General Discussion  - 
 
Intel processors now get OS locked

In an GOLEM interview at CEBIT 2014 fair, Frank Kuypers, technical account manager at INTEL corp., proudly presented a new feature in INTEL processors, called "hooks", beginning with the new 2014 "Merrifield" 64 bit SoC chip generation.

The manager gave an example: In the Intel network only mobiles with certain Android versions are allowed to use certain functionalities. If you then replace your Android version, e.g. by a free Cyanogenmod Android kernel, not only some chips would stop working, e.g. LTE/UMTS, but also mails from your employer would be blinded out, because now the processor itself would 'classify' the new software as 'risk'.

'Hooks' allow custom code to be executed when some defined event (such as saving an article or a user logging in) occurs. This technology is well known and often used to patch binaries or to add functionality to binary code.

But now this functionality is implemented in hardware, so that the OS itself doesn't even notice the execution of e.g. a virus scanner, Frank Kuypers said.

By design, INTEL processors, in opposite to 'hard coded' ARM processors, use microcode. Microcode is used to decode CISC operations (Complex Instruction Set Computer), breaking down instructions to RISC code. Bugs in the processor instruction set so can be corrected by just updating the microcode.

Now, beginning with the new 2014 power efficient mobile "Merrifield" processor generation, this functionality can and will (so are WINTEL alliance plans) be used to lock the processor for certain OS'es or OS versions.

First implementation will be the INTEL owned McAffee virus scanner, which now operates in the background on microcode level, completely unnoticeable by the OS or system operator, Frank Kuypers proudly added.

Whether there will be a SDK or use of this 'functionality' will be kept a secret, still is undecided, Kuypers said.

Have fun!

Source: http://www.golem.de/news/intel-hooks-im-kernel-sollen-android-sicherer-machen-1403-105054.html
65
151
Michael Stuhr's profile photoSteve Watson's profile photoRoberto Uzcategui's profile photoAndres Costa's profile photo
45 comments
 
This sounds crazy and appears to be a move for so-called security over freedom, but I'm sure many people would argue the security aspect.
 
If they try to make this stop Linux I bet they have giant protests at the plant or get people barraging them with phone calls.
 
The main issue I see is that you'll buy a computer from a shop with Windows os and not be able to change to Linux or another os in the future. You may be able to buy the processor unlocked for a sum. With mobile phones/tablets it can be worse with phone networks also potentially have a lock-in. It's a disaster for the consumer or a blessing for other processor manufacturers ;-)
 
The technology is awesome but what they're doing with it is terrible.

If OEM X wants to restrict me in what OS I can run on MY device it now has all the tools from Intel to do so. MY DEVICE!

If this would have been implemented by say HTC nobody would even remember the HD2 by now.

They'd better release that SDK to let users/developers decide if/how they want that feature to work on THEIR phones/tablets/etc.
 
+Stefan Lang Microcode is very similar to ASIC or FPGA technology (ASIC is much faster, up to 15 GHz possible). By updating 'microcode' you burn new circuits into the processor, which then has same functionality as software code.

Functionality should be similar to the well known 'traps' or 'processor exceptions', which can be used e.g. for virtualization or former floating point emulation in 386/486sx. http://wiki.osdev.org/Exceptions

But now - invisible to the OS and software running. The OS can neither control nor debug nor stop these processes.
 
After NSA, I would never buy a processor with the potencial to spy on me. Not because NSA (they should be too busy looking for naked ladies), but because all this tech will be available to criminals. This, added with the (in)security we have on Windows, can be a big problem.
P.S.: Yes, today all processors can spy on me, this is a software issue from current architecture. But the new one allows that without any control and without even my knowledge, protected inside the chip. Just to make things clear.
 
Great, builtin McAffee. Because it wasn't hard enough to remove before.
 
Although I am skeptical as to the verifiability of these claims, if this happens, I will certainly avoid Intel for the rest of my life and will also not recommend it to anyone. I will stick to ARM Chromebooks with a full Linux distro installed.
 
+Stefan Lang First, you can't modify microcode without knowing, what the 1s and 0s are good for. You need exact knowledge of the circuits. Second, kernel modifications are not needed. These are needed just for notifying the user about e.g. a possible virus. So, INTEL may code anything into its microcode, be it doing kernel checksuming during runtime or sending data over the network. Imagine a virtual machine controlling execution of software in the other VM.
 
It means the NSA can embed spy software in your phone and you can't detect it.
 
Lol welcome to the world of ring -1 root kits
 
"hooks in the kernel to make Android more secure".

Translation: we have to stop people from removing our spy software.
 
+Stefan Lang You can change it to something clean if it's open source. The idea is that hardware security prevents changes to the OS unless authorized. And who holds the authorization key? It won't be you.
 
Bonus points for the first microcode malware author.  If you're at ring0, the OS can't see you evading the anti-virus, nor can it remove you.
 
+Guido Stepken should have read the Intel DPT factsheet first :) The original announcement is practically telling that Intel follows the other major mobile players to add support for RSA signed boot/code to its mobile processors (somewhat "mobile UEFI").
Obviously Apple and Qualcomm already have this. And still you can run CM on Qualcomms.
Obviously the security framework of McAfee is above the microcode, nobody can expect daily microcode updates to be released with new virus definitions, can you?
 
+Stefan Lang As human brain also is being "programmed" by restructuring its neurons, changing "circuits", you can't speak from "it's still in the software, not in the hardware". In fact, INTEL is ringing up a revolution.
 
+Tibor Hársszegi You haven't yet really understood. The virus filter implementation is neither implemented in x64 machine code nor does it consume DDR3 memory space! Virus scanning, as Kuypers said, runs parallel to "offical" CPU instructions, so not consuming CPU resources.
 
+Stefan Lang "Just one more time: can you please point to the source of information that proves or at least makes you think Intel's new SoCs will take the control over the device completely out of it's owner's hands..."

Sure: http://www.nsa.gov/
 
Every feature has an exploitable downside, and this one packs an expensive wallop.

The first time a malicious hacker releases code into the wild that can brick your shiny new CPU, there will be hell to pay. This is a terrible idea.
 
+Stefan Lang DPT "fact sheet" is just about how it is advertised, not about how it is implemented.

Being able to detect an illegal kernel, switching off hardware, filtering a data stream parallel to normal CPU instructions require significant changes to processor architecture, that go down to microcode.
 
+Stewart Gee I have a better idea: how about a microcode cryptocurrency miner?  Steal 2-5% of CPU (small enough not to be noticed).  Once there are thousands of these infected, you've got serious computing power for free.
 
It sounds like people overreacting and assuming it will block other OS's from being an option.

It seems this could be useful for company security on smartphones since currently, root access allows you to bypass all security practices you agree to and give a fake response lying about the phone's security settings.

I'm not sure how well it will work in practice though.
 
+Stefan Lang Just because you're not paranoid doesn't mean the FBI, the NSA, and the CIA don't have a file on you.

+William Eddins Since every US company has done everything it can to squeeze as much money out of their customers as possible, I don't think I'm overreacting.

This is what has happened in the past. Why shouldn't it happen in the future?
 
With ARM having licensed 10 billion processors in 2013, 1/3 of them faster CORTEX ones, mostly running Linux, i doubt, that INTEL will ever play an important role in mobile computing as well as cloud computing, since a small RPi "dedicated server" is just $30, RK3188 quad core $8 in 1000 quantities. These only have a 10 kbyte "zero bios" FPGA on board for being able to boot from flash. No place to hide trojans in.
AMD Kaveri two and quad cores with its fast GPU is about to become mainstream in gaming, but not under Windows - under Linux!!! See http://phoronix.com OpenGL/Mantle benchmarks.
 
+Tibor Hársszegi Kuypers spoke about "processor hooks", a hardware implementation! I mentioned software hooks just as reminder, how these work and are typically used. 
 
+Stefan Lang Those hooks, INTEL plans to introduce with the new processor generation! With an open Linux kernel you otherwise could directly code things into the kernel, no "hooks" neccessary! Compris?
 
And what if a virus gets into this microcode? It can run with no way for the OS to notice it?
 
Generalised Reduction: "It makes it much easier to execute code at a hardware level WITHOUT THE OS NOTICING". Hmm.....Sounds like the designers at Intel have been working with the NSA on this new implementation.
 
Interesting...the first thing I do when I get any new computer is remove McAfee because it's such a hideous, bloated resource hog. Looks like you will not longer be able to do that with these machines. I'll be sticking with open-source, thanks...
 
This is the death of indivisuality and personal preference
We love android because its customable if they do this we might as well buy a locked up Iphone
 
Looks like AMD/ARM are going to have a field day with this dumb move by Intel.
 
Not to be alarmist, but I appreciate the heads up letting me know not to purchase an Intel based tablet or phone. 
 
I guess it's for businesses. Personally I'd never buy such a chip set.
 
When God is made known to the world and people see I have made His temple, an operating system.  We (the world) will spend a year finalize a 100,000 line version that is perfect and Intel will burn TempleOS into PC CPUs.  Hopefully, it is as unchanged as a Commodore 64 ROM.

We will develop future PC hardware to have low-driver-linecount interfaces and perfect TempleOS even more in the future.

Microsoft and Linux will add support for RedSea filesystem so that FAT32 and ISO9660 code will be removed, making more linecount available.

See my demands.  http://www.templeos.org/Wb/Doc/Demands.html
 
I will stick to ARM + FPGA or Open Core thank you very much.
 
* Correction: I don't mean custom CPU architecture, just putting TempleOS in a on-chip flash memory at the Intel factory.  Once you learn God really talks and He claims TempleOS as His temple, this will not seem unreasonable.  We need RESET buttons on computers again and a fast BIOS bypass for booting would be good.  Somebody had the idea of a hotkey to change context to TempleOS. 
Add a comment...