Linked by Thom Holwerda on Tue 10th Oct 2017 23:45 UTC
Intel

The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -2, independently of the BIOS, main CPU and platform operating system - a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported).

In this mini-guide, I'll run through the process of disabling the IME on your target PC.

Apparently, the IME co-processor runs... MINIX 3. That is incredibly fascinating. This means every post-2006 Intel PC runs MINIX.

Does this mean...
by jockm on Wed 11th Oct 2017 00:00 UTC
jockm
Member since:
2012-12-22

Minix 3 is the most popular x86 Operating System?

Reply Score: 5

RE: Does this mean...
by Brendan on Wed 11th Oct 2017 06:20 UTC in reply to "Does this mean..."
Brendan Member since:
2005-11-16

Hi,

Minix 3 is the most popular x86 Operating System?


Popularity implies people had a choice. For example; you can't say that Minix 3 is the most hated/least popular OS just because nobody wants Intel's management engine.

- Brendan

Reply Score: 1

RE[2]: Does this mean...
by Kochise on Wed 11th Oct 2017 06:55 UTC in reply to "RE: Does this mean..."
Kochise Member since:
2006-03-03

Is Windows the most popular operating system?

Reply Score: 3

RE[3]: Does this mean...
by The123king on Wed 11th Oct 2017 07:17 UTC in reply to "RE[2]: Does this mean..."
The123king Member since:
2009-05-28

I'd say yes for x86-based platforms. Outside of that, maybe not so much

Reply Score: 3

RE[4]: Does this mean...
by CaptainN- on Thu 12th Oct 2017 18:01 UTC in reply to "RE[3]: Does this mean..."
CaptainN- Member since:
2005-07-07

Android must be the most popular by volume, no? Certainly Linux is as far as kernels go.

Reply Score: 1

Interesting process but ...
by shotsman on Wed 11th Oct 2017 05:25 UTC
shotsman
Member since:
2005-07-22

this is certainly not for everyone. I'm sure that if you follow the steps perfectly you may do it but TBH, it seems an awful lot more trouble than it is worth.
I suspect that only the most paranoid or those who work for the various TLAs around the world will bother.

For the average punter? I don't see any compelling reason to do this (at the moment).

But... it was interesting to find out that it can be done.
Thanks Thom.

Reply Score: 3

RE: Interesting process but ...
by Flatland_Spider on Wed 11th Oct 2017 17:20 UTC in reply to "Interesting process but ..."
Flatland_Spider Member since:
2006-09-01

IME is a security risk. The AMT/vPro security holes of the not too distant past illustrate the problem of this technology, and without a compelling reason to keep it around (i.e. a corporate setting which uses it for remote administration and provisioning of desktops), it should get nuked.

References:
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-int...
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-000...
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Sec...

Edited 2017-10-11 17:23 UTC

Reply Score: 3

RE: Interesting process but ...
by CaptainN- on Thu 12th Oct 2017 18:12 UTC in reply to "Interesting process but ..."
CaptainN- Member since:
2005-07-07

Wow, this FAQ page makes a strong case for Apple (and maybe others) to ditch x86 quickly https://libreboot.org/faq.html#amd

From the FAQ:
"it is our opinion that all performant x86 hardware newer than the AMD Family 15h CPUs (on AMD’s side) or anything post-2009 on Intel’s side is defective by design and cannot safely be used to store, transmit, or process sensitive data. Sensitive data is any data in which a data breach would cause significant economic harm to the entity which created or was responsible for storing said data, so this would include banks, credit card companies, or retailers (customer account records), in addition to the “usual” engineering and software development firms. This also affects whistleblowers, or anyone who needs actual privacy and security."

Apple is really the only larger player that has not only vocally supported privacy, but also actually done some things about it. A switch away from x86 to ARM could allow them to engineer their CPUs without these problems. Of course, I wonder whether they would...

Reply Score: 1

MINIX link
by zdzichu on Wed 11th Oct 2017 05:34 UTC
zdzichu
Member since:
2006-11-07

Do read the second link carefully. MINIX is used after PCH 100 series overhaul. It was released in 2015.
So it is not true that every post-2006 Intel PC has Minix inside.

