Professor Andrew S. Tanenbaum from the Department of Computer Science at Vrije Universiteit Amsterdam wrote "An Open Letter to Intel" regarding Intel's use of MINIX 3 to run the Intel Management Engine (video) built into their processors:
Thanks for putting a version of MINIX 3 inside the ME-11 management engine chip used on almost all recent desktop and laptop computers in the world. I guess that makes MINIX the most widely used computer operating system in the world, even more than Windows, Linux, or MacOS. And I didn't even know until I read a press report about it. Also here and here and here and here and here (in Dutch), and a bunch of other places.
[...] Note added later: Some people have pointed out online that if MINIX had a GPL license, Intel might not have used it since then it would have had to publish the modifications to the code. Maybe yes, maybe no, but the modifications were no doubt technical issues involving which mode processes run in, etc. My understanding, however, is that the small size and modular microkernel structure were the primary attractions. Many people (including me) don't like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel's business decision and a separate issue from the code it runs. A company as big as Intel could obviously write its own OS if it had to. My point is that big companies with lots of resources and expertise sometimes use microkernels, especially in embedded systems. The L4 microkernel has been running inside smartphone chips for years.
Professor Tanenbaum did the initial design and development of MINIX, a microkernel used primarily for teaching. He has helped guide it through the years as a small community around it has grown. Lately it has adopted much of the NetBSD userspace. The IME is a full operating system system running inside x86 computers. It gets run before whatever system on the actual hard disk even starts booting.
Related: Intel Management Engine Partially Defeated
EFF: Intel's Management Engine is a Security Hazard
Disabling Intel ME 11 Via Undocumented Mode
How-To: Disabling the Intel Management Engine
Positive Technologies - Learn and Secure : Intel ME: The Way of Static Analysis (takyon: I marked this one to not display at the time since it was a blog post from April and ran within hours of the preceding IME story.)
Purism Disables Intel Management Engine on Librem Laptops
Related Stories
In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:
Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.
Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.
Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.
Looks like I may not have to go ARM on my next desktop build after all.
Submitted via IRC for TheMightyBuzzard
Since 2008, most of Intel's chipsets have contained a tiny homunculus computer called the "Management Engine" (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.
[...] EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.
It's a crying shame the what the EFF says doesn't hold a whole lot of weight.
Source: The Electronic Frontier Foundation
Positive Technologies has posted an interesting article about disabling the Intel Management Engine 11 via an undocumented mode.
Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.
[...] Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.
[...] Unfortunately, analysis of Intel ME 11 was previously impossible because the executable modules are compressed by Huffman codes with unknown tables. Nonetheless, our research team (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) managed to recover these tables and created a utility for unpacking images. The utility is available on our GitHub page.
Hey, the government isn't the only one who wants "high assurance" for their computers. We trolls and average peons would like to think our systems are secure as well.
But it gets better.
We've covered that it was possible and in theory how to do so before but I think having a proper How-To written up will save even us nerd types some hair pulling. Here's what you'll need to start:
- an Intel-CPU-based target PC — that does not have Boot Guard enabled — on which you wish to disable the IME;
- the target PC may be running an OEM BIOS (such as AMI, Dell etc.), or coreboot;
- a Raspberry Pi 3 Model B single board computer ('RPi3'), for use as an external flash programmer;
- a spare >= 8GB microSD card (to hold the 64-bit Gentoo O/S image we will use for the RPi3);
- an appropriate IC clip for your target PC's flash chip, e.g.:
- a Pomona 5250 for SOIC-8 chips;
- a Pomona 5208 for unsocketed DIP-8 chips, or
- a Pomona 5252 for SOIC-16 chips;
- 8 female-female connector wires (to attach the appropriate clip to the RPi3's GPIO header);
- a maintenance manual for your target PC, where available, to assist in safe disassembly / reassembly; and
- whatever tools are stipulated in the above.
Given the above list, you'll obviously need to be comfortable identifying and connecting an IC clip to your flash chip. So, it's not a procedure for most grandmothers but neither is especially complex or difficult for the vast majority of desktop machines (laptop/other difficulty will vary widely). Also, the guide explicitly does not cover PLCC or WSON flash chips, so you're out of luck here if your board has such.
Happy hacking, folks.
Purism Disables Intel ME On Its Privacy-Focused Librem Laptops
Purism, a startup that aims to develop privacy-focused devices, announced that it has now disabled Intel's Management Engine (ME). The company, and many privacy activists, believe that because Intel's ME is a black box to the user, it could hide backdoors from certain intelligence agencies. Alternatively, it may contain vulnerabilities that could even be unknown to Intel, but which might still be exploited by sophisticated attackers to bypass the operating system's security.
[...] The Librem laptops use Coreboot firmware, which is an open source alternative to BIOS and UEFI for Linux. The company said that using Coreboot is one of the primary reasons why they were able to disable Intel ME in the first place. Coreboot allowed them to dig down on how the processor interacts with this firmware and with the operating system.
Purism had already "neutralized" the Intel ME system on its Librem laptops, which essentially meant that the mission-critical components of Intel ME were removed. However, this could still cause some errors, because the Intel ME would still be "fighting" Coreboot's attempt to neutralize it. With the new method that disables it, the Intel ME can be shut down gracefully. Purism's laptops will continue to support both methods for extra security, just in case the Intel ME is able to "wake-up" somehow, after it's disabled.
[...] Both Librem 13 and Librem 15 laptop models will now ship with Intel ME disabled by default. Customers who have purchased the older Librem laptops will also receive an update that will disable Intel ME on their systems.
Related: Purism Exceeds $1 Million in Funding for Librem 5 Linux-Based Smartphone
How-To: Disabling the Intel Management Engine
It looks like it's nearly game over for the Intel Management Engine:
Positive Technologies, which in September said it has a way to attack the Intel Management Engine, has dropped more details on how its exploit works.
The firm has already promised to demonstrate [a] God-mode hack in December 2017, saying the bug "allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard".
For some details, we'll have to wait, but what's known is bad enough: Intel Management Engine (IME) talks to standard Joint Test Action Group (JTAG) debugging ports. As [does] USB, so Positive Technologies researchers put the two together and crafted a way to access IME from the USB port.
[...] The latest attack came to Vulture South's attention via a couple of Tweets:
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG
— Maxim Goryachy (@h0t_max) November 8, 2017
Full access the Intel ME( >=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___
— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017
The linked blog post [in Russian] explains that since Skylake, the PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces that used to need specialised equipment. The new capability is DCI, Direct Connect Interface.
Reddit discussion linked by LoRdTAW in a journal.
Previously: Intel Management Engine Partially Defeated
Disabling Intel ME 11 Via Undocumented Mode
How-To: Disabling the Intel Management Engine
Andrew Tanenbaum's Open Letter to Intel About MINIX 3
(Score: 4, Insightful) by tangomargarine on Wednesday November 08 2017, @04:18PM (20 children)
So "I'm ethically opposed to this, but you used my software, which massages my ego about microkernels so thanks"? Gee, thanks for making a stand, dude.
Sigh. If it were me I wouldn't draw attention to the shadowy conspiracy that's taking advantage of my generosity.
Guy sounds like a bit of an ivory tower twat; no wonder Linus didn't get along with him.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Insightful) by tangomargarine on Wednesday November 08 2017, @04:25PM (2 children)
The word "preening" comes to mind.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by DannyB on Wednesday November 08 2017, @05:32PM (1 child)
How is the -p option of fsck relevant?
Every performance optimization is a grate wait lifted from my shoulders.
(Score: 2) by tangomargarine on Wednesday November 08 2017, @05:51PM
Not the first definition, the third or fifth.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 5, Interesting) by Arik on Wednesday November 08 2017, @04:27PM (8 children)
And he's a very smart guy with a rare knack for designing systems properly.
I agree with his distate for the ME as currently done, and further I'm not sure his 'your choice/business decision' apologetics is sufficient or even accurate, but that, too, is a different point which doesn't need to be beaten into the ground.
He's spent his life on a very useful codebase, gifted it to everyone, and it's being used by virtually everyone every day. And Intel didn't even bother to let him know they were using it, as a courtesy. I'd say the guy has every right to kvetch a bit more than he did.
If laughter is the best medicine, who are the best doctors?
(Score: 5, Interesting) by DannyB on Wednesday November 08 2017, @04:49PM (2 children)
Not that I'm arguing for Intel here. Not at all.
