Google Working To Remove MINIX-Based ME From Intel Platforms

Intel’s Management Engine (ME) technology is built into almost all Intel platforms shipped since 2006. At the Embedded Linux Conference, Google engineer Ronald Minnich revealed that the ME in current platforms runs its own complete operating system, a derivative of MINIX, and that Google is working on removing it. Because every recent Intel system ships with it, that barebones Unix-like OS is arguably the most widely deployed operating system in the world.

Intel’s ME technology is a hardware-level subsystem of Intel platforms: closed-source firmware running on its own dedicated microcontroller, separate from the main CPU cores. Little about its internals is public, especially in its current form, and even its physical location has moved over time. At its inception in 2006 the ME lived in the MCH (northbridge); when the memory controller was integrated into the CPU beginning with Nehalem, the ME moved to the PCH (the current-day “southbridge”), and on parts that integrate the PCH into the CPU package it ships on that same package.

Where the ME’s code lives is less mysterious than it may sound. The ME firmware is stored in a dedicated region of the same SPI flash chip that holds the system BIOS/UEFI, and at runtime the ME claims a reserved slice of the system DDR RAM as its working memory, which is likely what Intel’s statement about the ME being loaded into system RAM referred to. The ME has access to many, if not all, of the platform’s integrated devices, such as Intel network controllers, and it can reach the main system RAM through DMA. Much has changed in Intel’s platform since some of this was reported, however, so the exact state of the ME today isn’t well understood outside Intel, which keeps many of the details secret, citing security.
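As an added illustration of where the ME firmware sits (this is example code written for this page, not Google’s or Intel’s), the following Python parses the region table of an Intel flash descriptor, the 4 KiB header at the start of the SPI flash image, and reports the byte range each region occupies. The ME firmware is region 2 of that table. The descriptor image here is constructed inline with an assumed layout rather than dumped from a real chip, so it runs offline.

```python
import struct

# Intel flash descriptor constants (layout used by ifdtool/me_cleaner):
# a 32-bit signature at offset 0x10 of the flash image, followed by FLMAP0,
# whose bits 23:16 give the region base address (FRBA) in 16-byte units.
DESCRIPTOR_SIGNATURE = 0x0FF0A55A
SIGNATURE_OFFSET = 0x10
FLMAP0_OFFSET = 0x14

# The five classic regions, indexed by their FLREGn slot. Newer descriptors
# define more slots after these; we only decode the ones that matter here.
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]


def parse_flash_regions(image: bytes) -> dict:
    """Return {region name: (base, limit)} in bytes, or None if the region is unused."""
    if len(image) < FLMAP0_OFFSET + 4:
        raise ValueError("image too small to contain a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, SIGNATURE_OFFSET)
    if sig != DESCRIPTOR_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")

    (flmap0,) = struct.unpack_from("<I", image, FLMAP0_OFFSET)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # region table base, 16-byte granularity

    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * idx)
        # Base and limit are stored in 4 KiB pages: bits 14:0 and 30:16.
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        # Intel marks an unused region with base > limit (typically 0x7FFF/0x0000).
        regions[name] = None if base > limit else (base, limit)
    return regions


def me_region(image: bytes):
    """Convenience accessor: byte range of the ME firmware, or None if absent."""
    return parse_flash_regions(image)["ME"]


def build_sample_descriptor() -> bytes:
    """Construct a descriptor block for an assumed 8 MiB layout (sample data, not a real dump)."""
    img = bytearray(b"\xFF" * 0x1000)  # erased flash reads as 0xFF
    struct.pack_into("<I", img, SIGNATURE_OFFSET, DESCRIPTOR_SIGNATURE)

    frba = 0x40  # put the region table at offset 0x40
    fcba = 0x30  # component table base (unused by this parser, but a real descriptor has one)
    flmap0 = (4 << 24) | ((frba >> 4) << 16) | (fcba >> 4)  # NR=4 (five regions)
    struct.pack_into("<I", img, FLMAP0_OFFSET, flmap0)

    def flreg(base_page: int, limit_page: int) -> int:
        return (limit_page << 16) | base_page

    layout = [
        flreg(0x000, 0x000),    # Descriptor: 0x000000-0x000FFF
        flreg(0x400, 0x7FF),    # BIOS:       0x400000-0x7FFFFF
        flreg(0x001, 0x3FF),    # ME:         0x001000-0x3FFFFF
        flreg(0x7FFF, 0x000),   # GbE:        unused
        flreg(0x7FFF, 0x000),   # Platform Data: unused
    ]
    for idx, reg in enumerate(layout):
        struct.pack_into("<I", img, frba + 4 * idx, reg)
    return bytes(img)


if __name__ == "__main__":
    for name, span in parse_flash_regions(build_sample_descriptor()).items():
        if span is None:
            print(f"{name:14s} unused")
        else:
            print(f"{name:14s} 0x{span[0]:06X}-0x{span[1]:06X}")
```

On real hardware the input would be a full SPI dump taken with an external programmer or, where the descriptor permits it, with flashrom; the parser only needs the first 4 KiB of it. Note that on production systems the descriptor normally locks the ME region against host reads and writes, which is why dumping or modifying ME firmware from the running OS usually fails.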

None of this, by itself, is why Google wants to remove the ME from its Intel systems. Low-level code executing independently of the system OS is necessary for features such as network boot or wake-from-USB. Such code is firmware, and its presence is a given on modern hardware: a driver gives an ordinary application a way to use a device through the OS, but the driver itself controls the device by talking to its firmware. Firmware is a program, so it needs a processor and RAM of its own to run.

What concerns Google is the complexity of the ME. Public interest in the subject peaked earlier this year when an authentication-bypass vulnerability (CVE-2017-5689) was found in Intel’s Active Management Technology (AMT), but AMT is just one application that runs on the ME; the ME itself is an entire OS.

Minnich’s presentation touched on his team’s finding that the OS in question is a closed, modified version of the open-source MINIX 3. The real focus, though, is what’s in it and the consequences. According to Minnich, that includes a web server, a file system, drivers for disk and USB access, and possibly some hardware DRM-related capabilities. It’s not known whether all this code is there for current or planned ME features, or whether Intel simply saw more value in keeping it than in stripping it out.

If we understand it correctly, the ME is not an OS “under” the system OS. Rather, it is an OS running in parallel, on its own processor, that can access the same hardware at the same time as the system OS. The ME does not depend on the system OS, which treats it as just another piece of firmware and talks to it through a driver (the Management Engine Interface, MEI, also known as HECI; on Linux this is the mei kernel module).

As we hear so often now, though, no system is ever truly secure: there will always be bugs, and creative people who exploit them. An OS full of latent capabilities for accessing hardware just gives those people more room to be creative. An attacker who manages to load their own code onto the ME gains a foothold below the system OS, one the OS cannot see and that survives reinstalling it, since the ME firmware lives in flash rather than on disk. Minnich and his team (and a number of others) are interested in removing the ME to limit what such an attacker could do.

Update, 11/9/17, 7:40am PT: We originally misstated that MINIX is barebones Linux. We've corrected the error.

  • sadsteve
    Um, MINIX is not a version of Linux. MINIX is based upon a microkernel architecture where Linux is based upon a monolithic kernel architecture.
    Reply
  • rbanffy
    Can you fix that "the barebones Linux OS is the most widely deployed operating system in the world" part? MINIX and Linux are completely different beasts.
    Reply
  • Rob1C
    More info about Minix on Intel CPUs is here: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Hardware - The whole Webpage is a good read along with Wikipedia's Minix entry.
    Reply
  • hoofhearted
    This is already a thing:
    https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
    Reply
  • ticamai
    It's wrong to say that this makes MINIX the most widely deployed OS - MINIX has only been used in the ME since the Skylake architecture, circa 2015. Before that, other solutions were used, notably including a real-time operating system called ThreadX. Many of these earlier revisions were much easier to remove or disable than the current MINIX-based ME, though.
    Reply
  • krueger.industrial
    MINIX was originally created for educational purposes and loosely patterned after UNIX. The name is an acronym for "Mini Unix".

    When Linus Torvalds first created Linux much of the design of Linux was patterned after MINIX. The name Linux is an acronym for "Linus' MINIX".
    Reply
  • ObamasBFF
    20357967 said:
    More info about Minix on Intel CPUs is here: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Hardware - The whole Webpage is a good read along with Wikipedia's Minix entry.

    Wow a link to Wikipedia - thanks for adding that, I'm sure no one would have thought to google this and look at the first return.
    Reply
  • jacksmith21006
    Good on Google to do this. But honestly MS should be taking the lead on these types of things and making us more secure.

    I saw at Pwn2Own 2017 MS Edge was basically hacked at will. Penetrated over and over again. While Chrome was the only browser unhackable in the time allotted.
    Reply
  • grumpigeek
    It is probably a back door for the NSA.
    Reply