ARM, here I come! [was AMD]

Off-Topic discussions about science, technology, and non Debian specific topics.
n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: ARM, here I come! [was AMD]

#21 Post by n_hologram »

I want to inquire about a small aspect of this conversation:
Segfault wrote:
wizard10000 wrote:One thing I haven't heard anyone mention is that if your NIC isn't Intel I don't see how their ME can connect to anything.
Having 100% control over everything, I do not see there would be any difficulties for MINIX to reach out to the internet using any hardware available; it may rely on user OS provided drivers in some cases, though.
wizard10000 wrote: According to Purism

http://www.tomshardware.com/news/purism ... 32576.html
For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.
This seems to imply that, assuming someone isn't physically at your computer (utilizing a USB exploit, for example) or convincing you to download "cool_screensaver.bin", remote code execution should be moot so long as one of those modules, like wifi, is not intel.

If so, then, for the average consumer, worried about frying their bios with the internal and external me_cleaner tutorials, would the best protection not be to swap-out any intel-based wifi hardware with non-intel ones?

I ask because it isn't clear to me how deeply this minix "spin" can be exploited if rce is disabled or rendered useless. It also isn't clear the degree to which it has been exploited -- I'd be interested to read any new findings on this. So, it's hard to make a clear judgment about whether or not the ME can really reach out to available hardware, although, to err on the safe side, I assume "probably" is the best prediction.

fwiw, I'm probably going to try externally me_clean-ing mine, but I thought I'd ask.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#22 Post by pylkko »

steve_v wrote:Perhaps, though the cost of such things is inversely proportional to the number produced. Hence ARM hardware found in every Android phone is cheap, while power9, which is not widely deployed yet, is not.
I wish this were all there is to it.
steve_v wrote: You say power9 is too expensive. I say ARM is too slow. Show me an ARM CPU that fits your definition of reasonably priced and can compete with current x86 gear, in terms of raw performance.
As far as I can see, I didn't say that. If you can show me where you feel that I said that, then perhaps I can answer this.
steve_v wrote:Show me an ARM CPU that can do professional level CAD
Hell, show me any ARM CPU that can break-even with my 4 year old I7. 6 cores @ 3.5GHz, minimum. 32GB system memory, minimum. Go. I'm making it easy here...
Well, considering that I never said that there is (or that there is even a need for) an ARM processor that can "do professional level CAD", I think I'll pass. But for what it's worth, the Cortex-A75 is going to attempt laptop and server market share, I believe, and is supposedly significantly better than its predecessor. If I absolutely have to show any ARM processor that "can compete with your laptop", I'd say what about this "tens of teraflops" ARM processor: https://www.top500.org/news/cray-to-del ... onsortium/
steve_v wrote: For "internet and email" sure, ARM all the way. But I have zero interest in an architecture that is designed around low cost and low power consumption making its way into my desktop.
And yes, this desktop is at my home, therefore "home use". Yes, I do CAD at home. Yes, I need the performance. At home.
So, you are saying that because you have the very fringe case need for professional level CAD at home, that my statement that ARM has more chances in replacing average use is off, or not? And that a computer with a 1400W PSU and a 6000 USD price tag is more likely to replace x86 at home?

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#23 Post by pylkko »

n_hologram wrote:I want to inquire about a small aspect of this conversation:
Segfault wrote:
wizard10000 wrote:One thing I haven't heard anyone mention is that if your NIC isn't Intel I don't see how their ME can connect to anything.
Having 100% control over everything, I do not see there would be any difficulties for MINIX to reach out to the internet using any hardware available; it may rely on user OS provided drivers in some cases, though.
wizard10000 wrote: According to Purism

http://www.tomshardware.com/news/purism ... 32576.html
For AMT to allow remote access, three things are necessary: an Intel chip with vPro support, an Intel networking card, and the corporate version of the Intel Management Engine binary.
This seems to imply that, assuming someone isn't physically at your computer (utilizing a USB exploit, for example) or convincing you to download "cool_screensaver.bin", remote code execution should be moot so long as one of those modules, like wifi, is not intel.

If so, then, for the average consumer, worried about frying their bios with the internal and external me_cleaner tutorials, would the best protection not be to swap-out any intel-based wifi hardware with non-intel ones?

I ask because it isn't clear to me how deeply this minix "spin" can be exploited if rce is disabled or rendered useless. It also isn't clear the degree to which it has been exploited -- I'd be interested to read any new findings on this. So, it's hard to make a clear judgment about whether or not the ME can really reach out to available hardware, although, to err on the safe side, I assume "probably" is the best prediction.

fwiw, I'm probably going to try externally me_clean-ing mine, but I thought I'd ask.
I don't know how possible these exploits are and if it is at all possible to make a realistic judgement on this issue given that the code is top secret, apparently not even shared with firmware developers. There have been some exploits, for example a "super rootkit" was demonstrated and last year a criminal group apparently used another vulnerability. From what is known about these, you can maybe make inferences, see Wikipedia. You need to remember that even if the way it is supposed to work requires an Intel network chip etc., it might be possible that there are hacks or workarounds that can be used to do something adverse with it outside of the normal use scenario. Perhaps someone can spoof an Intel wifi chip somehow or use the ME chip to write to system RAM programs that do adverse stuff with the OS network stack (the firmware has its own network stack that is entirely invisible to Linux/any other operating system and is not affected by your kernel's firewall at all). Since the chip can read the HDD, the RAM and NVRAM and stores stuff on its own flash chip, perhaps there are ways to make it read data that it thought it stored there, but which in reality is exploit code? It is known that it can be used to read non-encrypted data from the HDD, for example when it analyses the health status of the machine. If you knew where exactly it is going to read and how much, you could feed it stuff, I suppose. Also, it allows for the BIOS to write to its own memory area for updating itself if needed using a tech called Host ME Region Flash Protection Override (see last link). This is really wild speculation, of course.

See:
https://en.wikipedia.org/wiki/Intel_Act ... d_exploits

Also, libreboot has gathered some information here:
https://libreboot.org/faq.html#intel

There is even apparently an entire book written about platform insecurity that talks about the Management Engine in detail.

http://www.apress.com/gp/book/9781430265719


Here appears to be very detailed information:
http://2012.ruxconbreakpoint.com/assets ... hinsky.pdf

tynman
Posts: 131
Joined: 2016-05-03 19:48
Location: British Columbia, Canada
Been thanked: 1 time

Re: ARM, here I come! [was AMD]

#24 Post by tynman »

Someone please let me know when the Power9 CPUs with suitable motherboards are down around the $300 point. I'm ready to test. :D

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: ARM, here I come! [was AMD]

#25 Post by n_hologram »

@pylkko: That was good information, thanks. In particular, the Silent Bob Is Silent exploit sounds pretty egregious -- fun name, though. I also didn't think to use nmap to see if AMT is keeping any ports opened, although I wonder how reliable nmap is for something working beneath even the OS.

In any case, I ordered my supplies to run me_cleaner, so by Saturday night I'll either have a deblobbed system or a fried motherboard. :)
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...
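On n_hologram's nmap question: because the ME's network stack sits below the host OS, a scan run on the machine itself can miss AMT entirely, so the check has to come from a second host on the same network. As an added example (not code from any poster in this thread), a small Python probe that connects to the AMT HTTP/HTTPS management ports from another machine and parses the Server banner; the port numbers and banner form are assumed from Intel's public AMT documentation, and the sample responses are constructed.

```python
import re
import socket
import ssl

# AMT web management interface: 16992 is plain HTTP, 16993 is HTTPS
# (assumed from Intel's public AMT documentation).
AMT_HTTP_PORTS = {16992: False, 16993: True}

# Server header AMT's web interface sends, with optional firmware version.
AMT_SERVER_RE = re.compile(
    rb"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]*)", re.I | re.M)


def parse_amt_banner(response: bytes):
    """Return the AMT version string ('' if absent) when the HTTP response
    carries the AMT Server header, or None when it does not."""
    m = AMT_SERVER_RE.search(response)
    return m.group(1).decode("ascii", "replace") if m else None


def probe_amt_http(host: str, port: int = 16992, use_tls: bool = False,
                   timeout: float = 3.0) -> dict:
    """Send a minimal GET to host:port from a *separate* machine and classify
    the reply. The host's own firewall/sockets are not what is being tested:
    the ME answers on the wire before the OS ever sees the packet."""
    req = (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n"
           "Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            sock = raw
            if use_tls:  # AMT ships a self-signed cert; we only want the banner
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                sock = ctx.wrap_socket(raw, server_hostname=host)
            sock.sendall(req)
            data = b""
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"port": port, "reachable": False, "amt": None, "error": str(exc)}
    return {"port": port, "reachable": True, "amt": parse_amt_banner(data)}


# Constructed sample responses (not captured from a real system).
SAMPLE_AMT = (b"HTTP/1.1 303 See Other\r\n"
              b"Server: Intel(R) Active Management Technology 11.6.27\r\n"
              b"Location: /index.htm\r\n\r\n")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"
```

A reachable port with `amt` set to a version means the management interface is exposed on that network segment; an unreachable port says nothing about whether the ME itself is present.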

steve_v
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: ARM, here I come! [was AMD]

#26 Post by steve_v »

tynman wrote:Someone please let me know when the Power9 CPUs with suitable motherboards are down around the $300 point.
As far as I know, the only power9 gear around is server-grade, and you won't get Intel / AMD server grade stuff for that price either. It's entirely possible to build desktop-orientated boards with the architecture, but AFAIK nobody's doing it (yet).
Hell, (assuming USD) $300 is a pittance even for an AMD desktop board + CPU. I certainly can't find anything worth having for that price around here, at least not new.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Why doesn't Google use power9?

#27 Post by pylkko »

The price is really high, but other than that the architecture is for sure very interesting. I am wondering a bit, why Google is not adapting it (or are they?). Because there were some news items about Google being concerned about Management Engine, and even starting a project to remove it:

http://www.tomshardware.com/news/google ... 35876.html

But why not just invest in power9 given that they have the capital required?

EDIT: here is Ron Minnich's (Google engineer) presentation about the NERF project attempting to get rid of Intel's Management Engine
https://schd.ws/hosted_files/osseu17/84 ... 0Linux.pdf

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Why doesn't Google use power9?

#28 Post by golinux »

pylkko wrote:I am wondering a bit, why Google is not adapting it (or are they?). Because there were some news items about Google being concerned about Management Engine, and even starting a project to remove it:
That pdf is the presentation from this talk:

https://www.youtube.com/watch?v=iffTJ1vPCSo
May the FORK be with you!
