HN Gopher Feed (2017-11-21) - page 1 of 10
Replacing x86 firmware with Linux and Go
317 points by dankohn1
https://lwn.net/SubscriberLink/738649/81007748bf15c1e5/
floren - 5 hours ago
Ron's been beating on this drum for years, and I'm glad that the
wider world finally seems to be catching on.
luckydude - 5 hours ago
Doesn't the ME firmware do power saving, suspend, restore, etc.?
AstralStorm - 3 hours ago
1) Not at all. Tables are in UEFI. Control is in kernel space. It
can remotely issue a boot or shutdown command among others.
Probably hard shutdown too considering the watchdog.
2) Only in so far as it goes into power saving mode itself. (Which
is kind of fake, does not disable magic networking junk.)
3) Like in any other boot if unhibernating. Does not touch suspend
which is handled in UEFI.
PopsiclePete - 5 hours ago
I would gladly trade in raw 30% performance from my Intel chip for
some other platform that did not have American corporate/Deep
State/NSA interests behind it.
I just want a minimum bootloader (open source) that boots into
Linux - that's it. No "Enterprise management" crap, no NSA crap.
I don't think I have any options. I certainly wouldn't buy Chinese
or Russian, and I'm not aware of any EU member state having
anything in the works either - but I think it's time we started
seriously considering this.
Google/Amazon/Microsoft have the muscle to actually do something
about this, but no motivation. I'm surprised that they even trust
Intel - it would take one high-profile security breach to turn
their respective Cloud Computing businesses upside down - people
are already jittery.
I don't know if IBM Power is the solution, or ARM, but it's become
abundantly clear that you can't trust Intel or AMD, or the x86
platform, anymore.
eeZah7Ux - 4 hours ago
Both Facebook and Google are working at disabling ME. They make
no secret that they do not trust it.
NSA & other US orgs receive hardware without ME already.
Surveillance is for the rest of us.
ksk - 3 hours ago
> Surveillance is for the rest of us.
Who has been spied on using Intel ME?
AstralStorm - 3 hours ago
It requires some serious web traffic analysis and a honeypot to
detect the attempt. That is assuming they would use remote
access and not use ME locally. That would be even harder to
prove once the malware uninstalls itself.
ksk - 3 hours ago
Yeah, I fully understand that it's not easy to detect this.
But I'd also like to make an informed decision based on
evidence, not speculation. So far I've seen bugs being
reported that require the user to enable and provision AMT,
which are quite serious, but entirely avoidable by keeping
it disabled.
Anyway, I'm happy to read more about it if you have any
additional info.
eeZah7Ux - 2 hours ago
In security we work on addressing vulnerabilities,
reducing the attack surface, prevention and so on. We
don't wait for evidence that a vulnerability is being
exploited.
This is especially true for cryptography where a
cryptosystem used today has to resist theoretical
attackers that can use hardware that will exist decades
from now.
ksk - 1 hours ago
Sorry, I can't understand what point you're replying to.
To me, it sounded like you claimed it was being used for
surveillance. I'm happy to go through the evidence if you
have any.
confounded - 2 hours ago
> Both Facebook and Google are working at disabling ME. They
> make no secret that they not trust it.
I'm aware of Google's work with Coreboot and Chromebooks, but not
Facebook's. Can you tell us anything?
bonzini - 1 hours ago
I think he's referring to the Open Compute Project.
bubblethink - 1 hours ago
I don't know of fb's direct involvement in any ME related
stuff, but they do develop openbmc which is a replacement for
proprietary bmc firmware. BMC isn't quite as nefarious as ME
though, and is optional anyway.
Fnoord - 4 hours ago
TWRP is open source, and allows you to boot into Linux. There's
ChromeOS (Linux). Samsung's busy with DeX and Linux on Galaxy.
There's some experimentation done with convergence elsewhere at
Microsoft (Continuum) and Ubuntu. It all depends what you want to
run on it.
If you want a POWER workstation and are OK with not running on
x86-64 (or x86-32) then there's the Talos II workstation [1] [2].
It comes with a hefty price tag (IIRC 3,7k USD). Peanuts for a lot
of US-based developers, but for many others in the world it just
isn't affordable. You say 30% raw performance would be OK. This is
not 1,3x more expensive than a x86-64 workstation. It is a lot
more...