I can understand1 why Intel would not notify him that every processor is running his MINIX. Because Intel is (rightfully) ashamed of the management engine and wants to keep it as low key as possible. Now everyone seems to know about management engine and nobody seems to like it. Is it any wonder why Intel would keep this quiet and not notify Professor Tanenbaum ?
1Understanding a POV doesn't mean I like it
Every performance optimization is a grate wait lifted from my shoulders.
(Score: 2, Interesting) by Anonymous Coward on Wednesday November 08 2017, @09:42PM
The issue is Intel CANNOT keep it secret or low profile. It must go in the docs. So it should had been known long ago, as soon as they announced they had "this new ME thing that is good for you"™.
https://soylentnews.org/comments.pl?noupdate=1&sid=22467&page=1&cid=594246#commentwrap [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday November 08 2017, @11:22PM
Were they obliged to specify where the software was installed? if they merely put the license at the end of the manual with the preamble "this device works thanks to a modified version of software covered by the following license"? One might think it's some networking code used to boot.
A corporation should be never excused for this kind of behavior anyway. They can afford a lawyer or two.
(Score: 0) by Anonymous Coward on Wednesday November 08 2017, @05:21PM (3 children)
Once Tanenbaum was told, he would go shoot his mouth off all the places, the ego-driven twit that he is.
"INTEL RUNS MY MINIX ON THEIR IME BACKDOOR!!!111!!"
(Score: 2) by MostCynical on Wednesday November 08 2017, @08:59PM
Yes, but more politely.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Interesting) by Demena on Thursday November 09 2017, @02:28AM (1 child)
“Ego-driven”
Yeah, right. Ever compared his statements with Linus’s statements? Obliviously not.
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @02:51AM
I went through the whole flamewar between tanaenbaum and linus way back when. Linus was a young asshole, but tanenbaum was, and apparently still remains, an entitled jackass.
(Score: 2) by sjames on Wednesday November 08 2017, @07:24PM
Given the license, it's not as if he has any sort of recourse other than like it or don't.
(Score: 5, Insightful) by Anonymous Coward on Wednesday November 08 2017, @04:32PM
Consider for a moment how every possible method of contact for him his probably been flooded since the moment it was reported that Intel was using MINIX. "Have you heard about this?" "Did you know they were doing this?" "Did they tell you they were using MINIX?" "Are you working with them on this?" "what do you think about this?" "If you GPL'd it, this wouldn't have happened?" and so on, ad nauseum. Perhaps you would consider making a public and visible statement about the subject as well.
(Score: 5, Touché) by Anonymous Coward on Wednesday November 08 2017, @06:11PM (5 children)
Awesome! As a user of a computer running this code on a chip, how do I exercise my freedom with regard to that code?
(Score: 2, Insightful) by Anonymous Coward on Wednesday November 08 2017, @06:47PM
Easy: you don't pay money for or use the crippled products that don't respect your freedoms!
(Score: 2) by Bot on Wednesday November 08 2017, @11:34PM (3 children)
I think he referred to users of the license itself, that is devs modifying the software under the terms of the license. End users or any downstream tinkerer are SOL. That is considered a freedom by Tanenbaum. You have the freedom to close up your modifications. Which is BS, because then an even freer license is the following: "to use or modify this software you agree to award me, the creator, all your money and the jus primae noctis". It's quite a lot of freedom, granted to the creator only.
Account abandoned.
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @08:32AM (2 children)
But those are developers. Users are the ones that get shafted by this - and everyone else closing up open code.
Calling developers "users" is an insult to developers, and pretending that the "freedom to make software closed source" gives freedom to users is an insult to users.
To pretend that the BSD license gives more freedom than the GPL, you either have to dishonest like a Bill Gates era Microsoft shill, or be so religiously pro-BSD that you fail to see the weaknesses of the license (such as the BSD guy (I think it was Theo) who complained that Linux developers would incorporate BSD code into Linux, slapping the GPL on it, while not acknowledging that the BSD license specifically allows this, and if they wanted more control about what developers can do with the code they should have used the GPL in the first place).
