78 comments

[ 3.2 ms ] story [ 165 ms ] thread
Can someone ELI5 why Intel needs an OS in the processor?
It's the most reliable way to provide a full set of entrenched vulnerabilities, user espionage tools and privacy-evading mechanisms.
Because the implementation of all the complexity within would be much buggier if they tried to pull it all off from scratch. Also, it would be more expensive.

The official application of ME is, well, about managing the hardware. This means it has to work with lots of different components, including coordination of the resources available. When you think of it, that's pretty much the definition of an OS. Instead of writing their own one, they decided to use one of the ones already available.

Also remember while a case can be made (although in my opinion a very weak one) for why you need a separate computer running beside your main processor, the main issue people have is that you:

- Can not see what that operating system is doing

- Can not read the source code for that operating system

- Can not stop or manage that operating system

- Can not upload/change/edit anything to do with that operating system

I think it should be considered that none of these things are inherent to an OS running in a side CPU to the main CPU.

Rather, these are symptoms of specific implementations.

There are a lot more processors in your computer. Every hard disk has a computer [0] and your power adapter might too [1]. Seriously, who knows how many general purpose chips are inside a computer these days?

[0] http://spritesmods.com/?art=hddhack&page=3 [1] http://appleinsider.com/articles/13/03/01/apples-lightning-d...

Do they all have direct access to every other device, memory and hard drive connected to your computer. Genuine question, I'm not sure but I would have thought they have to go through the main processor to access those devices.

However with ME and PSP they have complete access to everything you do on your computer. It can record your screen, monitor your traffic, connect to the internet, etc

If you're a sysadmin for a machine that you don't have physical access to, and the main OS is hosed, how do you fix it?

It's a very useful feature for large enterprises, and pretty much only for them. The interesting question is why doesn't Intel charge "enterprise pricing" for the feature, just like they do for stuff like ECC?

It's probably cheaper to just ship it everywhere and enable it on enterprises
It's also the method by which a sysadmin will get to hear of drive failures in hardware RAID arrays, ECC memory errors, and other things relevant to the general upkeep of a server, regardless of the OS running and whether it is hosed or not.
IPMI.

IPMI is not integrated into the main CPU, so you don't have direct ability to control the state of the main CPU, but (depending on implementation) you'll be able to access sensor data, operate on the sensor data logs, get a console etc.

With a properly set up system it means you have a standard way to attach, request a reboot and and interact with the system remotely.

IPMI works great on the server, not so well for managing desktops. Perhaps it should have been extended to support desktops, but I'm not surprised that Intel chose to push vPro instead.
Well, yes, they'd rather push an option that doesn't give other companies an opportunity to play in that market.
It does hardware initialization. This used to be done with dip switches but is now handled by the BUP module in the ME. It's basically the first thing that is executed on power on. If you wanted to neuter the ME, it would probably be safe to do so after the BUP module finishes its work.
I don't understand why AMD isn't all over this as a product differentiator
Because they probably are required to do the same under whatever legal jurisdiction they fall under.
What makes you say this?
Because this can be a useful feature. (Compare to ILO on servers)
They don't need to remove it, adding the possibility to turn it off should suffice.
> adding the possibility to turn it off should suffice.

How could Intel/AMD reasonably communicate this to customers and have it taken at face value?

"Here's a flag to disable this black box we ship in every CPU. The product design and source code are proprietary, so please take our word for it that this flag disables everything."

There was a blackhat talk on embedding malware in SMM and triggering it with a magic number written to a register to escalate the process privileges. [0] So there will always be suspicion of special triggers to re-enable the black box that you turned "off"

I think there is a very slim chance that Intel and AMD can regain credibility when it concerns the IME/PSP.

Especially after it emerged Intel created a special ME disabled mode intended for US agency customers. [1]

[0] https://youtu.be/lR0nh-TdpVg

[1] https://m.hardocp.com/news/2017/08/30/how_to_disable_intel_m...

Turning it off/on would have to be a jumper setting on the mainboard. BIOS won't do any good, as this is more a "software" setting. However, a jumper might have the same effect...
How would a jumper resolve fears that the black box is not totally disabled?

You're referring to something deeply embedded in silicon and firmware. This isn't a separate device you can easily depower through a jumper.

What about a laptop or tablet where there is no user accessible jumper?

You could if the developer wanted to.

A jumper on a laptop is not impossible. But to be honest, I haven't seen one in my Thinkpads.

Even better would be to offer two classes of products: one with an IME-like controller and one without. They could push the non-IME one to consumers and the IME one to server/enterprise customers.

Just turning it off is hardly a guarantee that it'll stay off forever. Remove the entire component physically and I'll know it'll never be running in the background.

Because then someone might point at their PSP.
>> Note to AMD: Now might be a good time to remove similar functionality from your CPU lines to try to win market share from Intel. Better to do so now before Intel removes the “Management Engine.” Strike while the iron’s hot and all that.

