
Disabling Intel ME 11 via undocumented mode - Severian
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
======
arca_vorago
This is why I support Power/MIPS/RISC development going forward. It's just a
shame that we allowed Intel and AMD to both put in CPU backdoors at such an
obvious level (I like x86 but it's not the CPU of the future unless it's
open). I highly suspect some national security letter type shit is going on in
the background, a la Promis and William A. Hamilton, who has claimed on Bruce
Schneier's blog they (intel agencies) were infiltrating even low level chip
manufacturers. Danny Casolaro's death was likely a required nastiness to keep
it covered up.

~~~
userbinator
If some other CPU architecture were the dominant PC platform, do you think it
wouldn't grow such features too?

It's not hard to imagine an alternate universe in which we all have RISC
workstations with the equivalent of ME, and Intel/AMD are the minorities who
have more "open" CPUs without, but only because they hadn't grown enough.

The underlying reason why ME became popular is the same reason why proprietary
walled gardens became popular: because they are heavily promoted as a
_security/safety_ feature, and "who doesn't want to be safe and secure?"

Remember that, shortly before the turn of the century, Intel was convinced by
the masses to remove a feature that would seem almost innocuous today, a
serial number, but only because they marketed it as for DRM/identification
instead of a security feature:

[https://www.wired.com/1999/01/intel-on-privacy-whoops/](https://www.wired.com/1999/01/intel-on-privacy-whoops/)

~~~
ams6110
> The underlying reason why ME became popular ...

... is also because it provides management features that are _wanted_ by
enterprise customers. If you're running hundreds of servers in a data center,
the more management you can do remotely, without visiting the machine room and
preferably automated as much as possible, the better.

This is quite irrelevant and even undesirable for an individual's personal
computer.

~~~
rekado
I read statements like this often on HN, but not once during my years of work
as a sysadmin in enterprise IT in different countries did I meet anyone who
used ME/AMT for employee laptops. Also not at conferences.

Admins use the ILOM/IPMI for servers, so you don't really need it for server
CPUs. For laptops all management happens at the operating system level, not
below it.

~~~
cyphar
Admins used the "Intel System Defense Utility"[1] back in the vPro/AMT days.
It allowed for "nice" BMC-like features for normal desktops and laptops. I
know about it from "The Website is Down"[2], but I find it hard to believe
that nobody used it.

[1]:
[https://downloadcenter.intel.com/download/15362/index.htm?ii...](https://downloadcenter.intel.com/download/15362/index.htm?iid=go+isdu)
[2]:
[https://www.youtube.com/watch?v=v0mwT3DkG4w](https://www.youtube.com/watch?v=v0mwT3DkG4w)

~~~
arca_vorago
I hadn't seen that episode of TWiD. So hilarious, with a mix of sad how true
it is.

------
userbinator
_Nonetheless, our research team (Dmitry Sklyarov, Mark Ermolov, and Maxim
Goryachy)_

Dmitry Sklyarov! There's a name I haven't seen in a while... good to see he's
still actively doing this stuff.

The immense complexity of the base firmware and hardware in a modern system is
astonishing. XML, MINIX, and three(!) complete 486 cores in the PCH.

Given this amazing feat of engineering, and the goals of the ME, it makes me
wonder what people would be willing to work on it --- "making the nooses on
which to hang ourselves", as the saying goes --- and if perhaps some of those
people are actually not too approving of the idea and would, given an
opportunity to do it without consequences to themselves, do a Snowden and leak
everything that they could...

The fact that such an "ME killswitch" exists doesn't surprise me either; in
this case it seems to be an actual feature, but putting such functionality into
debug/test modes is not uncommon. It was only a matter of time before someone
would find it.

~~~
wmf
In my experience firmware is developed by an underclass who are happy to have
any decent-paying job at all.

Or maybe the people who work on the ME realize that it's far from the largest
risk in the system.

~~~
dmitrygr

> Underclass

LOLWUT?

Firmware pays pretty damn well. If you know what you're doing.

------
codedokode
If ME is not a backdoor then why doesn't Intel allow disabling it? Why don't
they publish detailed descriptions? Why don't they allow users to run their
programs on the ME CPU?

