On Thu, 7 Sep 2017 at 21:17:20 +1000
Erik Christiansen <dvalin@???> wrote:

> The notion of an extra embedded CPU or two on big Intel chips is not
> difficult to credit, but where is the postulated entire minix OS loaded
> from?

It's in the report by the Positive Technologies team:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

    We see increasing interest in Intel ME internals from researchers all
    over the world. One of the reasons is the transition of this
    subsystem to new hardware (x86) and software (modified MINIX as an
    operating system). The x86 platform allows researchers to make use of
    the full power of binary code analysis tools. Previously, firmware
    analysis was difficult because earlier versions of ME were based on
    an ARCompact microcontroller with an unfamiliar set of instructions.

> If our hosts cannot be trusted not to phone home to folk wearing dark
> glasses,

They do not just that they phone home, the worst part is that they pick up
the phone, your phone!

> then would it not suffice to employ a simple embedded host with
> a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?

Maybe, but it's difficult to know exactly what triggers the numerous ME
modules and functions of a running system - it's best disabling everything
at boot time. You are supposed to filter both incoming and outgoing traffic,
which is not very easy when you do not know what you need to block. Plus, I
do not remember where I read it, but there are functions in WiFi AP/DSL
modems that were found to have backdoors that are triggered by a precise
sequence of IP packets the unit receives where both headers and payload
matter, which makes for a complicated deep packet inspection firewall that
you need to set up.

What we actually need is Openhardware products ready to supplant current
off-the-shelf proprietary chips and controllers.


--
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: dhatarattha@???
Chiavi PGP/GPG keys: B7FD89FD, 4A904FD9