Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.
posted by martyb on Monday June 20 2016, @10:12AM   Printer-friendly
from the One-ring-to-bring-them-all-and-in-the-darkness-bind-them... dept.

From Damien Zammit, we have this fun little tidbit:

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly un-killable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

Yeah, and I'm sure they pinky-swear never to allow the NSA access to any computer via it. I'll be using AMD from now on, slower or not, thanks.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by tonyPick on Monday June 20 2016, @10:24AM

    by tonyPick (1237) on Monday June 20 2016, @10:24AM (#362805) Homepage Journal

    I'll be using AMD from now on, slower or not, thanks.

    See https://libreboot.org/faq/#amd, [libreboot.org] and specifically the "AMD Platform Security Processor (PSP)", which is the AMD equivalent of the AMT system.

    The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM "features" to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system.

    More linkage on this topic....
    http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/ [hackaday.com]
    https://www.fsf.org/blogs/community/active-management-technology [fsf.org]

    Starting Score:    1  point
    Moderation   +4  
       Informative=4, Total=4
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2, Insightful) by Anonymous Coward on Monday June 20 2016, @10:42AM

    by Anonymous Coward on Monday June 20 2016, @10:42AM (#362812)

    so. let's say I want to have a reasonable computer that does nothing of this sort. is there such a thing, or do I just need to make my own country and then make a factory there which is not under pressure by governments?

    • (Score: 3, Informative) by Anonymous Coward on Monday June 20 2016, @11:17AM

      by Anonymous Coward on Monday June 20 2016, @11:17AM (#362828)
      • (Score: 2, Interesting) by Anonymous Coward on Monday June 20 2016, @01:49PM

        by Anonymous Coward on Monday June 20 2016, @01:49PM (#362877)

        Do we know for sure that IBM POWER 8 doesn't have an integrated privileged second processor, or is it just that we don't know it has one?

      • (Score: 2) by captain normal on Monday June 20 2016, @04:22PM

        by captain normal (2205) on Monday June 20 2016, @04:22PM (#362951)

        Looks like pie-in-the-sky-someday to me. If...if enough people sign up and lay down enough cash, then they'll make the CPU.

        --
        “I have not failed. I’ve just found 10,000 ways that won’t work.” Thomas Edison
        • (Score: 0) by Anonymous Coward on Monday June 20 2016, @08:43PM

          by Anonymous Coward on Monday June 20 2016, @08:43PM (#363051)

          If...if enough people sign up and lay down enough cash, then they'll make the CPU.

          They (Raptor Engineering) aren't making the CPUs, those are made by IBM. This project is for a mainboard. According to Richard Yao: "The number [of people needed to sign up] is 1500. I know because I have been talking to them about this since last year."

          Personally I am super excited for Talos, and signed up. I'd love to see POWER back in the desktop space.

  • (Score: 2) by The Mighty Buzzard on Monday June 20 2016, @10:52AM

    Well shit.

    --
    My rights don't end where your fear begins.
    • (Score: 0) by Anonymous Coward on Monday June 20 2016, @03:26PM

      by Anonymous Coward on Monday June 20 2016, @03:26PM (#362929)

      Older processors are the key here. I believe the AM3 series of chips did not have this, and the Phenom 2 procs were pretty respectable, even today. They just dont sip the power.

    • (Score: 2) by bob_super on Monday June 20 2016, @05:36PM

      by bob_super (1357) on Monday June 20 2016, @05:36PM (#362979)

      ARM is british, so you can get a GCHQ rootkit (NSA-approved for .mil applications) in your binary blobs instead...

      Or grab an FPGA board and run linux on microblaze. Enough power for nethack, but not for HD porn.

  • (Score: 4, Insightful) by LoRdTAW on Monday June 20 2016, @12:09PM

    by LoRdTAW (3755) on Monday June 20 2016, @12:09PM (#362838) Journal

    It would be nice if we didn't have to be treated like children but this is modern computing. I'd prefer if we had the ability to manage or disable this system but good luck getting the vendors to go down that road.

    And a security processor that randomly reads memory, bypassing the MMU isn't a security processor. It's a security hole. I hope these systems are compromised, billions lost, and blows the lid off of this bullshit.

    • (Score: 4, Funny) by Anonymous Coward on Monday June 20 2016, @02:07PM

      by Anonymous Coward on Monday June 20 2016, @02:07PM (#362882)

      You know what this thing needs? Native systemd support.

  • (Score: 0) by Anonymous Coward on Monday June 20 2016, @12:09PM

    by Anonymous Coward on Monday June 20 2016, @12:09PM (#362839)

    What about Via?

    The still make x86.

    Could Royssia come the the rescue?

    Elbrus can emulate x86.
    (pls rus no backdoor)

  • (Score: 2) by fritsd on Monday June 20 2016, @01:34PM

    by fritsd (4586) on Monday June 20 2016, @01:34PM (#362875) Journal

    That's what I thought too, but then hairyfeet came with a comment that only few of AMD's processors have this "feature".

    I'll try to find the comment..

  • (Score: 0) by Anonymous Coward on Tuesday June 21 2016, @01:26AM

    by Anonymous Coward on Tuesday June 21 2016, @01:26AM (#363107)

    So the men in the dark suits already visited AMD, no surprise. And people wonder why the world does not trust the US or its tech... prepare for a lot of stinging (Over the Hedge) as others leapfrog. In the end, the end-users only have a choice which galactic empire their data will be owned by - US, CN, RU, other.. as each will always bake such things into their chips.