~~~
valarauca1
If ME isn't a backdoor why did Russia and China start efforts to supplant
Intel with locally sourced processors (even before US embargo'd Intel from
China)?

~~~
baybal2
> even before US embargo'd Intel from China

You can see how well this embargo works in every electronics mall.

~~~
valarauca1
It isn't a blanket sanction, just against government and computing centers.
The last 3 Chinese super computers have used home grown FeiTeng RISC
processors which were binary compatible to Itanium, but for new models they're
using OpenSPARC.

~~~
pantalaimon
> The last 3 Chinese super computers have used home grown FeiTeng RISC
> processors which were binary compatible to Itanium, but for new models they're
> using OpenSPARC.

Where did you get that information?

[https://en.wikipedia.org/wiki/SW26010](https://en.wikipedia.org/wiki/SW26010)
doesn't claim any of that.

~~~
bri3d
China's newest supercomputers are based on Sunway like you linked, but newer
FeiTeng models (post-Itanium) were indeed OpenSPARC:

[https://en.wikipedia.org/wiki/FeiTeng_(processor)](https://en.wikipedia.org/wiki/FeiTeng_\(processor\))

~~~
gnufx
I don't understand what the SPARC "front end" actually is, but the Tianhe-2
Top 500 figure comes from Intel processors
<[https://www.top500.org/system/177999](https://www.top500.org/system/177999)>.

------
yborg
Impressive work on reverse engineering this.

Am I correct in assuming that since this backdoor chip has access to all of
the peripheral I/O that it could even be used on a device with onboard
wireless in "power off" mode, which is usually some kind of low-level sleep?
So a compromise of this subsystem (or intentional backdoor) would allow one to
take control of even a device that is "off". Given the trend to non-removable
batteries, it might actually be impossible to prevent such an attack without
physically destroying a laptop.

~~~
astrobe_
A Faraday cage laptop bag is probably a less drastic solution.

~~~
QAPereo
I think if you're at that point, a laptop is a luxury you can't really afford.

------
eganist
Rather than assume anything nefarious on the part of the USG, I'm willing to
bet a buck that someone in the USG asked the right questions during contract
negotiation, which is why this kill switch was added but not publicized to
anyone outside participants in the HAP Program.

~~~
dane-pgp
But maybe that contract negotiation also included a rhetorical question like
"And you won't offer this option to other governments, will you?".

~~~
eganist
I mean, just asking for a feature exclusive to customers with the HAP Program
is enough to meet that goal.

~~~
dane-pgp
I think it's worth considering what sort of incentives are created by such a
deal.

------
throw2016
The more details leak about ME the more shocking it becomes. Why is this
accepted in any free democratic society?

There can be discussions, there can be debates but in everyday life this is
already accepted. And even if one does not want to accept it what are the
choices given similar technology is now integrated in other processors?

If we accept that computers are essential to operate in modern society then
this is akin to a company taking control of the water supply with the ability
to stop supply and do other unknown actions with zero accountability.

If you expand this thought this is a kind of fascism. We could be left with a
shell of freedom and democracy while the government in partnership with
corporates take deeper control of day to day life.

~~~
rsync
"There can be discussions, there can be debates ..."

Can there be?

If ME is part of DRM platforms (and I believe it is) then disabling it is
circumvention of a digital copyright mechanism which brings the DMCA into
play.

"The lawsuit against 2600 magazine, threats against Professor Edward Felten's
team of researchers, and prosecution of the Russian programmer Dmitry Sklyarov
are among the most widely known examples of the DMCA being used to chill
speech and research. Bowing to DMCA liability fears, online service providers
and bulletin board operators have censored discussions of copy-protection
systems, programmers have removed computer security programs from their
websites, and students, scientists and security experts have stopped
publishing details of their research."[1]

[1] [https://www.eff.org/wp/unintended-consequences-under-dmca](https://www.eff.org/wp/unintended-consequences-under-dmca)

~~~
wolfgke
This is rather an argument against DMCA or an argument why researchers working
in this area should consider leaving the USA.

