Intel Shows RealVNC Embedded In the BIOS

Posted by timothy
from the no-not-that-other-idf dept.
LWATCDR writes "At Intel Developer Forum, Intel and RealVNC demoed RealVNC integrated at the BIOS level. Using VNC, one can now power down, power up, reboot, go into the BIOS, and even mount disk images on the network. All of this has been available for a while using IPMI but now it can be done using the open standard VNC. It is available now on Q57 and Q67 motherboards. One can just imagine how useful this could be in a data center, school, or any other system with a large number of computers. Let's hope AMD joins in."
  • by djsmiley (752149) <djsmiley2k@gmail.com> on Tuesday September 20, 2011 @12:15PM (#37456918)

    So..... we've had someone (I forget if it was AMD or Intel teaming up with Trend Micro to look for malware at the lowest possible hardware level) and then in the same week an announcement about how you can have remote visuals for your WHOLE system from outside the O/S?

    While it's useful if your server decides to hang and you don't know why - but this exists in DRAC cards and other forms of remote management for systems which NEED it. I don't think I've ever had to access the BIOS of a consumer level device remotely before, or even thought it'd be a wildly good idea...

    So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea! - hey, at least they could do it remotely? (maybe!)

    • by durrr (1316311)
      Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.
      • by vlm (69642)

        Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

        They make money off every bricked / overheated / burned out MB / CPU. Stupid for anyone to buy, brilliant for them to try and sell.

        Heck they could even write the windows worm themselves to cause maximum damage... set fan speed to lowest, set CPU voltage to maximum, set CPU speed to max, disable thermal throttling... insta-profit!!!!!

        • by DJLuc1d (1010987)
          That takes the cake in paranoia... Like they couldn't do this already to maximize profits?
          • by rsborg (111459)

            That takes the cake in paranoia... Like they couldn't do this already to maximize profits?

            Paranoia++ = "How do you know they aren't doing this already? What if Adobe's Flash division is secretly funded by Intel?";

        • by Joce640k (829181)

          Look on the bright side: At least the Linux users won't be able to act all smug about how much more secure their machines are than Windows machines.

          • by icebike (68054)

            Linux users would know enough to never hook a cat5 cable to the on-board nic, at least not a cable exposed to the internet.
            They would simply install an add-in nic for the public side of the machine.

          • by orange47 (1519059)
            don't worry, sooner or later someone will make a Linux variant that runs in BIOS :)
      • There have been remote console mechanisms for PCs for a very long time now. I don't know why everyone suddenly thinks this is something new and shocking.

        • by cayenne8 (626475)
          Yeah..but VNC is pretty insecure isn't it?

          I mean, we have it on many boxes, but you have to run an ssh tunnel to the box to run VNC through to keep things a bit more secure.

          I can't see them doing that in the BIOS...or can they?

          • Probably no more secure than the existing PC remote console systems (i.e. not very good). I don't expect this to be any better than the existing stuff, just cheaper. Hopefully this thing by Intel will have its own network port or at least the ability to be on its own vlan like the existing ones so it can be segregated network-wise.

            • by icebike (68054)

              Actually if you watch the video you will see some stuff that is better than the existing stuff.
              Such as mounting an ISO on the GUEST machine over the network to be used by the Host machine.
              Most of the current tools don't allow manipulating things in the bios without flaky and expensive additional hardware.
              (So flaky and so expensive that you almost never see this stuff deployed in real life).

              If Intel can manage the security properly this would be very valuable.

              As demonstrated in the video, there still seems t

          • by Anonymous Coward

            From TFA:

            Last year, RealVNC teamed up with Intel to incorporate a bona fide VNC server (using hardware encryption native to vPro chipsets)

            I don't know why I read the comments on this site anymore. Once upon a time it was 80% morons and maybe 10% of posters had read the article. If only I knew how much I'd wind up missing those days....

            • Finally a good post and I am all out of mod points!
            • by LWATCDR (28044)

              Thanks for pointing that out. Wow, I never knew how many people just read the summary. When I wrote that summary I covered that this was already available, that the abilities are not that new but have been around for a while on systems using IPMI, and what chipsets supported it. I left out that it was encrypted front to back because I actually thought that everyone and their dog would just assume that it was, or read the article if they didn't bother to watch the video.
              You know I really made an effort to wri

          • by Lennie (16154)

            All the article did say:

            "using hardware encryption native to vPro chipsets"

            So it could include SSH or HTTPS.

      • by drinkypoo (153816)

        Would it be possible that a vulnerability allowed normal bios patching to be blocked too?

        No.

        Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.

        Perhaps you should read up on IPMI (mentioned above) before you come to such conclusions. It's a whole separate computer inside your computer (generally just in servers) which can share your ethernet port and which can manage your system. Generally speaking they provide sensor access (handy on platforms which otherwise obscure it) as well as remote shutdown, startup, reflash, and usually BIOS config, albeit through their interface. There are generally working IPMI tools for Linux. I had an eServer 325 fo

    • by jhigh (657789) on Tuesday September 20, 2011 @12:20PM (#37456978)

      I don't think i've ever had to access the bios of a consumer level device remotely before, or even thought i'd be a wildly good idea...

      You've obviously never worked in kiosks before - this would be endlessly useful for any company supporting a large number of kiosk computers. That being said, your point about possible vulnerabilities is well put. However, we can't let potential vulnerabilities get in the way of advancing technology. Just like I'm sure there will be some creative way for the bad guys to exploit this, I'm just as sure that there will be some equally creative way for the good guys to protect this.

      • Yes and it now gives those "security vendors" even more ammunition to sell snake oil products to protect your BIOS.

        I can see the sales line now...

        Buy the all new BIOS ULTRA DEFFENDER DELUXE 2XXX SUITE ENTERPRISE. Only $99.99 per server this week only. Don't let those pesky hackers take over your servers.

      • by The Moof (859402)
        Maybe I'm missing something about the kiosk industry (it's been a long time). Booting up can be done via wake-on-LAN [wikipedia.org], shutting down remotely is built in at the OS level. What BIOS functionality would you need to access that doesn't require you to already be physically in the box?
        • by darksabre (250838)

          How about the OS is hosed and you want to force a PXE boot in order to re-image the disk?

        • by Bengie (1121981)

          Intel is saying you can now do remote boot options, prior to the OS starting up. Remote into the BIOS, then tell the machine to boot from the NIC instead of the HD, then run memtest or something.

      • I'm just as sure that there will be some equally creative way for the good guys to protect this.

        Exactly how can a vulnerability burned into silicon be 'protected'?

        • It's not burned into the silicon, it's loaded in the BIOS. Which implies it can be updated in the bios when vulns are found.

      • by orange47 (1519059)
        yeah, right. remember the autorun fiasco?
        the 'creative' solution from 'good guys' was to shut it off.. what a waste of time
    • by Anonymous Coward

      Some of the DRAC cards used VNC as the display protocol; they had some proprietary stuff on top to do other things though. I could see this being useful for geeks; if I'm watching the baby play in the living room I can't easily be in the office getting my computer back up. I just hope they ship disabled so that those who want it can enable it, but if the user is unaware of the feature it can't be used to compromise it.

    • I would assume that this is something that is available in the BIOS, but that you can turn it off. The default should probably be for it to be turned off.

    • call me paranoid, but the security risks of having this in general user hardware may be used as the stick to push a more general adoption of tpm hardware for general use as a carrot to fix the problems this creates.

      tpm hardware, when used in a server setting is useful, and it's the only place it's useful as a server needs to be reliable and the software needs to be trusted in the mission critical roles they are used for. tpm has no practical purpose on a normal level desktop other then consolizing the norma

    • by sjames (1099)

      IPMI has supported serial over LAN for ages, and server BIOS have supported redirect to serial for even longer.

      You just fire up the IPMI client, cycle power (telling it to boot into BIOS), then go to the serial over lan console.

      In an office environment, it would be quite useful on the desktop. Not just for support, but for daily operations like powering up just before work so people don't leave them on all night to save the morning annoyance. In the home, I can see it being quite useful to parents wanting t

      • by ckaminski (82854)
        Daily operations - there's been an answer for that for DECADES (at least one) called Wake-On-LAN.

        Windows, the only OS in the world you can't network boot.
        • by sjames (1099)

          WakeOnLAN is a bit hit and miss. It's great when it works, but the feedback is really poor. You fire off the packet and can't know if you succeeded until a few minutes later when it boots (or doesn't). If you don't hear from it, you are none the wiser as to why. I have a desktop machine where WOL works about 40% of the time.

          I've seen machines where IPMI was iffy as well, but could tell instantly that it wasn't working.

    • Combine these two efforts with TXT and say to yourself: "This is not Palladium."

    • What are you complaining about? Obviously, there will be options in the BIOS to disable that new feature! In the mean while, it's great options for IT support.
    • So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea!

      Why? What's so spectacular about a BIOS update? The boot to DOS and load the new BIOS from floppy is a thing of the past. My girlfriend upgraded her BIOS the other day. Didn't even notice. Ok that's a lie, she did notice. A window came up giving her a list of 2 drivers and a new BIOS, she clicked ok. That was it. The update utility for her computer is memory resident, so in theory it could be done as silently as a windows update.

      The only critical part is still a potential for a bricked machine due to a dodg

  • Using VNC, one can now power down, power up, reboot, go into the BIOS, mount disk images on the network

    ... watch what your employees are doing,

  • by jackb_guppy (204733) on Tuesday September 20, 2011 @12:22PM (#37457000)

    I suggested this and other ways of using VNC embedded hardware like this years ago. It will be great to have keyboard, mouse, video - hope they also add virtual CD/DVD or USB to get the machine loaded remotely.

    It is a shame that it may be too late, with VBLOCK and ESX systems taking hold.

    • Agreed! I've been waiting decades for a technology that will open up my hardware configurations to anyone on the internet capable of hacking it. I hope it can flash the firmware too!
      • Why have you been waiting so long? If you've wanted to set up your servers incompetently this way it's been possible for decades with DRAC or ILO or LOM or IPMI... or hardware serial consoles for longer than there's been an Internet.

  • Looks like about what we have had for years on server gear. I do hope you can disable that 6 digit key bit (making it worthless for servers and off hours). Has this not been around since version 6 and they are on version 8 now?

  • Or at least something very like it - vPro [wikipedia.org].

    While IPMI is well-established on the server, so far no form of BIOS-level remote control seems to be doing particularly well on the desktop. It's damn difficult to find definitive statements from any major OEM concerning which lines support it, there's a plethora of versions with varying levels of sophistication, some of which require proprietary software in order to use.

    That in itself isn't the end of the world, but even tracking down suitable proprietary software

    • by Lennie (16154)

      As I understand it, this is just VNC with small enhancements for ISO-boot and encryption, which makes it easier to deal with on many different platforms.

  • by Kagetsuki (1620613) on Tuesday September 20, 2011 @12:30PM (#37457114)

    Why VNC? Why not SSH?

    By the way this was on SGI workstations and it was awesome. I still remember the first time I went into the SGI BIOS setup only to be greeted with a shell. That blew my mind.

    • by wagnerrp (1305589)
      Agreed. VNC just seems like a stupid choice for such a system. VNC, Citrix, Windows Terminal Services, Remote Desktop... all of these things only exist as a crutch to allow remote use of programs not designed for remote operation. If you are designing the application from scratch, why not design it for remote use in the first place? Use a terminal or curses application. Use an embedded web server and a javascript application. Do something that actually makes sense rather than render a 2D interface, an
      • Re:SSH? (Score:4, Insightful)

        by silas_moeckel (234313) on Tuesday September 20, 2011 @12:55PM (#37457412)

        Because it's not adding a new interface, it's connecting to the existing one. You want a tech to be able to correct, say, broken nic drivers. It's not meant for application sharing etc.

        • by wagnerrp (1305589)
          But the fancy graphical interface IS a new one, and you only have access to the fancy new graphical BIOS configuration utility. If it were the age old BIOS configuration utility, you would have no problem pumping that over a telnet or SSH terminal. It's not like you have meaningful access to the OS installed on the system such that you could tinker with the system or replace drivers.
          • Yes you do, that's the point. You can connect at any point and see whatever is on the primary screen. This could be the text BIOS, a full GUI desktop or various installers. You can mount ISOs remotely, all without help from the OS network stack. There is a serial connection as well that uses a bit of a funky protocol (it's all wrapped in UDP packets and encrypted) but there are proxies to convert that to straight ssh/telnet. It's nearly what IPMI is for servers.

      • "Use an embedded web server and a javascript application." - actually that's genius. It's not like you would need to start from scratch either, you could use Router firmware like OpenWRT to do it. OpenWRT also has SSH and Telnet included, and you could add VNC support through packages.

    • You're correct about that, but the reason it's still done is because of this annoying little program called "Microsoft Windows" which a lot of people refuse to stop using even though it's been proven to be a horrendously bad design.
    • by jorgef (10617)

      Intel only supports SSH Out of Band Management for entry-level server motherboards.

    • by ceoyoyo (59147)

      Never used an Apple I or II? Not only a shell in ROM but Basic too.

    • by sgt scrub (869860)

      The Alpha workstations had a shell too.

    • Because what are you going to SSH into? The BIOS? Great, now you can change BIOS settings, and the whole system is completely useless once you boot your OS. Or are you going to SSH into your OS? Well first, that's no good for Windows, and second, we've already had remote logins on the OS level for a long time.

      Sorry, but the value in something like this is to be able to see what's being displayed on the screen, regardless of what kind of output it is, and then to be able to use input devices (keyboard a

      • by omnichad (1198475)

        Unless it was implemented as a virtual serial port. You would at least be able to SSH into a terminal session on any OS that supports that sort of thing (i.e. not Windows). I was thinking the same, though.

      • by richlv (778496)

        a glance at the article only seemed to touch on bios controlling, it didn't seem to imply full remote keyboard/video/mouse control. if so, ssh would be MUCH better.

        it only mentions "install an OS", which is very vague and doesn't imply the above.

        • Wait, so what are you confused about? VNC *is* full remote video and keyboard/mouse control. How else would you remotely install the OS unless the VNC session continued while the OS booted?

          SSH just isn't better for the intended use here. It's worse. If it were just for BIOS control it would work, but it could mean learning complex commands and settings for each individual manufacturer and model. For a BIOS with a limited configuration options, a menu system is going to be easier and more intuitive tha

    • if you've used vnc, you would not have to ask this.

      I've been a vnc user for over a decade, now. ALL my home systems are vnc based. the noisy-room servers all are up 7x24 and usually run freebsd or linux. the clients are noiseless (ideally) things that boot up and I run vncviewer as soon as I get a term window inside a graphic screen. the o/s is a life-support system for vnc. vnc IS the killer app.

      sadly, I find that vnc over win (7 or xp) is the best overall client. the video drivers are fast, usually

  • by Anonymous Coward

    Hey, that's great Intel. But, when can we get off the shelf motherboards with an EFI [wikipedia.org] instead of a legacy BIOS? What's the hold up?

  • by vlm (69642)

    Using VNC, one can now ... power up,

    Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.

    What I'm worried about is:

    1) It's not going to be "open standard VNC" but some weird kluge that operates strictly on layer 2 and requires "special", probably Windows-only, software, that at least doesn't require IP to work.

    2) Or, to have the VNC interface not interfere with the

    • by nabsltd (1313397)

      Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.

      I suspect that like IPMI, if you enable this new system, then as long as the "big red switch" is on (i.e., the motherboard is getting the power it would need to respond to the momentary "power on" switch), then the network card will also be powered and able to send and receive.

      The real trick is the very first time power on...if this new feature is set to "on" by default, and the NIC is set to use DHCP, then you can just drop ship new systems to wherever they are needed and then start the remote configure.

    • by smbarbour (893880)

      Using VNC, one can now ... power up,

      Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.

      I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).
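      The post above explains that a Wake-on-LAN packet is addressed to the NIC's MAC rather than an IP, so it has to originate on the same segment, and sjames earlier noted that WOL gives no feedback at all. The following is an added example (mine, not from the thread, nor Intel or RealVNC code) that builds and validates the magic packet and then polls a TCP port for the feedback WOL lacks; the MAC, host and port values it takes are constructed inputs, and the probe/send/clock hooks exist only so the logic can be exercised offline.

```python
"""Wake-on-LAN helper: build/validate the magic packet, then poll for boot feedback.

Added example for this thread; not from the original post or any vendor code.
"""
import re
import socket
import time
from typing import Callable, Optional

WOL_PORT = 9                 # conventional choice; the NIC matches on the payload, not the port
SYNC_STREAM = b"\xff" * 6    # six 0xFF bytes open every magic packet


def parse_mac(mac: str) -> bytes:
    """Accept '00:11:22:33:44:55', '00-11-22-33-44-55' or '001122334455'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet = 6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC_STREAM + parse_mac(mac) * 16


def magic_packet_target(payload: bytes) -> Optional[str]:
    """Return the MAC a UDP payload would wake, or None if it is not a well-formed magic
    packet. Handy on the monitoring side: log which hosts are being woken on a segment."""
    if len(payload) < 102 or not payload.startswith(SYNC_STREAM):
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:       # all 16 copies must agree
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = WOL_PORT) -> int:
    """Broadcast on the local segment. IP/UDP is only a carrier for the MAC-addressed
    payload, which is why the sender (or a relay) must sit on the target's L2 network."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True once something answers on host:port (e.g. sshd), i.e. the OS is up."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wake_and_wait(mac: str, host: str, port: int = 22, deadline: float = 180.0,
                  interval: float = 5.0, resend_every: float = 30.0,
                  probe: Callable[[str, int], bool] = tcp_probe,
                  send: Callable[[str], object] = send_magic_packet,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> bool:
    """WOL is fire-and-forget, so re-send periodically and poll a TCP port until the
    host answers or the deadline passes. Returns True only if the host actually came up."""
    start = clock()
    last_sent = None
    while True:
        now = clock()
        if now - start > deadline:
            return False                 # explicit failure instead of silent guessing
        if last_sent is None or now - last_sent >= resend_every:
            send(mac)
            last_sent = now
        if probe(host, port):
            return True
        sleep(interval)
```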

      • by vlm (69642)

        I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).

        Yeah but that's cheating. You need an extra box and a WOL compatible switch, right? If I'm allowed to cheat and have stuff other than the as advertised VNC, then I can just specify a robot arm poised to punch the power switch. Or default the BIOS to always power up on restoral of AC and hook up to innumerable remote rebooter products and home automation products.

        I have noticed over the years that the concept of a power switch has been removed. The only thing my cable settop box does when it's "off" is out

  • Uhm... Patents? Software Patents? Who wants to bet there are dozens of patents on this technology already applied for by Intel? We already know VNC's patents, but not when you add "in the BIOS" to the end of it.

  • This will be very useful in the Enterprise space, with no need to resort to HP iLO or Dell's DRAC, or IBM's management processor.
    • Currently, they have this tied to AMT. That only works with a pure Intel implementation (integrated Intel nic, chipset, etc). AFAIK, it's even *specifically* only the 'desktop' chipsets that bother putting in the bits. So your EP/EN/EX platforms are not invited to the party at all, even *if* your vendor didn't put Emulex or Broadcom down. They specifically segmented this off as 'desktop/laptop', and said 'IPMI' is the server equivalent (which covers most of the base capabilities, but omits KVM and has d

  • VNC is not the pinnacle of security to begin with; unless they changed it, the default password limitation in VNC used to be at most only 8 characters. And if they haven't, it just gives a much easier method of compromising a system.
  • RealVNC at the GPL level, which i suspect is what we're testing with, has no encryption. IPMI, which is billed as standard on most enterprise grade servers on the other hand, comes with the option of key based crypto.
  • Cool! I use VNC hooks for recording user sessions. Is it a full install? ie. key stroke and pointer location code too?

  • OEMs like Dell and HP have the DRAC and ALOM "add-in" cards that they sell at various prices ranging from $99 upwards of $650. Yet Intel is talking about enabling features the OEMs are charging premiums for in the BIOS for free. This could have a backlash effect from the channel partners...
    • Depending on the feature set, quality, and reliability, people may still want to buy the Lights-Out add-on cards. Either way, that's the way progress works sometimes. You're making money fixing problems, and then those problems go away. I don't think that Intel's, Dell's, or HP's business will be so hurt by this that it'll cause a huge hubbub.
      • by cas2000 (148703)

        yep, *LO cards have a lot more than just a BIOS implementation of VNC.

        To start with, they provide a hardware watchdog, power on/off/cycle options, and querying of sensors and settings via IPMI from the OS as well as just remote console access. They're also a dedicated computer that's available at all times, not just when the machine is running the BIOS, including when the main machine is powered off. i.e. they offer out-of-band access to controlling the server.

        You can completely manage a remote machine.

    • by Junta (36770)

      I mentioned this elsewhere, but AMT (which this is a part of) is a non-starter in the 'server' Intel chipsets at all, and even if it were, the second they drop an emulex or broadcom to drive the networking, it would still become non-working.

  • I'm hoping that by default it's disabled and requires enabling+password to work.

    However, isn't VNC an insecure protocol? Perhaps it had a default SSL layer or something like that (I suppose then it would need an ability to update the cert as well) then it would be a safer solution.

  • I use this tech on a number of Lenovo desktops. It works pretty well, though I have had some reliability issues. Isn't this standard with all vPro capable hardware? BTW this has some amazing potential when working with our India based IT support, especially for a small company.
  • I bought my latest server board from Intel specifically because it supports this, and it does work well -- full KVM over VNC, can boot from bios all the way to desktop regardless of the OS, it's basically exactly like sitting at the console, but you can be anywhere.

    However, I had a few issues with the design:

    1) Setting up encryption for VNC was a pain... I had to dig around on Intel's site to find some corporate management software before I could install an X.509 certificate and connect to the encrypted port

  • by Mock (29603)

    It's called AMT, and I've been running one of these for over a year on my $120 vPro motherboard.
    As of AMT 6.0, you can control every aspect of the pc, including interacting with the bios screen, from remote.

    http://en.wikipedia.org/wiki/Intel_Active_Management_Technology [wikipedia.org]
