
Replacing x86 firmware with Linux and Go - dankohn1
https://lwn.net/SubscriberLink/738649/81007748bf15c1e5/
======
chroem-
And to think that posting about Intel ME on HN only a couple years ago would
have commenters swarm you with accusations of being a deluded conspiracy
theorist. Neat. It's good that people are finally becoming aware of the
problems that it poses.

~~~
mastax
Really? Every thread on HN I've seen about ME has been hordes of people
lamenting the fact that you can't buy a processor without it.

~~~
madez
I share GP's opinion. Snowden changed a lot. The internet really has a global
passive attacker that can control US-based companies like puppets, and is
doing so.

William Binney said the companies are paid money for providing data and
access. How is that not subsidizing that industry? Financial help is a
first-class reason for other governments to impose duties, restrict
international trade and subsidize local competitors. Yet, there is no reaction
in Europe. Microsoft can freely sell their OS and Intel is free to have their
monopoly, and uses that to backdoor everybody.

It is creepy that European countries don't take action.

LiMux was a good example of moving in the right direction. Recently it was
abandoned. I didn't see big unseen powers at play there, just the harsh
reality that most people don't understand computers and don't care.

~~~
ajross
> global passive attacker that can control US-based companies like puppets,
> and is doing so.

And... this is where the deluded conspiracy theorist accusations the upthread
poster was complaining about come from.

There's no evidence for any of that[1]. The ME's capabilities (low level
system controller with access to all memory and hardware, with special access
to network hardware that can operate cleanly along with a running OS) have
been known and even _advertised by Intel_ for years. The news of the moment is
that it's subject to a few rather embarrassing exploits.

But that's rather better explained by incompetence instead of evil. Yet
everyone jumps to "back door" because that sounds more fun I guess. (In fact,
to the extent there is evidence of government involvement here, it's in the
opposite direction: the NSA appears to have demanded an "off switch" for the
ME).

[1] Edit to clarify: I'm talking about the ME folks. Yes, the government does
bad things. The EC flaws under discussion in this subthread are not among
them, so citing them as evidence paints you as a conspiracy nut and not
someone serious about security.

~~~
cyphar
> Yet everyone jumps to "back door" because that sounds more fun I guess.

IME is (by construction) a backdoor. Its primary purpose is as a management
tool, but all management tools are by necessity backdoors. The only
distinction between the two is whether the person using the backdoor has
ownership over the machine.

> In fact, to the extent there is evidence of government involvement here,
> it's in the opposite direction: the NSA appears to have demanded an "off
> switch" for the ME.

It also shows that the NSA is in communication with Intel and is capable of
getting them to implement something that large corporations like Google were
unable to convince them to do. Which should be concerning, because it makes
you wonder what else the NSA might've asked as well.

Also these really aren't conspiracy theories anymore. We know that the NSA and
CIA do these sorts of things thanks to the information we learned from Snowden
and other whistleblowers.

~~~
linkregister
No, the Snowden leaks showed that NSA _did_ do something, not that it does
every malicious thing that people accuse it of. How does it help anything by
making unfounded accusations?

Historically, Australia has heavily interfered in PNG affairs. Should you be
accused of espionage or subversion if you decide to hike a portion of the
Kokoda Trail?

Would it be appropriate for Indigenous People to accuse you of attempting to
steal their children, a practice that occurred until the 1970s?

~~~
traineater
> No, the Snowden leaks showed that NSA did do something, not that it does
> every malicious thing that people accuse it of. How does it help anything by
> making unfounded accusations?

It shows they'll do anything within their power, legal or illegal, in order to
get at more people's data. Of course they have involvement with this, why
wouldn't they?

> Historically, Australia has heavily interfered in PNG affairs. Should you be
> accused of espionage or subversion if you decide to hike a portion of the
> Kokoda Trail?

> Would it be appropriate for Indigenous People to accuse you of attempting to
> steal their children, a practice that occurred until the 1970s?

Bizarre points in support of your initial comment I think.

~~~
linkregister
_> Of course they have involvement with this, why wouldn't they?_

I think you give them too much credit and unnecessarily slander Intel, which
has little reason to go along with NSA (no large DoD contracts, almost all
consumer and B2B market).

Also, you overestimate the amount of resources NSA has. If they have enough
money to overcome Intel's appetite for risk, then why doesn't the NSA just run
every single internet and hardware service out there? Your threat model needs
to have bounds. It's worthless if you expect the adversary to have unlimited
resources.

~~~
ekianjo
Overestimate the amount of resources? Wikipedia:

> In 2012, the NSA said more than 30,000 employees worked at Fort Meade and
> other facilities.[2] In 2012, John C. Inglis, the deputy director, said that
> the total number of NSA employees is "somewhere between 37,000 and one
> billion" as a joke,[4] and stated that the agency is "probably the biggest
> employer of introverts."[4] In 2013 Der Spiegel stated that the NSA had
> 40,000 employees.[5] More widely, it has been described as the world's
> largest single employer of mathematicians.