------
nur0n
Such blatant security holes are why Google resorts to measures like this:
[https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-...](https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-security-in-plaintext.html)

~~~
foobiekr
The company I founded built something very similar to a Titan-equipped server
to allow attestation/measurement/signed logs/full external policy. I can tell
you point blank that while the product we built is great, getting enterprises,
the majority of whom _still_ haven't patched EternalBlue, to worry about
clean source, log traceability, etc. can be quite a challenging business at
times. They don't understand problems with IPMI or anything else.

The only thing that is going to change the face of the security market is that
the loop between responsibility and inaction gets closed; as things stand
today, the primary difficulty in the space is that for your average, not-very-
knowledgeable customer, there is effectively no difference in mostly
fraudulent security solutions and real ones - both get auditors out of your
hair, so why bother buying anything real (or even not deploying anything like
Comodo which actually makes things worse but still checks the box)?

------
dmitrygr
The interesting question here is: why undocumented. It was created on request,
but nobody was told. Who pushed so hard ME to be on for everything but them?
And why? We know the answer :)

~~~
codezero
Intel's response to the authors kind of explains it: they added this feature
hastily to meet specific requirements of the HAP program and didn't fully
validate it – so it's not supported.

~~~
dmitrygr
You missed the point. It was added for people with big money. I promise you -
it is supported. Just not for you. You need to be backdoorable. They don't.

~~~
etatoby
ME itself was added for people with big money.

I'm not an engineer experienced in this kind of work, but I fail to see how a
company whose core business is manufacturing chips would develop an entire
computer (comprising an x86 CPU, its own RAM, MINIX OS, and access to all
kinds of I/O) hidden inside each one of their chips and made largely
inaccessible to regular users and developers. Unless they are paid _very_ well
to do so.

In retrospect they were kind of naive not to make it much harder to enable
this HAP mode, considering the lengths they went to make ME tamper proof. They
left the flag wide open and even commented it in an XML file.

~~~
the8472
> comprising an x86 CPU

The ME runs an Argonaut RISC Core instruction set and leverages a lot of the
existing infrastructure in the system since it sits directly in the chipset
and can ask the main CPU to do some things on its behalf too.

~~~
Narishma
Old versions did. Newer ones, as mentioned in the article, use a 486-derived
low-power core (similar to what was used in Edison/Quark platforms) for the
ME.

------
ryanlol
Here's the me_cleaner dev branch which supports setting the HAP bit to disable
ME.
[https://github.com/corna/me_cleaner/tree/dev](https://github.com/corna/me_cleaner/tree/dev)

------
captainmuon
This is something I always have been wondering about. I can't imagine the US
government is happy having the ME in every computer, with a closed source
operating system running that has complete access to CPU, memory and network.
If anybody can call Intel and ask for a custom version without this stuff, it
is the government. And it looks like they did.

(If any important Silicon Valley CEO reads this, why don't you give Intel a
call, as an important customer, and ask why 1) you can't disable the ME and 2)
for a written guarantee that there is no backdoor in the ME?)

Something else: does anybody know if the trick mentioned in the article has
negative side effects? Does power management still work? Can we be sure that
this doesn't _activate_ a backdoor to begin with, and the computer tries to
connect to an NSA domain :-) ?

~~~
etatoby
Considering that they left the HAP flag in the open and even commented it in
an XML file; considering how it does not disable all of ME, but only certain
bits; and contrasting it with the otherwise inscrutable, encrypted, and
tamper-proof nature of ME, it's hard not to see it as a honeypot or bait.

~~~
codedokode
Intel's management and QA probably looked only at UI where the flag is marked
as "Reserved".

------
discreditable
TL;DR: Intel put a special High Assurance Platform (HAP) mode in ME for the US
government. If toggled on, it disables all non-critical ME functionality.
Questioned, Intel responded:

> In response to requests from customers with specialized requirements we
> sometimes explore the modification or disabling of certain features. In this
> case, the modifications were made at the request of equipment manufacturers
> in support of their customer’s evaluation of the US government’s “High
> Assurance Platform” program. These modifications underwent a limited
> validation cycle and are not an officially supported configuration.

~~~
trhway
Basically govt finally learned about ME (like VNC built into CPU) and said
"what?! are you kidding!?" and on second breath - "keep it on for everybody
else though!"

