Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

ARM, here I come! [was AMD]

Off-Topic discussions about science, technology, and non Debian specific topics.
Message
Author
User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: ARM, here I come! [was AMD]

#16 Post by GarryRicketson »

I looked at the link, but did not see any video.
----- edited ----
Oh, now you posted a different link,... let's try that one.

User avatar
pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#17 Post by pylkko »

The situation is pretty grim. Even the term "back door" completely undermines the situtation. It not just some backdoor, it is a full blown computer with unrestricted access to all the hardware and system memory, running an entire operating system, network stack, java virtual machine etc. The leaks that have been made in the last years also suggest that these things have been widely exploited.

If it were so that, only potentially this could be used for bad stuff, then I would call it paranoia or conspiracy theorizing to suggest that it is, well, concerning. That the NSA/Russia can use this to track "terrorists and other bad people" is only a little bit worrisome in my opinion.

But that there are published and known security vulnerabilities in Management engine is way much more worrisome. Perhaps the management engine cannot be used in the way it was designed without an intel network chip, but that does not automatically mean that the weaknesses in it cannot be exploited even on machines with other network chips.

As long as there is only closed source options for the hardware, then ultimately, of course, the code cannot be audited by anyone willing to do so. And companies have pretty bad track records, most of the projects that have either been open sourced or leaked have shown very sloppy code... This is, of course, understandable as there is little money in making systems safe, except for some few fringe cases. Most computers and phones get a few firmware updates right after their release, but that's it.

Although most ARM-based computers have a much simpler booting process that does not involve entire computers that the user does not have any access to, still most of them use simple bootloaders, gpu drivers and other stuff that is closed source. IIRC the only gpu stack that has working open source alternatices for it is the reverse engineered etnaviv (although freedreno, lima and other projects attmept to do the same for these gpu's). Many of them are also SOC's where the cpu is permanently attached to peripherals cannot be "turned off".

There are other architectures but most of them are very obscure/hard to come by or unsuitable for PC use. For example, I believe SPARC processors don't have these hardware level security problems like described in OP, but there are other reasons why they are not easily adapted to normal home use.

RISCV is interesting because the ISA is open. That means that it is very hard to insert hardware level "back doors", since users have the freedom to validate the hardware. However, there are (AFAIK) no free code GPU's for that architecture either (at least currently) and therefore any kind of software level bad code can be involved. But this might change in the coming years.

steve_v
df -h | grep > 20TiB
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: ARM, here I come! [was AMD]

#18 Post by steve_v »

I'm surprised nobody has mentioned POWER9 yet, This is the FSFs suggested solution to the ME/backdoor drama.
Still in pre-order, but I am tempted to buy one. Looks pretty badass, and I am in the market for a new server.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

User avatar
pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#19 Post by pylkko »

steve_v wrote:I'm surprised nobody has mentioned POWER9 yet, This is the FSFs suggested solution to the ME/backdoor drama.
Still in pre-order, but I am tempted to buy one. Looks pretty badass, and I am in the market for a new server.
OK. The thing is that it is realistically conceiveable that ARM, RISC-V etc. can to some extent replace x86 computers in home use. Last I checked these power9 products were several thousand just for the mother board. I believe the company you link to even had a crowd funding campaign that failed miserably, like they got only one bidder. The product was just way too expensive. It does sound like they are willing to create a fully auditable platform, it just doesn't sound like it could help home users much.

steve_v
df -h | grep > 20TiB
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: ARM, here I come! [was AMD]

#20 Post by steve_v »

pylkko wrote:The product was just way too expensive.
Perhaps, though the cost of such things is inversely proportional to the number produced. Hence ARM hardware found in every Android phone is cheap, while power9, which is not widely deployed yet, is not.
You say power9 is too expensive. I say ARM is too slow. Show me an ARM CPU that fits your definition of reasonably priced and can compete with current x86 gear, in terms of raw performance.
Show me an ARM CPU that can to professional level CAD.
Hell, show me any ARM CPU that can break-even with my 4 year old I7. 6 cores @ 3.5GHz, minimum. 32GB system memory, minimum. Go. I'm making it easy here...

For "internet and email" sure, ARM all the way. But I have zero interest in an architecture that is designed around low cost and low power consumption making it's way into my desktop.
And yes, this desktop is at my home, therefore "home use". Yes, I do CAD at home. Yes, I need the performance. At home.

