Purism, Intel and Minix


#1

I was reading this article showing that Purism disabled Intel ME on their laptops, which was explained here. Then I came across an interesting tidbit that indicates that Intel ME may be running Minix. So, that may mean that any Intel-based PC is, at a low level, running an open sourced OS.

I didn’t understand much of what I read, but thought that, maybe, by posting it here and if a discussion resulted, I could understand more? Maybe? Or not?? :slight_smile:


#2

According to this article, Google is working to remove Minix based ME from Intel systems. It mentioned that it is a closed version of the OS. That has me scratching my head. Thoughts on that?

There is a fear of attackers being able to access the underlying OS. And since it has access to most, if not all, of the hardware, that would be frightening.


#3

A bit old is Minix - but it had its appearance last year.

source: https://imgur.com/gallery/Qe71a


#4

Sounds like you got it. It’s pretty fucking impressive actually. Intel are running their AMT system on a Minix stack in ring -3 (the lowest you’ll ever get to is ring 0 with a regular OS, and ring -1 if you’re accessing hardware VT-x/AMD-V virtualisation instructions; ring -2 is where UEFI lives) to corral management jobs and sensor data without bothering the OS that you’re actually intending to run on the CPU. Oh, and ring -3 isn’t even running on the CPU; there’s a separate CPU core in the same package (most recently, a 32-bit Intel Quark SoC).

The tricky bit is that there are now published vulnerabilities in the management stack, allowing password bypass to a system that includes capabilities such as remote consoles, both serial and graphical, a web interface to the management stack, and remote ISO mounting over emulated IDE or USB (depending on the age of the system).

So this is actually pretty fucking scary. But it doesn’t have to be. AMT is present on virtually every x86 CPU Intel have made for years, but it isn’t enabled by default on every x86 computer ever shipped. To be vulnerable, you need to have a “vPro” compatible system (supported CPU and chipset, supported network chipset), with the Intel AMT package installed in the BIOS, and with the AMT options enabled.

Let’s check some of my local systems to see if they’re nominally vulnerable …

neuro@intrepid:~$ neofetch | grep -e Host -e CPU | cut -d: -f2- && lspci | grep -e MEI -e HECI
 10AW009QUK ThinkCentre E73
 Intel i3-4150 (4) @ 3.500GHz
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)

Yup …

neuro@mojave:~$ neofetch | grep -e Host -e CPU | cut -d: -f2- && lspci | grep -e MEI -e HECI
 3237A1G ThinkCentre M92P
 Intel i5-3470T (4) @ 3.600GHz
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series Chipset Family MEI Controller #1 (rev 04)

Yup …

neuro@memoryalpha:~$ neofetch | grep -e Host -e CPU | cut -d: -f2- && lspci | grep -e MEI -e HECI
 HP ProDesk 400 G3 SFF
 Intel i7-6700 (8) @ 4.000GHz
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)

Aaaaaaaaaand yup.

But here’s the thing; I have management options disabled in BIOS on all of these machines. So they’re fine. There are additional steps you can take while your computer is switched on, such as firewalling TCP/UDP 16992 and 16993, and block them at your border as well for when your computer is switched off, but the important part is disabling the management systems in your BIOS.

And this isn’t even about anything mental like arbitrary code execution, it’s just a password bypass into the ME interface itself, rather than the lower level RTOS part (and this is where we find Minix again). Yes, they can fuck with your installed OS and bootloader, but … shit, that’s still really bad, right?

So. Turn off AMT. That’s it. You’re safe. From this, at least.
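The two checks from the post above (ME interface present on the PCI bus, AMT ports 16992 and 16993 reachable), as an added example that is not part of the original post. The function names, the constructed lspci sample and the 3-second timeout are assumptions; `audit_host` is meant to be run from a second machine against a host you administer.

```bash
#!/usr/bin/env bash
# Added example: AMT exposure audit helper (not from the original thread).

# AMT ports named in the post above.
AMT_PORTS="16992 16993"

# Constructed sample, in the format of the lspci output shown in the thread.
sample_lspci() {
cat <<'EOF'
00:14.0 USB controller: Intel Corporation Sunrise Point-H USB 3.0 xHCI Controller (rev 31)
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-LM (rev 31)
EOF
}

# Read lspci text on stdin; print "slot<TAB>device" for each ME host interface.
me_interfaces() {
    awk '/MEI|HECI/ {
        slot = $1
        sub(/^[^ ]+ [^:]*: /, "")   # drop "slot class: " and keep the device name
        print slot "\t" $0
    }'
}

# Try a TCP connect to host:port; print "open" or "closed".
# "closed" covers refused, filtered and timed-out connections.
amt_port_state() {
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# One line per AMT port for a host you administer.
audit_host() {
    local host=$1 port
    for port in $AMT_PORTS; do
        printf '%s tcp/%s %s\n' "$host" "$port" "$(amt_port_state "$host" "$port")"
    done
}

# Demo on the constructed sample; on a real machine use: lspci | me_interfaces
sample_lspci | me_interfaces
```

An `open` result for either port after AMT has been disabled in the BIOS means the setting did not take effect or something else is listening there.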


#5

Intel has now confirmed there are security issues with its ME system. They are leaving it up to manufacturers to fix the issue.


#6

System76 is releasing firmware that will disable ME. They say it has no functionality for its customers.


#7

isn’t M.E. something to do with bein’ too much with the lobsters ?

Celebrating another Workaversary @system76 loving my job, company and rows! Cheers to more years to come! pic.twitter.com/8doOpAwthX

sys76 (@SocialHappiness) January 20, 2018 click for pic.

:statue_of_liberty::woman_juggling::chipmunk::chipmunk::crab:

