Sunday, November 5th 2017

Intel CPU On-chip Management Engine Runs on MINIX

With the transition to multi-core processors, and multi-core processors with integrated core-logic (chipset), the need arose for a low-level SoC embedded into the processor with just enough compute power to make sure all the components you pay for start-up and function as advertised. Enter the Intel ME (management engine). This is a full-fledged computer within your Intel processor, which isn't exposed to you. It runs on its very own tiny x86 CPU core that isn't exposed, and its software is driven on an infinitesimally small ROM and RAM. Since you can't have software without some sort of operating-system, Intel chose MINIX for the job.

MINIX is a Unix-like OS with an extremely small memory footprint. The OS was designed by Andrew Tanenbaum, originally as an educational tool to demonstrate that machines can still be built with extremely tiny code. If you're familiar with the "ring-level" system of hardware-access privilege by software, ring 0 would designate the "highest" level of access. A software with ring 0 access can erase your disk, flash your system BIOS, and even make your CPU run at any C-state. The OS kernel needs these privileges, and hence is a ring 0 software. Most user software, like the web-browser you're reading this on, runs at ring 3 (with the browser's own sandbox, the user-level, and API level forming inner levels). Intel ME runs at ring -3 (negative 3), and your OS has no power over it. Most system BIOS updates for Intel motherboards include a ROM update for ME. ME governs the functioning of the rest of the processor, its start-up, and booting. It also governs silicon-level security and management features that can't be compromised by malware.

Source: NetworkWorld
Add your own comment

41 Comments on Intel CPU On-chip Management Engine Runs on MINIX

#1
btarunr
Editor & Senior Moderator
FAQ: omgz, can I unlock this 5th core on my quad-core chip?
Ans. No. An x86 core can be built with as few as 135,000 transistors (out of the 1.4 billion transistors on a "Haswell" quad-core die, for example). It's not a fifth core. It's a specialized small core that executes ME.
Posted on Reply
#3
phanbuey
incoming hax are incoming.
Posted on Reply
#4
InVasMani
Yes, but can it run or create Crysis!?
Posted on Reply
#5
Ferrum Master
I've been arguing about this for a who still believed in cmos reset lol. It ain't that simple for years.
Posted on Reply
#6
cdawall
where the hell are my stars
phanbuey said:
incoming hax are incoming.
There were holes exposed on it already.
Posted on Reply
#7
R-T-B
btarunr said:
It also governs silicon-level security and management features that can't be compromised by malware.
Can and has.
Posted on Reply
#8
StrayKAT
I didn't even know minix could be used commercially. I thought that was the point of linux and others.

I heard about existing exploits elsewhere. They all recommend and/or come up with ways of disabling it. This is the first I've seen the news in a positive light.
Posted on Reply
#9
R-T-B
StrayKAT said:
I didn't even know minix could be used commercially. I thought that was the point of linux and others.
They all can be used commercially if source code is provided upon request. That's pretty much the GPL in a nutshell.


Also, the source article is not nearly as positive as this post:
Google wants to remove MINIX from its internal servers
According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:
  • Full networking stack
  • File systems
  • Many drivers (including USB, networking, etc.)
  • A web server
That’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about.

Why on this green Earth is there a web server in a hidden part of my CPU? WHY?

The only reason I can think of is if the makers of the CPU wanted a way to serve up content via the internet without you knowing about it. Combine that with the fact that Ring -3 has 100 percent access to everything on the computer, and that should make you just a teensy bit nervous.

The security risks here are off the charts — for home users and enterprises. The privacy implications are tremendous and overwhelming.

Note to Intel: If Google doesn’t trust your CPUs on their own servers, maybe you should consider removing this “feature.” Otherwise, at some point they’ll (likely) move away from your CPUs entirely.

Note to AMD: Now might be a good time to remove similar functionality from your CPU lines to try to win market share from Intel. Better to do so now before Intel removes the “Management Engine.” Strike while the iron’s hot and all that.

Note to Andrew Tanenbaum: Your operating system, MINIX, is now one of the most used on modern computers! That’s kinda cool, right?

Note to everyone else: We’re all MINIX users now.
Posted on Reply
#10
StrayKAT
R-T-B said:
They all can be used commercially if source code is provided upon request. That's pretty much the GPL in a nutshell.
Maybe I got it wrong. Now I recall that Linus made linux cuz Tannenbaum considered it pretty much finished. He didn't have a vision for it to actually rival UNIX. Linus originally just wanted to join the project.

edit: Pretty interesting usenet arguments between the two btw. And funny how humble the two OSes started. I guess you could say they can both rule the roost now.
Posted on Reply
#11
Boosnie
StrayKAT said:
Maybe I got it wrong. Now I recall that Linus made linux cuz Tannenbaum considered it pretty much finished. He didn't have a vision for it to actually rival UNIX. Linus originally just wanted to join the project.
Well, not really.
At that time Intel had "just" released the 80x86 platform: 32bit registers and IS + a paged MMU!!
MINIX was an educational OS and was written for 16bit processors. It couldn't do much on the new platforms and the code was licensed(this is important. everyone back then known that AT&T had won a judicial case against UC Berkeley because BSD -Berkeley UNIX port adopted by much of the academic world back then- contained AT&T code -being the original version of UNIX developed from AT&T-. From this legal battle all the GNU/GPL/Stallman history also bloomed).
So Torvald had this 32bit processor with a 16bit OS(MINIX) and was a broken College student that could not afford a BSD or UNIX distribution; what do you do in such cases? You write your own kernel to support the specification and unleash your processor power.
He developed it on MINIX, but he didn't care of the MINIX project because there was no MINIX project at all. Tenembaum used his OS as a teaching support for his OS design classes and at that time had no intrest in keep it up to date for new architectures.
Posted on Reply
#12
StrayKAT
Boosnie said:
Well, not really.
At that time Intel had "just" released the 80x86 platform: 32bit registers and IS + a paged MMU!!
MINIX was an educational OS and was written for 16bit processors. It couldn't do much on the new platforms and the code was licensed(this is important. everyone back then known that AT&T had won a judicial case against UC Berkeley because BSD -Berkeley UNIX port adopted by much of the academic world back then- contained AT&T code -being the original version of UNIX developed from AT&T-. From this legal battle all the GNU/GPL/Stallman history also bloomed).
So Torvald had this 32bit processor with a 16bit OS(MINIX) and was a broken College student that could not afford a BSD or UNIX distribution; what do you do in such cases? You write your own kernel to support the specification and unleash your processor power.
He developed it on MINIX, but he didn't care of the MINIX project because there was no MINIX project at all. Tenembaum used his OS as a teaching support for his OS design classes and at that time had no intrest in keep it up to date for new architectures.
Thanks for the refresher.

I've been messing with Linux on and off since the 90s, but could never find a use for it personally. I really want to like it though, because of how it started, if anything.
Posted on Reply
#13
Boosnie
StrayKAT said:
Thanks for the refresher.

I've been messing with Linux on and off since the 90s, but could never find a use for it personally. I really want to like it though, because of how it started, if anything.
Well, I did it only because your recollection seemed to imply that Linus did it out of some sort of denial or refuse.
Instead it all started because the guy is simply bold.
That's it and I quite like this fact.
Posted on Reply
#14
StrayKAT
Boosnie said:
Well, I did it only because your recollection seemed to imply that Linus did it out of some sort of denial or refuse.
Instead it all started because the guy is simply bold.
That's it and I quite like this fact.
No, I agree. That's been on my mind the whole time. I just thought that after Tanenbaum turned things down, he still had the balls and talent to make his own OS. I got events mixed up a bit though.
Posted on Reply
#15
hellrazor
btarunr said:
FAQ: omgz, can I unlock this 5th core on my quad-core chip?
Ans. No. An x86 core can be built with as few as 135,000 transistors (out of the 1.4 billion transistors on a "Haswell" quad-core die, for example). It's not a fifth core. It's a specialized small core that executes ME.
All I need to do is get it to run DOOM and I'll be happy.
Posted on Reply
#16
Static~Charge
btarunnr
ME governs the functioning of the rest of the processor, its start-up, and booting. It also governs silicon-level security and management features that can't be compromised by malware.
Red alert! Intel patches remote execution hole that's been hidden in chips since 2010
1 May 2017
https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

If you're lucky, then your motherboard vendor has issued a BIOS update to plug the security hole. If you're unlucky (i.e., have an older business-grade machine), then the hole will never be plugged....
Posted on Reply
#17
cdawall
where the hell are my stars
Static~Charge said:
Red alert! Intel patches remote execution hole that's been hidden in chips since 2010
1 May 2017
https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

If you're lucky, then your motherboard vendor has issued a BIOS update to plug the security hole. If you're unlucky (i.e., have an older business-grade machine), then the hole will never be plugged....
The update was pushed through windows as a patch. So unless you are on a junk windows 7 machine that has updates turned off it was patched through MS.
Posted on Reply
#18
Static~Charge
cdawall said:
The update was pushed through windows as a patch. So unless you are on a junk windows 7 machine that has updates turned off it was patched through MS.
Somehow, I doubt that you read the article; otherwise, you would have seen these tidbits:
These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with 2010's Intel Q57 family, all the way up to this year's Kaby Lake Core parts. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the operating system, its applications and any antivirus.

