segregated into a VLAN all of their own with very limited access to the outside world. They can hop to specific NTP servers and that's it. Everything else is contained within the VLAN itself.

      So while I expect the lights out management to be buggy and badly maintained (I have to keep a raft of ancient web browsers available on console server to use half of them in 2017) they are limited in what they can do and who can access them that it matters not.

  30. Google has done a marvelous thing by sajad0102 · · Score: 1

    Google has done a great job however Google also has done a good thing on pixel phones and that is their camera clarity.

  31. Why would anyone remove the ME? by tore66 · · Score: 1

    MINIX is a transparent and nice OS, well suited for this kind of tasks.

  32. Re:Twisted facts... by bananaquackmoo · · Score: 1

    Use a power strip. Problem solved.

  33. Re:Bert64 - read what u said "we know/have no idea by rahvin112 · · Score: 1

    Not only do we know what ports it could use, it could easily piggyback it's communications on a known port while it's being used. It's code may include anti-circumvention code that in the case it can't communicate with it's home base that it starts trying all available ports including port 80. It's ability to edit packets at transmission.

  34. Re: Not bad, so why not a RTlinux? by Brockmire · · Score: 1

    BB10, not BBOS.

  35. apk gets butthurt over tiniest things by Brockmire · · Score: 1

    See subject: you routinely fail to understand the point the other person makes, freaks out and attacks them with nonsensical bullshit. Brockmire P.S=> learn to fucking write a comprehensible post. Brockmire

  36. Re: Google hold back? Backfired on them... apk by Brockmire · · Score: 1

    Your program is so fucking simple, if someone actually gave a fuck, they'd just write their own and make it look the same. But I imagine, they'd use one of the many other hosts file aggregator than your shit if they just want the functionality.

  37. Re: I do what Dr. Mark Russinovich did... apk by Brockmire · · Score: 1

    Then you better google your program and check the top 10 hits. I know your shit was on a website without malware bytes in the server name just yesterday.

  38. This is actually pretty useful... by ShamblerBishop · · Score: 1

    Supposedly we all may have this pretty cool feature built into our processors, that if we can figure out how to get access to it and control it, we can then do lots of cool shit with our computers without even having to turn them on fully. We should set up some kind of public 'bounty' or such, to incentivize and reward the first people to get us a reliable open source toolkit, for taking control of this feature on our processors and putting it to use - and further bounties, for discoveries of externally accessible exploits within this feature (and a super-sized bounty for discovery of deliberate malicious exploits/backdoors built in). There's not just a security-based incentive for giving huge financial rewards here, there's the incentive based on this being an actual really cool feature.

  39. Pedantic by Rujiel · · Score: 1

    Regardless, intel processors, whether they're purchased individually or on a machine manufactured by the likes of dell, has Intel ME activated from the start. That's the point. Your nitpick is insignificant.