Intel Shows RealVNC Embedded In the BIOS
LWATCDR writes "At Intel Developer Forum, Intel and RealVNC demoed RealVNC integrated at the BIOS level. Using VNC, one can now power down, power up, reboot, go into the BIOS, and even mount disk images on the network. All of this has been available for a while using IPMI but now it can be done using the open standard VNC. It is available now on Q57 and Q67 motherboards. One can just imagine how useful this could be in a data center, school, or any other system with a large number of computers. Let's hope AMD joins in."
And how bad it becomes when a vuln is found (Score:4, Insightful)
So..... we've had someone (I forget if it was AMD or Intel teaming up with Trend Micro to look for malware at the lowest possible hardware level) and then in the same week an announcement about how you can have remote visuals for your WHOLE system from outside the O/S?
While it's useful if your server decides to hang and you don't know why, this exists in DRAC cards and other forms of remote management for systems which NEED it. I don't think I've ever had to access the BIOS of a consumer level device remotely before, or even thought it'd be a wildly good idea...
So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea! - hey, at least they could do it remotely? (maybe!)
Re: (Score:2)
Would it be possible that a vulnerability allowed normal bios patching to be blocked too? Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.
They make money off every bricked / overheated / burned out MB / CPU. Stupid for anyone to buy, brilliant for them to try and sell.
Heck they could even write the windows worm themselves to cause maximum damage... set fan speed to lowest, set CPU voltage to maximum, set CPU speed to max, disable thermal throttling... insta-profit!!!!!
Re: (Score:2)
That takes the cake in paranoia... Like they couldn't do this already to maximize profits?
Paranoia++ = "How do you know they aren't doing this already? What if Adobe's Flash division is secretly funded by Intel?";
Re: (Score:3)
Look on the bright side: At least the Linux users won't be able to act all smug about how much more secure their machines are than Windows machines.
Re: (Score:2)
Linux users would know enough to never hook a cat5 cable to the on-board nic, at least not a cable exposed to the internet.
They would simply install an add-in nic for the public side of the machine.
Re: (Score:3)
You presume that is possible. And you presume the disabling is actually honored.
I looked at the bios screens very carefully and saw no such option.
Re: (Score:1)
True, I did take that for granted without looking into it more.
Whenever I think a designer "can't be that stupid", I tend to get proven wrong.
Re: (Score:2)
Go watch the video.
The guy shut down the entire TCP/IP stack and was still talking to the machine.
You can't do that with a nic in a slot.
The bios has direct control of that nic and can power it up even when the machine is shut down.
Re: (Score:2)
There have been remote console mechanisms for PCs for a very long time now. I don't know why everyone suddenly thinks this is something new and shocking.
Re: (Score:2)
I mean, we have it on many boxes, but you have to run an SSH tunnel to the box to run VNC through to keep things a bit more secure.
I can't see them doing that in the BIOS...or can they?
Re: (Score:2)
Probably no more secure than the existing PC remote console systems (i.e. not very good). I don't expect this to be any better than the existing stuff, just cheaper. Hopefully this thing by Intel will have its own network port or at least the ability to be on its own VLAN like the existing ones so it can be segregated network-wise.
Re: (Score:2)
Actually if you watch the video you will see some stuff that is better than the existing stuff.
Such as mounting an ISO on the GUEST machine over the network to be used by the Host machine.
Most of the current tools don't allow manipulating things in the bios without flaky and expensive additional hardware.
(So flaky and so expensive that you almost never see this stuff deployed in real life).
If Intel can manage the security properly this would be very valuable.
As demonstrated in the video, there still seems t
Re: (Score:2)
I meant better security-wise. Yeah, I agree, the existing remote console things are all kind of flaky.
Re: (Score:1)
From TFA:
Last year, RealVNC teamed up with Intel to incorporate a bona fide VNC server (using hardware encryption native to vPro chipsets)
I don't know why I read the comments on this site anymore. Once upon a time it was 80% morons and maybe 10% of posters had read the article. If only I knew how much I'd wind up missing those days....
Dammit Jim! (Score:2)
Re: (Score:3)
Thanks for pointing that out. Wow, I never knew how many people just read the summary. When I wrote that summary I covered that this was already available, that the abilities are not that new but have been around for a while on systems using IPMI, and what chipsets supported it. I left out that it was encrypted front to back because I actually thought that everyone and their dog would just assume that it was, or read the article if they didn't bother to watch the video.
You know I really made an effort to wri
Re: (Score:2)
All the article did say:
"using hardware encryption native to vPro chipsets"
So it could include SSH or HTTPS.
Re: (Score:2)
Would it be possible that a vulnerability allowed normal bios patching to be blocked too?
No.
Meaning that the hardware could be more or less irreversibly compromised... Sounds like a brilliant stroke of stupid.
Perhaps you should read up on IPMI (mentioned above) before you come to such conclusions. It's a whole separate computer inside your computer (generally just in servers) which can share your ethernet port and which can manage your system. Generally speaking they provide sensor access (handy on platforms which otherwise obscure it) as well as remote shutdown, startup, reflash, and usually BIOS config, albeit through their interface. There are generally working IPMI tools for Linux. I had an eServer 325 fo
Re: (Score:2)
time to take the system offline to reload the software ... in the bios.
Uh, what year is it? No wonder you posted as AC. I can't remember the last time I got a machine I couldn't flash live.
Re:And how bad it becomes when a vuln is found (Score:5, Insightful)
I don't think i've ever had to access the bios of a consumer level device remotely before, or even thought i'd be a wildly good idea...
You've obviously never worked in kiosks before - this would be endlessly useful for any company supporting a large number of kiosk computers. That being said, your point about possible vulnerabilities is well put. However, we can't let potential vulnerabilities get in the way of advancing technology. Just like I'm sure there will be some creative way for the bad guys to exploit this, I'm just as sure that there will be some equally creative way for the good guys to protect this.
Re: (Score:2)
Yes, and it now gives those "security vendors" even more ammunition to sell snake oil products to protect your BIOS.
I can see the sales line now...
Buy the all new BIOS ULTRA DEFFENDER DELUXE 2XXX SUITE ENTERPRISE. Only $99.99 per server this week only. Don't let those pesky hackers take over your servers.
Re: (Score:1)
How about the OS is hosed and you want to force a PXE boot in order to re-image the disk?
Re: (Score:2)
Intel is saying you can now do remote boot options, prior to the OS starting up. Remote into the BIOS, then tell the machine to boot from the NIC instead of the HD, then run memtest or something.
Re: (Score:2)
Exactly how can a vulnerability burned into silicon be 'protected'?
Re: (Score:2)
It's not burned into the silicon, it's loaded in the BIOS. Which implies it can be updated in the bios when vulns are found.
Re: (Score:1)
the 'creative' solution from 'good guys' was to shut it off.. what a waste of time
Re: (Score:2)
If you are so worried about security why are you accessing the internet at all? For that matter why do you even have a computer? Do you also not use a credit card or check card? It was pointed out quite eloquently above. "we can't let potential vulnerabilities get in the way of advancing technology."
Re: (Score:1)
Some of the DRAC cards used VNC as the display protocol; they had some proprietary stuff on top to do other things though. I could see this being useful for geeks; if I'm watching the baby play in the living room I can't easily be in the office getting my computer back up. I just hope they ship disabled, so that those who want it can enable it, but if the user is unaware of the feature it can't be used to compromise it.
Re: (Score:2)
I would assume that this is something that is available in the BIOS, but that you can turn it off. The default should probably be for it to be turned off.
Re: (Score:2)
call me paranoid, but the security risks of having this in general user hardware may be used as the stick to push a more general adoption of tpm hardware for general use as a carrot to fix the problems this creates.
tpm hardware, when used in a server setting, is useful, and it's the only place it's useful, as a server needs to be reliable and the software needs to be trusted in the mission critical roles they are used for. tpm has no practical purpose on a normal level desktop other than consolizing the norma
Re: (Score:2)
IPMI has supported serial over LAN for ages, and server BIOS have supported redirect to serial for even longer.
You just fire up the IPMI client, cycle power (telling it to boot into BIOS), then go to the serial over lan console.
In an office environment, it would be quite useful on the desktop. Not just for support, but for daily operations like powering up just before work so people don't leave them on all night to save the morning annoyance. In the home, I can see it being quite useful to parents wanting t
Re: (Score:2)
Windows, the only OS in the world you can't network boot.
Re: (Score:2)
WakeOnLAN is a bit hit and miss. It's great when it works, but the feedback is really poor. You fire off the packet and can't know if you succeeded until a few minutes later when it boots (or doesn't). If you don't hear from it, you are none the wiser as to why. I have a desktop machine where WOL works about 40% of the time.
I've seen machines where IPMI was iffy as well, but could tell instantly that it wasn't working.
Re: (Score:2)
Combine these two efforts with TXT and say to yourself: "This is not Palladium."
Re:Why will we be unhappy? (Score:2)
So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea!
Why? What's so spectacular about a BIOS update? The boot to DOS and load the new BIOS from floppy is a thing of the past. My girlfriend upgraded her BIOS the other day. Didn't even notice. Ok, that's a lie, she did notice. A window came up giving her a list of 2 drivers and a new BIOS, she clicked ok. That was it. The update utility for her computer is memory resident, so in theory it could be done as silently as a Windows update.
The only critical part is still a potential for a bricked machine due to a dodg
Yeah, just great... (Score:2)
Using VNC, one can now power down, power up, reboot, go into the BIOS, mount disk images on the network
Re: (Score:2)
Employers were able to do that for a long time already...
Finally! (Score:3)
I suggested this and other ways of using VNC embedded hardware like this years ago. It will be great to have keyboard, mouse, video - hope they also add virtual CD/DVD or USB to get the machine loaded remotely.
It is a shame that it may be too late, with VBLOCK and ESX systems taking hold.
Re: (Score:3)
Why have you been waiting so long? If you've wanted to set up your servers incompetently this way it's been possible for decades with DRAC or ILO or LOM or IPMI... or hardware serial consoles for longer than there's been an Internet.
Desktops finally get IPMI-like (Score:2)
Looks like about what we have had for years on server gear. I do hope you can disable that 6 digit key bit (making it worthless for servers and off hours). Has this not been around since version 6 and they are on version 8 now?
Intel have been pushing this for years (Score:2)
Or at least something very like it - vPro [wikipedia.org].
While IPMI is well-established on the server, so far no form of BIOS-level remote control seems to be doing particularly well on the desktop. It's damn difficult to find definitive statements from any major OEM concerning which lines support it, there's a plethora of versions with varying levels of sophistication, some of which require proprietary software in order to use.
That in itself isn't the end of the world, but even tracking down suitable proprietary software
Re: (Score:2)
As I understand it, this is just VNC with small enhancements for ISO-boot and encryption, which makes it easier to deal with on many different platforms.
SSH? (Score:3)
Why VNC? Why not SSH?
By the way this was on SGI workstations and it was awesome. I still remember the first time I went into the SGI BIOS setup only to be greeted with a shell. That blew my mind.
Re:SSH? (Score:4, Insightful)
Because it's not adding a new interface it's connecting to the existing one. You want a tech to be able to correct say broken nic drivers. It's not meant for application sharing etc.
Re: (Score:2)
Yes you do, that's the point. You can connect at any point and see whatever is on the primary screen. This could be the text BIOS, a full GUI desktop or various installers. You can mount ISOs remotely, all without help from the OS network stack. There is a serial connection as well that uses a slightly funky protocol (it's all wrapped in UDP packets and encrypted) but there are proxies to convert that to straight ssh/telnet. It's nearly what IPMI is for servers.
Windows OS - Windows Driver (Score:2)
VNC subsystem -> VNC Driver
Multiple systems can share a physically functional NIC. A bad driver in the OS layer does not stop the NIC in a different environment from using it.
Re: (Score:2)
"Use an embedded web server and a javascript application." - actually that's genius. It's not like you would need to start from scratch either, you could use Router firmware like OpenWRT to do it. OpenWRT also has SSH and Telnet included, and you could add VNC support through packages.
Re: (Score:1)
Intel only supports SSH Out of Band Management for entry-level server motherboards.
Re: (Score:2)
Never used an Apple I or II? Not only a shell in ROM but Basic too.
Re: (Score:2)
The Alpha workstations had a shell too.
Re: (Score:2)
Because what are you going to SSH into? The BIOS? Great, now you can change BIOS settings, and the whole system is completely useless once you boot your OS. Or are you going to SSH into your OS? Well first, that's no good for Windows, and second, we've already had remote logins on the OS level for a long time.
Sorry, but the value in something like this is to be able to see what's being displayed on the screen, regardless of what kind of output it is, and then to be able to use input devices (keyboard a
Re: (Score:2)
Unless it was implemented as a virtual serial port. You would at least be able to SSH into a terminal session on any OS that supports that sort of thing (i.e. not Windows). I was thinking the same, though.
Re: (Score:2)
a glance at the article only seemed to touch on bios controlling, it didn't seem to imply full remote keyboard/video/mouse control. if so, ssh would be MUCH better.
it only mentions "install an OS", which is very vague and doesn't imply the above.
Re: (Score:2)
Wait, so what are you confused about? VNC *is* full remote video and keyboard/mouse control. How else would you remotely install the OS unless the VNC session continued while the OS booted?
SSH just isn't better for the intended use here. It's worse. If it were just for BIOS control it would work, but it could mean learning complex commands and settings for each individual manufacturer and model. For a BIOS with limited configuration options, a menu system is going to be easier and more intuitive tha
Re: (Score:2)
if you've used vnc, you would not have to ask this.
I've been a vnc user for over a decade, now. ALL my home systems are vnc based. the noisy-room servers all are up 7x24 and usually run freebsd or linux. the clients are noiseless (ideally) things that boot up and I run vncviewer as soon as I get a term window inside a graphic screen. the o/s is a life-support system for vnc. vnc IS the killer app.
sadly, I find that vnc over win (7 or xp) is the best overall client. the video drivers are fast, usually
The BIOS needs to die (Score:1)
Hey, that's great Intel. But, when can we get off the shelf motherboards with a EFI [wikipedia.org] instead of a legacy BIOS? What's the hold up?
Re: (Score:2)
EFI is just as big a mess as the legacy BIOS:
http://lwn.net/Articles/451690/ [lwn.net]
http://lwn.net/Articles/453003/ [lwn.net]
And would you like Microsoft with their Windows 8 (App) Store and Intel to control your PC like it is an Apple iDevice?:
http://lwn.net/Articles/459569/ [lwn.net]
DHCP? Huh? (Score:1)
Using VNC, one can now ... power up,
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.
What I'm worried about is:
1) It's not going to be "open standard VNC" but some weird kluge that operates strictly on layer 2 and requires "special" probably Windows-only software, that at least doesn't require IP to work.
2) Or, to have the VNC interface not interfere with the
Re: (Score:2)
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.
I suspect that like IPMI, if you enable this new system, then as long as the "big red switch" is on (i.e., the motherboard is getting the power it would need to respond to the momentary "power on" switch), then the network card will also be powered and able to send and receive.
The real trick is the very first time power on...if this new feature is set to "on" by default, and the NIC is set to use DHCP, then you can just drop ship new systems to wherever they are needed and then start the remote configure.
Re: (Score:2)
Using VNC, one can now ... power up,
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.
I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).
Re: (Score:2)
I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).
Yeah, but that's cheating. You need an extra box and a WOL compatible switch, right? If I'm allowed to cheat and have stuff other than the as-advertised VNC, then I can just specify a robot arm poised to punch the power switch. Or default the BIOS to always power up on restoral of AC and hook up to innumerable remote rebooter products and home automation products.
I have noticed over the years that the concept of a power switch has been removed. The only thing my cable settop box does when it's "off" is out
Re: (Score:2)
Exactly. All that is required is that the packet reaches the intended destination. The easiest way to do that on a TCP/IP network is the magic packet sent to one of the broadcast addresses (either network specific i.e. 192.168.0.255 or the general purpose one: 255.255.255.255). Every switch knows how to handle network broadcasts (and every hub, though I haven't seen an actual network hub in ages since small switches are commodity hardware now, transmits every packet to every connected port).
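The magic packet format the thread describes (six 0xFF bytes, then the target MAC repeated 16 times, sent to a directed or limited broadcast) as an added example, not code from the article or any poster; the MAC address and subnet are constructed placeholders. It also includes the validation a network monitor would apply to flag who is being woken on the LAN, which the thread does not cover.

```python
"""Wake-on-LAN magic packet: build it, validate a captured one, and
compute the subnet-specific broadcast address mentioned in the thread.
Added example; MAC and subnet values below are constructed samples."""
import ipaddress
import re
import socket

SYNC = b"\xff" * 6          # six 0xFF bytes open every magic packet
WOL_PORT = 9                # conventional UDP port (7 is also common)


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'."""
    digits = re.sub(r"[:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str, secureon: bytes = b"") -> bytes:
    """SYNC, then the target MAC repeated 16 times, then an optional
    SecureOn password (4 or 6 bytes) that some NICs require."""
    if secureon and len(secureon) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + parse_mac(mac) * 16 + secureon


def parse_magic_packet(payload: bytes):
    """Return the target MAC (colon form) if payload is a well-formed
    magic packet, else None.  This is the check a LAN monitor would run
    over UDP payloads to log which host is being woken and by whom."""
    if not payload.startswith(SYNC):
        return None
    body = payload[6:]
    if len(body) < 96:
        return None
    mac, rest = body[:6], body[6:96]
    if rest != mac * 15:                  # MAC must repeat 16 times in all
        return None
    if len(body) - 96 not in (0, 4, 6):   # only a SecureOn tail may follow
        return None
    return ":".join(f"{b:02x}" for b in mac)


def directed_broadcast(cidr: str) -> str:
    """Subnet-specific broadcast (192.168.0.10/24 -> 192.168.0.255),
    the alternative to 255.255.255.255 that the thread mentions."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255") -> int:
    """Send the packet as a UDP broadcast; returns the byte count sent."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, WOL_PORT))


if __name__ == "__main__":
    # constructed sample values, not a real host
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), parse_magic_packet(pkt), directed_broadcast("192.168.0.10/24"))
```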
Let's hope AMD does what? (Score:2)
Uhm... Patents? Software Patents? Who wants to bet there are dozens of patents on this technology already applied for by Intel? We already know VNC's patents, but not when you add "in the BIOS" to the end of it.
Big boon to the Enterprise... (Score:1)
Not really.. (Score:2)
Currently, they have this tied to AMT. That only works with a pure Intel implementation (integrated Intel NIC, chipset, etc). AFAIK, it's even *specifically* only the 'desktop' chipsets that bother putting in the bits. So your EP/EN/EX platforms are not invited to the party at all, even *if* your vendor didn't put Emulex or Broadcom down. They specifically segmented this off as 'desktop/laptop', and said 'IPMI' is the server equivalent (which covers most of the base capabilities, but omits KVM and has d
Re: (Score:2)
No you are wrong.
Nice! (Score:2)
Cool! I use VNC hooks for recording user sessions. Is it a full install? ie. key stroke and pointer location code too?
OEMs won't like it... (Score:2)
Re: (Score:2)
yep, *LO cards have a lot more than just a BIOS implementation of VNC.
To start with, they provide a hardware watchdog, power on/off/cycle options, and querying of sensors and settings via IPMI from the OS, as well as just remote console access. They're also a dedicated computer that's available at all times, not just when the machine is running the BIOS, including when the main machine is powered off, i.e. they offer out-of-band access to controlling the server.
You can completely manage a remote machine.
Re: (Score:2)
I mentioned this elsewhere, but AMT (which this is a part of) is a non-starter in the 'server' Intel chipsets at all, and even if it were, the second they drop an emulex or broadcom to drive the networking, it would still become non-working.
Default=disable (Score:1)
I'm hoping that by default it's disabled and requires enabling+password to work.
However, isn't VNC an insecure protocol? Perhaps it had a default SSL layer or something like that (I suppose then it would need an ability to update the cert as well) then it would be a safer solution.
this is new? (Score:1)
Re: (Score:2)
As I understand it, this is VNC (with encryption) and vPro isn't.
Very cool, but can be difficult to set up. (Score:1)
I bought my latest server board from Intel specifically because it supports this, and it does work well -- full KVM over VNC, can boot from bios all the way to desktop regardless of the OS, it's basically exactly like sitting at the console, but you can be anywhere.
However, I had a few issues with the design:
1) Setting up encryption for VNC was a pain... I had to dig around on Intel's site to find some corporate management software before I could install an x509 certificate and connect to the encrypted port
Old news (Score:2)
It's called AMT, and I've been running one of these for over a year on my $120 vPro motherboard.
As of AMT 6.0, you can control every aspect of the pc, including interacting with the bios screen, from remote.
http://en.wikipedia.org/wiki/Intel_Active_Management_Technology [wikipedia.org]
Re: (Score:2)
Indeed. The main alternative to this is TFTP and SSH, and that isn't secured either as you have to load and boot the image before SSH gets into the picture.. Which is understandable, but at this point in history, you really shouldn't be doing these things over a network without some security in place. Even a supposedly secured network can be infiltrated if it's valuable enough.
And this is definitely not going to be worth using over the internet unless one has a means of ensuring a secured connection between
Re: (Score:2)
This is assuming you're stupid and use it over an untrusted network.
BMCs and such generally talk over a protected VPN and are not general access. These are the same LANs that allow you to telnet to APC controllers and fiddle with power outlets.
Re: (Score:2)
Only if you're stupid (again) and have Windows on said secure network. Here's a hint - you can only get to it through (non Windows!) trusted (read: secured and audited) machines, and only management devices reside upon it.
Re:REALLY useful (Score:4, Interesting)
More than likely this is integrated at the BMC (baseboard management controller). While the BMC may be integrated into the system and a few values override some of the DMI, it is not technically the BIOS. I've run into several systems with dead BMCs and they will happily chug along and act mostly normal. (DMI values revert to the BIOS provided values)
You can obtain the source to the FRU and play to your heart's content. Unfortunately, these are typically available on their high end S5000 and above series boards. SuperMicro makes some cheap boards with IPMI, but I don't know if it is a similar BMC setup. Now, the kicker is the BMC is just Linux on a chip managed through IPMI. You can obtain and modify this to your heart's content. Though I don't know if they left out any bits, and the system firmware is still a binary blob I believe.
Re: (Score:2)
I also had a chance to watch the video.
This is integrated into the vPro management utilities. vPro is a proprietary BMC featured in their laptops and desktops. I have only user end experience with this, but you really just want to think of it as a DRAC. The major difference here is that beyond being another management interface it is shared with the host nic.
Same technology and the primary difference is the level of exposure*1. vPro already offers remote kvm with a proprietary interface. Introducing VNC sim
Re: (Score:2)
Wouldn't a BIOS screen be really low-rez anyway?
Re: (Score:2)
This probably just implements the standard RFB protocol, so any viewer (UltraVNC, RealVNC or whatever) can connect to it.
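Since the thread asks whether VNC is an insecure protocol and notes that the server most likely speaks standard RFB, here is an added example (not code from the article, RealVNC or Intel) that parses the first two server messages of an RFB handshake and reports which security types are offered, so an administrator can confirm a management console is not accepting unauthenticated or unencrypted sessions. The byte strings are constructed, not captured from any real device.

```python
"""Audit the security types an RFB (VNC) server offers at connect time.
Added example; the sample messages at the bottom are constructed."""
import struct

# Security type numbers from RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}
ENCRYPTED_TYPES = {18, 19}   # types that wrap the session in TLS


def parse_version(msg: bytes) -> tuple:
    """b'RFB 003.008\\n' -> (3, 8)."""
    if len(msg) != 12 or not msg.startswith(b"RFB ") or msg[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = msg[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple, msg: bytes) -> list:
    """Return the offered security type numbers.
    A 3.3 server sends one u32 and decides for the client; 3.7 and later
    send a count byte followed by that many type bytes (count 0 means
    the server refused and a reason string follows)."""
    if version < (3, 7):
        (single,) = struct.unpack("!I", msg[:4])
        return [single]
    count = msg[0]
    if count == 0:
        reason_len = struct.unpack("!I", msg[1:5])[0]
        reason = msg[5:5 + reason_len].decode(errors="replace")
        raise ValueError("server refused connection: " + reason)
    if len(msg) < 1 + count:
        raise ValueError("truncated security-types message")
    return list(msg[1:1 + count])


def audit(version_msg: bytes, security_msg: bytes) -> dict:
    """Summarise what any viewer would be offered on connect."""
    version = parse_version(version_msg)
    types = parse_security_types(version, security_msg)
    return {
        "version": version,
        "offered": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "unauthenticated": 1 in types,          # 'None' auth accepted
        "plaintext_only": not any(t in ENCRYPTED_TYPES for t in types),
    }


if __name__ == "__main__":
    # constructed exchange: a 3.8 server offering None and VNC Authentication
    print(audit(b"RFB 003.008\n", b"\x02\x01\x02"))
```

A result with `unauthenticated` or `plaintext_only` set to True on a BIOS-level console is the finding to act on, by restricting the interface to a management VLAN or enabling the encrypted types.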
Re: (Score:2)
Alright! I have my hard-to-detect avenue for exploit. What a great vector! Thanks, Intel!