ARM, here I come! [was AMD]

Segfault
Posts: 914
Joined: 2005-09-24 12:24

ARM, here I come! [was AMD]

#1 Post by Segfault »

Last edited by Segfault on 2017-11-10 16:39, edited 1 time in total.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: AMD, here I come!

#2 Post by GarryRicketson »

I like Minix, it is a good OS, and yes, that is a wonderful feature: it is small and simple, it can be embedded in a small chip, and is very secure.
I suspect Google does not want it or like it for other reasons... maybe because they have no control over it?
I trust Minix, and Andrew Tanenbaum, more than I trust Google; maybe I need to remove Google from my system :mrgreen:
Note to Intel: If Google doesn’t trust your CPUs on their own servers, maybe you should consider removing this “feature.” Otherwise, at some point they’ll (likely) move away from your CPUs entirely.

Segfault
Posts: 914
Joined: 2005-09-24 12:24

Re: AMD, here I come!

#3 Post by Segfault »

So it does not worry you if your CPU opens a tunnel and gives 100% access to your computer to a third party.

golinux
Posts: 1576
Joined: 2010-12-09 00:56
Location: not a 'buntard!

Re: AMD, here I come!

#4 Post by golinux »

There's a very long thread about this on Devuan's DNG mail list, starting with this link:

https://lists.dyne.org/lurker/message/20171030.055913.44761087.en.html

That video is quite enlightening. Do watch.

And you might want to rethink that AMD is the solution:

https://lists.dyne.org/lurker/message/20171109.175824.8412a570.en.html
Last edited by golinux on 2017-11-10 18:36, edited 1 time in total.
May the FORK be with you!

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: AMD, here I come!

#5 Post by GarryRicketson »

Postby Segfault » 2017-11-09 20:22
So it does not worry you if your CPU opens a tunnel and gives 100% access to your computer to a third party.
No, it does not worry me, and it is not the fault of Minix 3, nor Andrew Tanenbaum. To start with, what Intel is using for its Management Engine is not really Minix, it is based on Minix, and I don't believe it works quite the way that article is trying to make it sound like. There is a lot in that article that just does not "rhyme" up:
Google wants to remove MINIX from its internal servers

According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:
That link to "according to Google" is mostly about getting rid of UEFI; it says nothing about Minix. I do agree, and would love to see UEFI and the so-called "secure boot" junk removed and banned from all new computers...
Minix is not "closed source", and is not the problem, as the writer tries to make it sound...
It is so very obvious the author is pro-Linux but anti-Minix, yet Minix is not the problem. The problem is the UEFI, Intel, and its ME. If INTEL has programmed, or used code based on Minix OS, and embedded it in their chip to do bad things, that is the fault of Intel, not Minix, nor Andrew Tanenbaum.
There has been an ongoing battle between Linus Torvalds and Andrew Tanenbaum ever since Linus started working on his kernel, but that is another topic.
However something many linux users do not know:
from: https://en.wikipedia.org/wiki/Andrew_S._Tanenbaum
One of these subscribers was a Finnish student named Linus Torvalds who began adding new features to MINIX and tailoring it to his own needs. On October 5, 1991, Torvalds announced his own (POSIX like) kernel, called Linux, which originally used the MINIX file system, but it is not based on MINIX code.[24]
I notice this:
From: http://blog.ptsecurity.com/2017/04/inte ... lysis.html
In addition, when we looked inside the decompressed vfs module, we encountered the strings “FS: bogus child for forking” and “FS: forking on top of in-use child,” which clearly originate from Minix3 code. It would seem that ME 11 is based on the MINIX 3 OS developed by Andrew Tanenbaum :)
Hmm, it says "BASED on Minix 3". So isn't this kind of like when some kiddie script writer uses Kali to exploit or compromise some bank or something? Kali is based on Debian. Oh my, we need to get Debian out of all the systems, it could be put to evil uses.
So some of the code they are using originated from Minix 3 code: "Oh my GOD, we have got to get rid of Minix, it is evil, evil, evil."
I think the author and Linus are jealous of the fact that Intel is using code based on what is known as Minix, instead of Linux; however Linux, in the hands of Intel and Microsoft, can be put to just as much evil as they have done with code BASED on Minix.
Last edited by GarryRicketson on 2017-11-10 05:20, edited 2 times in total.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: AMD, here I come!

#6 Post by GarryRicketson »

Just another thought: I wonder, if Google is so dead set against Minix 3, like the author of the above article tries to make it sound, then why do they allow a news group for the students and developers using Minix? ... now Minix 3.4.
https://groups.google.com/forum/#!forum/minix3
Minix 3 What Is MINIX 3?