~~~
mjg59
ME isn't like VNC built into the CPU - that's AMT. AMT is restricted to
higher-end Intel platforms, but ME is everywhere.

~~~
trhway
[https://en.wikipedia.org/wiki/Intel_Active_Management_Techno...](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology):

> AMT is part of the Intel Management Engine, which is built into PCs with
> Intel vPro technology.

> Currently, AMT is available in desktops, servers, ultrabooks, tablets, and
> laptops with Intel Core vPro processor family, including Intel Core i3, i5,
> i7, and Intel Xeon processor E3-1200 product family.

~~~
mjg59
AMT is a piece of software that runs on the Management Engine. vPro-enabled
platforms are the ones aimed at business laptops and workstations, not
consumer stuff. It's important to make the distinction because people can
check, find that their machine doesn't have the VNC functionality and then
assume that they don't have anything to worry about as far as the ME goes,
which is a false sense of security.

~~~
trhway
I don't think you described the behavior of typical HN reader :) Anyway, vPro
with VNC seems to be present on all consumer (ie. with IGP) CPUs, so there is
nothing to worry about in the sense that one anyway can't do anything about
it, and thus the worrying is futile.

~~~
mjg59
No, it's not. AMT is only shipped on Core-series CPUs when they're accompanied
with the business chipset rather than the consumer chipset. It's not an
integral part of the ME, it's software that the OEM has to license and ship in
their firmware.

------
xoroshiro
Can someone explain simply what this means for projects like libreboot and
coreboot? I'm always interested in this stuff and its implications, but
don't have the background to understand a lot of low level details. Is the
verdict still the same or are we gaining ground? Last time I checked, Purism
was quite optimistic about it, but the libreboot website seemed really
pessimistic about it.

~~~
aaronmdjones
I imagine coreboot might integrate this functionality or recommend that people
using coreboot do so themselves, but libreboot won't, because the entire point
of libreboot is to only use entirely free software and the ME firmware (even
the stripped down version that obeys this disable bit) which is required to
boot the machine is not free.

------
codedokode
I wonder if Apple is ok with this. They usually don't like someone else's
software running on their machines, especially on such a low level. They will
probably negotiate a kill switch for them too.

~~~
glasz
I've heard the ME is not enabled in Macs, for technical/architectural reasons.
Somebody please enlighten me if that is true.

~~~
JudasGoat
I've heard that ME can't communicate over a non Intel WiFi or Ethernet
chipset. Possibly related?

------
dabockster
Does AMD have anything like Intel ME on their chipsets? I recently completed a
Ryzen build and am curious.

~~~
eightysixfour
Yes, the AMD Platform Security Processor. The CEO said in a Reddit AMA they
would look into open sourcing it.

~~~
1001101
They aren't going to:

[https://news.ycombinator.com/item?id=14803373](https://news.ycombinator.com/item?id=14803373)

~~~
dv_dt
This makes one wonder if there is a secret legal requirement for this kind of
capability.

~~~
carapace
Years and years ago, when color printer/scanners were fairly new, I tried to
scan and print a $5 dollar bill. I was curious. The machine printed out about
a third of the image but the rest of what it printed was a very official
looking notice to please call the US Treasury.

(edit: HP was the manufacturer.)

~~~
mnbghj
Likely to do with the EURion constellation:
[https://en.wikipedia.org/wiki/EURion_constellation](https://en.wikipedia.org/wiki/EURion_constellation)

Another item of interest may be printer steganography, in which every piece of
printed paper, seemingly from every printer, can be traced back to make, model
and potentially even the unit used to print it:
[https://en.wikipedia.org/wiki/Printer_steganography](https://en.wikipedia.org/wiki/Printer_steganography)

~~~
carapace
I'm one of the most paranoid people you're ever likely to meet. (People more
paranoid than I am won't communicate online.) Printer steganography is just
beyond the limit I set for myself to try to disbelieve, and yet, here it is.

(Meaning that I always assumed something like this was going on, _because
that's what I would do_, but I try to disbelieve it so as to be able to act
normal. I believe all phones are continually listening to and scanning their
ambient environments, _because that's what I would do_. But probably not,
right? Right?)

The thing that bothers me the most is that "normal" people refuse to engage
with reality. I used to tell people some of the things e.g. that Snowden
revealed, but I was always accused of wearing the tinfoil hat. From my point
of view, normal people are hugely intellectually dishonest. Poor Ed Snowden
had to throw his life away to try to get people to notice and think about
what's happening, and typically all most people do is whine about their
precious privacy (the ones that don't immediately stick their heads back into
the sand that is.) Like privacy is something that still exists. It doesn't.

I better wrap it up here before I get the urge to talk about forbidden
technologies like REDACTED, REDACTED, and REDACTED. I mean, there's a certain
tension knowing about a REDACTED that can cure all diseases, but that cannot
be popularized because it can also REDACTED without a trace. Could you imagine
the chaos if something _like that_ became public knowledge!?

