Intel Management Engine runs on MINIX 3 OS

by Mark Tyson on 6 November 2017, 13:01

Tags: Intel (NASDAQ:INTC), Google (NASDAQ:GOOG)


There is growing unrest concerning the scope of, and potential for mischief arising from, the Intel Management Engine built into modern Intel processors. Back in May the EFF published an article about how, since 2008, most of Intel’s chipsets have shipped with “a tiny homunculus computer called the ‘Management Engine’ (ME)”. This controller, the article reported, has direct access to system memory, the screen, keyboard, and network. Intel markets AMT (Active Management Technology) as an enterprise feature, and it has been enabled on Core vPro and Xeon processors for years.

Earlier in the same month there was a security scare about Intel AMT-equipped processors which allowed "an unprivileged attacker to gain control of the manageability features provided by these products". Intel subsequently published a firmware fix to block the dangerous remote access issue, but because the vulnerability had been present for nine years the fix could not reach everyone: some hardware is simply so old that it is no longer supported, or its maker has gone bust.

A recent article published by Network World, via TechPowerUp, has now revealed that the OS behind Intel’s ME is MINIX 3. MINIX is a Unix-like OS developed by Andrew Tanenbaum as an educational tool and it is extremely compact yet powerful.

On an Intel CPU with AMT, MINIX is said to be running in Ring -3 on its own CPU, ROM and RAM within the Intel SoC. You have no access to Ring -3; the most privileged ‘Ring’ you have any access to is Ring 0, the OS kernel level, and most applications you use run in Ring 3 (that’s positive 3). Importantly, the following features are available to the MINIX 3 OS operating at this low level:

  • Full networking stack
  • File systems
  • Many drivers (including USB, networking, etc.)
  • A web server
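Because the ME sits below the operating system and carries its own network stack, the first thing a defender usually wants to know is whether a given host exposes the ME's host-side interface at all. The following is an added example, not code from the article, Intel or MINIX: a small Linux inventory check that looks for the Management Engine Interface (MEI, also labelled HECI on some chipsets) in `lspci` output and for `/dev/mei*` device nodes. The `lspci` wording, the device path and the sample output are assumptions about common Linux behaviour, not facts stated on this page, and the sample `lspci` text is constructed so the script runs offline.

```python
"""Inventory check for the Intel Management Engine host interface.

Added example (not from the article). Assumptions: on Linux the ME's host
interface shows up in `lspci` as a 'Communication controller' whose name
contains 'MEI' or 'HECI', and the mei kernel driver creates /dev/mei* nodes.
Finding the interface means the ME firmware is present and reachable by the
OS; it does not by itself tell you whether AMT has been provisioned.
"""
import glob
import re
import subprocess
from dataclasses import dataclass, field

# Name fragments commonly used for the ME host interface in PCI descriptions.
_MEI_PATTERN = re.compile(r"\b(MEI|HECI)\b", re.IGNORECASE)


@dataclass
class MeInventory:
    pci_devices: list = field(default_factory=list)   # matching lspci lines
    device_nodes: list = field(default_factory=list)  # /dev/mei* nodes found

    @property
    def present(self) -> bool:
        """True if either the PCI function or a device node was seen."""
        return bool(self.pci_devices or self.device_nodes)


def find_mei_controllers(lspci_output: str) -> list:
    """Return the lspci lines that describe an MEI/HECI controller.

    Only 'Communication controller' entries are considered, so unrelated
    devices whose names happen to contain the same letters are not reported.
    """
    hits = []
    for line in lspci_output.splitlines():
        if "Communication controller" in line and _MEI_PATTERN.search(line):
            hits.append(line.strip())
    return hits


def find_mei_device_nodes(pattern: str = "/dev/mei*") -> list:
    """Return any mei character devices created by the kernel driver."""
    return sorted(glob.glob(pattern))


def inventory(lspci_output: str = None) -> MeInventory:
    """Build the inventory; runs `lspci` itself when no output is supplied."""
    if lspci_output is None:
        try:
            lspci_output = subprocess.run(
                ["lspci"], capture_output=True, text=True, check=False
            ).stdout
        except FileNotFoundError:  # lspci not installed
            lspci_output = ""
    return MeInventory(
        pci_devices=find_mei_controllers(lspci_output),
        device_nodes=find_mei_device_nodes(),
    )


# Constructed sample lspci output for offline use (not captured from a real host).
SAMPLE_LSPCI = """\
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers (rev 07)
00:14.0 USB controller: Intel Corporation Sunrise Point-H USB 3.0 xHCI Controller (rev 31)
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-LM (rev 31)
"""

if __name__ == "__main__":
    result = inventory(SAMPLE_LSPCI)
    print("ME host interface present:", result.present)
    for dev in result.pci_devices:
        print("  PCI:", dev)
    for node in result.device_nodes:
        print("  node:", node)
```

Run it without arguments on a real Linux host (`inventory()`) to use the live `lspci` output. A positive result is the cue to check the vendor's firmware update status for the platform and, where AMT is not wanted, whether the BIOS offers a way to leave it unprovisioned.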

Understandably, security-minded individuals and organisations don’t want to deal with a potential security hole at Ring -3 which is left to Intel and its hardware partners to maintain via BIOS updates.

For individuals, Purism has been working to develop Linux PCs with the Intel Management Engine disabled. Purism has started to ship its secure ‘Librem’ laptop products which don’t use Intel AMT.

In other news, organisations like Google also want to remove (PDF) the MINIX OS from the CPUs in their server machines because of security concerns. As Network World emphasises, Intel should consider removing the feature or making it easy to disable; otherwise huge customers like Google might decide on a different CPU supplier or architecture.



HEXUS Forums :: 5 Comments

Go with AMD instead.
Is it the Management Engine that's responsible for the whole Coffee Lake compatibility thing?
I.e. could this result in some interesting hacking of chipsets?
Biscuit
Is it the Management Engine that's responsible for the whole Coffee Lake compatibility thing?
I.e. could this result in some interesting hacking of chipsets?
No. It's been in every mainstream Intel chip since around 2008.
spacein_vader
No. It's been in every mainstream Intel chip since around 2008.
I know that, but isn't it also the element of the system that limits Kaby Lake chipsets working with Coffee Lake CPUs? Didn't someone from Asus say that if Intel updated the Management Engine, there would be compatibility?
Biscuit
…Didn't someone from Asus say that if Intel updated the Management Engine, there would be compatibility?

Yes:
bit-tech: So if you wanted and Intel let you, you could make Z270 compatible?

Andrew: Yes, but you also require an upgrade from the ME and a BIOS update. Intel somehow has locked the compatibility.
http://www.bit-tech.net/features/tech/motherboards/asus-interview-andrew-wu-rog-motherboard-pm/1/
Baking DRM into their backdoor sounds like a typical Intel thing to do.