It also depends on your threat modelling. If you believe that
Intel ME is out there, remotely exploitable by XYZ (NSA, evil
hackers, ???), then a number of people and groups have a lot to
worry about. Groups and people high up in chains. We're talking
about developers of software, developers who build software in end
user products (those are 2 large groups already), and a whole
plethora of other groups which are the foundation of our society.
And it is locally and remotely vulnerable which Intel patched
yesterday [3]. What I don't know is if this patch should be
applied, or if it should be used to get rid of Intel ME.
[1] https://www.raptorcs.com/TALOSII/
[2] https://www.crowdsupply.com/raptor-computing-systems/talos-s...
[3] https://security-center.intel.com/advisory.aspx?intelid=INTE...
hugelgupf - 4 hours ago
I would challenge the "no motivation" part given that the speaker
that gave this talk works at Google.
shmerl - 3 hours ago
> Some people say to switch to AMD processors, but that is not
> really a solution now. Ryzen is touted to be open, but that is
> not truly the case, there are still closed parts.
Can anyone elaborate please. How does AMD compare to Intel's
problems with ME?
bradfa - 2 hours ago
Prior to Zen based processors there are a decent number of
offerings under the Opteron and AMD's embedded SoC families
(possibly others, but these are the ones I'm familiar with) which
did not contain ME-like capabilities. Projects like Coreboot
generally have pretty good support for these AMD parts. For an
embedded example, see the PCEngines APU2 boards:
http://pcengines.ch/apu2.htm
Zen based parts from AMD have their PSP (platform security
processor), which I believe is generally a dedicated Cortex-A
series CPU within the silicon to do many security related things.
Its functionality is similar to some of what the ME provides on
Intel parts.
drewbug - 2 hours ago
https://libreboot.org/faq.html#amd
shmerl - 1 hours ago
Thanks!
lawl - 3 hours ago
They call it Platform Security Processor and not Management
Engine.
[deleted]
chroem- - 5 hours ago
And to think that posting about Intel ME on HN only a couple years
ago would have commenters swarm you with accusations of being a
deluded conspiracy theorist. Neat. It's good that people are
finally becoming aware of the problems that it poses.
mastax - 5 hours ago
Really? Every thread on HN I've seen about ME has been hordes of
people lamenting the fact that you can't buy a processor without
it.
julian_1 - 1 hours ago
Up until a few weeks ago, people speculated the firmware blobs
included a small amount of low-level bootstrap code used to
configure IO and to switch from 16 bit to other modes etc.
Nobody suggested there was a parallel multi-process operating
system running, with full bus arbitration, and mmio capability.
Edit. Not sure why I am being downvoted reddit style. Every time
these threads come up - it's necessary to trot out an
explanation of the basic differences between ARC core, psp, arm
cortex and trustzone etc, and who uses what technology, what is
known about the software/OSes that are running - jvm versus
minix-os, amt versus ME etc, what is new knowledge, what is
official, and what has been uncovered from private research. I
base my statements about lack of general awareness on these
topics from actually following HN submissions.
Just a few days ago, someone in a thread was speculating on
using low-level op-codes in bootstrap code to subvert the BIOS,
apparently in complete ignorance of the depth of the embedded
stack.
sounds - 1 hours ago
Information about the previous CPU architecture on the Intel
ME has been widely available for years. It was an ArcCompact
CPU running ThreadX:
https://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub
julian_1 - 1 hours ago
Where is Minix OS mentioned? How many preemptive processes
are running? Which orgs - internal or external to Intel -
have review power or signoff on the code running?
madez - 5 hours ago
I share GP's opinion. Snowden changed a lot. The internet
really has a global passive attacker that can control US-based
companies like puppets, and is doing so.
William Binney said the companies are paid money for providing
data and access. How is that not subsidizing that industry?
Financial help is a first-class reason for other governments to
impose duties, restrict international trade and subsidize local
competitors. Yet, there is no reaction in Europe. Microsoft can
freely sell their OS and Intel is free to have their monopoly,
and uses that to backdoor everybody.
It is creepy that European countries don't take action.
LiMux was a good example of moving in the right direction.
