MINIX: Intel’s hidden in-chip operating system
Maybe you’re not paranoid. Maybe they are out to get you. Ronald Minnich, a Google software engineer, who discovered a hidden MINIX operating system inside “kind of a billion machines” using Intel processors, might agree with this.
Why? Let’s start with what. Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, “Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME.”
In May, we found out that AMT had a major security flaw, which had been in there for nine — count ’em — nine years.
“Fixing this requires a system firmware update in order to provide new ME firmware (including an updated copy of the AMT code),” Garrett wrote. “Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix,” he said. “Anyone who ever enables AMT on one of these devices will be vulnerable.”
Quick! How many of you patched your PC or server’s chip firmware? Right. Darn few of you. That’s bad. It’s not every processor, but if you or your hardware vendor has “explicitly enabled AMT”, your machine is still vulnerable to attack.
The Electronic Frontier Foundation (EFF) has called for Intel to provide a way for users to disable ME. Russian researchers have found a way to disable ME after the hardware has initialized, and the main processor has started. That doesn’t really help much. ME is already running by then.
But Minnich found that what’s going on within the chip is even more troubling. At a presentation at Embedded Linux Conference Europe, he reported that systems using Intel chips that have AMT, are running MINIX.
If you learned about operating systems in the late ’80s and early ’90s, you knew MINIX as Andrew S Tanenbaum’s educational Unix-like operating system. It was used to teach operating system principles. Today, it’s best known as the OS that inspired Linus Torvalds to create Linux.
So, what’s it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don’t know exactly what version or how it’s been modified since we don’t have the source code. We do know that with it there:
- Neither Linux nor any other operating system have final control of the x86 platform
- Between the operating system and the hardware are at least 2 ½ OS kernels (MINIX and UEFI)
- These are proprietary and (perhaps not surprisingly) exploit-friendly
- And the exploits can persist, i.e. be written to FLASH, and you can’t fix that
In addition, thanks to Minnich and his fellow researchers’ work, MINIX is running on three separate x86 cores on modern chips. There, it’s running:
- TCP/IP networking stacks (4 and 6)
- File systems
- Drivers (disk, net, USB, mouse)
- Web servers
MINIX also has access to your passwords. It can also reimage your computer’s firmware even if it’s powered off. Let me repeat that. If your computer is “off” but still plugged in, MINIX can still potentially change your computer’s fundamental settings.
And, for even more fun, it “can implement self-modifying code that can persist across power cycles”. So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in.
How? MINIX can do all this because it runs at a fundamentally lower level.
x86-based computers run their software at different privilege levels or “rings”. Your programs run at ring three, and they have the least access to the hardware. The lower the number your program runs at, the more access they have to the hardware. Rings two and one don’t tend to be used. Operating systems run on ring zero. Bare-metal hypervisors, such as Xen, run on ring -1. Unified Extensible Firmware Interface (UEFI) runs on ring -2. MINIX? It runs on ring -3.
You can’t see it. You can’t control it. It’s just humming away there, running your computer. The result, according to Minnich is “there are big giant holes that people can drive exploits through.” He continued, “Are you scared yet? If you’re not scared yet, maybe I didn’t explain it very well, because I sure am scared.”
What’s the solution? Well, it’s not “Switch to AMD chips”. Once, AMD chips didn’t have this kind of mystery code hidden inside it, but even the latest Ryzen processors are not totally open. They include the AMD platform security process and that’s also a mysterious black box.
What Minnich would like to see happen is for Intel to dump its MINIX code and use an open-source Linux-based firmware. This would be much more secure. The current software is only secured by “security by obscurity”.
Changing to Linux would also enable servers to boot much faster. According to Minnich, booting an Open Compute Project (OCP) Server takes eight minutes thanks to MINIX’s primitive drivers. With Linux it would take less than 17 seconds to get to a shell prompt. That’s a speedup of 32 times.
There’s no reason not to make this improvement. Minnich noted, “There are probably 30 million-plus Chromebooks out there and when your Chromebook gets a new BIOS, a new Linux image is flashed to firmware and I haven’t heard of any problems.”
Specifically, Minnich proposes that Intel, and AMD for that matter:
- Make firmware less capable of doing harm
- Make its actions more visible
- Remove as many runtime components as possible
- In particular, take away its web server and IP stack
- Remove the UEFI IP stack and other drivers
- Remove ME/UEFI self-reflash capability
- Let Linux manage flash updates
Over this, the new Linux firmware would have a userspace written in Go. Users would work with this Linux shell using familiar commands. This would give them a clear view of what was happening with the CPU and other system components.
At the same time, since UEFI is so easy to hack, he wants the “UEFI ROM reduced to its most basic parts”.
Will this work? It’s still early days, Minnich warned, and you may turn “your laptop into a brick”. But both for security and performance, it needs doing.
It’s neat that an obscure Unix like MINIX, thanks to Intel putting it on multiple cores in its chips, may be the world’s most widely used operating system. But it’s no way to run modern servers and PCs.