YetanotherHackerNewsdigest.com
HN Theater | HN Academy | HN Books

HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.
Rankings: this week · month (apr/may) · year (2024) · all time
digests · search

Hacker News Comments on
Replace Your Exploit-Ridden Firmware with Linux - Ronald Minnich, Google

The Linux Foundation · Youtube · 24 HN points · 13 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention The Linux Foundation's video "Replace Your Exploit-Ridden Firmware with Linux - Ronald Minnich, Google".
Youtube Summary
Replace Your Exploit-Ridden Firmware with Linux - Ronald Minnich, Google

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.

Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.

About Ronald G. Minnich
Ron Minnich is a Software Engineer at Google. He has contributed to many open source projects in the last several decades, including the Linux kernel (9p file system); the FreeBSD kernel (rfork); and Plan 9 (many different areas). He directed the team that ported Plan 9 to the Blue Gene supercomputers. He invented LinuxBIOS (now called coreboot) in 1999. He is one of the core contributors to the Harvey operating system. His most recent Linux Foundation talk was on how to build your own signed version of ChromeOS and resign your Chromebook with your personal keys in 2016.
HN Theater Rankings

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Intel had an opportunity to develop Zephyr as a usable RTOS, internally* and externally. If they thought that the technology was compelling, why did they let it go?

*(Intel's Management Engine is still around, running....Minix. https://www.youtube.com/watch?v=iffTJ1vPCSo)

They run in ring -2. Proprietary software with networking stacks, file systems, device drivers, web servers, all running in a mode more privileged than the operating system. There's also the Intel Management Engine with pretty much the same features but running in ring -3.

https://www.youtube.com/watch?v=iffTJ1vPCSo

als0
Only SMM drivers run in the proverbial "ring -2". Ordinary UEFI apps run at the same privilege level as the host OS (0), just like any bootloader.
There seems to be confusion about vPro, AMT, BIOS, UEFI, Trusted Boot, and so on.

This talk helped me: "Replace Your Exploit-Ridden Firmware with Linux"

https://youtu.be/iffTJ1vPCSo

> As someone who's worked in the consumer electronics industry for years, I think we desperately need to rethink our approach to Linux-based electronics with respect to both the userland and the primary application.

Google has created a stack called NERF (Non-Extensible Reduced Firmware) for this:

https://firmwaresecurity.com/2017/07/23/google-nerf-non-exte...

There's a presentation about it on youtube:

https://www.youtube.com/watch?v=iffTJ1vPCSo

There were investigating flashing the ME for their compute cloud processors [0] to avoid the possibility of an ME vulnerability being exploited, which would greatly harm their reputation.

[0] https://www.youtube.com/watch?v=iffTJ1vPCSo

Why so many haters? Just the fact that they've got Ron Minnich[0-1] on the team--one of the guys fighting the good fight against all of the voodoo BS in your Intel/AMD firmware--makes it worth a look IMHO.

[0] https://www.youtube.com/watch?v=iffTJ1vPCSo

[1] https://lwn.net/Articles/738649/

Is there any link to that talk?

Edit: yes at the end of the article https://www.youtube.com/watch?v=iffTJ1vPCSo&list=PLbzoR-pLrL...

Absolutely fantastic video from a google engineer (and the original author of LinuxBios / Coreboot) on how they replaced the UEFI firmware with Linux to get Dell servers to boot in 20 seconds:

https://www.youtube.com/watch?v=iffTJ1vPCSo

A recent talk [0] by Ronald Minnich from Google gives a nice overview of their efforts to replace parts of Intel ME and UEFI with Linux, mostly for security reasons.

[0] https://www.youtube.com/watch?v=iffTJ1vPCSo

Nov 07, 2017 · mmcclellan on An Open Letter to Intel
I first heard the Minix thing in this talk: https://www.youtube.com/watch?v=iffTJ1vPCSo which I found, I think via a HN thread. Anyway, most of the articles rehash this talk and IMO its a solid 30 minute investment.
Related talk and slides: https://www.youtube.com/watch?v=iffTJ1vPCSo https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...

Interesting Atom boards mentioned in the talk: https://minnowboard.org/

> Is this related to Purism announcing that they had successfully disabled the Intel Management Engine on their laptops? Or is that unrelated?

It is completely unrelated.

Intel ME is about a remote servicing interface that exists on all current Intel processors. While it has some usages for managing computers in a corporate setting or managing servers (keyword to look for: Intel Active Management Technology (Intel AMT), which needs Intel vPro), it exists on nearly all current Intel processors (except, I think, Intel, Quark; but this processor is built for completely different purposes). Thus there are rumors that it is a backdoor for, say, 3-letter agencies. I don't want to spread any rumors here, but just say: Because Intel ME is very large and complicated (according to https://www.youtube.com/watch?v=iffTJ1vPCSo 5 MB in size) it is a real concern that lots of security gaps will be found (and some have been found in the past), which, because of Intel ME's structure (according to https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit... it runs on ring -3) can easily lead to really dangerous security holes. Just for this reason alone any responsible admin should try to disable Intel ME so that this security liability does not have to stay open.

PRISM is a surveillance program by the NSA.

Because the schedule does not provide it, here's the direct link to the talk: https://youtu.be/iffTJ1vPCSo
Oct 27, 2017 · 24 points, 1 comments · submitted by maccam94
feelin_googley
This is quite good.

It is really about the presence of multiple Intel x86 CPUs on a single motherboard each running its own "kernel", but where the user only controls one of these kernels, and what control the user's kernel has over the hardware is easily subverted by the others.

   SMM - can disable
   UEFI - can replace
   ME - can remove components
   ISH - not discussed
   IE - not discussed
The crunched binary for intramfs is written in Go and yet only 5.9MB. No systemd. Everything, even init scripts, is written in Go.
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.
~ yaj@
;laksdfhjdhksalkfj more things
yahnd.com ~ Privacy Policy ~
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.