~~~
mnbghj
I wrote off freedom and privacy 2 years ago simply because it was having
adverse effects on my mental health. I wasn't changing anything by being
paranoid so I just stopped being paranoid.

I still don't use facebook and I run free/open-source software exclusively,
but worrying about it didn't change anything.

------
nickpsecurity
Here's the main product using HAP if anyone wants to see if they can buy it
and RE _its_ firmware.

[https://gdmissionsystems.com/cyber/products/trusted-computin...](https://gdmissionsystems.com/cyber/products/trusted-computing-cross-domain/trusted-multilevel-computing-solution)

Some stuff is government only but some for businesses. You'll have to contact
them to find out.

~~~
forapurpose
Recently I saw a guy in a cafe with a General Dynamics laptop. It looked
ruggedized and a few years old; I don't know if it was an HAP system. He said
he got it off of eBay.

------
wolfgke
What I consider as "interesting" is the fact that much more research (at least
if you look at HN headlines/posts) goes into "Intel ME" vs. "AMD Secure
Processor" (formerly known as "AMD PSP" ("Platform Security Processor")). I
really don't want to badmouth this important research on "Intel ME", but I am
a little bit confused by this asymmetry.

~~~
richdougherty
Perhaps this is because Intel ME is deployed much more widely than AMD PSP.

------
stinos
Could somebody explain in layman terms what exactly (say, 'spy-wise') ME could
enable some parties to (remotely?) do with one's pc? And what are the chances
this actually is being done?

~~~
mtreis86
They could put in a backdoor that opens when a magic packet is passed. These
things exist[1]. Your cell phone likely has one in the radio[2]. The problem
with this existing, other than the privacy issues, is that the packet can
eventually be discovered by fuzzing[3] the hardware.

[1][https://github.com/elvanderb/TCP-32764](https://github.com/elvanderb/TCP-32764)

[2][https://www.contextis.com/resources/blog/binary-sms-old-back...](https://www.contextis.com/resources/blog/binary-sms-old-backdoor-your-new-thing/)

[3][https://www.owasp.org/index.php/Fuzzing](https://www.owasp.org/index.php/Fuzzing)

------
rubatuga
So if I understand correctly, the way to disable Intel ME is to simply flip a
bit? Using a software tool?

~~~
totony
The article also mentions removing some non critical binaries and modifying
the ME filesystem.

~~~
eganist
My understanding is this step isn't really a necessity but rather was done to
prove that ME could be disabled at an extremely low level since the missing
binaries would no longer trigger what's effectively a failure condition.

Could be wrong. Probably safer to just set the killbit rather than also tamper
with ME directly is ultimately my point. That's my risk aversion at work.

~~~
rubatuga
I'm simply intrigued how this bit has managed to elude so many developers and
hackers over the years. It's literally an option in an Intel software tool,
and yet you have people who have vehemently complained about Intel ME for the
past few years. I have some serious cognitive dissonance going on right now.

~~~
dmm
The latest version of ME, 11, uses a x86 processor. That's why the researchers
were able to perform this analysis and find the bit to flip. It also doesn't
disable ME, just most of it.

~~~
rubatuga
I see, it appears ME 11 was introduced in September 2015, which means this
discovery came about in less than two years.

------
homerowilson
Great new marketing phrase tho: MINIX Inside!

------
trapperkeeper74
ACPI is almost as horrible: complicated, opaque, untrusted code running on a
VM instead of using declarative data tables.