Recently it was abandoned. I didn't see big unseen powers at
play there, just the harsh reality that most people don't
understand computers and don't care.
ajross - 4 hours ago
> global passive attacker that can control US-based companies
> like puppets, and is doing so.
And... this is where the deluded conspiracy theorist
accusations the upthread poster was complaining about come
from.
There's no evidence for any of that[1]. The ME's capabilities
(low level system controller with access to all memory and
hardware, with special access to network hardware that can
operate cleanly along with a running OS) have been known and
even advertised by Intel for years. The news of the moment is
that it's subject to a few rather embarrassing exploits.
But that's rather better explained by incompetence instead of
evil. Yet everyone jumps to "back door" because that sounds
more fun I guess. (In fact, to the extent there is evidence of
government involvement here, it's in the opposite direction:
the NSA appears to have demanded an "off switch" for the ME).
[1] Edit to clarify: I'm talking about the ME folks. Yes, the
government does bad things. The EC flaws under discussion in
this subthread are not among them, so citing them as evidence
paints you as a conspiracy nut and not someone serious about
security.
cyphar - 4 hours ago
> Yet everyone jumps to "back door" because that sounds
> more fun I guess.
IME is (by construction) a backdoor. Its primary purpose is
as a management tool, but all management tools are by
necessity backdoors. The only distinction between the two is
whether the person using the backdoor has ownership over the
machine.
> In fact, to the extent there is evidence of government
> involvement here, it's in the opposite direction: the NSA
> appears to have demanded an "off switch" for the ME.
It also shows that the NSA is in communication with Intel and
is capable of getting them to implement something that large
corporations like Google were unable to convince them to do.
Which should be concerning, because it makes you wonder what
else the NSA might've asked as well.
Also these really aren't conspiracy theories anymore. We know
that the NSA and CIA do these sorts of things thanks to the
information we learned from Snowden and other whistleblowers.
linkregister - 4 hours ago
No, the Snowden leaks showed that NSA did do something,
not that it does every malicious thing that people accuse
it of. How does it help anything by making unfounded
accusations?
Historically, Australia has heavily interfered in PNG
affairs. Should you be accused of espionage or subversion
if you decide to hike a portion of the Kokoda Trail?
Would it be appropriate for Indigenous People to accuse you
of attempting to steal their children, a practice that
occurred until the 1970s?
traineater - 1 hours ago
> No, the Snowden leaks showed that NSA did do something,
> not that it does every malicious thing that people accuse
> it of. How does it help anything by making unfounded
> accusations?
It shows they'll do anything within their power, legal or
illegal, in order to get at more people's data. Of course
they have involvement with this, why wouldn't they?
> Historically, Australia has heavily interfered in PNG
> affairs. Should you be accused of espionage or subversion
> if you decide to hike a portion of the Kokoda Trail?
> Would it be appropriate for Indigenous People to accuse
> you of attempting to steal their children, a practice that
> occurred until the 1970s?
Bizarre points in support of your initial comment I think.
linkregister - 23 minutes ago
They have zero context for an American, but the parent
poster was Australian. If I had used American analogies,
the point would have been lost.
You're right that anyone else should be mystified.
[deleted]
m-p-3 - 1 hours ago
It's hard not to assume the worst, especially when you
have no concrete reports on their capabilities. And when
assessing the threat it creates, you can't really ignore
the possibilities by that lack of knowledge.
linkregister - 7 minutes ago
But you have tons of concrete reports from the Snowden
leaks and prior leaks. Dual_EC RNG is the worst example
anyone can think of, something that has been red-flagged
since 2007.
Assuming a supposedly* adversarial agency has unlimited
resources and ability will only cause you to focus on that
threat instead of more immediate ones. Or worse, make you
needlessly complacent when there is so much that can be
done to harden against APTs and other, more immediate
threats.
* supposedly because if you're a U.S. citizen, the
government works for you. If you're outside of FVEY
(AU,CA,UK,US,NZ) and are a government official, military
member, have interesting technical infrastructure, or
operate an interesting company, then yes you should include
NSA in your threat model.
madez - 4 hours ago
> There's no evidence for any of that.
Have you heard about PRISM? Have you heard about Lavabit?