The programming blunder can only be fully addressed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world
According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was discovered and reported in March by Maksim Malyutin at Embedi. To get Intel's patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, and in the meantime, try the mitigations here. These updates, although developed by Intel, must be cryptographically signed and distributed by the manufacturers. It is hoped they will be pushed out to customers within the next few weeks. They should be installed ASAP.
To patch the problem, you need a BIOS update from the motherboard vendor, not a patch from Microsoft. Over the past few months, I've been doing BIOS updates on Dell OptiPlex and Lenovo ThinkCentre machines at work due to this issue. However, Dell was too cheap/lazy to update older model machines, so they'll remain vulnerable indefinitely. Most home users won't be affected by this issue because their motherboards lack AMT support.
Posted on Reply
#19
cdawall
where the hell are my stars
Static~Charge said:
Somehow, I doubt that you read the article; otherwise, you would have seen these tidbits:




To patch the problem, you need a BIOS update from the motherboard vendor, not a patch from Microsoft. Over the past few months, I've been doing BIOS updates on Dell OptiPlex and Lenovo ThinkCentre machines at work due to this issue. However, Dell was too cheap/lazy to update older model machines, so they'll remain vulnerable indefinitely. Most home users won't be affected by this issue because their motherboards lack AMT support.
That update can still be pushed through windows update. Most of the OptiPlex units listed it during the update cycles

https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/windows-uefi-firmware-update-platform
Posted on Reply
#20
Static~Charge
cdawall said:
That update can still be pushed through windows update. Most of the OptiPlex units listed it during the update cycles

https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/windows-uefi-firmware-update-platform
Can be pushed, or is being pushed? I never saw any sign of AMT updates from Microsoft, only from the system vendors. MS isn't in the business of doing BIOS updates to systems (they get enough flack from the updates to their operating systems... ;) ).
Posted on Reply
#21
Frick
Fishfaced Nincompoop
R-T-B said:
They all can be used commercially if source code is provided upon request. That's pretty much the GPL in a nutshell.


Also, the source article is not nearly as positive as this post:
Heh, I was going to make a joke about it probably even having a full ethernet stack. Everything does. :(
Posted on Reply
#22
Easo
Static~Charge said:
Can be pushed, or is being pushed? I never saw any sign of AMT updates from Microsoft, only from the system vendors. MS isn't in the business of doing BIOS updates to systems (they get enough flack from the updates to their operating systems... ;) ).
Is not being pushed by Microsoft. HP, Dell, Lenovo and others all published their firmware patches.
Posted on Reply
#23
_JP_
R-T-B said:

Also, the source article is not nearly as positive as this post:
Google wants to remove MINIX from its internal servers
According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:
  • Full networking stack
  • File systems
  • Many drivers (including USB, networking, etc.)
  • A web server
That’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about.

Why on this green Earth is there a web server in a hidden part of my CPU? WHY?

The only reason I can think of is if the makers of the CPU wanted a way to serve up content via the internet without you knowing about it. Combine that with the fact that Ring -3 has 100 percent access to everything on the computer, and that should make you just a teensy bit nervous.

AMT. Part of vPRO also, in laptops/desktops.
I mean, talk about creating FUD with little knowledge. :rolleyes:
So yes, a full network stack, mainboard drivers (just main board and extra storage, Centrino platform and all that, extra peripherals need not apply), a file system to handle updates and a web server...to enable OOB management.
The security risks here are off the charts — for home users and enterprises. The privacy implications are tremendous and overwhelming.
Home users, yes. Enterprises, not really.
How the hell am I supposed to track/manage a thousand-or-so geographically distant machines without this? (I know about Azure, not there yet but almost)
So I do use it and it is useful.
Now, I do know that what I can see, Intel servers can too and that Intel probably does see all the stuff. They are providing me a service, so I expect that.
That's why every fan forum for elitebooks, thinkpads and latitudes recommends to shut Intel ME/iAMT off from 2nd hand machines. And I do recommend it too. Remote wipe/power manage/access blocking is a thing.

EDIT: And I do believe Google must be doing this because it is redundant anyway, servers already have mainboard built-in OOB management interfaces.
Posted on Reply
#24
cdawall
where the hell are my stars
Static~Charge said:
Can be pushed, or is being pushed? I never saw any sign of AMT updates from Microsoft, only from the system vendors. MS isn't in the business of doing BIOS updates to systems (they get enough flack from the updates to their operating systems... ;) ).
Last batch of dells I had run windows updates (those ones from Ms) restarted and literally said "updating firmware do not power off"

I mean I guess it could be doing something else and ms could just be full of it?

I also guess these surface firmware updates pushed through windows update are a lie.

https://www.windowscentral.com/microsoft-pushes-fresh-firmware-updates-surface-book-surface-pro-4

This is still a vender specific situation, but most of these updates are happening in windows update. Quietly so quietly that apparently no one knows about it.
Posted on Reply
#25
lexluthermiester
This article should be of interest; https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

Having been following this problem since it was reported, the details are as follows;
If you have a system using Intel's AMT, to be vulnerable, it must be both enabled AND provisioned. Additionally, the source article seems to have missed the statement Intel made about the miniCPU in question not being on the CPU die, but rather elsewhere in the chipset. This is only a problem if enabled. If disabled, it has no access to the system.
Posted on Reply
Add your own comment