Closed-source firmware and silicon must end, because it's impossible to
authoritatively verify correctness or rule out malware implants inserted at
some point along the way.

~~~
unlmtd1
Well said. It also makes computing much more expensive and slow to progress.
But those fraudsters love their violence-backed monopoly. Imagine if a few vital
manufacturing plants were destroyed, we would have silicon shortages. We have
made ourselves fragile, backwards and weak.

------
ece
What happened to 3rd party chipsets? Seems like VIA, ALi, SiS, Nvidia nForce,
all stopped making them for Intel processors around 2008. If there were
alternative chipsets still around, we would see more motherboard makers
adopting something like openBMC with an alternative chipset and using it. No
Intel PCH, no Intel ME.

~~~
wmf
_If there were alternative chipsets still around, we would see more
motherboard makers adopting something like openBMC with an alternative chipset
and using it._

No we wouldn't. All the chipsets would be subject to the same market forces
and thus would converge on similar features, including the ME. Just like how
99% of x86 systems are running UEFI instead of coreboot.

~~~
ece
That is not an apples to apples comparison. Plenty of features differ from
motherboard to motherboard. Someone like an ASUS could adopt openbmc much
easier if an alternative chipset existed. I'm not arguing about the
marketability of openbmc, I know it exists. I'm talking about why there are no
chipset alternatives to Intel PCH that would force Intel ME on us.

------
tomxor
Q: How does one actually determine Intel ME is present in a CPU... I've got an
old P8600, I can find no definitive list of CPUs or ways to test for it. Some
articles say all Intel CPUs since 2006, others say only the newer "core"
brand.

~~~
milcron
Intel Core 2 Duo P8600? That has the ME.

Intel's ME was first available in 2006, and by the end of 2008 it was on every
CPU they produce.

According to ark.intel.com, the P8600 chip was produced Q3'08 so it's in the
right timeline for having the ME. But the giveaway is that the chip has
"Trusted Execution technology".

    
    
> Intel® Trusted Execution Technology for safer computing is a versatile set
> of hardware extensions to Intel® processors and chipsets that enhance the
> digital office platform with security capabilities such as measured launch
> and protected execution. It enables an environment where applications can
> run within their own space, protected from all other software on the system.
    

On the bright side, older MEs are easier to de-fang. The 06-08 versions can
sometimes be removed entirely.

------
chris_wot
Is this the same Dmitry Sklyarov who got caught up in a DMCA debacle over a
decade ago?

------
arkainW123
I really can't grasp the "undocumented mode" term. I believe it was created on
request.

~~~
dfox
That is pretty much standard term for processor features that are not
supported by Intel. The main selling point of the whole Intel's x86 platform
is that when something is supported and documented it will either behave the
same way on newer processors or newer processors would include some mechanism
to emulate the old behavior. Intel tends to go especially overboard with this
approach and even support feature combinations that are not useful in any way.

Recent example is that original AMD's x86_64 CPUs did not support certain
descriptor formats in long mode and didn't support x87 FPU ISA for 64b code.
Intel's EM64T supports both of these things. Usefulness of first is somewhat
questionable as only real user of that is dosemu, another would be if somebody
would want to modify some Concurrent DOS/FlexOS derived OS to be 64b aware
(there actually might be some small business case for doing so). Microsoft
solved this by dropping support for 16b and DOS applications in 64b builds. And
for the second limitation it is pretty obvious that there cannot be any code
that would be broken by that.

Older examples are the whole A20M# business and then there is LOADALL, which
was never officially documented, has three different encodings and behaviors
depending on CPU generation but got used by Microsoft and thus the 386
encoding and behavior is somewhat semi-documented and semi-supported even 30
years later.

~~~
ajross
Just to clarify: the A20 stuff was an IBM PC/AT feature in the chipset of the
original machine, not a CPU thing. It was actually a response to an Intel
_mistake_ in backward compatibility between the 8086 and 286 (real mode
segments that pointed "beyond" the first 1MB would wrap around on the original
processor but hit the second megabyte on the 286).