Have you heard about the FISA court and its practice?
> But that's rather better explained by incompetance instead
> of evil.
Having the ME in all products, not deactivatable, and not
replaceable is not a trivial thing to do, so it surely isn't
incompetence. What is it then?
throw2016 - 2 hours ago
There is already overwhelming evidence of abuse of power,
bad faith and surveillance. Attempting to brush it aside as
'incompetence' is brazenly disingenuous.
What's the point of asking for more 'evidence'? Do you
expect Snowden levels of sacrifice and disclosures every
month?
Apologists will continue to do this until it's too late to
do anything about surveillance, at which point they will
shrink into the thicket and leave everyone else hanging
onto a surveillance state.
Those who care about surveillance, privacy and democracy
have every responsibility to be alert and act now.
pdelbarba - 4 hours ago
I wouldn't say that there's no evidence of this behavior.
https://en.wikipedia.org/wiki/Dual_EC_DRBG
We also have a fair amount of evidence that there have been
attempts in China to implement hardware back-doors.
mschuster91 - 4 hours ago
> There's no evidence for any of that.
Oh there is: Dual_EC_DRBG, and that took years to get proof.
Also, NSA and AT&T room 641A, plus the packet interdiction
programs of the NSA - and I mean physical packets containing
DC hardware, that then was modified by NSA.
And we don't have any overview what the US government forces
companies and people with NSLs to do... only the sliver of
info we got with the Lavabit case.
linkregister - 4 hours ago
Do you think that the U.S. government has enough money to
influence Intel and Microsoft? It is the other way around:
both companies spend tens of millions on lobbyists.
William Binney said something. Does it mean that it applies to
all companies? Did he mention which companies? Is he a credible
source for things that occurred after he left NSA? Is he even
a credible source outside his expertise?
Do you think that European countries don't take action? What
would you call the anti-trust suit against Google, GDPR,
anti-tax haven lawsuit against Apple, and other actions?
Having a narrow set of news sources can lead a reasonable
person (you) to your conclusion. I urge you to look at a
variety of sources. Some good ones: Der Spiegel, Al Jazeera,
NPR, The Economist, The Wall Street Journal, The South China
Morning Post.
madez - 3 hours ago
You ask interesting questions.
> Do you think that the U.S. government has enough money to
> influence Intel and Microsoft?
I think the government uses (legal) force and threats to get
what they want. The laws are in place to leave no options for
the company. The money is more a compensation than a bribery.
It could make the companies comply without needing to go
nuclear. Also, it supports local companies.
> It is the other way around: both companies spend tens of
> millions on lobbyists.
Do these lobbyists have any influence on the FBI, CIA, NSA,
etc., either directly or remotely through the government? I
don't think so.
> William Binney said something. Does it mean that it applies
> to all companies? Did he mention which companies? Is he a
> credible source for things that occurred after he left NSA?
> Is he even a credible source outside his expertise?
All companies? I don't know, and it doesn't even matter. He
talked about his time at the NSA. I consider him a credible
source, since I have no reason not to.
> Do you think that European countries don't take action? What
> would you call the anti-trust suit against Google, GDPR,
> anti-tax haven lawsuit against Apple, and other actions?
Yes, I think they don't take sufficient and adequate action.
The GDPR is a good step, but the race is not won by a step. It
reminds me of an anti-corruption office in a one-party
communist regime. A good thing, but not enough.
Please don't mix this up with taxes. That is a totally
different outrageous clusterfuck.
linkregister - 15 minutes ago
> Do these lobbyists have any influence on the FBI, CIA,
> NSA, etc., either directly or remotely through the
> government? I don't think so.
These agencies have their budgets set by the U.S. Congress.
I think you're unfamiliar with the composition of the
United States government.
> I consider him a credible source, since I have no reason
> not to.
What makes him a credible source? His claim to fame is
THINTHREAD, not cash deals with companies. Are you saying
that if a man says something that aligns with your world
view, but is outside of his expertise, you'll still believe
the statement? That doesn't sound honest.
> Yes, I think they don't take sufficient and adequate
> action
Then why claim that the EU won't take any action when you
admit they do in the next reply?
This is the problem with discourse on most of the internet.
