posted by martyb on Monday June 20 2016, @10:12AM   Printer-friendly
from the One-ring-to-bring-them-all-and-in-the-darkness-bind-them... dept.

From Damien Zammit, we have this fun little tidbit:

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly un-killable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

Yeah, and I'm sure they pinky-swear never to allow the NSA access to any computer via it. I'll be using AMD from now on, slower or not, thanks.


  • (Score: 5, Informative) by tonyPick on Monday June 20 2016, @10:24AM

    by tonyPick (1237) on Monday June 20 2016, @10:24AM (#362805) Homepage Journal

    I'll be using AMD from now on, slower or not, thanks.

    See https://libreboot.org/faq/#amd, [libreboot.org] and specifically the "AMD Platform Security Processor (PSP)", which is the AMD equivalent of the AMT system.

    The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM "features" to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system.

    More linkage on this topic....
    http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/ [hackaday.com]
    https://www.fsf.org/blogs/community/active-management-technology [fsf.org]

  • (Score: 2, Insightful) by Anonymous Coward on Monday June 20 2016, @10:42AM

    by Anonymous Coward on Monday June 20 2016, @10:42AM (#362812)

    so. let's say I want to have a reasonable computer that does nothing of this sort. is there such a thing, or do I just need to make my own country and then make a factory there which is not under pressure by governments?

    • (Score: 3, Informative) by Anonymous Coward on Monday June 20 2016, @11:17AM

      by Anonymous Coward on Monday June 20 2016, @11:17AM (#362828)
      • (Score: 2, Interesting) by Anonymous Coward on Monday June 20 2016, @01:49PM

        by Anonymous Coward on Monday June 20 2016, @01:49PM (#362877)

        Do we know for sure that IBM POWER 8 doesn't have an integrated privileged second processor, or is it just that we don't know it has one?

      • (Score: 2) by captain normal on Monday June 20 2016, @04:22PM

        by captain normal (2205) on Monday June 20 2016, @04:22PM (#362951)

        Looks like pie-in-the-sky-someday to me. If...if enough people sign up and lay down enough cash, then they'll make the CPU.

        --
        When life isn't going right, go left.
        • (Score: 0) by Anonymous Coward on Monday June 20 2016, @08:43PM

          by Anonymous Coward on Monday June 20 2016, @08:43PM (#363051)

          If...if enough people sign up and lay down enough cash, then they'll make the CPU.

          They (Raptor Engineering) aren't making the CPUs, those are made by IBM. This project is for a mainboard. According to Richard Yao: "The number [of people needed to sign up] is 1500. I know because I have been talking to them about this since last year."

          Personally I am super excited for Talos, and signed up. I'd love to see POWER back in the desktop space.

  • (Score: 2) by The Mighty Buzzard on Monday June 20 2016, @10:52AM

    Well shit.

    --
    My rights don't end where your fear begins.
    • (Score: 0) by Anonymous Coward on Monday June 20 2016, @03:26PM

      by Anonymous Coward on Monday June 20 2016, @03:26PM (#362929)

      Older processors are the key here. I believe the AM3 series of chips did not have this, and the Phenom 2 procs were pretty respectable, even today. They just don't sip the power.

    • (Score: 2) by bob_super on Monday June 20 2016, @05:36PM

      by bob_super (1357) on Monday June 20 2016, @05:36PM (#362979)

      ARM is british, so you can get a GCHQ rootkit (NSA-approved for .mil applications) in your binary blobs instead...

      Or grab an FPGA board and run linux on microblaze. Enough power for nethack, but not for HD porn.

  • (Score: 4, Insightful) by LoRdTAW on Monday June 20 2016, @12:09PM

    by LoRdTAW (3755) on Monday June 20 2016, @12:09PM (#362838) Journal

    It would be nice if we didn't have to be treated like children but this is modern computing. I'd prefer if we had the ability to manage or disable this system but good luck getting the vendors to go down that road.

    And a security processor that randomly reads memory, bypassing the MMU isn't a security processor. It's a security hole. I hope these systems are compromised, billions lost, and blows the lid off of this bullshit.

    • (Score: 4, Funny) by Anonymous Coward on Monday June 20 2016, @02:07PM

      by Anonymous Coward on Monday June 20 2016, @02:07PM (#362882)

      You know what this thing needs? Native systemd support.

  • (Score: 0) by Anonymous Coward on Monday June 20 2016, @12:09PM

    by Anonymous Coward on Monday June 20 2016, @12:09PM (#362839)

    What about Via?

    They still make x86.

    Could Royssia come to the rescue?

    Elbrus can emulate x86.
    (pls rus no backdoor)

  • (Score: 2) by fritsd on Monday June 20 2016, @01:34PM

    by fritsd (4586) on Monday June 20 2016, @01:34PM (#362875) Journal

    That's what I thought too, but then hairyfeet came with a comment that only few of AMD's processors have this "feature".

    I'll try to find the comment...

  • (Score: 0) by Anonymous Coward on Tuesday June 21 2016, @01:26AM

    by Anonymous Coward on Tuesday June 21 2016, @01:26AM (#363107)

    So the men in the dark suits already visited AMD, no surprise. And people wonder why the world does not trust the US or its tech... prepare for a lot of stinging (Over the Hedge) as others leapfrog. In the end, the end-users only have a choice which galactic empire their data will be owned by - US, CN, RU, other.. as each will always bake such things into their chips.