I am absolutely certain this comes with backing maybe even pressure from government surveillance bodies. You don't have it - you don't get a contract.

AMD does already follow suit and is not better by any means.

Then they should release the same CPU without the ME. Like they do for overclocking purposes. Leave it to the consumers to choose.
To plays devil's advocate for AMD here. Then America and the other Five Eyes might not allow you to sell your product in their countries without an ME. Thereby you lose a huge market because let's face it most modern nations are now doing surveillance on their citizens, not just the US.
You mean you discovered that fimware is bad? Good! Now search for Bryan Cantrill’s latest video on the torment of debugging closed source firmware...
I do not like the post. It seems scant on details and rife with conclusions. The Google presentation linked to has a bit more detail on the underlying technologies. A modern processor is a complex beast, and a security argument can always be made to reduce complexity. Citation needed for espionage and privacy evasion use cases...
Surely, this is more an opinion piece than a didactic article. Here you have a more detailed write-up on the issue, including a known vulnerability and how others could be lingering: https://www.eff.org/deeplinks/2017/05/intels-management-engi...
Thanks. The citation describes the existence of vulnerabilities and laments the lack of transparency. While the latter is indeed lamentable, and is known to be a contributing factor in increasing risk, vulnerabilities do exist in any system, including transparent ones (e.g., OpenSSL). Still am not seeing any evidence of malice by this vendor, as "providing a full set of entrenched vulnerabilities, user espionage tools and privacy-evading mechanisms" would perhaps imply. Vendors have a hard time with security. Chip vendors are no different, only the stakes are higher.
The important point is that in the case of OpenSSL, anyone who wanted to know could know, and plenty of people knew. Not the specific vulnerabilities, but the horrible quality of the code base was not just something that you could discover by looking at the source, it is something that plenty of people did discover. Also, obviously, anyone could in principle fix vulnerabilities they find in OpenSSL, without any need to wait for the OpenSSL project or anyone else to do anything.
That's not how reliable, safe, secure engineering works. You don't consider stuff safe until someone proves that it will kill you/let people steal your data/whatever, but rather everything is suspect unless it can be demonstrated that according to current state of the art/best practices, it can reasonably be expected to be safe.

A bridge isn't considered safe until it collapses, it is considered unsafe until it has been shown that according to our current understanding of physics and material properties, it can be expected to hold up.

The same should obviously apply to software and computing hardware.

That implication was not intended. I was merely attempting to address the FUD. If anything, I took care to mention that all systems are vulnerable and must be assumed as such.
But the point is that it's not FUD if doubt is the correct default position, the situation is in fact uncertain, there is no reasonable way for you to resolve the uncertainty, and fear is justified in the face of that uncertainty.

FUD is when you deliberately avoid getting an accurate picture of the uncertainty/danger so as to paint as bleak a picture as possible and thus induce gratuitous fear.

Is anyone actually using Intel Management Engine? I understand why Intel would have it as a feature, but the majority of all users, including large companies and other organisation with 1000+ desktops, don't need it or use other solutions.

Besides not being able to turn it of, it actually seems like a nice enough offer, I just never heard of anyone using it.

Is there a demo of the ME somewhere?

Intel ME is part of the initialization of the CPU during boot. You are running Intel ME wether or not you think its usefull. Removing Intel ME, or disabling it, results in your computer stopping after 30 sec. Much of the work to remove Intel ME is more about neutralizing the firmware.

Pretty great talk from 32C3 about Intel ME https://media.ccc.de/v/32c3-7352-towards_reasonably_trustwor...

That wasn't really my point. Arguably it should be a feature you specifically enable, or better yet only present if you buy that option.

If you ignore all that, then Intel ME actually seems rather useful, for a subset of users, specifically organisations with large numbers of machines deployed. Still I'm not sure that even the target audience of ME is actually using it, so it seems like a huge waste of time and money from Intel perspective.

I believe the person you replied to was talking about the BUP module. This is useful to every user.

It's probably cheaper for Intel to ship the same ME on every motherboard than to customize it endlessly.

Yeah, I have had my sysadmin email me telling me that my server has reported a few ECC errors on one of the DIMMs. That was done at IME level. Told us exactly which DIMM to replace, made it very easy.

Likewise, I have had him email me to tell me that a hard drive in one of the hardware RAID arrays had failed. No main OS involvement.

There is a use-case for this stuff. What is evil is how it is switched on all the time on everything when that is unnecessary.

Here is some Russian guys having success in almost fully disabling the Intel ME.

http://www.pvsm.ru/informatsionnaya-bezopasnost/262876

(you can use Google translator from the top of the page, to translate content from Russian to English)

Here's the Register write-up on this: https://www.theregister.co.uk/2017/08/29/intel_management_en...