People make extreme claims to make a point. But that's not
a reasoned argument. You're venting, not arguing. That
belongs on Reddit and 4chan, not here.
[deleted]
ksk - 3 hours ago
Why would posting about a product that was publicly available and
advertised by a company be a conspiracy?
Insanity - 4 hours ago
Am I correct in believing the AMD variant of this is
'Trustzone'[0]? If not, does AMD have something similar?
[0]: https://www.arm.com/products/security-on-arm/trustzone
rileyphone - 2 hours ago
ARM != AMD
Insanity - 52 minutes ago
Whoops yeah, I realise that. I just saw a reference somewhere
from AMD + Trustzone and clicked on the first link I found :D
Sorry
thg - 3 hours ago
AMD PSP (Platform Security Processor) is what you're looking for.
Essentially the same thing as the ME, just for AMD processors.
AstralStorm - 3 hours ago
It is now called AMD Secure Processor.
Insanity - 52 minutes ago
Thanks!
snvzz - 5 hours ago
Linux has MILLIONS of lines of code. Please don't. EFI is already
bloated as it is.
Support efforts like coreboot instead. And FFS, firmware should
not persist once the operating system boots. Persistent firmware
is cancer.
cyphar - 4 hours ago
UEFI is larger than the Linux kernel (if you don't include
drivers, because UEFI doesn't have drivers). And it has orders of
magnitude more syscalls. So Linux is actually better than UEFI
from a bloat standpoint.
pgeorgi - 5 hours ago
A board specific Linux build is smaller than a board specific EFI
build. Yes, it's that bad.
Also, Linux in firmware is either the final OS, or - more likely -
a kexec step into the actual OS. In the latter case, there's no
persistent firmware since the old Linux is gone.
jabl - 3 hours ago
> Linux has MILLIONS of lines of code. Please don't. EFI is
> already bloated as it is.
Well, if you're going to run Linux anyway, running Linux as your
firmware + bootloader doesn't increase your attack surface. And,
it can be argued that e.g. the Linux networking stack is more
battle tested than the UEFI one.
> Support efforts like coreboot instead.
Ron Minnich is the father of coreboot. If it were possible to run
coreboot on modern Intel server platforms, I'm certain that's
what he would propose. As a sibling commenter mentioned, he views
NERF as a backup solution if using coreboot isn't possible.
> And FFS, firmware should not persist once the operating system
> boots. Persistent firmware is cancer.
In NERF, the Linux kernel burned on the flash rom kexec()'s the
final distro kernel. IOW, it replaces itself by the new kernel,
it doesn't linger around in the background.
mschuster91 - 4 hours ago
> And FFS, firmware should not persist once the operating system
> boots.
Generally I agree with you, however there is one thing that
cannot be done without a RAM-persisted firmware: any kind of
power management. It's highly dependent on the specific chips
(sometimes, chip revisions) on the motherboard, and while
integrating even ultra low level stuff into the Linux kernel
might help there, we see the consequences of doing so in the
Android world: manufacturers do not have the time/money to get
their code in a shape that's going to be accepted by the kernel
community, so they fork it and the users are screwed.
AstralStorm - 3 hours ago
RAM persisted what? Table of hardware pstates and cstates per
device? A flag to reinitialize busses and hardware, skip memory
clear? Handling PCI and CPU reinit should be easy. It is not,
because manufacturers are keeping critical parts under NDA or
completely secret.
mschuster91 - 2 hours ago
> A flag to reinitialize busses and hardware, skip memory
> clear
It's not just a simple flag - it's basic stuff like for
example which clock pin is mapped to which clock consumer(s),
which GPIOs on which pins are mapped to stuff like LEDs, the
power/reset switch, which hardware interrupt line is mapped
to which GPIO... all stuff that's best kept inside the BIOS
where the manufacturer can easily patch it if needed in
contrast to the Linux kernel with its notorious difficulty to
get stuff accepted into mainline, much less into a kernel
that actually runs on users' computers - think LTS users, for
example. I can take a 2010 kernel and it will likely run fine
on a recent x86 machine, but if I needed to wait for
motherboard support to ship in kernel, that would be not very
cool.