MINIX 3 is a free, open-source, operating system designed to be highly reliable, flexible, and secure. It is based on a tiny microkernel running in kernel mode with the rest of the operating system running as a number of isolated, protected, processes in user mode. It runs on x86 and ARM CPUs, is compatible with NetBSD, and runs thousands of NetBSD packages. Get MINIX 3 now and join our community!
It is a great little OS, and perfect for some of my older equipment, and yes, it can be used to power the CPU; it does not have to be "based on Minix 3" and locked down, like Intel has done....
Am I evil because I am using Minix in my CPU? Oh my God, here comes Google, they are going to take it away and make me use something else... give me a break.
This is past, but any way : https://groups.google.com/forum/#!topic ... QXMhscIPmQ

pylkko
Posts: 1801
Joined: 2014-11-06 19:02

Re: AMD, here I come!

#7 Post by pylkko »

I haven't checked the facts, but according to the Free Software Foundation AMD has an equivalent system baked in. In order to avoid having another processor with ring -3, i.e. better access to your hardware and data than root (the kernel is protection ring 0), you have to avoid x86 entirely.

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: AMD, here I come!

#8 Post by alan stone »

AMD, here I come!
Do you mean Advanced Micro, correction: Monitoring, Devices?

Lysander
Posts: 629
Joined: 2017-02-23 10:07
Location: London

Re: AMD, here I come!

#9 Post by Lysander »

pylkko wrote:I haven't checked the facts, but according to the Free Software Foundation AMD has an equivalent system baked in.
Indeed, people have been saying this for years, that both Intel and AMD CPUs have 'backdoors' built into them. A casual Google finds articles going back to at least 2013 about similar concerns. Jumping ship to AMD won't make much difference.

For what it's worth, here's what RMS says
The current generation of Intel and AMD processor
chips are designed with vicious back doors that users cannot shut
off. (In Intel processors, it’s the "management engine".)

No users should trust those processors.
https://www.fsf.org/blogs/rms/a-message ... foundation

I personally can't see myself moving from my Q8400 for a while, backdoor or no backdoor. I think that one can tie oneself in knots over security and privacy concerns ad nauseam. By the time one has reconfigured or replaced one's hardware the next piece of FUD will hit the internet.

ticojohn
Posts: 1025
Joined: 2009-08-29 18:10
Location: /home/heart
Has thanked: 2 times
Been thanked: 8 times

Re: AMD, here I come!

#10 Post by ticojohn »

Think I'll go back to using my abacus. No back doors there. LOL!
I am not irrational, I'm just quantum probabilistic.

Segfault
Posts: 914
Joined: 2005-09-24 12:24

Re: AMD, here I come!

#11 Post by Segfault »

wizard10000 wrote:One thing I haven't heard anyone mention is that if your NIC isn't Intel I don't see how their ME can connect to anything.
Having 100% control over everything, I do not see that there would be any difficulties for MINIX to reach out to the internet using any hardware available; it may rely on user-OS-provided drivers in some cases, though.

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: ARM, here I come! [was AMD]

#12 Post by GarryRicketson »

That is why I like Minix and use it :mrgreen:


#mount/dev/cpu1 /data
#cd /data
#pwd
cpu1/data/
cpu1#uname -a
MINIX 3.3.0. (588a35b)
Copyright 2014, Vrije Universiteit, Amsterdam, The
Netherlands
MINIX is open source software, see
http://www.minix3.org
Started VFS: 9 worker thread(s)
 e1000#0: Intel PRO/1000 MT 82545EM (8086/100f/00) at
2.0.0
#locate (name removed for protection of the innocent)
#located : print data or save P or S....
#S
#data saved to f673100043291100.dat
#exit
$
:mrgreen:

Segfault
Posts: 914
Joined: 2005-09-24 12:24

Re: ARM, here I come! [was AMD]

#13 Post by Segfault »

For those ready to brick their computers, here is the link: https://github.com/corna/me_cleaner

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: ARM, here I come! [was AMD]

#14 Post by Head_on_a_Stick »

Why has the title been changed to "ARM"?

That (micro)architecture is also closed and so we should presume that there is also embedded malicious code.

The only answer is true open source hardware, pylkko has been keeping us up-to-date about that:

http://forums.debian.net/viewtopic.php? ... 9&p=655805
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

golinux
Posts: 1576
Joined: 2010-12-09 00:56
Location: not a 'buntard!

Re: ARM, here I come! [was AMD]

#15 Post by golinux »

Has no one watched the video posted in my first post above? Or read that long thread which was veeerrry interesting? Ah, it wasn't working anymore but this one does:

https://www.youtube.com/watch?v=iffTJ1vPCSo
May the FORK be with you!

