[TUHS] Question about BSD disklabel history

Kevin Bowling kevin.bowling at kev009.com
Fri Jan 5 04:26:34 AEST 2024 

On Thu, Jan 4, 2024 at 1:42 AM <arnold at skeeve.com> wrote:
>
> Things have wandered a little far afield... :-)
>
> "Theodore Ts'o" <tytso at mit.edu> wrote:
>
> > Or there's something running on a completely different x86 core with
> > unpatched securiy bugs in the Minix and Apache cores that you can't
> > even disable (unless you are the National Security Agency)....  Sadly,
> > Intel refuses to make it available the magic bits to disable the Intel
> > ME to anyone else.  :-(
>
> I worked for a number of years in the design center where the firmware
> and software for the ME were develped.  Although it's possible that
> the firmware developers were sworn to secrecy, I never heard anything
> about back doors for the NSA or anyone else.
>
> Intel took security and code quality in the ME very seriously,
> and during my tenure the quality of the ME firmware improved a lot.
>
> ISTR that the BIOS had settings for disabling the ME. Is that
> no longer true?
>
> I know there are lots of people who despise the ME, which I never
> understood. It was designed to solve the very real problem of remote
> PC management, and for that it works.  My own feeling is, if you don't
> want the ME, buy a processor without it; there are plenty from Intel
> and AMD.

I have tried out the AMT stuff for OS development and it is a mess.  I
am skeptical anyone seriously uses it.  Laptops already have
microcontrollers for various functionality so it is hard to see why
the already standardized NC-SI and IPMI couldn't be applied to the
problem space in some way that is secure, standardized, and doesn't
significantly change the BOM cost.

For whatever reason, intel makes it difficult to impossible to remove
the ME in later generations.  It seems more than accidental
incompetence since people have figured out how to force it into a
brain dead state (coreboot with me_cleaner).  It is doubly suspicious
that the US government has a killswitch for it that the commercial and
general public do not.

Which are the intel CPUs without the ME?  Just because a CPU doesn't
have vPro licensed doesn't mean the ME isn't there.

> Quite seriously, and with no animosity, I'd be happy to learn what
> I'm missing here.

https://en.wikipedia.org/wiki/Intel_Management_Engine has a good
enough survey and links to other soruces.

It's a complete mess on the NIC too, the firmware on e1000 NICs has
all sorts of issues and much of it is related to the insane errata and
complexity of transitioning to and fro Management mode and different
interpretations of who is responsible for power management.

>
> Thanks,
>
> Arnold

More information about the TUHS mailing list