If the Talos 2 ever goes into production, I'll almost certainly buy one. As far as I can tell, it's the only fully open and auditable platform available with acceptable performance.
I'm not willing to pre-order it though, at least not at that price. If the company went belly-up right after I'd be left with an expensive orphan, and that would kinda piss me off.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: ARM, here I come! [was AMD]

#21 Post by n_hologram »

I want to inquire about a small aspect of this conversation:
Segfault wrote:
wizard10000 wrote:One thing I haven't heard anyone mention is that if your NIC isn't Intel I don't see how their ME can connect to anything.
Having 100% control over everything I do not see there would be any difficulties for MINIX to reach out to the internet using any hardware available, it may rely on user OS provided drivers in some cases, though.
wizard10000 wrote: According to Purism

http://www.tomshardware.com/news/purism ... 32576.html
For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.
This seems to imply that, assuming someone isn't physically at your computer (utilizing a USB exploit, for example) or convincing you to download "cool_screensaver.bin", remote code execution should be moot so long as one of those modules, like wifi, is not intel.

If so, then, for the average consumer, worried about frying their bios with the internal and external me_cleaner tutorials, would the best protection not be to swap-out any intel-based wifi hardware with non-intel ones?

I ask because it isn't clear to me how deeply this minix "spin" can be exploited if rce is disabled or rendered useless. It also isn't clear the degree to which it has been exploited -- I'd be interested to read any new findings on this. So, it's hard to make a clear judgment about whether or not the ME can really reach out to available hardware, although, to err on the safe side, I assume "probably" is the best prediction.

fwiw, I'm probably going to try externally me_clean-ing mine, but I thought I'd ask.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

User avatar
pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#22 Post by pylkko »

steve_v wrote:Perhaps, though the cost of such things is inversely proportional to the number produced. Hence ARM hardware found in every Android phone is cheap, while power9, which is not widely deployed yet, is not.
I wish this were all there is to it.
steve_v wrote: You say power9 is too expensive. I say ARM is too slow. Show me an ARM CPU that fits your definition of reasonably priced and can compete with current x86 gear, in terms of raw performance.
As far as I can see, I didn't say that. If you can show me were you feel that I said that, then perhaps I can answer this.
steve_v wrote:Show me an ARM CPU that can to professional level CAD
Hell, show me any ARM CPU that can break-even with my 4 year old I7. 6 cores @ 3.5GHz, minimum. 32GB system memory, minimum. Go. I'm making it easy here...
Well, considering that I never said that there is (or that there is even a need for) an ARM processor that can "do professional level CAD", I think I'll pass. But for what it's worth, the Coretex-A75 is going to attempt laptop and sercer market share, I believe, and is supposedly significantly better than its predecessor. If I absolutely have to show any ARM processor that "can compete with your laptop", I'd say what abnout this "tens of teraflops" ARM processor: https://www.top500.org/news/cray-to-del ... onsortium/
steve_v wrote: For "internet and email" sure, ARM all the way. But I have zero interest in an architecture that is designed around low cost and low power consumption making it's way into my desktop.
And yes, this desktop is at my home, therefore "home use". Yes, I do CAD at home. Yes, I need the performance. At home.
So, you are saying that because you have the very fringe case need for professional level CAD at home, that my statement that ARM has more chances in replacing average use is off, or not? And that a computer with a 1400W PSU and a 6000 USD price tag is more likely to replace x86 at home?

User avatar
pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#23 Post by pylkko »

n_hologram wrote:I want to inquire about a small aspect of this conversation:
Segfault wrote:
wizard10000 wrote:One thing I haven't heard anyone mention is that if your NIC isn't Intel I don't see how their ME can connect to anything.
Having 100% control over everything I do not see there would be any difficulties for MINIX to reach out to the internet using any hardware available, it may rely on user OS provided drivers in some cases, though.
wizard10000 wrote: According to Purism

http://www.tomshardware.com/news/purism ... 32576.html
For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.
This seems to imply that, assuming someone isn't physically at your computer (utilizing a USB exploit, for example) or convincing you to download "cool_screensaver.bin", remote code execution should be moot so long as one of those modules, like wifi, is not intel.

If so, then, for the average consumer, worried about frying their bios with the internal and external me_cleaner tutorials, would the best protection not be to swap-out any intel-based wifi hardware with non-intel ones?

I ask because it isn't clear to me how deeply this minix "spin" can be exploited if rce is disabled or rendered useless. It also isn't clear the degree to which it has been exploited -- I'd be interested to read any new findings on this. So, it's hard to make a clear judgment about whether or not the ME can really reach out to available hardware, although, to err on the safe side, I assume "probably" is the best prediction.

fwiw, I'm probably going to try externally me_clean-ing mine, but I thought I'd ask.
I don't know how possible these exploits are and if it is at all possible to make realistic judgement on this issue given that the code is top secret, apparently not even shared with firmware developers. There have been some exploits, for example a "super rootkit" was demonstrated and last year a criminal group apparently used another vulnerability. From what is known about these, you can maybe make inferences, see wikipedia. You need to remember that even if the way it is supposed to work requires Intel network chip etc, it might be possible that here are hacks or workarounds that can be used to do something adverse with it outside of the normal use scenario. Perhaps someone can spoof an Intel wifi chip some how or use the ME chip to write to system RAM programs that do adverse stuff with the OS network stack (the firmware has its own network stack that is entirely invisible to Linux/any other operating system and is not affected by your kernel's firewall at all). Since the chip can read the HDD, the RAM and NVRAM and stores stuff on its own flash chip, perhaps there are ways to make it read data that it thought it stored there, but which in reality is exploit code? It is known that it can be used to reads non-encrypted data from the HDD for example when it analyses the health status of the machine. If you knew where exactly it is going to read and how much, you could feed it stuff, I suppose. Also, it allows for the BIOS to write to its own memory area for updating itself if needed using a tech called Host ME Region Flash Protection Override (see last link). This is really wild speculation, of course.

See:
https://en.wikipedia.org/wiki/Intel_Act ... d_exploits

Also, libreoot has gatherered some information here:
https://libreboot.org/faq.html#intel

there is even apparently an entire book written about platform insecurity that talks anout the Management Engine in detail.

http://www.apress.com/gp/book/9781430265719


Here appears to be very detailed information:
http://2012.ruxconbreakpoint.com/assets ... hinsky.pdf

tynman
Posts: 131
Joined: 2016-05-03 19:48
Location: British Columbia, Canada
Been thanked: 1 time

Re: ARM, here I come! [was AMD]

#24 Post by tynman »

Someone please let me know when the Power9 CPUs with suitable motherboards are down around the $300 point. I'm ready to test. :D

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: ARM, here I come! [was AMD]

#25 Post by n_hologram »

@pylkko: That was good information, thanks. In particular, the Silent Bob Is Silent exploit sounds pretty egregious -- fun name, though. I also didn't think to use nmap to see if AMT is keeping any ports opened, although I wonder how reliable nmap is for something working beneath even the OS.

In any case, I ordered my supplies to run me_cleaner, so by Saturday night I'll either have a deblobbed system or a fried motherboard. :)
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

steve_v
df -h | grep > 20TiB
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: ARM, here I come! [was AMD]

#26 Post by steve_v »

tynman wrote:Someone please let me know when the Power9 CPUs with suitable motherboards are down around the $300 point.
As far as I know, the only power9 gear around is server-grade, and you won't get Intel / AMD server grade stuff for that price either. It's entirely possible to build desktop-orientated boards with the architecture, but AFAIK nobody's doing it (yet).
Hell, (assuming USD) $300 is a pittance even for an AMD desktop board + CPU. I certainly can't find anything worth having for that price around here, at least not new.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

User avatar
pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Why doesn't Google use power9?

#27 Post by pylkko »

The price is really high, but other than that the architecture is for sure very interesting. I am wondering a bit, why Google is not adapting it (or are they?). Because there were some news items about Google being concerned about Management Engine, and even starting a project to remove it:

http://www.tomshardware.com/news/google ... 35876.html

But why not just invest in power9 given that they have the capital required?

EDIT: here is Ron Minnich's (Google engineer) presentation about the NERF project attempting to get rid of Intel's Management Engine
https://schd.ws/hosted_files/osseu17/84 ... 0Linux.pdf

User avatar
golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Why doesn't Google use power9?

#28 Post by golinux »

pylkko wrote:I am wondering a bit, why Google is not adapting it (or are they?). Because there were some news items about Google being concerned about Management Engine, and even starting a project to remove it:
That pdf is the presentation from this talk::

https://www.youtube.com/watch?v=iffTJ1vPCSo
May the FORK be with you!

Post Reply