But when the memory mapping went on-chip in later devices, it needed to be
part of the CPU core for compatibility with software written to work on the
AT.

~~~
dfox
The mistake was with the fact that 8086 has 64kB-16B worth of user visible
memory addresses that are beyond what the hardware could actually address due
to width of the physical address bus and thus got aliased to the other end of
address space. People say that there was software that depended on this
behavior, but I can't see any sane reason why somebody would write something
like that (given how the address layout of PC looks like the only sane
application of this aliasing is in the early initialization BIOS code, which
obviously had to be significantly rewritten for AT).

Edit: the reason why 486 and later CPUs contain the A20M logic internally has
nothing to do with "memory mapping". 486 has on chip cache which has to know,
whether this memory region is aliased or not. Additional effect of this logic
being in the CPU is that it can be controlled by writes into MSRs, which are
significantly faster than sending commands into KBC which controlled this
thing on AT. (Also, in vm86 mode this compatibility hack could be implemented
by MMU without dedicated hardware kludges, which is what essentially all DOS
XMS managers do.)

~~~
ajross
You're arguing semantics. Pulling the cache on-chip _means_ that the memory
bus and its mapping logic needs to be on-chip too, because it sits beneath the
cache. We're saying exactly the same thing.

(And FWIW: the mistake Intel made was that those accesses were legal on an
8086. They should have been an exception condition, which would have avoided
this problem by making the 286 behavior a proper superset)

~~~
dfox
I know we are saying exactly the same thing, but somebody else who reads this
thread might not, so the successive clarifications are useful :)

In hindsight, making accesses beyond the end of physical memory on 8086 an
exception is nice solution. But I think that more useful solution would be
different design of the 8086 pseudo-segmentation that would make such linear
addresses unrepresentable on the user level. On the other hand whether this
would be good idea depends on whether you view another horrible kludge (ie.
HMA/UMB and potentially also usage of that as EMS window or bounce buffer) as
useful.

Edit: as for the memory attached to processor behaving sanely it is
interesting to look at Alpha which expects that memory is memory and could be
write back cached. With one small and significant exception: the region on
which ISA VGA would exist is hardwired to be uncacheable.

------
hellbanner
Are there any good open computers?

~~~
e12e
I think that depends on what you mean by _good_ and _computer_. You might, for
example, want something that costs on the same order of magnitude as an Intel
or AMD x86_64-bit cpu. Afaik the answer to that question then becomes _no_.

There's some hope around power9-based systems:

[https://www.raptorcs.com/TALOSII/](https://www.raptorcs.com/TALOSII/)

For more modest demands on performance, and affordability, there's LEON and
OpenSPARC.

~~~
hellbanner
Thanks. I couldn't find LEON (bad google-fu?), can you link?

So in effect, big $CORPs own computers and with Alphabet agency influence and
systemic flaws, the hope for open and secure and powerful computing should be
forgotten.

~~~
e12e
See:
[https://en.m.wikipedia.org/wiki/LEON](https://en.m.wikipedia.org/wiki/LEON)

> the hope for open and secure and powerful computing should be forgotten

I'd say it depends a bit. IBM still throwing money at POWER is interesting.
The openSPARC is interesting for certain embedded applications that deal with
signal processing - where there's real work to be done both in software and
hardware (asic / fpga) - like wireless communication. Having a few sparc cores
that run Linux well ready to drop in on a fpga is very nice.

But for consumer hw... Yeah, it's difficult to compete with arm on one side
and Intel/AMD on the other. Remember that even transmeta had to throw in the
towel trying to compete in that space.

------
JudasGoat
I didn't notice if the HAP switch is available on earlier (pre ME 11)
hardware.

------
DarkKomunalec
Imagine if some non-US government voided Intel and AMD's patents as a self-
defence measure against these probably-backdoored 'features'. Why should they
protect the profits of hostile corporations?

~~~
codedokode
Voiding patents probably doesn't change anything because patents usually
contain just vague description.

~~~
DarkKomunalec
You underestimate how much patents are used to impede competition - see
[https://arstechnica.com/information-technology/2017/06/intel...](https://arstechnica.com/information-technology/2017/06/intel-fires-warning-shots-at-microsoft-claims-x86-emulation-is-a-patent-minefield/),
and the many less public patent licenses and threats.

