Sunday, November 5th 2017
Intel CPU On-chip Management Engine Runs on MINIX
With the transition to multi-core processors, and multi-core processors with integrated core-logic (chipset), the need arose for a low-level SoC embedded into the processor with just enough compute power to make sure all the components you pay for start-up and function as advertised. Enter the Intel ME (management engine). This is a full-fledged computer within your Intel processor, which isn't exposed to you. It runs on its very own tiny x86 CPU core that isn't exposed, and its software is driven on an infinitesimally small ROM and RAM. Since you can't have software without some sort of operating-system, Intel chose MINIX for the job.
MINIX is a Unix-like OS with an extremely small memory footprint. The OS was designed by Andrew Tanenbaum, originally as an educational tool to demonstrate that machines can still be built with extremely tiny code. If you're familiar with the "ring-level" system of hardware-access privilege by software, ring 0 would designate the "highest" level of access. A software with ring 0 access can erase your disk, flash your system BIOS, and even make your CPU run at any C-state. The OS kernel needs these privileges, and hence is a ring 0 software. Most user software, like the web-browser you're reading this on, runs at ring 3 (with the browser's own sandbox, the user-level, and API level forming inner levels). Intel ME runs at ring -3 (negative 3), and your OS has no power over it. Most system BIOS updates for Intel motherboards include a ROM update for ME. ME governs the functioning of the rest of the processor, its start-up, and booting. It also governs silicon-level security and management features that can't be compromised by malware.
Source:
NetworkWorld
MINIX is a Unix-like OS with an extremely small memory footprint. The OS was designed by Andrew Tanenbaum, originally as an educational tool to demonstrate that machines can still be built with extremely tiny code. If you're familiar with the "ring-level" system of hardware-access privilege by software, ring 0 would designate the "highest" level of access. A software with ring 0 access can erase your disk, flash your system BIOS, and even make your CPU run at any C-state. The OS kernel needs these privileges, and hence is a ring 0 software. Most user software, like the web-browser you're reading this on, runs at ring 3 (with the browser's own sandbox, the user-level, and API level forming inner levels). Intel ME runs at ring -3 (negative 3), and your OS has no power over it. Most system BIOS updates for Intel motherboards include a ROM update for ME. ME governs the functioning of the rest of the processor, its start-up, and booting. It also governs silicon-level security and management features that can't be compromised by malware.
41 Comments on Intel CPU On-chip Management Engine Runs on MINIX
Ans. No. An x86 core can be built with as few as 135,000 transistors (out of the 1.4 billion transistors on a "Haswell" quad-core die, for example). It's not a fifth core. It's a specialized small core that executes ME.
I heard about existing exploits elsewhere. They all recommend and/or come up with ways of disabling it. This is the first I've seen the news in a positive light.
Also, the source article is not nearly as positive as this post:
edit: Pretty interesting usenet arguments between the two btw. And funny how humble the two OSes started. I guess you could say they can both rule the roost now.
At that time Intel had "just" released the 80x86 platform: 32bit registers and IS + a paged MMU!!
MINIX was an educational OS and was written for 16bit processors. It couldn't do much on the new platforms and the code was licensed(this is important. everyone back then known that AT&T had won a judicial case against UC Berkeley because BSD -Berkeley UNIX port adopted by much of the academic world back then- contained AT&T code -being the original version of UNIX developed from AT&T-. From this legal battle all the GNU/GPL/Stallman history also bloomed).
So Torvald had this 32bit processor with a 16bit OS(MINIX) and was a broken College student that could not afford a BSD or UNIX distribution; what do you do in such cases? You write your own kernel to support the specification and unleash your processor power.
He developed it on MINIX, but he didn't care of the MINIX project because there was no MINIX project at all. Tenembaum used his OS as a teaching support for his OS design classes and at that time had no intrest in keep it up to date for new architectures.
I've been messing with Linux on and off since the 90s, but could never find a use for it personally. I really want to like it though, because of how it started, if anything.
Instead it all started because the guy is simply bold.
That's it and I quite like this fact.
1 May 2017
www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
If you're lucky, then your motherboard vendor has issued a BIOS update to plug the security hole. If you're unlucky (i.e., have an older business-grade machine), then the hole will never be plugged....
docs.microsoft.com/en-us/windows-hardware/drivers/bringup/windows-uefi-firmware-update-platform
I mean, talk about creating FUD with little knowledge. :rolleyes:
So yes, a full network stack, mainboard drivers (just main board and extra storage, Centrino platform and all that, extra peripherals need not apply), a file system to handle updates and a web server...to enable OOB management.Home users, yes. Enterprises, not really.
How the hell am I supposed to track/manage a thousand-or-so geographically distant machines without this? (I know about Azure, not there yet but almost)
So I do use it and it is useful.
Now, I do know that what I can see, Intel servers can too and that Intel probably does see all the stuff. They are providing me a service, so I expect that.
That's why every fan forum for elitebooks, thinkpads and latitudes recommends to shut Intel ME/iAMT off from 2nd hand machines. And I do recommend it too. Remote wipe/power manage/access blocking is a thing.
EDIT: And I do believe Google must be doing this because it is redundant anyway, servers already have mainboard built-in OOB management interfaces.
I mean I guess it could be doing something else and ms could just be full of it?
I also guess these surface firmware updates pushed through windows update are a lie.
www.windowscentral.com/microsoft-pushes-fresh-firmware-updates-surface-book-surface-pro-4
This is still a vender specific situation, but most of these updates are happening in windows update. Quietly so quietly that apparently no one knows about it.
Having been following this problem since it was reported, the details are as follows;
If you have a system using Intel's AMT, to be vulnerable, it must be both enabled AND provisioned. Additionally, the source article seems to have missed the statement Intel made about the miniCPU in question not being on the CPU die, but rather elsewhere in the chipset. This is only a problem if enabled. If disabled, it has no access to the system.