[coreboot] Intel ME The Way of the Static Analysis

Zoran Stojsavljevic zoran.stojsavljevic at gmail.com
Sun Apr 30 09:12:42 CEST 2017 

Very good presentation from Dmitry Sklyarov. Despite there are some
inaccuracies, the work done by his team on ME 11 is impressive. :-)

Here, I am just thinking loud...

Interesting... ME 11 has some new HW concepts, introduced by INTEL for SKL
onward. Knowing the EGO trips of the leading INTEL people, I would not be
surprised to see that ARC/SPARC is actually swapped with quark (shrinked
PENTIUM on 22nm), introduced as serious challenge to ARM in IOT space by
BK, CEO of INTEL, when BK was just a TMG leader (Y2013). Quark is his
beloved baby, crown of his technical career (leading him to be CEO).

Actually, quark is pushed into very serious designs all over the place,
from 3 years ago, fast forwarded in Time. So quark could be the
replacement. AS additional justification for BK's decisions, dated more
than 3 years ago.

Looking what MINIX3 itself is, it kinda confirms my thoughts:
http://www.minix3.org/
*MINIX 3 is a free, open-source, operating system designed to be highly
reliable, flexible, and secure. It is based on a tiny microkernel running
in kernel mode with the rest of the operating system running as a number of
isolated, protected, processes in user mode.*

The another interesting fact I did not know is that ME is taking minimum 2x
of consecutive 16MB of DRAM (this I new already), but that this DRAM is not
accessible by OS, running on CPU. Thus, Since I know that these 32MB of
memory are very close to TOM (on the first 4GB of memory), and reserved by
the time HECI I/F starts synchronising BIOS and ME engines, by 99.999%
users while BIOS executes, but for more Coreboot knowledgeable people right
after MRC algorithm is done/executed), it forces me to think that there is
another INTEL HW extension, hidden, which assures that this memory is NOT
accessible. Or, perhaps, one of variable MTRR definitions is used for this
purpose (procedure embedded in BIOS). I need to investigate more on this
topic.

MINIX3 on the top of quark is viable design. Especially that there is
superuser mode, there are discovered UNIX FS definitions (user/group/world
permissions on extensions), and modular packages (all modern Linux distros
have this concept). And... Notion of ring0 and ring3, introducing
additional layer of ME protection (not available by RTOS ThreadX, my best
guess).

Very interesting presentation, indeed. But I need to watch it several
times, to let additional ideas to pop in my mind... ;-)

Thank you (Dmitry especially),
Zoran

On Wed, Apr 26, 2017 at 10:57 PM, Patrick Georgi via coreboot <
coreboot at coreboot.org> wrote:

> Fun tidbit: The ME is running MINIX3 (confirmed by a file in the
> Google cache: http://webcache.googleusercontent.com/search?
> q=cache:tCcU0NRwTnQJ:ftp://ftp.supermicro.com/CDR-X11-UP_
> 1.10_for_Intel_X11_UP_platform/Intel/ME/Other_
> Licenses/Minix3_License.txt+&cd=1&hl=de&ct=clnk&gl=de&lr=lang_de%7Clang_en
> )
>
> 2017-04-26 22:47 GMT+02:00 Youness Alaoui <kakaroto at kakaroto.homelinux.net
> >:
> > Thanks for the links.
> > This is the article that I had seen :
> > http://blog.ptsecurity.com/2017/04/intel-me-way-of-static-analysis.html
> >
> >
> > On Tue, Apr 25, 2017 at 10:38 AM, Shawn <citypw at gmail.com> wrote:
> >>
> >> slide:
> >> https://www.troopers.de/downloads/troopers17/TR17_ME11_Static.pdf
> >>
> >> video:
> >> https://www.youtube.com/watch?v=2_aokrfcoUk
> >>
> >> --
> >> coreboot mailing list: coreboot at coreboot.org
> >> https://mail.coreboot.org/mailman/listinfo/coreboot
> >
> >
> >
> > --
> > coreboot mailing list: coreboot at coreboot.org
> > https://mail.coreboot.org/mailman/listinfo/coreboot
>
>
>
> --
> Google Germany GmbH, ABC-Str. 19, 20354 Hamburg
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg
> Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170430/0543d579/attachment.html>

More information about the coreboot mailing list