The Intel Management Engine (ME) has been a motherboard component that has remained under the radar until recent years. Since 2008, it has been available on most motherboards as a removable chip, with the option to disable it. However, motherboards produced in 2016 and beyond have the ME integrated within the Northbridge, meaning it cannot be removed.
This component runs a modified version of the MINIX 3 operating system hosting a discreet web server. MINIX keeps running while your computer boots, while it sleeps, and even while your operating system is running. It is effectively an embedded computer within your computer, with its own processor, memory, and storage.
Not surprisingly, the general public is starting to question its security and privacy with such an intricate subsystem running without their permission. MINIX is receiving more attention than ever now that we know of its presence in most x86 desktop and server computers.
What is MINIX?
MINIX was created in 1987 by Andrew S. Tanenbaum as a teaching tool for operating system design. It was designed to be a simple, modular microkernel operating system that could run on limited hardware, making it an ideal educational resource. The accompanying textbook, “Operating Systems: Design and Implementation,” which includes MINIX, became a staple in computer science curricula, helping students grasp fundamental concepts of operating systems.
In the early 1990s, MINIX gained attention as a precursor to Linux. Linus Torvalds, the creator of Linux, was inspired by MINIX’s design and functionality. While MINIX was primarily used in academic settings, its microkernel architecture offered advantages in reliability and security, making it appealing for certain embedded applications.
Intel’s decision to incorporate MINIX into the Intel Management Engine can be traced back to the need for a lightweight, reliable operating system that could operate independently of the main CPU. The ME is a small, low-power processor embedded in Intel chipsets that runs its own firmware, allowing it to perform various tasks such as remote management, system monitoring, and security functions. By utilizing MINIX, Intel could leverage its microkernel architecture, which is designed to be secure and resilient.
The Controversy Surrounding MINIX in Intel’s Management Engine
The inclusion of MINIX in the Intel Management Engine has not only raised technical questions but also sparked discussions about ethics and communication in the tech industry. In November 2017, Andrew Tanenbaum, the creator of MINIX, publicly addressed Intel in an open letter expressing his surprise and concern regarding the use of his operating system in Intel’s ME technology.
Tanenbaum humorously noted that the widespread deployment of MINIX made it the most widely used operating system in the world, even surpassing Windows, Linux, and macOS. However, he was taken aback to learn about this development through media reports rather than direct communication from Intel. While he had previously collaborated with Intel engineers on technical modifications to MINIX, he felt it would have been courteous for Intel to inform him of their intentions to utilize his work in such a significant way.
In his letter, Tanenbaum emphasized that he did not seek financial compensation for the use of MINIX, as it was released under the Berkeley license, which allows for such use without obligation. Nonetheless, he expressed disappointment over the lack of communication from Intel regarding the project’s completion and the role MINIX was playing in their technology. He also raised broader concerns about privacy and security, cautioning against the implications of embedding a management engine in personal computers. Tanenbaum’s open letter serves as a reminder of the responsibilities that come with technological advancements and the need for transparency in their implementation.
Security Concerns for the Intel Management Engine
For those who are not familiar with protection rings: they prevent certain code from accessing more privileged levels of processor operation. For security reasons, higher-numbered (less privileged) rings cannot access the resources of lower-numbered (more privileged) rings, but lower-numbered rings can access everything in the rings above them.
This embedded MINIX variant runs in Ring -3, the lowest and most privileged level at which software can run. An operating system typically uses rings 0 and 1, so it operates at a much higher (less privileged) level than the Intel Management Engine. If this subsystem is compromised, your entire system is at risk.
Since the ME has internet connectivity, a remote hacker may access otherwise protected data and execute any root-level commands within your helpless operating system. Even scarier, unauthorized access extends into any network interfaces, RAM, and built-in cryptographic engines.
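The following C program is an added example, not code from the original article or from Intel or MINIX. It reads the privilege level that its own code runs at (on x86 the low two bits of the CS selector hold the Current Privilege Level, so an ordinary process always observes ring 3 and cannot lower that value itself) and models the one-way access rule described above, using the article's informal "Ring -3" label for the ME alongside the architectural rings 0 and 3. It assumes a GCC or Clang toolchain with inline assembly; on a non-x86 build the CPL read is skipped and reported as -1.

```c
#include <stdio.h>

/* Added example, not from the original article.
 * Read the Current Privilege Level (CPL) of the running code. On x86 the
 * low two bits of the CS segment selector hold the CPL, so user-space code
 * always sees 3 and cannot lower the value on its own. Assumes GCC/Clang
 * inline assembly; returns -1 when built for a non-x86 target. */
int current_privilege_level(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return (int)(cs & 3);
#else
    return -1;
#endif
}

/* The article's "Ring -3" for the ME is an informal label rather than an
 * architectural ring, but the same ordering applies: a numerically lower
 * ring is more privileged. */
#define RING_ME     (-3)
#define RING_KERNEL   0
#define RING_USER     3

/* Model of the rule from the text: code in ring `from` may reach resources
 * belonging to ring `to` only if `from` is at least as privileged, i.e.
 * numerically lower or equal. Returns 1 when allowed, 0 when blocked. */
int ring_can_access(int from, int to) {
    return from <= to;
}

int main(void) {
    int cpl = current_privilege_level();
    if (cpl < 0)
        printf("not an x86 build; CPL check skipped\n");
    else
        printf("this process runs in ring %d\n", cpl);

    /* Illustrate the one-way nature of the hierarchy. */
    printf("kernel (ring %d) -> user (ring %d): %s\n", RING_KERNEL, RING_USER,
           ring_can_access(RING_KERNEL, RING_USER) ? "allowed" : "blocked");
    printf("user (ring %d) -> kernel (ring %d): %s\n", RING_USER, RING_KERNEL,
           ring_can_access(RING_USER, RING_KERNEL) ? "allowed" : "blocked");
    printf("ME (ring %d) -> kernel (ring %d): %s\n", RING_ME, RING_KERNEL,
           ring_can_access(RING_ME, RING_KERNEL) ? "allowed" : "blocked");
    printf("kernel (ring %d) -> ME (ring %d): %s\n", RING_KERNEL, RING_ME,
           ring_can_access(RING_KERNEL, RING_ME) ? "allowed" : "blocked");
    return 0;
}
```

Compile with `cc -o rings rings.c` and run it as a normal user: the reported ring is 3, and the table shows why a compromise of the lowest ring cannot be contained by anything running above it, which is the point the section makes about the ME.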
Using and Building MINIX 3
MINIX 3 is not only a powerful educational tool but also a versatile operating system that can be used in various applications, particularly in environments where reliability and security are paramount. Building and using MINIX 3 involves several steps, which can be undertaken by both novice and experienced users.
Getting Started with MINIX 3
To begin using MINIX 3, follow these steps:
- Download: Obtain the latest version from the official MINIX website.
- Installation Media: Create a bootable USB drive or CD-ROM to install MINIX 3 on your target hardware or run it in a virtual machine.
Building MINIX 3 from Source
For those interested in building MINIX 3 from source for testing or security audits, the process is straightforward. Here’s how to do it:
Prerequisites
Ensure you have the necessary development tools installed on your system, including:
- A C compiler
- Make utility
Steps to Build
- Clone the Repository:
git clone https://github.com/0xffea/MINIX3.git
cd MINIX3
Configure the Build Environment
- Set Up Paths: Ensure all necessary paths are configured correctly.
- Install Dependencies: You may need to install additional libraries depending on your system.
Compile the Source Code
To compile the source code, run the following command:
./build.sh
Final Thoughts
Between the intrusive nature of the ME and other recent processor exploits (like Spectre and Meltdown), users are tempted to migrate towards AMD and other processor architectures. With ARM catching up in performance, RISC-V becoming commercial, and Talos II resurrecting the POWER ISA for desktops, Intel may not hold its dominance in the desktop market for much longer. On the other hand, if the Intel ME proves to be rock solid against exploit attempts, that could only mean good things for MINIX in the embedded device market.