Hacker News Comments on
Replace Your Exploit-Ridden Firmware with Linux - Ronald Minnich, Google
The Linux Foundation · Youtube · 24 HN points · 13 HN comments
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.
Intel had an opportunity to develop Zephyr as a usable RTOS, internally* and externally. If they thought that the technology was compelling, why did they let it go?
*(Intel's Management Engine is still around, running....Minix. https://www.youtube.com/watch?v=iffTJ1vPCSo)
They run in ring -2. Proprietary software with networking stacks, file systems, device drivers, web servers, all running in a mode more privileged than the operating system. There's also the Intel Management Engine with pretty much the same features but running in ring -3.
⬐ als0
Only SMM drivers run in the proverbial "ring -2". Ordinary UEFI apps run at the same privilege level as the host OS (0), just like any bootloader.
There seems to be confusion about vPro, AMT, BIOS, UEFI, Trusted Boot, and so on. This talk helped me: "Replace Your Exploit-Ridden Firmware with Linux"
> As someone who's worked in the consumer electronics industry for years, I think we desperately need to rethink our approach to Linux-based electronics with respect to both the userland and the primary application.
Google has created a stack called NERF (Non-Extensible Reduced Firmware) for this:
https://firmwaresecurity.com/2017/07/23/google-nerf-non-exte...
There's a presentation about it on youtube:
They were investigating flashing the ME for their compute cloud processors [0] to avoid the possibility of an ME vulnerability being exploited, which would greatly harm their reputation.
Why so many haters? Just the fact that they've got Ron Minnich[0-1] on the team--one of the guys fighting the good fight against all of the voodoo BS in your Intel/AMD firmware--makes it worth a look IMHO.
Is there any link to that talk?
Edit: yes at the end of the article https://www.youtube.com/watch?v=iffTJ1vPCSo&list=PLbzoR-pLrL...
Absolutely fantastic video from a Google engineer (and the original author of LinuxBios / Coreboot) on how they replaced the UEFI firmware with Linux to get Dell servers to boot in 20 seconds:
A recent talk [0] by Ronald Minnich from Google gives a nice overview of their efforts to replace parts of Intel ME and UEFI with Linux, mostly for security reasons.
I first heard the Minix thing in this talk: https://www.youtube.com/watch?v=iffTJ1vPCSo which I found, I think via a HN thread. Anyway, most of the articles rehash this talk and IMO it's a solid 30 minute investment.
Related talk and slides: https://www.youtube.com/watch?v=iffTJ1vPCSo https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit...
Interesting Atom boards mentioned in the talk: https://minnowboard.org/
> Is this related to Purism announcing that they had successfully disabled the Intel Management Engine on their laptops? Or is that unrelated?
It is completely unrelated.
Intel ME is about a remote servicing interface that exists on all current Intel processors. While it has some usages for managing computers in a corporate setting or managing servers (keyword to look for: Intel Active Management Technology (Intel AMT), which needs Intel vPro), it exists on nearly all current Intel processors (except, I think, Intel Quark; but this processor is built for completely different purposes). Thus there are rumors that it is a backdoor for, say, 3-letter agencies. I don't want to spread any rumors here, but just say: Because Intel ME is very large and complicated (according to https://www.youtube.com/watch?v=iffTJ1vPCSo 5 MB in size) it is a real concern that lots of security gaps will be found (and some have been found in the past), which, because of Intel ME's structure (according to https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20wit... it runs on ring -3) can easily lead to really dangerous security holes. Just for this reason alone any responsible admin should try to disable Intel ME so that this security liability does not have to stay open.
PRISM is a surveillance program by the NSA.
Because the schedule does not provide it, here's the direct link to the talk: https://youtu.be/iffTJ1vPCSo
⬐ feelin_googley
This is quite good.
It is really about the presence of multiple Intel x86 CPUs on a single motherboard each running its own "kernel", but where the user only controls one of these kernels, and what control the user's kernel has over the hardware is easily subverted by the others.
The crunched binary for initramfs is written in Go and yet only 5.9MB. No systemd. Everything, even init scripts, is written in Go.
SMM - can disable
UEFI - can replace
ME - can remove components
ISH - not discussed
IE - not discussed