GarryRicketson
Posts: 5872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: ARM, here I come! [was AMD]

#16 Post by GarryRicketson »

I looked at the link, but did not see any video.
----- edited ----
Oh, now you posted a different link,... let's try that one.

pylkko
Posts: 1801
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#17 Post by pylkko »

The situation is pretty grim. Even the term "back door" completely understates the situation. It's not just some backdoor, it is a full-blown computer with unrestricted access to all the hardware and system memory, running an entire operating system, network stack, Java virtual machine etc. The leaks that have been made in the last years also suggest that these things have been widely exploited.

If it were the case that this could only potentially be used for bad stuff, then I would call it paranoia or conspiracy theorizing to suggest that it is, well, concerning. That the NSA/Russia can use this to track "terrorists and other bad people" is only a little bit worrisome in my opinion.

But that there are published and known security vulnerabilities in the Management Engine is much more worrisome. Perhaps the Management Engine cannot be used in the way it was designed without an Intel network chip, but that does not automatically mean that the weaknesses in it cannot be exploited even on machines with other network chips.

As long as there are only closed-source options for the hardware, then ultimately, of course, the code cannot be audited by anyone willing to do so. And companies have pretty bad track records; most of the projects that have either been open sourced or leaked have shown very sloppy code... This is, of course, understandable as there is little money in making systems safe, except for some few fringe cases. Most computers and phones get a few firmware updates right after their release, but that's it.

Although most ARM-based computers have a much simpler booting process that does not involve entire computers that the user does not have any access to, still most of them use simple bootloaders, GPU drivers and other stuff that is closed source. IIRC the only GPU stack that has working open-source alternatives for it is the reverse-engineered etnaviv (although freedreno, lima and other projects attempt to do the same for these GPUs). Many of them are also SoCs where the CPU is permanently attached to peripherals that cannot be "turned off".

There are other architectures but most of them are very obscure/hard to come by or unsuitable for PC use. For example, I believe SPARC processors don't have these hardware level security problems like described in OP, but there are other reasons why they are not easily adapted to normal home use.

RISC-V is interesting because the ISA is open. That means that it is very hard to insert hardware-level "back doors", since users have the freedom to validate the hardware. However, there are (AFAIK) no free-code GPUs for that architecture either (at least currently) and therefore any kind of software-level bad code can be involved. But this might change in the coming years.

steve_v
Posts: 772
Joined: 2012-10-06 05:31
Location: New Zealand
Has thanked: 2 times
Been thanked: 3 times

Re: ARM, here I come! [was AMD]

#18 Post by steve_v »

I'm surprised nobody has mentioned POWER9 yet. This is the FSF's suggested solution to the ME/backdoor drama.
Still in pre-order, but I am tempted to buy one. Looks pretty badass, and I am in the market for a new server.

pylkko
Posts: 1801
Joined: 2014-11-06 19:02

Re: ARM, here I come! [was AMD]

#19 Post by pylkko »

steve_v wrote:I'm surprised nobody has mentioned POWER9 yet. This is the FSF's suggested solution to the ME/backdoor drama.
Still in pre-order, but I am tempted to buy one. Looks pretty badass, and I am in the market for a new server.
OK. The thing is that it is realistically conceivable that ARM, RISC-V etc. can to some extent replace x86 computers in home use. Last I checked these POWER9 products were several thousand just for the motherboard. I believe the company you link to even had a crowdfunding campaign that failed miserably, like they got only one bidder. The product was just way too expensive. It does sound like they are willing to create a fully auditable platform, it just doesn't sound like it could help home users much.

steve_v
Posts: 772
Joined: 2012-10-06 05:31
Location: New Zealand
Has thanked: 2 times
Been thanked: 3 times

Re: ARM, here I come! [was AMD]

#20 Post by steve_v »

pylkko wrote:The product was just way too expensive.
Perhaps, though the cost of such things is inversely proportional to the number produced. Hence ARM hardware found in every Android phone is cheap, while POWER9, which is not widely deployed yet, is not.
You say POWER9 is too expensive. I say ARM is too slow. Show me an ARM CPU that fits your definition of reasonably priced and can compete with current x86 gear in terms of raw performance.
Show me an ARM CPU that can do professional-level CAD.
Hell, show me any ARM CPU that can break even with my 4-year-old i7. 6 cores @ 3.5GHz, minimum. 32GB system memory, minimum. Go. I'm making it easy here...

For "internet and email", sure, ARM all the way. But I have zero interest in an architecture that is designed around low cost and low power consumption making its way into my desktop.
And yes, this desktop is at my home, therefore "home use". Yes, I do CAD at home. Yes, I need the performance. At home.

If the Talos 2 ever goes into production, I'll almost certainly buy one. As far as I can tell, it's the only fully open and auditable platform available with acceptable performance.
I'm not willing to pre-order it though, at least not at that price. If the company went belly-up right after I'd be left with an expensive orphan, and that would kinda piss me off.