(Score: 2) by tangomargarine on Thursday November 09 2017, @03:33PM
The BSD license's purpose is to maximize freedom for the developers; the GPL's purpose is to maximize freedom for the users, although it also makes it easier for users to develop with it in the process.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Friday November 10 2017, @05:17AM
(Score: 4, Insightful) by melikamp on Wednesday November 08 2017, @07:50PM
Prof. Tanenbaum obviously does not use the words "potential users" to refer to actual users of computer systems. By "users" he means exclusively the higher echelon of corporate management in companies like Intel, who are perfectly free to use his code to subjugate millions of actual computer users. Once again, he is certainly NOT talking about computer users, since they have absolutely no access to this modified version of MINIX, despite the fact that MINIX bears a free license, and they cannot use the free version of MINIX in any meaningful, practical way.
(Score: 3, Funny) by Anonymous Coward on Wednesday November 08 2017, @04:35PM (7 children)
Not only is it the year of MINIX on the desktop, it's almost a decade. Mua ha ha!
(Score: 2, Touché) by Anonymous Coward on Wednesday November 08 2017, @04:59PM (4 children)
It may be running MINIX, but the users aren't using MINIX ...
(Score: 4, Insightful) by DannyB on Wednesday November 08 2017, @05:17PM (3 children)
I must uncomfortably admit, while I love to point out how two billion Android smartphones run Linux, what you say could apply in some sense to Android.
Every performance optimization is a grate wait lifted from my shoulders.
(Score: 4, Informative) by RamiK on Wednesday November 08 2017, @06:14PM (2 children)
And each one of those phones is running a baseband with QNX, L4, or some other microkernel proving Andy's position.
compiling...
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @04:13PM (1 child)
But are are those using MINIX? If not then Android is the most widely used OS and Andy is wrong about "MINIX the most widely used computer operating system in the world".
There are two billion ACTIVE android devices. There maybe about 2 billion PCs+servers but not all are Intel. And I'm not sure how many of the 2 billion are active on a monthly basis.
I see lots of poor people around with low end smartphones who most likely don't have a PC. They are probably on Android and unlikely to be using an iPhone. I'm not sure if they use an internet dataplan regularly enough to be counted under Google's 2 billion active android devices.
In my house there are far more phones than PCs.
Many workplaces supply PCs and servers so the figures get close but I think the Android phones have got the edge over Intel computers in numbers nowadays.
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @09:20PM
Andy argued for microkernels in favor of monolithic kernels. Not for Minix in favor of Linux.
And another thing, most, if not all, micro-controllers (and DSPs big enough to run an OS as opposed to a simple loop) are running microkernels. That's harddrives, network controllers, north\south bridges, audio chips, USB and SATA controllers, etc...
Mind you, like CISC vs. RISC, the "argument" between microkernels and monolithic kernels is antiquated. Modern hardware designs start with capability-based RISC hardware that completely negates any performance advantages a monolithic kernel hold on such legacy designs as the x86 and ARM. It's just that the commercial desktop & server software world hasn't successfully kept up with the times due to Intel sitting on several key patents since the early 90s and artificially holding back progress.
(Score: 3, Funny) by Bot on Thursday November 09 2017, @12:02AM (1 child)
So, the future will hail Tanenbaum as the most successful OS author and Torvalds as the guy who wrote git because he did not follow a bearded guy advice who, after falling in trance, had told him to avoid bitkeeper.
William gates III will be probably known as the guy whose foundation starts wwIII by issuing the wrong kind of vaccine which morphs people in Burundi into foaming mad right wingers building the IV reich, and apple as the maker of the finest telescreens.
Account abandoned.
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @12:29AM
Pretty sure that sums it up :)
(Score: -1, Flamebait) by Anonymous Coward on Wednesday November 08 2017, @05:16PM (6 children)
Tanenbaum is a jackass.
(Score: 2) by DannyB on Wednesday November 08 2017, @05:18PM (5 children)
Linux is probably right more than just once.
Every performance optimization is a grate wait lifted from my shoulders.
(Score: 2) by DannyB on Wednesday November 08 2017, @05:18PM (1 child)
Ugh. Linus is right more than just wants.
Every performance optimization is a grate wait lifted from my shoulders.
(Score: 2) by c0lo on Wednesday November 08 2017, @05:37PM
Ugh
(if you shorten the comment to the word above, the risk of typos are lower)
---
Dyslexics of the world, untie!