Let's assume they have 30 000 employees and the large majority of them are
highly educated; that would make it one of the largest organizations on
Earth in terms of intellectual capital.

In terms of actual budget it's obviously classified, but estimations are
probably around 10 billion USD per year.

[https://www.globalsecurity.org/intell/library/budget/index.h...](https://www.globalsecurity.org/intell/library/budget/index.html)

That's not a small budget by any feat, and we know they operate huge data
centers for surveillance, so they are certainly not a "passive" intelligence
agency.

~~~
linkregister
Wal-Mart has more employees, is it more powerful? Number of employees is a
negative metric. It means the NSA has less ostensible secret bribe money.

Throwing up a big number is dazzling, but when you look at what the NSA does
with that $10B, there is a limit. For example, the supposed 40k employees
already eat up $3.2B, assuming an extremely charitable average fully-loaded
cost of $80k per employee.

Including facilities and supercomputer costs, this rapidly dwindles.

That leaves maybe $5B for bribes, according to your accounting. Is that enough
to subvert everybody?

_> they are certainly not a "passive" intelligence agency_

What is this addressing? Are you attempting to change the goal posts? The
topic is ostensible unlimited NSA resources to corrupt every proprietary
technology.

~~~
ekianjo
> Wal-Mart has more employees, is it more powerful?

I doubt Wal-Mart has as many highly educated employees as the NSA. Numbers
don't mean anything by themselves, but if you hire thousands of mathematicians
they are bound to deliver more than Wal-Mart in the data science and
cryptography department.

> Including facilities and supercomputer costs, this rapidly dwindles.

Well, considering the overall surveillance budget of all secret agencies
constantly increases, it does not seem that they will ever lack funding.

> That leaves maybe $5B for bribes, according to your accounting. Is that
> enough to subvert everybody?

Why would you need bribes when you have the Law and the full might of
government power behind you? If you can convict of high treason anybody who
speaks publicly about what the NSA does, why would anyone at Google, Microsoft
or other companies working with the NSA have any incentive to say anything?

> The topic is ostensible unlimited NSA resources to corrupt every proprietary
> technology.

Resources are not only money. When you work for the government (and furthermore
of the military establishment), as I said earlier, you can bring down a whole
new level of pressure that money itself cannot buy. If that were not the case,
then a bunch of secrets (take for example everything related to nuclear
testing in the US) that were only revealed way, way after the facts, would
have emerged much earlier in all likelihood.

~~~
linkregister
_> If you can convict of high treason anybody who speaks publicly about what
the NSA does, why would anyone at Google, Microsoft or other companies working
with the NSA have any incentive to say anything?_

This is where your rhetoric is getting ahead of the facts. The Snowden leaks
were published in American newspapers. Company officers from each of those
businesses publicly berated the NSA. FBI national security letters did force
companies to disclose information about foreign intelligence targets, but this
is not because of secret NSA powers, it's from a law passed by Congress.

_> When you work for the government (and furthermore of the military
establishment), as I said earlier, you can bring down a whole new level of
pressure that money itself cannot buy._

What does the military have to do with Software-as-a-Service providers? Can
you name an instance when the modern military provided a chilling effect or
seriously impacted these services?

~~~
cyphar
> This is where your rhetoric is getting ahead of the facts. The Snowden leaks
> were published in American newspapers.

Snowden is being prosecuted under the Espionage Act, the reporters were
threatened repeatedly by the authorities, The Guardian was forced to destroy
their copies of the Snowden Archives, etc etc.

Also, just because the "secret NSA power" of National Security Letters are a
tool made legal by Congress doesn't change the ethics concerns relating to
their use.

------
mikeokner
You'd think if the ME truly wasn't nefarious that Intel would offer chips
without it and capitalize on the extra features in the enterprise market. I've
yet to encounter anyone who actually wants it.

~~~
colejohnson66
I say it also has to do with them just not caring about what their users want.
You’re still gonna buy an x86 processor and AMD has their own ME-like tool
too. What are you gonna do, run your desktop on ARM or RISC-V?

