
MINIX – The most popular OS in the world, thanks to Intel - rbanffy
https://www.networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html
======
Sir_Cmpwn
I don't appreciate the degree to which this article conflates MINIX and IME.

>Google wants to remove MINIX from its internal servers

No, Google wants to remove IME from its internal servers. They don't care that
it's MINIX.

>But MINIX has total and complete access to the entirety of your computer. All
of it.

You mean IME.

MINIX is a really cool operating system, even if it's being used for evil. But
other operating systems are used for evil, too. MINIX has nothing to do with
the fact that Intel put it on their secondary processors and ran a bunch of
nasty services on it.

~~~
cormacrelf
IME has 'total and complete access', but so does MINIX, it would appear. Relevantly,
MINIX is what you would exploit to break into Ring -3. The article conflates
them deliberately.

~~~
microcolonel
On MINIX, you would more likely compromise a process like the file system, and
then induce a privileged service to fail, causing the reincarnation server to
read your version of that privileged service from the file system; that is,
assuming they haven't introduced pervasive load-time signature verification
for this version.

------
jhoechtl
>> Note to AMD: Now might be a good time to remove similar functionality from
your CPU lines to try to win market share from Intel. Better to do so now
before Intel removes the “Management Engine.” Strike while the iron’s hot and
all that.

I am absolutely certain this comes with backing maybe even pressure from
government surveillance bodies. You don't have it - you don't get a contract.

AMD does already follow suit and is not better by any means.

~~~
tw30tw
Then they should release the same CPU without the ME. Like they do for
overclocking purposes. Leave it to the consumers to choose.

~~~
RubenSandwich
To play devil's advocate for AMD here. Then America and the other Five Eyes
might not allow you to sell your product in their countries without an ME.
Thereby you lose a huge market because let's face it most modern nations are
now doing surveillance on their citizens, not just the US.

------
cryogenic_soul
Here are some Russian guys having success in almost fully disabling the Intel
ME.

[http://www.pvsm.ru/informatsionnaya-bezopasnost/262876](http://www.pvsm.ru/informatsionnaya-bezopasnost/262876)

(you can use Google Translate from the top of the page, to translate content
from Russian to English)

~~~
georgecmu
Here's the Register write-up on this:
[https://www.theregister.co.uk/2017/08/29/intel_management_en...](https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/)

 _On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov,
and Maxim Goryachy said they had found a way to turn off the Intel ME by
setting the undocumented HAP bit to 1 in a configuration file.

HAP stands for high assurance platform. It's an IT security framework
developed by the US National Security Agency, an organization that might want
a way to disable a feature on Intel chips that presents a security risk.

The Register asked Intel about this and received the same emailed statement
that was provided to Positive Technologies.

"In response to requests from customers with specialized requirements we
sometimes explore the modification or disabling of certain features," Intel's
spokesperson said. "In this case, the modifications were made at the request
of equipment manufacturers in support of their customer's evaluation of the US
government's 'High Assurance Platform' program. These modifications underwent
a limited validation cycle and are not an officially supported
configuration."_

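The "HAP bit in a configuration file" quoted above is a strap bit in the SPI flash descriptor, not a file inside the ME firmware. As an added illustration (not code from the article, the Register, or Positive Technologies), the script below locates the descriptor in a SPI image and flips that bit. The layout it relies on is an assumption taken from public descriptions of the descriptor and of the me_cleaner approach, not from this thread: descriptor signature 0x0FF0A55A at image offset 0x10, the PCH strap base (FPSBA) in bits 23:16 of FLMAP1 at descriptor offset 0x18 in units of 16 bytes, and HAP as bit 16 of PCHSTRP0 (the first dword at FPSBA, ME 11 and later layout). The sample image is constructed inline; run it against a real dump at your own risk and only after verifying those offsets for your platform.

```python
"""Locate the Intel flash descriptor in a SPI image and set the HAP bit.

Added example, not code from the article or the thread. Layout assumptions
(from public descriptor documentation and the me_cleaner approach, NOT from
the page itself; verify for your platform before touching a real image):
  * descriptor signature 0x0FF0A55A at image offset 0x10
  * FLMAP1 at descriptor offset 0x18 holds FPSBA in bits 23:16 (x16 bytes)
  * HAP is bit 16 of PCHSTRP0, the first dword at FPSBA (ME 11+ layout)
"""
import struct

FD_SIGNATURE = 0x0FF0A55A
FD_SIG_OFFSET = 0x10
FLMAP1_OFFSET = 0x18
HAP_BIT = 1 << 16


def find_pch_straps(image: bytes) -> int:
    """Return the byte offset of PCHSTRP0, or raise if no descriptor is found."""
    if len(image) < FLMAP1_OFFSET + 4:
        raise ValueError("image too small to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, FD_SIG_OFFSET)
    if sig != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at 0x10")
    (flmap1,) = struct.unpack_from("<I", image, FLMAP1_OFFSET)
    fpsba = ((flmap1 >> 16) & 0xFF) << 4  # assumed: bits 23:16, 16-byte units
    if fpsba + 4 > len(image):
        raise ValueError("PCH strap base points outside the image")
    return fpsba


def hap_bit_set(image: bytes) -> bool:
    """True if HAP (assumed bit 16 of PCHSTRP0) is already set."""
    off = find_pch_straps(image)
    (pchstrp0,) = struct.unpack_from("<I", image, off)
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with HAP=1 and every other byte untouched."""
    off = find_pch_straps(image)
    buf = bytearray(image)
    (pchstrp0,) = struct.unpack_from("<I", buf, off)
    struct.pack_into("<I", buf, off, pchstrp0 | HAP_BIT)
    return bytes(buf)


def make_sample_image() -> bytes:
    """Constructed toy image (not a real dump): 4 KiB, descriptor at 0x10,
    PCH straps at 0x100, HAP clear."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, FD_SIG_OFFSET, FD_SIGNATURE)
    # FLMAP0 at 0x14: component base 0x03 (0x30), region base 0x04 (0x40)
    struct.pack_into("<I", img, 0x14, (0x04 << 16) | 0x03)
    # FLMAP1 at 0x18: master base 0x06 (0x60), PCH strap base 0x10 (0x100)
    struct.pack_into("<I", img, FLMAP1_OFFSET, (0x10 << 16) | 0x06)
    # PCHSTRP0 with HAP clear and a few unrelated bits set
    struct.pack_into("<I", img, 0x100, 0x000000A5)
    return bytes(img)


if __name__ == "__main__":
    original = make_sample_image()
    print("straps at 0x%x, HAP set: %s" % (find_pch_straps(original),
                                           hap_bit_set(original)))
    patched = set_hap_bit(original)
    print("after patch, HAP set: %s, bytes changed: %d" % (
        hap_bit_set(patched),
        sum(a != b for a, b in zip(original, patched))))
```

Two things the bit flip does not do, which is why the Register quote calls it "not an officially supported configuration": it does not remove the ME firmware region (the BUP/bring-up code still runs before HAP takes effect), and on a real image the descriptor may be write-protected, so the patched file has to be flashed externally.
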
~~~
EGreg
_" Intel does not and will not design backdoors for access into its products.
Recent reports claiming otherwise are misinformed and blatantly false. Intel
does not participate in any efforts to decrease security of its technology"_

We can all rest easy now that Intel has come out and publicly said this, right?

------
therealmarv
Remember those hackers from science fiction movies who can control everything
everywhere with Internet access? WHY the F*CK is a web server on Ring -3
there? Don't they watch movies at Intel?

~~~
drzaiusapelord
Because intel saw all the dollars pouring into things like SCCM and other
enterprise management solutions and wanted a slice of that pie and the only
feasible move to grab that market was a hardware solution, like a poor man's
iLO. The same way they saw dollars pouring into RAID controllers and
integrated its own soft raid solution into their hardware. Not to mention
their other market oddities like their mobile x86 chip, their SSD line, Intel
TV, etc.

The promise of dollars makes men do odd things.

------
walterbell
Good news for OpenPower and IBM, where the firmware appears to be open-source,
[https://news.ycombinator.com/item?id=12168502](https://news.ycombinator.com/item?id=12168502)

------
vidarh
_One of_ the most popular, not _the_. Finding precise numbers is hard, but in
2016, IDC reported worldwide PC sales of ca. 65 million units in Q1, and the
market has been in decline (the Q1 2016 numbers were at 2007 levels).
Meanwhile Android phones alone account for more than that every month, and
while Intel does sell some CPUs for tablets etc. and other markets, it's
peanuts compared to their PC sales.

So at least Android still ships in more devices.

~~~
sacheendra
They qualify their stand by adding "... shipping today on modern Intel-based
computers"

~~~
TallGuyShort
Thus making the headline effectively: "The most popular OS in the world ...
shipping today on modern Intel-based computers ... thanks to Intel".

If we're all MINIX users, then Linux is a major player in the smartphone
market and BSD is crushing the laptop market.

------
tomxor
Kinda a shame for Minix. I always hoped v3 would pick up a wider following,
but this is probably not the right kind of popularity.

Intel would have picked it for its high reliability (e.g. it can survive
critical driver bugs without rebooting).

------
esistgut
Replace UEFI with Linux:
[https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...](https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20with%20Linux.pdf)

------
factorialboy
Can someone ELI5 why Intel needs an OS in the processor?

~~~
bryanlarsen
If you're a sysadmin for a machine that you don't have physical access to, and
the main OS is hosed, how do you fix it?

It's a very useful feature for large enterprises, and pretty much only for
them. The interesting question is why doesn't Intel charge "enterprise
pricing" for the feature, just like they do for stuff like ECC?

~~~
vidarh
IPMI.

IPMI is not integrated into the main CPU, so you don't have direct ability to
control the state of the main CPU, but (depending on implementation) you'll be
able to access sensor data, operate on the sensor data logs, get a console
etc.

With a properly set up system it means you have a standard way to attach,
request a reboot and interact with the system remotely.

~~~
bryanlarsen
IPMI works great on the server, not so well for managing desktops. Perhaps it
should have been extended to support desktops, but I'm not surprised that
Intel chose to push vPro instead.

~~~
vidarh
Well, yes, they'd rather push an option that doesn't give other companies an
opportunity to play in that market.

------
wink
So does anyone actually have any rough numbers on what kind of specs this
MINIX on the IME runs? I mean, in terms of "this is like a 100MHz CPU with 1MB
of RAM" or something.

Also, related:
[http://spritesmods.com/?art=hddhack&page=1](http://spritesmods.com/?art=hddhack&page=1)

------
sigzero
I'd say "wide spread" not "popular".

------
lallysingh
I don't understand why AMD isn't all over this as a product differentiator

~~~
alex_duf
Because they probably are required to do the same under whatever legal
jurisdiction they fall under.

~~~
pas
What makes you say this?

------
mmagin
Related talk and slides:
[https://www.youtube.com/watch?v=iffTJ1vPCSo](https://www.youtube.com/watch?v=iffTJ1vPCSo)
[https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...](https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20with%20Linux.pdf)

Interesting Atom boards mentioned in the talk:
[https://minnowboard.org/](https://minnowboard.org/)

------
thyrsus
It would appear
[http://download.intel.com/support/motherboards/desktop/sb/in...](http://download.intel.com/support/motherboards/desktop/sb/intel_mebx_user_guide_for_7series.pdf)
that one must set the address of the IME before it is net accessible; how do I
get there from, e.g., the HP iLO menus?

P.S.: I haven't observed the prompt "Press <CTRL-P> to enter Intel® ME Setup"
during boot.

------
stinos
So if there is a web server running, can we access that somehow?

------
mrweasel
Is anyone actually using Intel Management Engine? I understand why Intel would
have it as a feature, but the majority of all users, including large companies
and other organisation with 1000+ desktops, don't need it or use other
solutions.

Besides not being able to turn it off, it actually seems like a nice enough
offer, I just never heard of anyone using it.

Is there a demo of the ME somewhere?

~~~
Foxboron
Intel ME is part of the initialization of the CPU during boot. You are running
Intel ME whether or not you think it's useful. Removing Intel ME, or disabling
it, results in your computer stopping after 30 sec. Much of the work to remove
Intel ME is more about neutralizing the firmware.

Pretty great talk from 32C3 about Intel ME
[https://media.ccc.de/v/32c3-7352-towards_reasonably_trustwor...](https://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops)

~~~
mrweasel
That wasn't really my point. Arguably it should be a feature you specifically
enable, or better yet only present if you buy that option.

If you ignore all that, then Intel ME actually seems rather useful, for a
subset of users, specifically organisations with large numbers of machines
deployed. Still I'm not sure that even the target audience of ME is actually
using it, so it seems like a huge waste of time and money from Intel
perspective.

~~~
criddell
I believe the person you replied to was talking about the BUP module. This is
useful to every user.

It's probably cheaper for Intel to ship the same ME on every motherboard than
to customize it endlessly.

------
mwexler
Good to know that those hours in school wrestling with recreating parts of
Minix for my OS class weren't wasted.

But seriously, the Tanenbaum stuff (book, code) was really impressive, if
painful to do on 3.5" floppies.

I'm just assuming that by now, we'd have something better for embedded OSes in
one of the most central computing approaches used in the world.

------
signa11
[citation needed (most definitely)] i would wager that devices running linux
are in far greater number than intel hardware.

------
microcolonel
I mean, the dangerous thing about ME is not the operating system, but the
level of access each module has, and the lack of consumer insight.

This article seems to be trying to fluff up ME by defending MINIX (is it
MINIX 3? That's cool, but still doesn't make ME sit right).

------
ngneer
I do not like the post. It seems scant on details and rife with conclusions.
The Google presentation linked to has a bit more detail on the underlying
technologies. A modern processor is a complex beast, and a security argument
can always be made to reduce complexity. Citation needed for espionage and
privacy evasion use cases...

~~~
aylons
Surely, this is more an opinion piece than a didactic article. Here you have a
more detailed write-up on the issue, including a known vulnerability and how
others could be lingering: [https://www.eff.org/deeplinks/2017/05/intels-management-engi...](https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it)

~~~
ngneer
Thanks. The citation describes the existence of vulnerabilities and laments
the lack of transparency. While the latter is indeed lamentable, and is known
to be a contributing factor in increasing risk, vulnerabilities do exist in
any system, including transparent ones (e.g., OpenSSL). Still am not seeing
any evidence of malice by this vendor, as "providing a full set of entrenched
vulnerabilities, user espionage tools and privacy-evading mechanisms" would
perhaps imply. Vendors have a hard time with security. Chip vendors are no
different, only the stakes are higher.

~~~
zAy0LfpBZLC8mAC
The important point is that in the case of OpenSSL, anyone who wanted to know
could know, and plenty of people knew. Not the specific vulnerabilities, but
the horrible quality of the code base was not just something that you could
discover by looking at the source, it is something that plenty of people did
discover. Also, obviously, anyone could in principle fix vulnerabilities they
find in OpenSSL, without any need to wait for the OpenSSL project or anyone
else to do anything.

------
jacquesm
I'd think that would have to be some rtos used in cars or other consumer
products.

------
fibo
LOL, so who wins the Tanenbaum–Torvalds debate?

~~~
tpeo
Everybody loses.

------
zulrah
so microkernel is finally a thing!

------
Annatar
You mean you discovered that firmware is bad? Good! Now search for Bryan
Cantrill’s latest video on the torment of debugging closed source firmware...

