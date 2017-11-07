MINIX: Intel's Hidden In-chip Operating System (zdnet.com) 77
Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.
1) Do AMD processors have similar vulnerabilities or is this an Intel issue only?
2) Why isn't Intel being held responsible to fix this, either by action of lawmakers or through lawsuits for providing a faulty product?
3) Shouldn't Intel either have to patch the vulnerabilities or issue a recall?
Because it is functioning as intended for its usage among authoritarian regimes (the US included thanks to Congress, the NSA, CIA, and domestic SigInt/PsyOps.)
The Clipper chip concept was never off the table its implementation just became less 'warrant and seize' and more 'illegal wiretap'.
Do AMD processors have any counterpart of this nonsense?
The Opterons 41XX, 42XX, 43XX; 61XX, 62XX, 63XX and the FX series do not have this garbage baked in. Stockpile boards and CPUs while you can.
Yes, it does [reddit.com]. It's called "AMD Secure Processor" nowadays, but it's better known as PSP (as in "Platform Security Processor", its original name).
Overblown -- oh and AMD isn't any better (Score:3, Interesting)
This stuff is overblown since these management engines are only ever active in a limited set of corporate environments where out-of-band management is a huge plus that actually improves security by not requiring your IT drone to physically access every system even if it's turned off.
Oh, and don't think your magical AMD saviours are any better. There a TrustZone processor that you have zero control over embedded in their products that does the exact same bad stuff.
I am not sure why you are modded -1. This is exactly why I am actively buying vPro-enabled computers at work despite all these "dooms-day" articles about backdoor access to your computer through the chipset. I do not have the time to run between different office locations to fix people's issues when I can easily deal with it remotely. The OOB is a plus over any other remote-help software that requires Windows to be running before I can connect to it.
However, I would prefer to visit the manufacturer's website to download and install the additional ME firmware in order to activate the feature, rather than having this pre-embedded on every chipset. Those that ended up in home products do not need this.
I worked on a project to evaluate vPro and ME for laptops to be used in a very geographically dispersed and isolated environment where they would have Internet access but getting tech support to them would be a nightmare. It was very hard to get these technologies configured properly and two otherwise identical laptops, same make and model and, apparently same EVERYTHING, would behave differently with vPro/ME. I found it quirky and unreliable, sadly. Its a great technology for that kind of environment.
these management engines are only ever active in a limited set of corporate environments where out-of-band management is a huge plus that actually improves security by not requiring your IT drone to physically access every system even if it's turned off.
I think you mean that they only have a use to the consumer in a limited set of corporate environments. IME is active on all their chips.
The ME is actually active all the time. Basically the modern Intel architecture just doesn't live without ME managing things. It may not be network enabled or remote accessed depending on the configuration, but it's pretty much always there now, and always active.
Even the vendors don't really know what all it may be doing, just that they have to interact with it to provide certain features or interrogate it to explain why the system decided to go haywire.
The new part is that you make people pay you for putting the computers you manage into their server room, pay for the power to run them and put their software for you to manage on it.
It's kinda like being the admin for a server farm, only that you don't get paid, but in return, neither do you have to pay for anything, you're not responsible for anything you do to the computers and you can do with the software and data on them whatever you please.
It's kinda like being the admin for a server farm, only that you don't get paid, but in return, neither do you have to pay for anything, you're not responsible for anything you do to the computers and you can do with the software and data on them whatever you please.
Oh, you still pay for it. The fees include both hardware, operating costs and administration (done by largely unqualified people, but still administration of sorts). It's just cheaper due to scale.
And you're still responsible - the contracts tend to have clauses that you must not interfere with the hosting or other services. So if you deliberately break the hardware through software (quite doable, alas), don't expect them to blindly replace broken gear forever.
Before the cloud, people used to put their own servers in server rooms. That's the interface to manage your machine from outside.
This doesn't prevent a system from coming into your environment already compromised. That, to me is the scary part. Your order could be intercepted and compromised or compromised at the vendor before shipment. And there is no way to scan the subsystem for threats.
The years of the Minux desktop (Score:5, Insightful)
Tanenbaum: a professor of Computer Science...? (Score:5, Informative)
Kids these days...
Andrew S. Tanenbaum is the original creator of MINIX, not just "a professor" at Vrije Universiteit.
Somebody needs to learn a little tech history. The Linux (monolithic kernel) versus Minix (micro kernel) debate is well known.
Somebody needs to learn a little tech history. The Linux (monolithic kernel) versus Minix (micro kernel) debate is well known.
Apparently you don't hear that whooshing sound over your head.
We can always use a Raspberry Pi, right?
that's been around for decades? except they add more stuff to it and now it runs in a separate processor?
I've been waiting for someone to port Linux interfaces for SystemD (previously udev, kevents, and HAL) to Minix for a while, which would make it capable of replacing the Linux kernel.
Beyond that, you'd need to port in the file system and hardware drivers. Since they're separate services, you can make GPL versions out-of-tree and just load them into Minix. In-tree versions of adapted netbsd, freebsd, or dragonflybsd drivers are allowable.