On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.

HAP stands for high assurance platform. It's an IT security framework developed by the US National Security Agency, an organization that might want a way to disable a feature on Intel chips that presents a security risk.

The Register asked Intel about this and received the same emailed statement that was provided to Positive Technologies.

"In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features," Intel's spokesperson said. "In this case, the modifications were made at the request of equipment manufacturers in support of their customer's evaluation of the US government's 'High Assurance Platform' program. These modifications underwent a limited validation cycle and are not an officially supported configuration."

"Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease security of its technology"

We can all rest easy now that Intel has come out and public said this, right?

Good to know that those hours in school wrestling with recreating parts of Minix for my OS class weren't wasted.

But seriously, the Tannenbaum stuff (book, code) was really impressive, if painful to do on 3.5" floppies.

I'm just assuming that by now, we'd have something better for embedded OSes in one of the most central computing approaches used in the world.

Kinda a shame for Minix. I always hoped v3 would pick up a wider following, but this is probably not the right kind of popularity.

Intel would have picked it for it's high reliability (e.g it can survive critical driver bugs without rebooting).

I'd say "wide spread" not "popular".
So if there is a web server running, can we access that somehow?
One of the most popular, not the. Finding precise numbers is hard, but in 2016, IDC reported worldwide PC sales of ca. 65 million units in Q1, and the market has been in decline (the Q1 2016 numbers were at 2007 levels). Meanwhile Android phones alone account for more than that every month, and while Intel does sell some CPUs for tablets etc. and other markets, it's peanuts compared to their PC sales.

So at least Android still ships in more devices.

Tron or the ETron variant are in far more machines than Linux or Minix. Think about all of the washing / drying machines or refrigerators since vaguely the 80s. Many of them run a Tron variant.

https://en.wikipedia.org/wiki/TRON_project

They qualify their stand by adding "... shipping today on modern Intel-based computers"
Thus making the headline effectively: "The most popular OS in the world ... shipping today on modern Intel-based computers ... thanks to Intel".

If we're all MINIX users, then Linux is a major player in the smartphone market and BSD is crushing the laptop market.

LOL, so who wins the Tanenbaum–Torvalds debate?
Everybody loses.
I don't appreciate the degree to which this article conflates MINIX and IME.

>Google wants to remove MINIX from its internal servers

No, Google wants to remove IME from its internal servers. They don't care that it's MINIX.

>But MINIX has total and complete access to the entirety of your computer. All of it.

You mean IME.

MINIX is really cool operating system, even if it's being used for evil. But other operating systems are used for evil, too. MINIX has nothing to do with the fact that Intel put it on their secondary processors and ran a bunch of nasty services on it.

IME has 'total and access', but so does MINIX, it would appear. Relevantly, MINIX is what you would exploit to break into Ring -3. The article conflates them deliberately.
On MINIX, you would more likely compromise a process like the file system, and then induce a privileged service to fail, causing the reincarnation server to read your version of that privileged service from the file system; that is, assuming they haven't introduced pervasive load-time signature verification for this version.
Poor Andrew, now his tool is used for evil... Maybe he should have chosen his license more carefully ? Maybe he sold his soul to the devil to beat Linus ?

Or maybe he doesn't care, in which case, he may read : https://en.wikipedia.org/wiki/Nuclear_ethics

It sounds harsh, I know, but in the age of computers, these questions do matter (imho).

Linux is used for evil, too. More pervasively than MINIX, I bet.
Remember those hackers from science fiction movies who can control everything everywhere with Internet access? WHY the F*CK is a web server on Ring -3 there? Don't they watch movies at Intel?
Maybe they watch too many ;)
Because intel saw all the dollars pouring into things like SCCM and other enterprise management solutions and wanted a slice of that pie and the only feasible move to grab that market was a hardware solution, like a poor man's iLO. The same way they saw dollars pouring into RAID controllers and integrated its own soft raid solution into their hardware. Not to mention their other market oddities like their mobile x86 chip, their SSD line, Intel TV, etc.

The promise of dollars makes men do odd things.

Sure. Some stern men in suits came over one day and showed them Guantanamo_Bay.avi and AbuGhraib.mp4.
so microkernel is finally a thing!
I'd think that would have to be some rtos used in cars or other consumer products.
I mean, the dangerous thing about ME is not the operating system, but the level of access each module has, and the lack of consumer insight.

This article seems to be trying to fluff up ME by defending MINIX (is it MINX3? that's cool, but still doesn't make ME sit right).

[citation needed (most definitely)] i would wager that devices running linux are in far greater number than intel hardware.
So does anyone actually have any rough numbers on what kind of specs this MINIX on the IME runs? I mean, in terms of "this is like a 100MHz CPU with 1MB of RAM" or something.

Also, related: http://spritesmods.com/?art=hddhack&page=1