~~~
prophesi
And even with ARM (I'm not familiar with RISC-V), you're likely going to have
binary blobs for critical drivers.

~~~
AstralStorm
Worse, in Qualcomm chips you have essentially the same OS as in AMD "Secure"
Processor. Trustonic TEE OS. Handling ARM "Trust"Zone.

------
PopsiclePete
I would gladly trade in raw 30% performance from my Intel chip for some other
platform that did not have American corporate/Deep State/NSA interests behind
it.

I just want a minimum bootloader (open source) that boots into Linux - that's
it. No "Enterprise management" crap, no NSA crap.

I don't think I have any options. I certainly wouldn't buy Chinese or Russian,
and I'm not aware of any EU member state having anything in the works either -
but I think it's time we started seriously considering this.

Google/Amazon/Microsoft have the muscle to actually do something about this,
but no motivation. I'm surprised that they even trust Intel - it would take
_one_ high-profile security breach to turn their respective Cloud Computing
businesses upside down - people are already jittery.

I don't know if IBM Power is the solution, or ARM, but it's become abundantly
clear that you can't trust Intel or AMD, or the x86 platform, anymore.

~~~
eeZah7Ux
Both Facebook and Google are working at disabling ME. They make no secret that
they do not trust it.

NSA & other US orgs receive hardware without ME already.

Surveillance is for the rest of us.

~~~
confounded
> _Both Facebook and Google are working at disabling ME. They make no secret
> that they do not trust it._

I'm aware of Google's work with Coreboot and Chromebooks, but not Facebook's.
Can you tell us anything?

~~~
bubblethink
I don't know of fb's direct involvement in any ME related stuff, but they do
develop openbmc which is a replacement for proprietary bmc firmware. BMC isn't
quite as nefarious as ME though, and is optional anyway.

------
dajt
Can anyone ELI5 how two additional OSs can run network stacks without
interfering with each other and the user OS networking?

I assume ME and UEFI use DHCP to get their addresses yet my modem/router only
shows the one from my user OS.

Where do they get the drivers for whatever NIC happens to be installed? Do the
motherboard vendors have to put blobs in place during manufacturing?

~~~
nine_k
To get the network capabilities of the ME, the machine has to have a
compatible NIC, AFAIK.

~~~
emmelaich
This is a good reason to buy a machine that is not _all_ Intel (or _all_
anything else).

------
iainmerrick
The Go portion of this -- a Go-based Linux userspace -- sounds very
interesting, but not directly related to all the firmware stuff, unless I
misunderstand.

Anybody got some good links about the Go userspace?

~~~
hugelgupf
[https://github.com/u-root/u-root](https://github.com/u-root/u-root)

Let us know if you have any questions. There's a slack channel (see
contributing.md) where Ron and I are pretty active.

~~~
oelmekki
Hi,

I have kind of a "FOSS diplomacy" question: is the kernel core team involved
in this effort, or is it something totally third party to them? (the purpose
of this question being to know if linux core team gets involved in go
programming)

------
floren
Ron's been beating on this drum for years, and I'm glad that the wider world
finally seems to be catching on.

------
cmurf
_Go is a compiled language, but it is often used for scripting. Minnich uses
it that way "all the time"; he stopped writing Bash scripts years ago in favor
of Go. It is "easier and more reliable" to write scripts in Go._

Interesting.

Also, the NERF (basically negate most of UEFI, in particular the
extensibility) firmware using Linux, has an initramfs containing all the user
space stuff as uncompiled Go, and a compiler which compiles on the fly.

------
shmerl
_> Some people say to switch to AMD processors, but that is not really a
solution now. Ryzen is touted to be open, but that is not truly the case,
there are still closed parts._

Can anyone elaborate, please? How does AMD compare to Intel's problems with ME?

~~~
bradfa
Prior to Zen based processors there are a decent number of offerings under the
Opteron and AMD's embedded SoC families (possibly others, but these are the
ones I'm familiar with) which did not contain ME-like capabilities. Projects
like Coreboot generally have pretty good support for these AMD parts. For an
embedded example, see the PCEngines APU2 boards:
[http://pcengines.ch/apu2.htm](http://pcengines.ch/apu2.htm)

Zen based parts from AMD have their PSP (platform security processor), which I
believe is generally a dedicated Cortex-A series CPU within the silicon to do
many security related things. Its functionality is similar to some of what the
ME provides on Intel parts.

~~~
ranma42
Actually AFAIK the APU2 SoC includes a PSP already, the APU1 is still free of
that. But even the APU1 SoC has a small LM32 core that you have no source for,
see Rudolf Marek's CCC talk "AMD x86 SMU firmware analysis".

------
mhd
> The user-space piece is all written in Go, which is generally more trusted
> than C within Google

Someone should read "On Trusting Trust" and note its author…

~~~
IshKebab
You can get around that by cross-compiling. I think in this day pulling
something like that off on a compiler as popular as Go would get noticed.

Anyway that issue is orthogonal to the language choice.

------
luckydude
Doesn't the ME firmware do power saving, suspend, restore, etc.?

~~~
AstralStorm
1) Not at all. Tables are in UEFI. Control is in kernel space. It can remotely
issue a boot or shutdown command among others. Probably hard shutdown too
considering the watchdog.

2) Only in so far as it goes into power saving mode itself. (Which is kind of
fake, does not disable magic networking junk.)

