
Intel's Secret CPU-On-Chip Management Engine (ME) Runs on MINIX OS

backdoor in intel chips


#1 alacran


Posted 10 November 2017 - 04:38 AM

Intel's Secret CPU-On-Chip Management Engine (ME) Runs on MINIX OS

Source: https://www.bleeping...ns-on-minix-os/

These are only some extracts from the page (better to go and read the source and watch the very interesting video there):

Intel ME runs on MINIX, Google finds

According to Ron Minnich, a Software Engineer at Google, MINIX is at the heart of Intel's Management Engine (ME), a secret processor embedded in all Intel CPUs sold in the last decade.

Despite many people calling ME a backdoor into everyone's computers, Intel has always advertised ME as a way for companies to manage workstations on internal networks by allowing system administrators to monitor, maintain, update, upgrade, and repair Intel-based computers from a remote, central location.

This is because the ME component runs independently from the user's main OS, with separate processes, threads, memory manager, hardware bus driver, file system, and many other components.


The talk, available for download here and in the YouTube video embedded below, details Google's recent efforts at removing proprietary firmware — like Intel ME — from its internal servers.

Google cited worries that the Intel ME (actually MINIX) code runs on their CPU's deepest access level — Ring "-3" — and also runs a web server component that allows anyone to remotely connect to remote computers, even when the main OS is turned off.

For a company that holds information on almost all Internet users, Intel ME is a gaping security hole its engineers are now actively trying to nuke off their systems. See video: https://youtu.be/iffTJ1vPCSo

alacran

#2 Guest_AnonVendetta_*

Posted 10 November 2017 - 06:30 PM

@alacran: Did you read the part about an enable/disable bit being used to toggle the chip/ME on/off? Customers like the NSA demanded it because they wanted no one, not even Intel, to have a way in. I couldn't find instructions, but everything says it's dangerous to do so even if you can. This is definitely a security risk that Intel should deal with. On the other hand, I don't really think Intel has any dubious reasons to want to use this CPU for nefarious purposes, but it's still a potential backdoor nonetheless, and in an age where govts/corporations collect all that they can on the general populace, you can never be too sure. And it doesn't really help that Intel has always been tongue-in-cheek when asked for info on the CPU. It would help generate goodwill if they would be open about it at the least, and maybe even supply some source code.

Nuno had posted a topic about this months ago, but I can't find the link. I basically replied asking how it can be disabled. He said something to the effect that this CPU can theoretically be disabled at every boot by tapping something which would temporarily short it out. A hardware bypass, so to speak. Kind of like how you can blow a fuse by tapping it. Or hotwire an older car with flathead screwdrivers, wires, and a lighter.

#3 Wonko the Sane

Posted 10 November 2017 - 08:04 PM

Just in case:

https://hardenedlinu..._ivybridge.html

http://blog.ptsecuri...g-intel-me.html

https://wiki.gentoo....nagement_Engine

 

@Alacran

To be very picky, the IME is not "secret" at all, half the internet talks about it (the other half talks about AMD's own PSP or Platform Security Processor[1]), at the most it is "secretive" ;).

 

:duff:

Wonko

 

[1] https://libreboot.org/faq.html#amd

and while we are at it:

https://libreboot.org/faq.html#intel



#4 alacran

Posted 11 November 2017 - 05:34 AM

@Alacran

To be very picky, the IME is not "secret" at all, half the internet talks about it (the other half talks about AMD's own PSP or Platform Security Processor[1]), at the most it is "secretive" ;).

:duff:

Wonko

It is the original title of the article, not my idea; I just wanted to quote it as it is, not adding or changing anything.

alacran



#5 alacran

Posted 11 November 2017 - 05:58 AM

@alacran: Did you read the part about an enable/disable bit being used to toggle the chip/ME on/off? Customers like the NSA demanded it because they wanted no one, not even Intel, to have a way in. I couldn't find instructions, but everything says it's dangerous to do so even if you can. This is definitely a security risk that Intel should deal with. On the other hand, I don't really think Intel has any dubious reasons to want to use this CPU for nefarious purposes, but it's still a potential backdoor nonetheless, and in an age where govts/corporations collect all that they can on the general populace, you can never be too sure. And it doesn't really help that Intel has always been tongue-in-cheek when asked for info on the CPU. It would help generate goodwill if they would be open about it at the least, and maybe even supply some source code.

Nuno had posted a topic about this months ago, but I can't find the link. I basically replied asking how it can be disabled. He said something to the effect that this CPU can theoretically be disabled at every boot by tapping something which would temporarily short it out. A hardware bypass, so to speak. Kind of like how you can blow a fuse by tapping it. Or hotwire an older car with flathead screwdrivers, wires, and a lighter.

Yes, I read it all and also saw the video. About the enable/disable bit, I guess Intel has a way to do it safely, but they haven't made it public.

In the video the speaker said that Google hasn't found a way to completely disable it yet; they can only disable the server and some other parts, but it is actually very risky.

About Nuno's post some months ago, I read it too, but I don't remember its title in order to search for it.

alacran



#6 Brito

Posted 11 November 2017 - 08:54 AM

Good info about Minix.


The topic from a few months ago could possibly have been this one:

http://reboot.pro/to...ased-computers/


At this moment the only laptop that I would (minimally) trust would be this one https://puri.sm/products/librem-13/

It isn't perfect, nor should it be seen as safe, albeit the physical kill switches are certainly an upgrade compared to manually covering our webcams with paper notes.

:cheers:
