On 03/28/2019 04:04 PM, Philipp Stanner wrote:
> Recently I had an interesting discussion with a system administrator who is responsible for several hundred PCs, routers, etc.
> His argument was: Imagine it would take you 15 minutes to install a patch on a computer (all Windows machines of course...). If your company has 1000 computers and you send one admin to install the patches, it will take him >31 work days, working 8h a day. That's why, he said, companies are interested in software allowing them to install stuff on the OS / hard drive remotely through the firmware.
What happened to WSUS etc.? PowerShell scripting? Remote desktop? WMI? PXE/iSCSI boot to use Windows Deployment Services?
That is a poor excuse, since no one has ever needed ME/PSP to remotely install patches, and I personally have never seen it used, only the things above.
> I, not dealing with large networks, had never thought about it this way. But it does make a lot of sense to me, it's about real money (as usual).
> So I guess that's indeed a huge reason why Intel and AMD created Frankenstein, running below UEFI and Kernel.
No, it's not.
ME/PSP are DRM.
BMC chips are not, and have been around for a long time for exactly the use you desire.
A big company can buy RaptorCS OpenPOWER Blackbird or TALOS 2 workstation motherboards and use OpenBMC, which is much better and more secure, and one can always make updates rather than being stuck with an old and exploitable proprietary firmware when the support cycle ends.