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by takyon on Wednesday November 08 2017, @05:43PM (2 children)
Linux Torvalds' poo don't smell.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Funny) by Anonymous Coward on Wednesday November 08 2017, @05:55PM
Must be a bug in the poo driver code. I'm sure that will be fixed soon.
(Score: 3, Touché) by bob_super on Wednesday November 08 2017, @06:58PM
It does, but it's got very efficient garbage collection.
(Score: 2, Insightful) by Anonymous Coward on Wednesday November 08 2017, @09:35PM (2 children)
Wait, did Intel break a license as simple as BSD one? All they had to do is put the required text in the documents! No source distribution, just attribution.
It's 3 clauses with a leading and ending extra paragraphs, the point that matters is:
"2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution."
https://minix1.woodhull.com/faq/mxlicense.html [woodhull.com] if you want to see what was posted to newsgroup in 2000.
Maybe Tannenbaum could sue, if he really cares about ME as he says latter (after being pointed by others...), as they didn't comply with the license and are thus infringing his IP. Oops, he can't, it should be Prentice Hall! So big company saved some money and final users got the stick. And Andy got his 10 minutes of fame just because someone else hacked the system and tried to get rid of most of it.
(Score: 1, Interesting) by Anonymous Coward on Wednesday November 08 2017, @11:34PM
It is possibly Intel violated the license, yes. Although the link listed here http://wiki.minix3.org/doku.php?id=faq#what_is_the_minix_3_license [minix3.org] goes to a 404 page, there's a license in here http://git.minix3.org/index.cgi?p=minix.git;a=blob_plain;f=LICENSE;hb=HEAD [minix3.org] which seems to require attribution for binary redistribution. I can't tell if that's the current license, however, because there are a bunch of other places to look http://git.minix3.org/index.cgi [minix3.org]
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @01:41AM
OPSEC trumps copyright concerns.
(Score: 3, Interesting) by requerdanos on Wednesday November 08 2017, @10:45PM (5 children)
Thanks for using a version of our FordChevy Racer Car to mow down pedestrians. Many people (including us) don't like the idea of murdering pedestrians with impunity (since it results in dead people), but that is your business decision and quite separate from what car you use to do it. Enclosed please find a sheet of free stick-figure-family stickers to help count your victims. Have a nice day. Sincerely, FordChevy.
More seriously, I know that being Torvalds' OS-design teacher is kind of like being Einstein's math teacher, and I hope that his speaking against IME here helps spread the word.
(Score: 2, Interesting) by Anonymous Coward on Wednesday November 08 2017, @11:39PM (4 children)
> being Torvalds' OS-design teacher is kind of like being Einstein's math teacher
No, that's not a great analogy. Einstein came up with something wonderfully simple. Linux isn't simple, it's a monolithic kernel with millions of lines of code. If someone is Einstein in this analogy, it's Tanenbaum, because Minix3 is quite simple by comparison. Which makes Intel the guys who took the equation E=mc^2 and made a weapon out of it.
(Score: 5, Interesting) by Bot on Thursday November 09 2017, @12:15AM (2 children)
E=mc^2 is not Einstein's, nice parallel anyway.
Honestly, between Tanenbaum and Torvalds it seems to be going like this:
- so, we use a microkernel to split stuff between userland processes
- that's slow, let's make a simple and fast monolithic kernel instead...
the monolith is becoming complex, let's dynamically load modules instead...
the kernel is insecure let's put it in a VM...
the VM is inefficient let's put it in a container...
root is too powerful let's use some kind of access control...
- hey how's your microkernel coming along, Linus?
- fuck you, prof.
Account abandoned.
(Score: 2, Funny) by Anonymous Coward on Thursday November 09 2017, @01:19AM (1 child)
MINIX is like a bowl of rice. Linux is like a station wagon full of spaghetti. Never underestimate the popularity of a station wagon full of spaghetti hurtling down the highway.
(Score: 1, Funny) by Anonymous Coward on Thursday November 09 2017, @02:11AM
I would bet a dime that the author of the above comment is a pastafarian.
(Score: 0) by Anonymous Coward on Friday November 10 2017, @05:22AM
Please try to say the same thing again after trying to study General Relativity.