Replacing x86 firmware with Linux and Go (lwn.net)
498 points by dankohn1 11 months ago | 127 comments



And to think that posting about Intel ME on HN only a couple years ago would have commenters swarm you with accusations of being a deluded conspiracy theorist. Neat. It's good that people are finally becoming aware of the problems that it poses.


Really? Every thread on HN I've seen about ME has been hordes of people lamenting the fact that you can't buy a processor without it.


I share GP's opinion. Snowden changed a lot. The internet really has a global passive attacker that can control US-based companies like puppets, and is doing so.

William Binney said the companies are paid money for providing data and access. How is that not subsidizing that industry? Financial aid is a first-class reason for other governments to impose duties, restrict international trade and subsidize local competitors. Yet, there is no reaction in Europe. Microsoft can freely sell their OS and Intel is free to have their monopoly, and uses that to backdoor everybody.

It is creepy that European countries don't take action.

LiMux was a good example of moving in the right direction. Recently it was abandoned. I didn't see big unseen powers at play there, just the harsh reality that most people don't understand computers and don't care.


> global passive attacker that can control US-based companies like puppets, and is doing so.

And... this is where the deluded conspiracy theorist accusations the upthread poster was complaining about come from.

There's no evidence for any of that[1]. The ME's capabilities (low level system controller with access to all memory and hardware, with special access to network hardware that can operate cleanly along with a running OS) have been known and even advertised by Intel for years. The news of the moment is that it's subject to a few rather embarrassing exploits.

But that's rather better explained by incompetence instead of evil. Yet everyone jumps to "back door" because that sounds more fun I guess. (In fact, to the extent there is evidence of government involvement here, it's in the opposite direction: the NSA appears to have demanded an "off switch" for the ME).

[1] Edit to clarify: I'm talking about the ME folks. Yes, the government does bad things. The EC flaws under discussion in this subthread are not among them, so citing them as evidence paints you as a conspiracy nut and not someone serious about security.


> Yet everyone jumps to "back door" because that sounds more fun I guess.

IME is (by construction) a backdoor. Its primary purpose is as a management tool, but all management tools are by necessity backdoors. The only distinction between the two is whether the person using the backdoor has ownership over the machine.

> In fact, to the extent there is evidence of government involvement here, it's in the opposite direction: the NSA appears to have demanded an "off switch" for the ME.

It also shows that the NSA is in communication with Intel and is capable of getting them to implement something that large corporations like Google were unable to convince them to do. Which should be concerning, because it makes you wonder what else the NSA might've asked as well.

Also these really aren't conspiracy theories anymore. We know that the NSA and CIA do these sorts of things thanks to the information we learned from Snowden and other whistleblowers.


No, the Snowden leaks showed that NSA did do something, not that it does every malicious thing that people accuse it of. How does it help anything by making unfounded accusations?

Historically, Australia has heavily interfered in PNG affairs. Should you be accused of espionage or subversion if you decide to hike a portion of the Kokoda Trail?

Would it be appropriate for Indigenous People to accuse you of attempting to steal their children, a practice that occurred until the 1970s?


> No, the Snowden leaks showed that NSA did do something, not that it does every malicious thing that people accuse it of. How does it help anything by making unfounded accusations?

It shows they'll do anything within their power, legal or illegal, in order to get at more people's data. Of course they have involvement with this, why wouldn't they?

> Historically, Australia has heavily interfered in PNG affairs. Should you be accused of espionage or subversion if you decide to hike a portion of the Kokoda Trail?

> Would it be appropriate for Indigenous People to accuse you of attempting to steal their children, a practice that occurred until the 1970s?

Bizarre points in support of your initial comment I think.


They have zero context for an American, but the parent poster was Australian. If I had used American analogies, the point would have been lost.

You're right that anyone else should be mystified.


> Of course they have involvement with this, why wouldn't they?

I think you give them too much credit and unnecessarily slander Intel, which has little reason to go along with NSA (no large DoD contracts, almost all consumer and B2B market).

Also, you overestimate the amount of resources NSA has. If they have enough money to overcome Intel's appetite for risk, then why doesn't the NSA just run every single internet and hardware service out there? Your threat model needs to have bounds. It's worthless if you expect the adversary to have unlimited resources.


Overestimate the amount of resources? Wikipedia:

> In 2012, the NSA said more than 30,000 employees worked at Fort Meade and other facilities.[2] In 2012, John C. Inglis, the deputy director, said that the total number of NSA employees is "somewhere between 37,000 and one billion" as a joke,[4] and stated that the agency is "probably the biggest employer of introverts."[4] In 2013 Der Spiegel stated that the NSA had 40,000 employees.[5] More widely, it has been described as the world's largest single employer of mathematicians.

Let's assume they have 30,000 employees and the large majority of them are highly educated; that would make it one of the largest organizations on Earth in terms of intellectual capital.

In terms of actual budget it's obviously classified, but estimations are probably around 10 billion USD per year.

https://www.globalsecurity.org/intell/library/budget/index.h...

That's not a small budget by any feat, and we know they operate huge data centers for surveillance, so they are certainly not a "passive" intelligence agency.


Wal-Mart has more employees, is it more powerful? Number of employees is a negative metric. It means the NSA has less ostensible secret bribe money.

Throwing up a big number is dazzling, but when you look at what the NSA does with that $10B, there is a limit. For example, the supposed 40k employees already eat up $3.2B, assuming an extremely charitable average fully-loaded cost of $80k per employee.

Including facilities and supercomputer costs, this rapidly dwindles.

That leaves maybe $5B for bribes, according to your accounting. Is that enough to subvert everybody?

> they are certainly not a "passive" intelligence agency

What is this addressing? Are you attempting to change the goal posts? The topic is ostensible unlimited NSA resources to corrupt every proprietary technology.


> Wal-Mart has more employees, is it more powerful?

I doubt Wal-Mart has as many highly educated employees as the NSA. Numbers don't mean anything by themselves, but if you hire thousands of mathematicians they are bound to deliver more than Wal-Mart in the data science and cryptography department.

> Including facilities and supercomputer costs, this rapidly dwindles.

Well, considering the overall surveillance budget of all secret agencies constantly increases, it does not seem that they will ever lack funding.

> That leaves maybe $5B for bribes, according to your accounting. Is that enough to subvert everybody?

Why would you need bribes when you have the Law and the full might of government power behind you? If you can convict of high treason anybody who speaks publicly about what the NSA does, why would anyone at Google, Microsoft or other companies working with the NSA have any incentive to say anything?

> The topic is ostensible unlimited NSA resources to corrupt every proprietary technology.

Resources are not only money. When you work for the government (and furthermore for the military establishment), as I said earlier, you can bring down a whole new level of pressure that money itself cannot buy. If that were not the case, then a bunch of secrets (take for example everything related to nuclear testing in the US) that were only revealed way, way after the fact would have emerged much earlier in all likelihood.


> If you can convict of high treason anybody who speaks publicly about what the NSA does, why would anyone at Google, Microsoft or other companies working with the NSA have any incentive to say anything?

This is where your rhetoric is getting ahead of the facts. The Snowden leaks were published in American newspapers. Company officers from each of those businesses publicly berated the NSA. FBI national security letters did force companies to disclose information about foreign intelligence targets, but this is not because of secret NSA powers, it's from a law passed by Congress.

> When you work for the government (and furthermore of the military establishment), as I said earlier, you can bring down a whole new level of pressure that money itself cannot buy.

What does the military have to do with Software-as-a-Service providers? Can you name an instance when the modern military provided a chilling effect or seriously impacted these services?


> This is where your rhetoric is getting ahead of the facts. The Snowden leaks were published in American newspapers.

Snowden is being prosecuted under the Espionage Act, the reporters were threatened repeatedly by the authorities, The Guardian was forced to destroy their copies of the Snowden Archives, etc etc.

Also, just because the "secret NSA power" of National Security Letters is a tool made legal by Congress doesn't change the ethics concerns relating to their use.


> How does it help anything by making unfounded accusations?

You can only conservatively assume the worst, since they operate in complete secrecy with pretty much a blank check from the Federal Government, and prevent anyone from disclosing what they actually do. And take into account that even the Snowden revelations were not the full picture; there are documents that were still not released from what he passed on to journalists.

And it's in their agency's interest to go above and beyond the Law, and to lie about it like they did before the Congress hearing. They will do every malicious thing given the opportunity because that's their core mission. Unless you assume they are grossly incompetent at it.


It's hard not to assume the worst, especially when you have no concrete reports on their capabilities. And when assessing the threat it creates, you can't really ignore the possibilities opened up by that lack of knowledge.


But you have tons of concrete reports from the Snowden leaks and prior leaks. Dual_EC RNG is the worst example anyone can think of, something that has been red-flagged since 2007.

Assuming a supposedly* adversarial agency has unlimited resources and ability will only cause you to focus on that threat instead of more immediate ones. Or worse, make you needlessly complacent when there is so much that can be done to harden against APTs and other, more immediate threats.

* supposedly because if you're a U.S. citizen, the government works for you. If you're outside of FVEY (AU,CA,UK,US,NZ) and are a government official, military member, have interesting technical infrastructure, or operate an interesting company, then yes you should include NSA in your threat model.


Dude, you're acting like Snowden leaked that shit in the fifties.


> There's no evidence for any of that.

Oh there is: Dual_EC_DRBG, and that took years to get proof. Also, NSA and AT&T room 641A, plus the packet interdiction programs of the NSA - and I mean physical packets containing DC hardware, that then was modified by NSA.

And we don't have any overview what the US government forces companies and people with NSLs to do... only the sliver of info we got with the Lavabit case.


I wouldn't say that there's no evidence of this behavior: https://en.wikipedia.org/wiki/Dual_EC_DRBG. We also have a fair amount of evidence that there have been attempts in China to implement hardware back-doors.


> There's no evidence for any of that.

Have you heard about PRISM? Have you heard about Lavabit? Have you heard about the FISA court and its practice?

> But that's rather better explained by incompetence instead of evil.

Having the ME in all products, not deactivatable and not replaceable, is not a trivial thing to do, so it surely isn't incompetence. What is it then?


> [ .. ] not deactivatable, and not replaceable ...

Because they don't want people bricking their computers.


There are other ways to prevent bricking. For that you don't need an updatable and extensible OS with Ring0-invisible access to network and hardware. And even if bricking were possible, so it is with many other computers, so what?

I have yet to hear a good reason for the ME that makes it possible to argue that it is not for backdooring of and having power over all x86 machines.


> the NSA appears to have demanded an "off switch" for the ME).

This is not incompatible with them encouraging or exploiting a back door, and it is strong evidence that ME is a security risk.


There is already overwhelming evidence of abuse of power, bad faith and surveillance. Attempting to brush it aside as 'incompetence' is brazenly disingenuous.

What's the point of asking for more 'evidence'? Do you expect Snowden levels of sacrifice and disclosures every month?

Apologists will continue to do this until it's too late to do anything about surveillance, at which point they will shrink into the thicket and leave everyone else hanging onto a surveillance state.

Those who care about surveillance, privacy and democracy have every responsibility to be alert and act now.


Inslaw, PROMIS, and the murder of Danny Casolaro indicate you are wrong.


Do you think that the U.S. government has enough money to influence Intel and Microsoft? It is the other way around: both companies spend tens of millions on lobbyists.

William Binney said something. Does it mean that it applies to all companies? Did he mention which companies? Is he a credible source for things that occurred after he left NSA? Is he even a credible source outside his expertise?

Do you think that European countries don't take action? What would you call the anti-trust suit against Google, GDPR, anti-tax haven lawsuit against Apple, and other actions?

Having a narrow set of news sources can lead a reasonable person (you) to your conclusion. I urge you to look at a variety of sources. Some good ones: Der Spiegel, Al Jazeera, NPR, The Economist, The Wall Street Journal, The South China Morning Post.


You ask interesting questions.

> Do you think that the U.S. government has enough money to influence Intel and Microsoft?

I think the government uses (legal) force and threats to get what they want. The laws are in place to leave no options for the company. The money is more a compensation than a bribery. It could make the companies comply without needing to go nuclear. Also, it supports local companies.

> It is the other way around: both companies spend tens of millions on lobbyists.

Do these lobbyists have any influence on the FBI, CIA, NSA, etc., either directly or remotely through the government? I don't think so.

> William Binney said something. Does it mean that it applies to all companies? Did he mention which companies? Is he a credible source for things that occurred after he left NSA? Is he even a credible source outside his expertise?

All companies? I don't know, and it doesn't even matter. He talked about his time at the NSA. I consider him a credible source, since I have no reason not to.

> Do you think that European countries don't take action? What would you call the anti-trust suit against Google, GDPR, anti-tax haven lawsuit against Apple, and other actions?

Yes, I think they don't take sufficient and adequate action. The GDPR is a good step, but the race is not won by a step. It reminds me of an anti-corruption office in a one-party communist regime. A good thing, but not enough.

Please don't meddle this with taxes. That is a totally different outrageous clusterfuck.


> Do these lobbyists have any influence on the FBI, CIA, NSA, etc., either directly or remotely through the government? I don't think so.

These agencies have their budgets set by the U.S. Congress. I think you're unfamiliar with the composition of the United States government.

> I consider him a credible source, since I have no reason not to.

What makes him a credible source? His claim to fame is THINTHREAD, not cash deals with companies. Are you saying that if a man says something that aligns with your world view, but is outside of his expertise, you'll still believe the statement? That doesn't sound honest.

> Yes, I think they don't take sufficient and adequate action

Then why claim that the EU won't take any action when you admit they do in the next reply?

This is the problem with discourse on most of the internet. People make extreme claims to make a point. But that's not a reasoned argument. You're venting, not arguing. That belongs on Reddit and 4chan, not here.


Up until a few weeks ago, people speculated the firmware blobs included a small amount of low-level bootstrap code used to configure IO and to switch from 16 bit to other modes etc.

Nobody suggested there was a parallel multi-process operating system running, with full bus arbitration, and mmio capability.

Edit. Not sure why I am being downvoted reddit style. Every time these threads come up, it's necessary to trot out an explanation of the basic differences between ARC core, PSP, ARM Cortex and TrustZone etc., and who uses what technology, what is known about the software/OSes that are running (JVM versus MINIX, AMT versus ME etc.), what is new knowledge, what is official, and what has been uncovered from private research. I base my statements about lack of general awareness on these topics from actually following HN submissions.

Just a few days ago, someone in a thread was speculating on using low-level op-codes in bootstrap code to subvert the BIOS, apparently in complete ignorance of the depth of the embedded stack.


Information about the previous CPU architecture on the Intel ME has been widely available for years. It was an ArcCompact CPU running ThreadX:

https://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub


Where is Minix OS mentioned? How many preemptive processes are running? Which orgs - internal or external to Intel have review-power or signoff on the code running ?


Why would posting about a product that was publicly available and advertised by a company be a conspiracy?


You don't need to think ME is a secret NSA backdoor to know it's a terrible "feature" from security point of view.


You'd think if the ME truly wasn't nefarious that Intel would offer chips without it and capitalize on the extra features in the enterprise market. I've yet to encounter anyone who actually wants it.


It's also a convenient place to put in all the things they don't want to hard wire. Which gets more every day.

Need to maintain crypto keys for SGX enclave memory? Do it in the ME. Need to do some extra stuff on suspend/resume? Do it in the ME. Not sure if any other special handling might require updates at a later date? Do it in the ME. ...

There's no need for nefarious purposes to explain why the ME isn't optional anymore - it's just more convenient.


Need to add/remove/read the system's crypto keys? Do it in the ME.

Need to monitor/hack the computer when the users think it is "powered off"? Do it in the ME.

Need to add other "features" to the system in the future? Do it in the ME.


Those are the concerns around the ME. But those motivations aren't necessary to explain the presence of the ME. Occam's razor and all that.


> I've yet to encounter anyone who actually wants it

Ignoring the security concerns, the remote access, imaging, etc, are actually pretty nice. Better done than most 3rd party IPMI implementations.

If it were open and documented, and able to be turned off, it would have value.


It's in part used for DRM. You've probably used it if you've watched BluRays or Netflix over 720p.


I am genuinely asking: how is Intel ME related to watching movies on Netflix? Would you mind elaborating a little bit?


AFAIU, it's used in the HDCP encryption negotiation.


Yup. There's also rumours it holds the secure enclave equivalent, so getting root into this means you're double fucked:

https://twitter.com/mjg59/status/932730696614813696


Given Intel's announcement: https://security-center.intel.com/advisory.aspx?intelid=INTE...

> Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).

It seems like there's a reasonable chance of that being the case.


Link to Intel's announcement isn't working. Might be a server-side issue ¯\_(ツ)_/¯


Apparently it needs to have appended &languageid=en-fr to work [1]

[1] https://security-center.intel.com/advisory.aspx?intelid=INTE...


Several corporations use it for Lights-Out management or on laptops to ensure data security compliance.

The things for which you actually want a backdoor in your server to control it from. Maybe even in the face of an attacker who has gained full control of both software and hardware.


I would love a potential employer/recruiter to woo me with, "Your choice of non-backdoor-ed laptop that respects your privacy." I would at least give them a phone call for that line.


What is private about a company laptop? Your own laptop shouldn't be backdoored, but I think it's irrational to expect that a laptop owned by the company won't be managed by that company.


I don't expect it. That's why if a company offered it to me I would be impressed. It would speak volumes that they:

A) Trust their employees

B) Respect my privacy

C) Aren't paternalistic


I say it also has to do with them just not caring about what their users want. You’re still gonna buy an x86 processor and AMD has their own ME-like tool too. What are you gonna do, run your desktop on ARM or RISC-V?


Would be good to have a low performance riscv motherboard with something like a PCI bus. Then, run an x86 daughter card. Early arm systems (acorn RISC pc) could house a 486 daughter card like this, and you could run Windows on it in a box. Have one at home.


And even with ARM (I'm not familiar with RISC-V), you're likely going to have binary blobs for critical drivers.


Worse, in Qualcomm chips you have essentially the same OS as in AMD "Secure" Processor. Trustonic TEE OS. Handling ARM "Trust"Zone.


> I say it also has to do with them just not caring about what their users want.

Why are people buying their products?


Because the only alternative is AMD, who, until Ryzen, was lacking in performance quite a bit.


In that case, it actually goes against your "they don't care about their users" narrative. Or maybe they partially care about their users.

Anyway, I see some value in the features that ME provides, and so I'm not as anti-ME as a lot of the commenters on here. But obviously, I want the security bugs to be fixed too.


What I was trying to say is that Intel doesn’t really have a financial incentive to have non-ME SKUs because, besides the majority of users not caring, those who do care don’t really have any other options.


Sadly, the main reason IMO this isn't possible is not just that desktop software is designed for the x86 instruction set, but that it's designed for lots of RAM and CPU usage, when it could be slimmer.


I want it. Wearing multiple hats at a small company, I have to occasionally reimage machines and this would make it very useful for me.


You've already got it! If you are reimaging physical machines, most server class machines have IPMI features that allow reimaging.


I would gladly trade in raw 30% performance from my Intel chip for some other platform that did not have American corporate/Deep State/NSA interests behind it.

I just want a minimum bootloader (open source) that boots into Linux - that's it. No "Enterprise management" crap, no NSA crap.

I don't think I have any options. I certainly wouldn't buy Chinese or Russian, and I'm not aware of any EU member state having anything in the works either - but I think it's time we started seriously considering this.

Google/Amazon/Microsoft have the muscle to actually do something about this, but no motivation. I'm surprised that they even trust Intel - it would take one high-profile security breach to turn their respective Cloud Computing businesses upside down - people are already jittery.

I don't know if IBM Power is the solution, or ARM, but it's become abundantly clear that you can't trust Intel or AMD, or the x86 platform, anymore.


"Google/Amazon/Microsoft have the muscle to actually do something about this, but no motivation. I'm surprised that they even trust Intel - it would take one high-profile security breach to turn their respective Cloud Computing businesses upside down - people are already jittery."

We know that Google don't have unlimited trust in Intel: they replace the firmware, are talking about how they are trying to defang IME, and continue to maintain investments in the POWER architecture, even though AFAIK they have no public products that use it.


TWRP is open source, and allows you to boot into Linux. There's ChromeOS (Linux). Samsung's busy with DeX and Linux on Galaxy. There's some experimentation done with convergence elsewhere at Microsoft (Continuum) and Ubuntu. It all depends what you want to run on it.

If you want a POWER workstation and are OK with not running on x86-64 (or x86-32) then there's the Talos II workstation [1] [2]. It comes with a hefty price tag (IIRC 3.7k USD). Peanuts for a lot of US-based developers, but for many others in the world it just isn't affordable. You say 30% raw performance would be OK. This is not 1.3x more expensive than an x86-64 workstation. It is a lot more...

It also depends on your threat modelling. If you believe that Intel ME is out there, remotely exploitable by XYZ (NSA, evil hackers, ???), then a number of people and groups have a lot to worry about. Groups and people high up in chains. We're talking about developers of software, developers who build software in end user products (those are 2 large groups already), and a whole plethora of other groups which are the foundation of our society.

And it is locally and remotely vulnerable, which Intel patched yesterday [3]. What I don't know is if this patch should be applied, or if it should be used to get rid of Intel ME.

[1] https://www.raptorcs.com/TALOSII/

[2] https://www.crowdsupply.com/raptor-computing-systems/talos-s...

[3] https://security-center.intel.com/advisory.aspx?intelid=INTE...


I'm interested in the computers from Talos, but so far I have not heard from anybody who has one. On their website it says that it is not yet shipping; you can just pre-order.


I would challenge the "no motivation" part given that the speaker that gave this talk works at Google.


Both Facebook and Google are working at disabling ME. They make no secret that they do not trust it.

NSA & other US orgs receive hardware without ME already.

Surveillance is for the rest of us.


> Both Facebook and Google are working at disabling ME. They make no secret that they do not trust it.

I'm aware of Google's work with Coreboot and Chromebooks, but not Facebook's. Can you tell us anything?


I don't know of fb's direct involvement in any ME related stuff, but they do develop openbmc which is a replacement for proprietary bmc firmware. BMC isn't quite as nefarious as ME though, and is optional anyway.


I think he's referring to the Open Compute Project.


> Surveillance is for the rest of us.

Who has been spied on using Intel ME?


It requires some serious web traffic analysis and honeypots to detect the attempt. That is assuming they would use remote access and not use ME locally. That would be even harder to prove once the malware uninstalls itself.


Yeah, I fully understand that it's not easy to detect this. But I'd also like to make an informed decision based on evidence, not speculation. So far I've seen bugs being reported that require the user to enable and provision AMT, which are quite serious, but entirely avoidable by keeping it disabled.

Anyway, I'm happy to read more about it if you have any additional info.


In security we work on addressing vulnerabilities, reducing the attack surface, prevention and so on. We don't wait for evidence that a vulnerability is being exploited.

This is especially true for cryptography, where a cryptosystem used today has to resist theoretical attackers that can use hardware that will exist decades from now.


Sorry, I can't understand what point you're replying to. To me, it sounded like you claimed it was being used for surveillance. I'm happy to go through the evidence if you have any.


Can anyone ELI5 how two additional OSs can run network stacks without interfering with each other and the user OS networking?

I assume ME and UEFI use DHCP to get their addresses yet my modem/router only shows the one from my user OS.

Where do they get the drivers for whatever NIC happens to be installed? Do the motherboard vendors have to put blobs in place during manufacturing?


If the stacks each get transport layer copies of what's incoming and the hidden stack gets to also see all that is outgoing and produce its own frames, it should not be hard, and I think that's the level of interference we should assume at least. The hidden stack could listen in on DHCP communication to figure out what address to assume and act on any incoming packets as necessary, and until it actually sends something it would be invisible to your network. When it does send something it could then easily be with one of the addresses assigned to the non-hidden stack.

It is not much different in concept from a normal layer 1 switch. Everything gets repeated and the recipients discard what they're not interested in.


The fact that ME and UEFI have network stacks doesn't mean that they are always active. And yes, there is NIC support embedded in the firmware. This is how you're able to PXE boot or bring up the NIC after booting the EFI shell, for example.


To get the network capabilities of the ME, the machine has to have a compatible NIC, AFAIK.


This is a good reason to buy a machine that is not all Intel (or all anything else)


I'd like to know about this, too.


The Go portion of this -- a Go-based Linux userspace -- sounds very interesting, but not directly related to all the firmware stuff, unless I misunderstand.

Anybody got some good links about the Go userspace?



https://github.com/u-root/u-root

Let us know if you have any questions. There's a slack channel (see contributing.md) where Ron and I are pretty active.


Hi,

I have kind of a "FOSS diplomacy" question: is the kernel core team involved in this effort, or is it something totally third party to them? (The purpose of this question being to know if the Linux core team gets involved in Go programming.)


Ron's been beating on this drum for years, and I'm glad that the wider world finally seems to be catching on.


Go is a compiled language, but it is often used for scripting. Minnich uses it that way "all the time"; he stopped writing Bash scripts years ago in favor of Go. It is "easier and more reliable" to write scripts in Go.

Interesting.

Also, the NERF (basically "negate most of UEFI", in particular the extensibility) firmware using Linux has an initramfs containing all the user-space stuff as uncompiled Go, and a compiler which compiles on the fly.


> Some people say to switch to AMD processors, but that is not really a solution now. Ryzen is touted to be open, but that is not truly the case, there are still closed parts.

Can anyone elaborate, please? How does AMD compare to Intel's problems with the ME?


Prior to Zen-based processors, there are a decent number of offerings under the Opteron and AMD's embedded SoC families (possibly others, but these are the ones I'm familiar with) which did not contain ME-like capabilities. Projects like Coreboot generally have pretty good support for these AMD parts. For an embedded example, see the PCEngines APU2 boards: http://pcengines.ch/apu2.htm

Zen-based parts from AMD have their PSP (Platform Security Processor), which I believe is generally a dedicated Cortex-A series CPU within the silicon to do many security-related things. Its functionality is similar to some of what the ME provides on Intel parts.


Actually AFAIK the APU2 SoC includes a PSP already, the APU1 is still free of that. But even the APU1 SoC has a small LM32 core that you have no source for, see Rudolf Marek's CCC talk "AMD x86 SMU firmware analysis".



Thanks!


They call it Platform Security Processor and not Management Engine.


> The user-space piece is all written in Go, which is generally more trusted than C within Google

Someone should read "On Trusting Trust" and note its author…


You can get around that by cross-compiling. I think in this day pulling something like that off on a compiler as popular as Go would get noticed.

Anyway that issue is orthogonal to the language choice.


Doesn't the ME firmware do power saving, suspend, restore, etc.?


1) Not at all. Tables are in UEFI. Control is in kernel space. It can remotely issue a boot or shutdown command among others. Probably hard shutdown too considering the watchdog.

2) Only in so far as it goes into power saving mode itself. (Which is kind of fake, does not disable magic networking junk.)

3) Like in any other boot if unhibernating. Does not touch suspend which is handled in UEFI.


I understand the urge to remove networking capabilities, but why do privacy folks freak out about the entireties of UEFI/ME/SMM? It's a fact that the hardware is the one with control of the system at boot, and you're always at the mercy of the vendors in terms of bad code (whether intentional or otherwise). You can't get rid of hardware-specific code, and you also don't have any control over the designs of the chips. Both of those are places where it will always be possible to do something nefarious if the vendor feels like it. Unless you feel like fabricating your own chips from scratch, at some point you have to trust all these layers. Why suddenly freak out when it comes to new layers?


Because SMM can be disabled. UEFI can potentially be replaced, and should renounce direct hardware access after initialization and driver disable. The ME cannot be disabled, and has both networking and direct memory access bypassing even the IOMMU, running in the background.


> UEFI should renounce direct hardware access after initialization and driver disable

I don't follow. If it's nefarious then doesn't having control in the beginning already screw you? And if not, but if it gets compromised, then can't it be programmed not to do that?


Did you follow yesterday's news? The ME is remotely vulnerable, has full control over the machine, and it's not even clear that it can be upgraded in a secure way.

Why wouldn't you be interested in turning it off?

And why would you classify people who'd rather not be running remotely vulnerable code they can't control as "privacy folks"?


> The ME is remotely vulnerable,

Could you please post a link on that? I read about the AMT bugs, which require the user to manually provision it.


http://cve.circl.lu/cve/CVE-2017-5712

Summary: Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege

EDIT: I'm not sure this was the one the GP was referring to.
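For anyone triaging their own fleet against the families quoted in that CVE summary, here is an added Go example (not from the thread, the article or u-root) that parses an ME firmware version string and reports whether it falls in one of the listed families. It assumes the version string is in the usual "major.minor.hotfix.build" form, optionally prefixed with an index and a colon as the Linux mei driver prints it in /sys/class/mei/mei0/fw_ver (both the format and that sysfs path are assumptions of this example; the fallback sample version is constructed). A family match only means "go read the vendor advisory for the fixed build", not that the machine is exploitable, and as noted above the remote path needs AMT to be provisioned.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// family is one "major.minor" (or "major.x") entry from the CVE summary.
// Minor == -1 matches every minor version of that major.
type family struct{ Major, Minor int }

// Firmware families named in the CVE-2017-5712 summary quoted above:
// 8.x, 9.x, 10.x, 11.0, 11.5, 11.6, 11.7, 11.10 and 11.20.
var affectedFamilies = []family{
	{8, -1}, {9, -1}, {10, -1},
	{11, 0}, {11, 5}, {11, 6}, {11, 7}, {11, 10}, {11, 20},
}

// parseMEVersion extracts major and minor from strings such as
// "11.6.27.3264" or "0:11.6.27.3264" (assumed formats, see lead-in).
func parseMEVersion(s string) (major, minor int, err error) {
	s = strings.TrimSpace(s)
	if i := strings.Index(s, ":"); i >= 0 {
		s = s[i+1:] // drop the "N:" index prefix the mei driver adds
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unrecognised ME version %q", s)
	}
	if major, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, fmt.Errorf("bad major in %q: %v", s, err)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, fmt.Errorf("bad minor in %q: %v", s, err)
	}
	return major, minor, nil
}

// InAffectedFamily reports whether version belongs to a family the CVE
// summary lists. It says nothing about whether the specific build is fixed.
func InAffectedFamily(version string) (bool, error) {
	major, minor, err := parseMEVersion(version)
	if err != nil {
		return false, err
	}
	for _, f := range affectedFamilies {
		if f.Major == major && (f.Minor == -1 || f.Minor == minor) {
			return true, nil
		}
	}
	return false, nil
}

// readSysfsVersion reads the first version line the mei driver exposes.
// The path is an assumption of this example.
func readSysfsVersion() (string, error) {
	b, err := os.ReadFile("/sys/class/mei/mei0/fw_ver")
	if err != nil {
		return "", err
	}
	return strings.SplitN(string(b), "\n", 2)[0], nil
}

func main() {
	v, err := readSysfsVersion()
	if err != nil {
		// Constructed sample so the program runs on machines without a mei device.
		v = "11.6.27.3264"
		fmt.Println("no mei sysfs version found, using constructed sample:", v)
	}
	hit, err := InAffectedFamily(v)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(2)
	}
	fmt.Printf("ME firmware %s: in a family listed by CVE-2017-5712 = %v\n", v, hit)
}
```

Run it as root on a Linux box with the mei driver loaded to read the real version; anywhere else it falls back to the constructed sample so the logic can still be exercised.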



I did follow the news about being remotely vulnerable. That's why I said I'd understand the urge to remove the networking stacks. Other vulnerabilities would require local access.

> Why wouldn't you be interested in turning it off?

I'm not asking why you'd be interested in it, I'm asking why you'd freak out so much about it given X/Y/Z are already true and you can't do anything about them. There's a bit more nuance in my argument than you're giving me credit for here.

> And why would you classify people who'd rather not be running remotely vulnerable code they can't control as "privacy folks"?

I already excluded the part about remote vulnerability. See first point above.


I've been wondering if there would ever be a killer feature that would make ARM-based servers really compelling, and now I'm starting to think that we have one. Intel are handing ARM a massive opportunity with the IME issues.


Am I missing something or is the next step going to be Intel making ME impossible to remove without bricking your CPU? If so, seems like these efforts are fairly futile if they'll only work for the current gen of processors.


It is already impossible to remove the ME. If one does, then the system either doesn't boot at all or reboots after 30 minutes. All you can do is to apparently cripple it on some models.


Am I correct in believing the AMD variant of this is 'Trustzone'[0]? If not, does AMD have something similar?

[0]: https://www.arm.com/products/security-on-arm/trustzone


AMD PSP (Platform Security Processor) is what you're looking for. Essentially the same thing as the ME, just for AMD processors.


It is now called AMD Secure Processor.


Thanks!


ARM != AMD


Woops yeah, I realise that. I just saw a reference somewhere from AMD + Trustzone and clicked on the first link I found :D Sorry


Is there any link to that talk?

Edit: yes at the end of the article https://www.youtube.com/watch?v=iffTJ1vPCSo&list=PLbzoR-pLrL...


Linux has MILLIONS of lines of code. Please don't. EFI is already bloated as it is.

Support efforts like coreboot instead. And FFS, firmware should not persist once the operating system boots. Persistent firmware is cancer.


> Linux has MILLIONS of lines of code. Please don't. EFI is already bloated as it is.

Well, if you're going to run Linux anyway, running Linux as your firmware + bootloader doesn't increase your attack surface. And, it can be argued that e.g. the Linux networking stack is more battle tested than the UEFI one.

> Support efforts like coreboot instead.

Ron Minnich is the father of coreboot. If it were possible to run coreboot on modern Intel server platforms, I'm certain that's what he would propose. As a sibling commenter mentioned, he views NERF as a backup solution if using coreboot isn't possible.

> And FFS, firmware should not persist once the operating system boots. Persistent firmware is cancer.

In NERF, the Linux kernel burned on the flash rom kexec()'s the final distro kernel. IOW, it replaces itself by the new kernel, it doesn't linger around in the background.


"He was also asked about the relationship of this work to coreboot. Minnich said that coreboot should always be preferred, but it has not been available for server platforms for 12 years. So he would suggest that developers "always use coreboot if you can", but if not, look at NERF."

I know some people like being retro with old ThinkPads but 12 year old servers are a bit much.


A board specific Linux build is smaller than a board specific EFI build. Yes, it's that bad.

Also, Linux in firmware is either the final OS, or - more likely - a kexec step into the actual OS. In the latter case, there's no persistent firmware since the old Linux is gone.
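Both of the comments above describe the same handoff: the Linux kernel in flash kexec()s the distro kernel and then no longer exists. Here is an added Go example (not code from the article, the thread or u-root) of what the firmware userspace can do right before that step: hash the next-stage kernel and initrd, compare them against digests that shipped in the firmware image, and only then invoke kexec. Everything about it is an assumption of this example: that the kexec-tools binary is present in the initramfs (u-root has its own implementation), that the expected digests are stored with the firmware rather than on the mutable boot partition, and the sample files it writes under a temporary directory are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
)

// Handoff names the next-stage kernel and the digests the firmware expects.
// In a real build the digests would be baked into the flash image alongside
// the firmware kernel, so an attacker who can write /boot cannot change them.
type Handoff struct {
	Kernel, Initrd, Cmdline    string
	KernelSHA256, InitrdSHA256 string // lowercase hex
}

// fileSHA256 streams a file through SHA-256 and returns its hex digest.
func fileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify checks both artefacts before anything is loaded and returns the
// kexec-tools argv a real init would run for the load step.
func (h Handoff) Verify() ([]string, error) {
	checks := []struct{ path, want string }{
		{h.Kernel, h.KernelSHA256},
		{h.Initrd, h.InitrdSHA256},
	}
	for _, c := range checks {
		got, err := fileSHA256(c.path)
		if err != nil {
			return nil, err
		}
		if got != c.want {
			return nil, fmt.Errorf("%s: sha256 %s, expected %s", c.path, got, c.want)
		}
	}
	return []string{"kexec", "-l", h.Kernel, "--initrd=" + h.Initrd, "--append=" + h.Cmdline}, nil
}

// Run performs the two kexec steps (load, then execute) only if Verify passes.
// After "kexec -e" succeeds this process and the firmware kernel are gone,
// which is the "does not linger around" property discussed above.
func (h Handoff) Run() error {
	argv, err := h.Verify()
	if err != nil {
		return fmt.Errorf("refusing handoff: %w", err)
	}
	if out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput(); err != nil {
		return fmt.Errorf("kexec -l failed: %v: %s", err, out)
	}
	return exec.Command("kexec", "-e").Run()
}

func main() {
	// Constructed stand-ins for a kernel and initrd; a dry run that never kexecs.
	dir, err := os.MkdirTemp("", "nerf-handoff")
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)
	k, i := filepath.Join(dir, "vmlinuz"), filepath.Join(dir, "initrd.img")
	os.WriteFile(k, []byte("constructed kernel image"), 0o644)
	os.WriteFile(i, []byte("constructed initrd image"), 0o644)
	ks, _ := fileSHA256(k)
	is, _ := fileSHA256(i)

	good := Handoff{Kernel: k, Initrd: i, Cmdline: "root=/dev/sda1 ro", KernelSHA256: ks, InitrdSHA256: is}
	if argv, err := good.Verify(); err == nil {
		fmt.Println("would run:", argv)
	}
	bad := good
	bad.KernelSHA256 = "0000" // simulate a tampered /boot
	if _, err := bad.Verify(); err != nil {
		fmt.Println("refused:", err)
	}
}
```

The point of the ordering is that the measurement happens in the firmware kernel, which the attacker controlling the disk cannot modify, before control passes to whatever is on the disk.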


> And FFS, firmware should not persist once the operating system boots.

Generally I agree with you, however there is one thing that cannot be done without a RAM-persisted firmware: any kind of power management. It's highly dependent on the specific chips (sometimes, chip revisions) on the motherboard, and while integrating even ultra low level stuff into the Linux kernel might help there, we see the consequences of doing so in the Android world: manufacturers do not have the time/money to get their code in a shape that's going to be accepted by the kernel community, so they fork it and the users are screwed.


RAM-persisted what? A table of hardware P-states and C-states per device? A flag to reinitialize buses and hardware and skip memory clear? Handling PCI and CPU reinit should be easy. It is not, because manufacturers are keeping critical parts under NDA or completely secret.


> A flag to reinitialize busses and hardware, skip memory clear

It's not just a simple flag - it's basic stuff like for example which clock pin is mapped to which clock consumer(s), which GPIOs on which pins are mapped to stuff like LEDs, the power/reset switch, which hardware interrupt line is mapped to which GPIO... all stuff that's best kept inside the BIOS where the manufacturer can easily patch it if needed in contrast to the Linux kernel with its notorious difficulty to get stuff accepted into mainline, much less into a kernel that actually runs on users' computers - think LTS users, for example. I can take a 2010 kernel and it will likely run fine on a recent x86 machine, but if I needed to wait for motherboard support to ship in kernel, that would be not very cool.

Yes, something like FDT would be nice but even on the relatively small ARM space it has its fair share of issues - I don't even want to think about having FDT in mainstream x86.


>there is one thing that cannot be done without a RAM-persisted firmware: any kind of power management.

Either do it in the OS, or do it in a separate CPU, such as a microcontroller.


Uhm... coreboot is the Linux kernel, just like this project, running that platform control module that normally runs via the Intel ME.

The big difference is Go on one side, and a small selection of config files to support a small/growing collection of hardware on the other.

Is this guy looking to use the existing kernel code, as coreboot does? Or is he going to add to it, to make the One Kernel to Rule Them Allz? Because I'm hearing the former, not the latter. I could be wrong.


coreboot is not the Linux kernel.


UEFI is larger than the Linux kernel (if you don't include drivers, because UEFI doesn't have drivers). And it has orders of magnitude more syscalls. So Linux is actually better than UEFI from a bloat standpoint.


That's a good point, actually, it'd be nicer to keep things separate and alive for only as long as needed.