3) Like in any other boot if unhibernating. Does not touch suspend which is
handled in UEFI.

------
throwaway613834
I understand the urge to remove networking capabilities, but why do privacy
folks freak out about the entireties of UEFI/ME/SMM? It's a fact that the
hardware is the one with control of the system at boot, and you're always at
the mercy of the vendors in terms of bad code (whether intentional or
otherwise). You can't get rid of hardware-specific code, and you also don't
have any control over the designs of the chips. Both of those are places where
it will always be possible to do something nefarious if the vendor feels like
it. Unless you feel like fabricating your own chips from scratch, at some
point you have to trust all these layers. Why suddenly freak out when it comes
to new layers?

~~~
cjbprime
Did you follow yesterday's news? The ME is _remotely vulnerable_ , has full
control over the machine, and it's not even clear that it can be upgraded in a
secure way.

Why wouldn't you be interested in turning it off?

And why would you classify people who'd rather not be running remotely
vulnerable code they can't control as "privacy folks"?

~~~
ksk
> The ME is remotely vulnerable,

Could you please post a link on that? I read about the AMT bugs, which require
the user to manually provision it.

~~~
macns
[http://cve.circl.lu/cve/CVE-2017-5712](http://cve.circl.lu/cve/CVE-2017-5712)

Summary: Buffer overflow in Active Management Technology (AMT) in Intel
Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20
allows attacker with remote Admin access to the system to execute arbitrary
code with AMT execution privilege

EDIT: I'm not sure this was the one the GP was referring to.

------
sjellis
I've been wondering if there would ever be a killer feature that would make
ARM-based servers really compelling, and now I'm starting to think that we
have one. Intel are handing ARM a massive opportunity with the IME issues.

------
samlewis
Am I missing something or is the next step going to be Intel making ME
impossible to remove without bricking your CPU? If so, seems like these
efforts are fairly futile if they'll only work for the current gen of
processors.

~~~
madez
It is already impossible to remove the ME. If one does, then the system either
doesn't boot at all or reboots after 30 minutes. All you can do is to
apparently cripple it on some models.

------
Insanity
Am I correct in believing the AMD variant of this is 'Trustzone'[0]? If not,
does AMD have something similar?

[0]: [https://www.arm.com/products/security-on-arm/trustzone](https://www.arm.com/products/security-on-arm/trustzone)

~~~
thg
AMD PSP (Platform Security Processor) is what you're looking for. Essentially
the same thing as the ME, just for AMD processors.

~~~
AstralStorm
It is now called AMD Secure Processor.

~~~
Insanity
Thanks!

------
alex_duf
Is there any link to that talk?

Edit: yes, at the end of the article:
[https://www.youtube.com/watch?v=iffTJ1vPCSo&list=PLbzoR-pLrL...](https://www.youtube.com/watch?v=iffTJ1vPCSo&list=PLbzoR-pLrL6pISWAq-1cXP4_UZAyRtesk)

------
snvzz
Linux has MILLIONS of lines of code. Please don't. EFI is already bloated as
it is.

Support efforts like coreboot instead. And FFS, firmware should not persist
once the operating system boots. Persistent firmware is cancer.

~~~
mschuster91
> And FFS, firmware should not persist once the operating system boots.

Generally I agree with you; however, there is one thing that cannot be done
without a RAM-persisted firmware: any kind of power management. It's highly
dependent on the specific chips (sometimes, chip revisions) on the
motherboard, and while integrating even ultra low level stuff into the Linux
kernel might help there, we see the consequences of doing so in the Android
world: manufacturers do not have the time/money to get their code in a shape
that's going to be accepted by the kernel community, so they fork it and the
users are screwed.

~~~
AstralStorm
RAM persisted what? Table of hardware pstates and cstates per device? A flag
to reinitialize busses and hardware, skip memory clear? Handling PCI and CPU
reinit should be easy. It is not because manufacturers are keeping critical
parts under NDA or completely secret.

~~~
mschuster91
> A flag to reinitialize busses and hardware, skip memory clear

It's not just a simple flag - it's basic stuff like for example which clock
pin is mapped to which clock consumer(s), which GPIOs on which pins are mapped
to stuff like LEDs, the power/reset switch, which hardware interrupt line is
mapped to which GPIO... all stuff that's best kept inside the BIOS where the
manufacturer can easily patch it if needed in contrast to the Linux kernel
with its notorious difficulty to get stuff accepted into mainline, much less
into a kernel that actually runs on users' computers - think LTS users, for
example. I can take a 2010 kernel and it will likely run fine on a recent x86
machine, but if I needed to wait for motherboard support to ship in kernel,
that would be not very cool.

Yes, something like FDT would be nice but even on the relatively small ARM
space it has its fair share of issues - I don't even want to think about
having FDT in mainstream x86.

