Intel CPU? Then you're running Minix

Post by Pjotr »

Rather nasty news:
https://www.networkworld.com/article/32 ... intel.html

Now the question is: what can Linux Mint do to protect us from an unpatched Minix? :shock:
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
karlchen

Re: Intel CPU? Then you're running Minix

Post by karlchen »

<Provided the Minix story is true>
Patched or unpatched Minix:
Linux Mint cannot do anything to protect us, because ring -3 is inaccessible to Linux Mint. So it is to Ubuntu, Debian, Windows or any other operating system.
More interesting question:
Who is Big Brother who has got access to this hidden operating system, the management system and the web server, potentially from outside our machines? Intel, various secret services, organized crime? (whereby the difference between the latter two is minor)
</Provided the Minix story is true>
Faust

Re: Intel CPU? Then you're running Minix

Post by Faust »

Pjotr wrote:......what can Linux Mint do to protect us from an unpatched Minix?
Very little I fear .
Any attempt via software would be limited to Ring 0 ( zero ) ie. the kernel , and that is not enough.
I've been investigating this issue for some time now ( as the dates of my links show ) and it is extremely difficult to combat.
Libreboot is not going to help us here .

At the hardware level there is this method to physically disable IME
https://hackaday.com/2016/11/28/neutral ... nt-engine/

But even for a highly experienced hardware tech , it is daunting .

For SandyBridge and IvyBridge platforms
https://hardenedlinux.github.io/firmwar ... ridge.html

I suggest that anyone wanting further information on the wider implications of this problem should watch this presentation
by Joanna Rutkowska:
" Towards (reasonably) trustworthy x86 laptops"
https://www.youtube.com/watch?v=rcwngbU ... tml5=False

And there is more to read here :-
https://recon.cx/2014/slides/Recon%2020 ... hinsky.pdf
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

Thanks for posting this, really interesting and good to know. My intel cpu is too old a model to likely be affected by this (going on 8yrs). Still really glad you brought it to people's attention. Plus the link about Google's comments in your link are really interesting to me and something I'll be planning to review and possibly apply.

Does AMD engage in similar ? Overall yeah, it's moderately disturbing the way this is set up. Not planning on losing much sleep over it. Anyone has to acknowledge it's a tad weird for Intel to do this. To lowest level difficult to access firmware.

Self quote from a recent thread about privacy/security etc.
In fact, with so many of our electronics manufactured overseas, by this and that government or who knows who companies. Have often wondered if they come out of the box preloaded with such exploits already, like at the lowest firmware levels. No expert on the topic but can see something like that being difficult even for experts to detect and correct. This is my uber-paranoid side typing. Overall this is filed under my things that go bump in the night and make you go hmmmmmmm section. :D

One more, open source being well AMAZING, AWESOME and UNBELIEVABLE stuff that it is, people are even developing open source firmware options, such as coreboot and parallels. Could come a day when you even have the option of having your hardware's lowest level firmware be open source and fully able to be audited. Am sure they have a long way to go and many obstacles to overcome but people are trying.
Had long since concluded such low level issues could already be widely deployed. Definitely disturbing and kind of aggravating, esp with such a major player in computing such as Intel now having been confirmed doing something along these lines.
Last edited by lmintnewb2 on Sun Nov 05, 2017 9:13 am, edited 1 time in total.
151tom

Re: Intel CPU? Then you're running Minix

Post by 151tom »

.
Last edited by 151tom on Fri Nov 23, 2018 1:36 pm, edited 1 time in total.
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

^ +1 Him ... doubting I'll be buying new very seldom if even ever anymore. Though sooner or later even a savvy gnu/Nixer with a preference for buying used is going to run into this as dated hardware cycles out and mentioned in previous comment here believe similar to this has likely been going on for a long time already.

Assume AMD is doing something similar. Even highly knowledgeable and skilled gnu/Linux users are not likely to audit and/or replace bios/uefi-firmware or the firmware running a major system component like its processor. Would have to be a time consuming and borkage fraught endeavor even for such competent computer users. Here's a kind of related and interesting link someone provided about this topic on another forum.
Faust

Re: Intel CPU? Then you're running Minix

Post by Faust »

My ambition , and that of many researchers around the world , is to have a truly stateless machine with up-to-date hardware .
As things stand right now , that is a near impossible task .

Hardware manufacturers and M$ and Apple ( just for starters ) all have a vested interest in preventing us from ever having such a machine .

This is from the highly informative libreboot website
https://libreboot.org/faq.html#intelme

"It is extremely unlikely that any post-2008 Intel hardware will ever be supported in libreboot, due to severe security and freedom issues; so severe, that the libreboot project recommends avoiding all modern Intel hardware. If you have an Intel based system affected by the problems described below, then you should get rid of it as soon as possible. "

Are AMD involved in this type of activity ?
I have not seen any reliable evidence , only rumors , but that proves nothing .... so my guess has to be " Yes "
This raises an interesting question for me -

Where might we look in future for reliable MOBOs without backdoors ?

It would have to be a nation with sufficient technical and industrial capabilities , and one which will be most definitely unhappy
about having their current hardware backdoored by American tech giants .
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

Mentioned already and another poster did too. Doubt it's just restricted to US ( other govt's are no doubt getting into the action too.) Some officially sanctioned, other non-authorized parties getting in on it too possibly. With so much manufactured in foreign countries, in particular the East. High potential for groups like the Yakuza or Chinese Triad showing interest in this type of thing for cyber crime applications.
michael louwe

Re: Intel CPU? Then you're running Minix

Post by michael louwe »

Pjotr wrote: .
.
AFAIK, the Intel Management Engine/vPro(IME) is a feature present only in high-end Business PCs using high-end Intel CPUs since around 2005, ie not present in non-high-end Consumer computers. AMD also have a similar feature for their high-end Business processors = AMD Platform Security Processor. ...
https://chiefio.wordpress.com/2017/02/0 ... rocessors/

This IME feature allows businesses' IT Department to remotely manage their computers which may be located in faraway local branches and foreign branches. The IT Admin can remotely wake up such a powered-off computer which has to be still attached to the AC wall outlet and then do anything with it, including reinstalling the OS or do a System Image recovery. This IME feature has to be activated at both ends for it to work and the remote computer must be attached to the AC wall outlet.

As with any Remote Access feature, it can be opened to misuse(by Intel) and hacking, especially the quite vulnerable Windows Remote Desktop Protocol feature which allows IT Admins to remotely access their running servers and office computers from anywhere.
... My home-router also has a Remote Management feature which allows the ISP's personnel to trouble-shoot problems from their office = my router may be open to misuse by the ISP's personnel. Of course, I have already disabled my router's RM feature.

... .... To prevent any shenanigans, the affected consumers with IME can always unplug their computers from the AC wall outlet after use, eg those who have bought refurbished Wintel Business PCs.

So, I think the overall risk is quite remote.
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

^ Not from what's stated and inferred in that link given by Pjotr. Out of curiosity had to fire up google and see where Richard Stallman stands on it. Couple links quickly came up, one and two. Apparently the guy isn't pleased with Intel.

Consider myself mostly safe from this issue on this relic of a laptop due to how aged its processor is. Still more than up to my computer uses. Though may also be experiencing some earlier approach Intel used to the management engine in newer Intel stuff and just be blissfully unaware of it for the time being too. Arghhhhh !
Tomgin5

Re: Intel CPU? Then you're running Minix

Post by Tomgin5 »

Very interesting!
Good points and exactly the reason I picked up this scraptop. Nice keyboard and even with a single core and only 1 gig of RAM runs LM18.2 cinnamon 32 just fine.

penguin@penguin-MS-1012 ~ $ inxi -Fxzd
System:    Host: penguin-MS-1012 Kernel: 4.10.0-38-generic i686 (32 bit gcc: 5.4.0)
           Desktop: Cinnamon 3.4.6 (Gtk 3.18.9-1ubuntu3.3) Distro: Linux Mint 18.2 Sonya
Machine:   System: MICRO-STAR INT'L product: MS-1012 v: 0121
           Mobo: N/A model: N/A Bios: American Megatrends v: A1012IMS VB.80 date: 06/24/2005
CPU:       Single core Intel Pentium M (-UP-) cache: 2048 KB
           flags: (nx pae sse sse2) bmips: 3192 speed/max: 1596/1862 MHz
Graphics:  Card: Intel Mobile 915GM/GMS/910GML Express Graphics Controller bus-ID: 00:02.0
           Display Server: X.Org 1.18.4 drivers: intel (unloaded: fbdev,vesa) Resolution: 1280x800@65.28hz
           GLX Renderer: Mesa DRI Intel 915GM x86/MMX/SSE2 GLX Version: 1.4 Mesa 17.0.7 Direct Rendering: Yes
Audio:     Card Intel 82801FB/FBM/FR/FW/FRW (ICH6 Family) AC'97 Audio Controller
           driver: snd_intel8x0 ports: d000 cc00 bus-ID: 00:1e.2
           Sound: Advanced Linux Sound Architecture v: k4.10.0-38-generic
Network:   Card: Realtek RTL-8100/8101L/8139 PCI Fast Ethernet Adapter
           driver: 8139too v: 0.9.28 port: e800 bus-ID: 01:03.0
           IF: enp1s3 state: unknown speed: 100 Mbps duplex: full mac: <filter>
Drives:    HDD Total Size: 160.0GB (4.4% used) ID-1: /dev/sda model: ST9160821A size: 160.0GB
           Optical: /dev/sr0 model: HL-DT-ST DVD-RW GCA-4080N rev: 0A31 dev-links: cdrom,cdrw,dvd,dvdrw
           Features: speed: 24x multisession: yes audio: yes dvd: yes rw: cd-r,cd-rw,dvd-r state: running
Partition: ID-1: / size: 146G used: 5.5G (4%) fs: ext4 dev: /dev/dm-0
           ID-2: /boot size: 472M used: 117M (27%) fs: ext2 dev: /dev/sda1
           ID-3: swap-1 size: 1.06GB used: 0.10GB (9%) fs: swap dev: /dev/dm-1
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 51.0C mobo: N/A
           Fan Speeds (in rpm): cpu: N/A
Info:      Processes: 160 Uptime: 6 min Memory: 511.2/990.6MB Init: systemd runlevel: 5 Gcc sys: 5.4.0
           Client: Shell (bash 4.3.481) inxi: 2.2.35 
penguin@penguin-MS-1012 ~ $ 

Of course it has a WIFI card that nothing recognizes. :mrgreen:
It might be a good candidate to entice various NSA or Snowden's :mrgreen:
jimallyn

Re: Intel CPU? Then you're running Minix

Post by jimallyn »

Maybe the Chinese will clone Intel processors, but without the malware. Or maybe somebody could build a processor from gate arrays? Or maybe somebody could build a PC with an ARM or MIPS processor, which is, presumably, not similarly compromised? Or PowerPC? Perhaps the geeks will figure out how to disable all the malware on all Intel processors currently in the wild?

I am not at all happy about this. Must be nice having so much market share that you can do this sort of thing to your customers.
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

^ Yeah ... me either and share your sentiments. Not even saying Intel is absolutely up to anything malicious, it's just that there's no way, at least for us mere-mortal non supergeeks to even have a clue. So yeah ... kinda natural to assume it's nefarious, shrugs.

It's just not that simple by any stretch. Even to someone with my (VERY) limited understanding of it. When dealing with proprietary closed source software, in particular talking about something which operates at the absolute lowest levels of a computer's function is just a murky pool in which even HIGHLY qualified techies may not have access. Prospect of them ever being able to reverse engineer all this stuff ? Plus people like the Chinese are not world renowned for human rights in regards to privacy etc for their own citizens, much less anyone else.

Folks are working on open source firmware ie: Libreboot etc etc and open source firmware to make cpu(s) or whatnot work properly. Again though so many potential pitfalls and obstacles involved it has to be a mind boggling undertaking for them, much less the people trying to use the products of their efforts. Is intel or firmware makers EVER going to open source their software. Sure ... just about the time it starts raining unicorns and $100 dollar bills. :D

Disturbing ... just nothing I can really effectively do about it coming to mind. Arghhhh !
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

Ok one more on this, why not ? This is what caffeine and gnu/Linux forum addiction will do to a person. :( Not pretty to look at ... eh ? :(

Ironically SECURITY is one of the reasons firmware and component makers will repeatedly cite as a reason they don't allow more transparency and access to the software involved. Saying that if we were to make such information public, then all these bad people will have open access and be able to look for exploits in the software easily. Whereas with open source, more people have access to the source code, more eyes, more people to find and patch holes or offer improvements etc.

So OEMs say we aren't helping the bad people but aren't letting the good guys in either. Which honestly makes much sense to me. They don't want their competitors being able to review it and possibly improve their own stuff or learn from and make their stuff better. Ie: Theoretically say I/we were Intel, we've spent $15 bazillion dollars having inhouse techies engineer and design xyz technologies and software which runs the chips.

Open source it, xyz-competitor ( who didn't pay a penny in development etc etc) gets full access to look it over, learn and potentially reap many benefits from how the software involved functions. Again without having to invest a dime in development.

Also have to consider deployment and application that'd be involved. Plus across many different form factors and platforms. Let's use the average window$ user for example. It becomes known that xyz-bios etc has a massively severe security hole in it. How long between it becoming public knowledge and people actually taking any action to correct it ? Way it would go imo, is some small percentage of the affected window$ users would have the knowledge/awareness to fix it themselves, some other smallish % would take it into a tech-shop and ask them to do it and the vast majority would shrug and get on with life w/o bothering to lift a finger etc. Long before actually seriously considering flashing their bios.

Just another 2 cents, taken with my previous posts, am up to like 8 cents on this ! Yay ! :D Anyone got a link on caffeine and Nix forum addiction ? Perhaps a 12 step program or something, I'm on a serious bender lately !
earthlingkc

Re: Intel CPU? Then you're running Minix

Post by earthlingkc »

Doesn't disabling AMT solve this? There are Windows tools to disable AMT supposedly at the BIOS level if not directly available via BIOS. If AMT is disabled from Windows, will it be disabled when booting Linux?
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

All I can say is I want to install and run Minix as an OS on my lappy ! Ya know what they say, if ya can't beat em ... install Minix properly on your lappy o course. :P
michael louwe

Re: Intel CPU? Then you're running Minix

Post by michael louwe »

@ earthlingkc, .......
earthlingkc wrote:Doesn't disabling AMT solve this? There are Windows tools to disable AMT supposedly at the BIOS level if not directly available via BIOS. If AMT is disabled from Windows, will it be disabled when booting Linux?
.
Better to disable Intel ME/AMT at the BIOS level through the Intel MEBx setting, which is accessed by pressing Ctrl+P after POST startup, as per this link ...
http://www.thinkwiki.org/wiki/Intel_Act ... logy_(AMT)

Intel ME/AMT is enabled by default. Many home-users have bought refurbished Wintel Business PCs at very cheap prices and are not aware of the need to disable this deep Remote Access feature and/or unplug their computers from the AC wall outlet when not in use. This Intel feature can be hacked by hackers or abused by Intel(backdoor for the NSA.?). ... https://thehackernews.com/2017/05/intel ... ility.html

Computers with Intel ME/AMT, when running Windows, can have an Intel Management and Security Status Tool(IMSS) installed to configure Intel AMT from within Windows, as per ... https://software.intel.com/en-us/articl ... ntel-amt-9

I think it is mostly companies who are actively using Intel ME/AMT to remotely manage their computers/servers who are vulnerable to being hacked by hackers or abused by Intel.
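
Related to the question of what Linux sees after ME/AMT is changed in the firmware setup, here is a way to check from a Linux Mint terminal which ME-related PCI functions are exposed to the OS. This is an added example, not part of any post in this thread; the function names and the sample `lspci -nn` lines are constructed for illustration.

```shell
#!/bin/sh
# Classify Intel ME-related PCI functions from `lspci -nn` output on stdin.
# Prints one line per finding: "<slot> <kind>", where kind is
#   mei = host interface to the Management Engine (MEI/HECI)
#   kt  = AMT serial-over-LAN port ("KT Controller")
classify_me_devices() {
    awk '
        # Only Intel devices (PCI vendor ID 8086) are of interest.
        !/\[8086:[0-9a-f]+\]/ { next }
        # Class 0780 = communication controller, where the MEI function lives.
        /\[0780\]/ && /(MEI|HECI|Management Engine)/ { print $1, "mei"; next }
        # Class 0700 = serial controller; the AMT one is named "KT Controller".
        /\[0700\]/ && /KT /                          { print $1, "kt" }
    '
}

# Reduce the findings to one word:
#   amt-functions = an AMT redirection function is visible to the OS
#   me-interface  = only the ME host interface is visible
#   not-visible   = nothing ME-related is enumerated on the PCI bus
me_summary() {
    found=$(classify_me_devices)
    case "$found" in
        *" kt"*)  echo "amt-functions" ;;
        *" mei"*) echo "me-interface" ;;
        *)        echo "not-visible" ;;
    esac
}

# Constructed sample input, shaped like `lspci -nn` on a business laptop.
sample_lspci() {
cat <<'EOF'
00:00.0 Host bridge [0600]: Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0104] (rev 09)
00:16.0 Communication controller [0780]: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 [8086:1c3a] (rev 04)
00:16.3 Serial controller [0700]: Intel Corporation 6 Series/C200 Series Chipset Family KT Controller [8086:1c3d] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation 82579LM Gigabit Network Connection [8086:1502] (rev 04)
EOF
}

# Demo on the constructed sample. On a real machine run instead:
#   lspci -nn | me_summary
sample_lspci | me_summary
```

A result of `not-visible` only means the firmware does not expose these PCI functions to the operating system; it does not show that the ME itself is absent or switched off, since the OS cannot inspect it directly.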
lmintnewb2

Re: Intel CPU? Then you're running Minix

Post by lmintnewb2 »

Random resource on the subject that am too tired to lookup again, said AMT is often enabled but not provisioned by default. Apparently such provisioning being required for remote exploits. At least the known serious one that's been going around for quite a while. This looks to have some good info and links related to the topic.
Lucap

Re: Intel CPU? Then you're running Minix

Post by Lucap »

Intel are going to make it harder by 2020 to modify the Bios but my post got moved.
Moem

Re: Intel CPU? Then you're running Minix

Post by Moem »

Yes. For those interested, it's here.