Hi all, glad my glamorous title obtained your attention :-D
I'm joking about Black Friday, I'm _not_ joking about "CPU as a service" since the issue I recently labeled in this ML as the "MINIX on ring -3 discovery" is not clear to at least one of my FSFE-pen-friends, I have be more specific also, please I would like to know if and eventually how FSFE will address this kind of issues when talking with EU or local representatives about the "Consumer rights and device sovereignty" policy goal for 2019 https://fsfe.org/activities/policy/eu/policy-goals/consumer-rights.en.html considering what I'm going to show here, we should definitely extend the device sovereignty to **all users**: public and private companies, governments and all other institutions too, not only consumers (ouch!) :-O ...so please also remind EU and local representative that **(part of) their(sorry: our) IT systems are also affected** by this serious issue
Executive summary ------------------ «One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them» on all Intel processors sold after 2008 there's a running *proprietary* variation of the not copyleft free software MINIX 3 (unknown version), MINIX is running in "ring -3" [1] now we have the proofs that: 1. **no** "user facing OS" operating system have final control of the x86 platform 2. between the "user facing OS" and the hardware there are at least 2 ½ OS kernels (MINIX and UEFI) 3. these are proprietary and very likely exploit-friendly 4. the exploits can persist, i.e. be written to FLASH, and you can't fix that 5. the user have _no access_ to the MINIX running in ring -3 MINIX is running on three separate x86 cores on modern chips, on that OS are running: 1. TCP/IP networking stacks (4 and 6) 2. File systems 3. Drivers (disk, net, USB, mouse) 4. Web servers please **do not** consider this kind of issues specific to a single brand of CPUs, since we still do not have proofs but the development path is the very same *** Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared. *** (Ronald Minnich) The not so short story ----------------------- the fact: on Wednesday, October 25 2017 Ronald Minnich from Google told the world about this: «With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.» this article presents a short version of the story: http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/ I used this for my executive summary ;-) the issue is **not** new (known since 2016, at least) and presented many times also in FSF/FSFE "circles", eg. here https://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me and here https://lists.fsfe.org/pipermail/discussion/2016-April/010912.html EFF and Matthew Garrett where more specific about the nature of the issue on May 8 2017 here https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it and here https://mjg59.dreamwidth.org/48429.html so: what's new now?!? since October 25 (save the date!) what **is** new is that we have a scientific proof of the real nature of this _mess_ ...and we know that Google *is* _desperately_ trying to get rid of this issue from their systems *but* they are failing to fully do this please enjoy the full Garrett's talk in this video https://www.youtube.com/watch?v=iffTJ1vPCSo he said: "always use coreboot if you can, but if you are stuck with a situation..." (29:21 of the video) ... libreboot is maybe better, IMHO so, ladies and gentlemen I'll introduce you "CPU as a service" do we have to accept an EULA?!? ciao Giovanni [1] https://en.wikipedia.org/wiki/Protection_ring what the hell is ring -3 ?!?! who "invented" it? where is it documented? should we expect to see "ring -9" in the future? how we could even allow anyone in the world to implement such a perverted environment? -- Giovanni Biscuolo Xelera - IT infrastructures http://xelera.eu/contact-us/ **per favore** Quota Bene: http://wiki.news.nic.it/QuotarBene **please** use Inline Reply: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
signature.asc
Description: PGP signature
_______________________________________________ Discussion mailing list Discussion@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/discussion