Yes, something like FDT would be nice but even on the
relatively small ARM space it has its fair share of issues -
I don't even want to think about having FDT in mainstream
x86.
stmw - 5 hours ago
That's a good point, actually, it'd be nicer to keep things
separate and alive for only as long as needed.
PatchMonkey - 4 hours ago
Uhm... coreboot is the linux kernel, just like this project,
running that platform control module that normally runs via Intel
ME.
The big difference is Go on one side, and a small selection of
config files to support a small/growing collection of hardware on
the other.
Is this guy looking to use the existing kernel code, as coreboot
does? Or is he going to add to it, to make the One Kernel to Rule
Them Allz? Because I'm hearing the former, not the latter. I
could be wrong.
Sir_Cmpwn - 2 hours ago
coreboot is not the Linux kernel.
Jonnax - 5 hours ago
"He was also asked about the relationship of this work to
coreboot. Minnich said that coreboot should always be preferred,
but it has not been available for server platforms for 12 years.
So he would suggest that developers "always use coreboot if you
can", but if not, look at NERF."
I know some people like being retro with old ThinkPads but 12
year old servers are a bit much.
[deleted]
throwaway613834 - 3 hours ago
I understand the urge to remove networking capabilities, but why do
privacy folks freak out about the entireties of UEFI/ME/SMM? It's a
fact that the hardware is the one with control of the system at
boot, and you're always at the mercy of the vendors in terms of bad
code (whether intentional or otherwise). You can't get rid of
hardware-specific code, and you also don't have any control over
the designs of the chips. Both of those are places where it will
always be possible to do something nefarious if the vendor feels
like it. Unless you feel like fabricating your own chips from
scratch, at some point you have to trust all these layers. Why
suddenly freak out when it comes to new layers?
AstralStorm - 3 hours ago
Because SMM can be disabled. UEFI can potentially be replaced and
should renounce direct hardware access after initialization and
driver disable. ME cannot be disabled and has both networking and
direct memory access bypassing even IOMMU, running in the
background.
throwaway613834 - 3 hours ago
> UEFI should renounce direct hardware access after
> initialization and driver disable
I don't follow. If it's nefarious then doesn't having control
in the beginning already screw you? And if not, but if it gets
compromised, then can't it be programmed not to do that?
cjbprime - 3 hours ago
Did you follow yesterday's news? The ME is remotely vulnerable,
has full control over the machine, and it's not even clear that
it can be upgraded in a secure way.
Why wouldn't you be interested in turning it off?
And why would you classify people who'd rather not be running
remotely vulnerable code they can't control as "privacy folks"?
throwaway613834 - 3 hours ago
I did follow the news about being remotely vulnerable. That's
why I said I'd understand the urge to remove the networking
stacks. Other vulnerabilities would require local access.
> Why wouldn't you be interested in turning it off?
I'm not asking why you'd be interested in it, I'm asking why
you'd freak out so much about it given X/Y/Z are already true
and you can't do anything about them. There's a bit more nuance
in my argument than you're giving me credit for here.
> And why would you classify people who'd rather not be running
> remotely vulnerable code they can't control as "privacy
> folks"?
I already excluded the part about remote vulnerability. See
first point above.
ksk - 3 hours ago
> The ME is remotely vulnerable,
Could you please post a link on that? I read about the AMT
bugs, which require the user to manually provision it.
macns - 1 hours ago
http://cve.circl.lu/cve/CVE-2017-5712
Summary: Buffer overflow in Active Management Technology (AMT)
in Intel Manageability Engine Firmware
8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker
with remote Admin access to the system to execute arbitrary
code with AMT execution privilege
EDIT: I'm not sure this was the one the GP was referring to
iainmerrick - 4 hours ago
The Go portion of this -- a Go-based Linux userspace -- sounds very
interesting, but not directly related to all the firmware stuff,
unless I misunderstand.
Anybody got some good links about the Go userspace?
jabl - 3 hours ago
http://u-root.tk/
mikeokner - 5 hours ago
You'd think if the ME truly wasn't nefarious that Intel would offer
chips without it and capitalize on the extra features in the
enterprise market. I've yet to encounter anyone who actually wants
it.
tyingq - 4 hours ago
> I've yet to encounter anyone who actually wants it
Ignoring the security concerns, the remote access, imaging, etc,
are actually pretty nice. Better done than most 3rd party IPMI
implementations.
If it were open and documented, and able to be turned off, it has
value.
tscs37 - 2 hours ago
Several corporations use it for Lights-Out management or on
laptops to ensure data security compliance.
The things for which you actually want a backdoor in your server
to control it from. Maybe even in the face of an attacker who has
gained full control of both software and hardware.
freedomben - 37 minutes ago
I would love a potential employer/recruiter to woo me with,
"Your choice of non-backdoor-ed laptop that respects your
privacy." I would at least give them a phone call for that
line.
pgeorgi - 4 hours ago
It's also a convenient place to put in all the things they don't
want to hard wire. Which gets more every day.
Need to maintain crypto keys for SGX enclave memory? Do it in the
ME. Need to do some extra stuff on suspend/resume? Do it in the
ME. Not sure if any other special handling might require updates
at a later date? Do it in the ME. ...
There's no need for nefarious purposes to explain why the ME
isn't optional anymore - it's just more convenient.
srcmap - 4 hours ago
Need to add/remove/read system's crypto keys? Do it in ME.
Need to monitor/hack the computer when the users think it is
"power off"? Do it in ME.
Need to add other "features" to the system in the future? Do it
in ME.
colejohnson66 - 4 hours ago
I say it also has to do with them just not caring about what
their users want. You're still gonna buy an x86 processor and AMD
has their own ME-like tool too. What are you gonna do, run your
desktop on ARM or RISC-V?
cturner - 4 hours ago
Would be good to have a low performance riscv motherboard with
something like a PCI bus. Then, run an x86 daughter card. Early
arm systems (acorn RISC pc) could house a 486 daughter card
like this, and you could run Windows on it in a box. Have one
at home.
drvdevd - 4 hours ago
Sadly, the main reason IMO this isn't possible is not just that
desktop software is designed for the x86 instruction set, but
that it's designed for lots of RAM and CPU usage, when it could
be slimmer.
prophesi - 3 hours ago
And even with ARM (I'm not familiar with RISC-V), you're likely
going to have binary blobs for critical drivers.
AstralStorm - 3 hours ago
Worse, in Qualcomm chips you have essentially the same OS as
in AMD "Secure" Processor. Trustonic TEE OS. Handling ARM
"Trust"Zone.
ksk - 3 hours ago
> I say it also has to do with them just not caring about what
> their users want.
Why are people buying their products?
colejohnson66 - 2 hours ago
Because the only alternative is AMD, who, until Ryzen, was
lacking in performance quite a bit.
ksk - 1 hours ago
In that case, it actually goes against your "they don't
care about their users" narrative. Or maybe they partially
care about their users.
Anyway, I see some value in the features that ME provides,
and so I'm not as anti-ME as a lot of the commenters on
here. But obviously, I want the security bugs to be fixed
too.
ksk - 3 hours ago
I want it. Wearing multiple hats at a small company, I have to
occasionally reimage machines and this would make it very useful
for me.
monocasa - 5 hours ago
It's in part used for DRM. You've probably used it if you've
watched BluRays or Netflix over 720p.
0xFFC - 5 hours ago
I am genuinely asking, how is Intel ME related to watching
movies on Netflix? Would you mind elaborating a little bit?
monocasa - 5 hours ago
AFAIU, it's used in the HDCP encryption negotiation.
sofaofthedamned - 4 hours ago
Yup. There's also rumours it holds the secure enclave
equivalent, so getting root into this means you're double
fucked: https://twitter.com/mjg59/status/932730696614813696
Groxx - 3 hours ago
Given Intel's announcement:
https://security-center.intel.com/advisory.aspx?intelid=INTE...
> Based on the items identified through the comprehensive
> security review, an attacker could gain unauthorized access
> to platform, Intel® ME feature, and 3rd party secrets
> protected by the Intel® Management Engine (ME), Intel®
> Server Platform Service (SPS), or Intel® Trusted Execution
> Engine (TXE).
It seems like there's a reasonable chance of that being the
case.
freedomben - 39 minutes ago
Link to Intel's announcement isn't working. Might be a
server-side issue ¯\_(ツ)_/¯