Puppy Linux Discussion Forum
The EFF on Intel's Management Engine (CPU inside the CPU)
souleau



Posted: Tue 09 May 2017, 15:01    Post subject: The EFF on Intel's Management Engine (CPU inside the CPU)
Subject description: An urgent call to provide means to disable or limit it.
 

From the article:

Quote:
Since 2008, most of Intel’s CPUs have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.


https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
Flash
Official Dog Handler



Posted: Tue 09 May 2017, 19:49

By sheer dumb luck, I've only owned AMD machines. Was this management engine intended to control the scheduling of multi-core CPUs? I always wondered how that was done.
s243a


Posted: Wed 10 May 2017, 00:48

Flash wrote:
By sheer dumb luck, I've only owned AMD machines. Was this management engine intended to control the scheduling of multi-core CPUs? I always wondered how that was done.


I don't think it's an immediate concern. From the article:

"Not every machine is susceptible to the attack. For it to work, AMT has to have been both enabled and provisioned (commonly AMT is enabled but not provisioned by default)."

but this could change very quickly:
"But if there is even a single, minor flaw in that second system, you now have a devastating security disaster, because your main computer, by design, can't tell you what that second system is doing, nor can it override the instructions that the supervising system sends it -- once that supervising system is compromised, it's game over.

Intel won't tell us how to disable ME altogether for lots of reasons, but a big one is surely the fact that they've sold lots of entertainment companies on the promise of using ME for DRM -- for example, to stop you from running a program that converts one of the W3C's DRM-locked video streams into a download. Letting you shut down this back door into your computer -- and your whole digital life -- would also eliminate the means by which Intel plans to stop you from watching TV the wrong way. This is a terrible trade-off."
http://boingboing.net/2017/05/09/management-engine.html
s243a


Posted: Wed 10 May 2017, 09:46

Here's something interesting:

Quote:

While these may be useful to some people, it should be up to hardware owners to decide if this code will be installed in their CPUs or not. Perhaps most alarmingly, there is also reportedly a DRM module that is actively working against the user’s interests, and should never be installed in an ME by default.

For expert users on machines without Verified Boot, a Github project called ME cleaner exists and can be used to disable a Management Engine. But be warned: using this tool has the potential to brick hardware, and interested parties should exercise caution before attempting to protect their systems. A real solution is going to require assistance from Intel.

https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
Moose On The Loose



Posted: Thu 11 May 2017, 10:36

Flash wrote:
By sheer dumb luck, I've only owned AMD machines. Was this management engine intended to control the scheduling of multi-core CPUs? I always wondered how that was done.


Linux controls the dividing of tasks among the available threads (2 per core).

The coordination of access to shared resources like the path to RAM is done too fast for something coded to do. That bit is done by hardware with logic that looks like:

if A wants access and B is not using it then A gains access
if B wants access and A is not using it then B gains access
if both A and B want access, "flip a coin" and give it to one of them
otherwise anyone who wants access waits

The "flip a coin" logic is usually a mysterious chain of flip flops and logic gates that really does something like alternate who gets priority. The real trick is in making sure that the "A gains access" signals don't glitch when both CPUs make the request. In something as fast as a modern computer, you can't count on the timing of the requests not being less than the time for a flip-flop to change state.

The new CPUs from AMD are looking better and better. I figure that if someone makes a motherboard that holds perhaps 4 of them and a few TB of RAM it would be ideal for running puppy on for doing scientific computing. I may have to one day recode my FFT routine so that it works for more than 2 billion data points.
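A small C model of the four-rule arbiter described in the post above, added here as an illustration (it is not code from the post or from the forum). It assumes the "flip a coin" step is a one-bit priority that alternates after every contested grant, and it checks the both-request case before the single-request rules so that the two "gains access" outputs can never fire in the same cycle.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical model of the two-requester arbiter described in the post.
 * Assumption: the "flip a coin" rule is a one-bit priority that alternates
 * after every contested grant (what a round-robin flip-flop chain does). */
enum grant { GRANT_NONE = 0, GRANT_A = 1, GRANT_B = 2 };
struct arbiter {
    enum grant holder;    /* who owns the shared resource, GRANT_NONE if free */
    bool a_has_priority;  /* the "coin": who wins the next contested cycle */
};

void arbiter_init(struct arbiter *ab) {
    ab->holder = GRANT_NONE;
    ab->a_has_priority = true;
}

/* One clock cycle: each side asserts or drops its request; returns who holds
 * the resource afterwards. Checking the contested case before the two
 * single-request rules keeps both "gains access" outputs from firing in the
 * same cycle, the glitch the post warns about. */
enum grant arbiter_step(struct arbiter *ab, bool req_a, bool req_b) {
    /* A holder that stops requesting releases the resource. */
    if ((ab->holder == GRANT_A && !req_a) || (ab->holder == GRANT_B && !req_b))
        ab->holder = GRANT_NONE;
    if (ab->holder != GRANT_NONE)
        return ab->holder;                          /* rule 4: others wait */
    if (req_a && req_b) {                           /* rule 3: flip the coin */
        ab->holder = ab->a_has_priority ? GRANT_A : GRANT_B;
        ab->a_has_priority = !ab->a_has_priority;   /* alternate priority */
    } else if (req_a) {
        ab->holder = GRANT_A;                       /* rule 1 */
    } else if (req_b) {
        ab->holder = GRANT_B;                       /* rule 2 */
    }
    return ab->holder;
}

int main(void) {
    /* Constructed request pattern: A alone, contention while A holds, A leaves,
     * both idle, then two contested cycles to show the priority alternating. */
    static const bool pattern[][2] = {{1,0},{1,1},{0,1},{0,0},{1,1},{0,0},{1,1}};
    static const char *name[] = { "none", "A", "B" };
    struct arbiter ab;
    arbiter_init(&ab);
    for (size_t i = 0; i < sizeof pattern / sizeof pattern[0]; i++)
        printf("cycle %zu: reqA=%d reqB=%d -> %s\n", i, pattern[i][0],
               pattern[i][1], name[arbiter_step(&ab, pattern[i][0], pattern[i][1])]);
    return 0;
}
```

Running it prints one line per cycle; the two contested cycles at the end are granted to A and then to B, which is the "alternate who gets priority" behaviour the post describes.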