Reply Score: 6

Minix and Qt
by Carewolf on Wed 11th Oct 2017 11:27 UTC
Carewolf
Member since:
2005-09-08

I would love to see the IME code.. It is probably full of scary crap, but it sounds so fascinating.

Reply Score: 3

Linux depends on MINIX to run!
by moondevil on Wed 11th Oct 2017 11:53 UTC
moondevil
Member since:
2005-07-08

Oh the irony.....

Reply Score: 5

Comment by Sidux
by Sidux on Wed 11th Oct 2017 12:20 UTC
Sidux
Member since:
2015-03-10

Curious if AMD's TrustZone runs something similar as well. It's ARM based...

Edited 2017-10-11 12:20 UTC

Reply Score: 4

Comment by jing
by jing on Wed 11th Oct 2017 13:33 UTC
jing
Member since:
2017-08-19

This means every post-2006 Intel PC runs MINIX.

No. ThreadX until Skylake (IME v11)

So every post-2015 Intel PC runs MINIX.

Reply Score: 2

NOT in all post-2006 Intel-CPU-based PCs.
by bhhenry on Wed 11th Oct 2017 17:40 UTC
bhhenry
Member since:
2005-07-06

The Intel Management Engine chip and firmware need to be installed on the motherboard. Not all hardware sold since 2006 has this. It is typically included as a feature for Corporate use.

Reply Score: 2

bassbeast
Member since:
2007-11-11

The article claims AMD has an equivalent but all I have found is a bunch of FUD that all link back to a couple of 2012 articles saying "AMD has licensed Trustzone and plan to use it in the future" but I have found ZERO evidence they ever did anything with ARM Trustzone other than use it for the console APUs they sold to MSFT and Sony.

With the Intel version you can find code for the IME, you can find where it is on the chip layouts, I have scoured over everything I can find on AMD chips and have found exactly squat when it comes to AMD having their own IME, instead it all comes back to those same couple of 2012 articles. Even AMD's Trustzone page hasn't been updated since 2013 so unless someone can show us some current code or chip layouts showing Trustzone on current AMD processors? I'm calling FUD.

Reply Score: 3

ssokolow Member since:
2010-01-21

It doesn't help that AMD changed the name twice. First to PSP (Platform Security Processor) and now to "Secure Processor".

According to this article, the first in-the-wild PSP cores back in 2014 were 32-bit ARM Cortex-A5 cores:

http://www.tomshardware.com/reviews/amd-tablet-processor,3813-2.htm...

...and here are some more recent links about it:

https://www.amd.com/en-us/innovations/software-technologies/security

https://hothardware.com/news/amd-confirms-it-will-not-be-opensourcin...

Edited 2017-10-13 00:33 UTC

Reply Score: 3

Question
by Earl C Pottinger on Thu 12th Oct 2017 21:45 UTC
Earl C Pottinger
Member since:
2008-07-12

If the CPUs run okay with IME disabled, why did we need it in the first place?

Reply Score: 2

RE: Question
by ssokolow on Sat 14th Oct 2017 07:07 UTC in reply to "Question"
ssokolow Member since:
2010-01-21

The system can run without the IME because, originally, its purpose was to allow remote administration of servers even when the primary OS is completely borked. (Hence the "ME" part. [Remote] Management Engine.)

That's probably also the reason that it resets the system if the IME doesn't come up quickly enough. Better to have your server fail while you're still in the datacenter doing the install than to discover the IME is broken just when you need it.

...and, since then, the new modules that were added are so that the entire "decrypt video, then re-encrypt with HDCP" step can be moved completely outside the reach of software the user can inspect or modify.

https://www.alexrad.me/discourse/why-rosyna-cant-take-a-movie-screen...

Edited 2017-10-14 07:08 UTC

Reply Score: 2

minor nit pick
by bn-7bc on Sat 14th Oct 2017 10:53 UTC
bn-7bc
Member since:
2005-09-04

Just a minor nitpick, but the summary mentioned BIOS; does this also affect people with UEFI?

Reply Score: 1