Posts Tagged ‘security’

MINIX NEO N42C-4 Mini PC Review – Part 2: Windows 10 Pro

January 7th, 2018 9 comments

MINIX NEO N42C-4 is the first Apollo Lake mini PC from the company, which also happens to be their first one with a fan, using internal antennas for WiFi and Bluetooth, and offering user-upgradeable storage and memory thanks to M.2 and SO-DIMM slots. The device also features three video outputs via HDMI 2.0, mini DisplayPort, and USB Type C ports supporting up to three independent displays.

I’ve received a sample and already checked the hardware, and showed how to install an M.2 SSD and SO-DIMM RAM to the device in the first part of the review entitled MINIX NEO N42C-4 Triple Display Capable Mini PC Review – Part 1: Unboxing and Teardown, so I’ll report my experience with Windows 10 Pro in the second part of the review, and there should also be a third part specifically dealing with Linux support.

MINIX NEO N42C-4 Setup, System Info, BIOS

The device is basically an update to MINIX NEO Z83-4 Pro mini PC, also running Windows 10 Pro but on a Cherry Trail processor instead, and many of the parts will be similar so I’ll refer to that review from time to time.

I first connected the mini PC with the usual peripherals and cables including USB keyboard & mouse, USB 3.0 hard drive, HDMI cable to my 4K TV, Ethernet cable, and since the computer also comes with a USB type C port supporting DisplayPort Alt mode, I also connected Dodocool DC30S USB-C hub in order to get a second HDMI display.

Time to connect the power supply, press the power button for two or three seconds to get started, with the blue LED on the front panel turning on, and shortly after getting to the Windows 10 Pro Welcome screen, where you could use Cortana voice assistant (or not) in order to go through the setup wizard to select the country and keyboard, accept the EULA, sign-in or create a user, set privacy settings and so on.

I won’t go into details since the procedure is exactly the same as their previous model, and you can check the Windows 10 Pro setup wizard section of NEO Z83-4 Pro review to get more photos about the initial setup. What was different this time is that a large Windows update (2 to 3GB) was available, and I waited for it to complete before accessing Windows desktop, but as you can see from the photo below there’s also an option to “go to my desktop while my PC updates”.

Now we can get to the desktop, and check info about the Windows 10 license, and basic hardware info in Control Panel-> System and Security -> System. The mini PC runs an activated version of Windows 10 Pro 64-bit, and is equipped with an Intel Pentium N4200 CPU, 4GB RAM as advertised.

I took a screenshot of the “Devices and drives” section in “This PC” right after initial setup, and the 32GB eMMC flash has a 28.1 GB Windows partition (C: drive) with only 7.72GB free, but later on a pop-up will show up asking whether we want to delete the old Windows 10 update files, and free space will increase a lot.

The D: drive is the 240GB M.2 SSD I installed myself, but since I partitioned it for another review with EXT-4 and NTFS, only the 59.6GB NTFS partition shows up. E: and F: drives are the NTFS and EXFAT partitions on the USB 3.0 drive, so all my storage devices and (Windows compatible) partitions have been detected and mounted properly.

I took a Device Manager screenshot for people wanting more technical details, and since we can see Trusted Platform Module 2.0 shown in security devices, I also launched tpm.msc “Trusted Platform Module Management” program to confirm the TPM was indeed ready for use.

HWiNFO64 shows the same information as for other Intel Pentium N4200 systems, except for the CPU microcode (μCU) which has been updated to version 24, and hardware specific items like the motherboard name, and BIOS date and version.

Since I don’t own any DisplayPort capable display, I could not test triple display support, but I could still work with a dual display setup using the HDMI 2.0 port and USB type C port via my USB-C hub as shown in the photo below. You may want to read the video output ports limitation listed in the first part of the review to make sure the system meets your requirements if you plan to use three displays.

Pressing “Esc” at boot time will allow you to access Aptio Setup Utility, often referred to as “BIOS”.

In previous models, MINIX had added several extra features in Advanced->MINIX Feature Configuration, but when I went there I could only find EarPhone Standard selection, no more restore AC power loss, wake-on-lan, etc… But then I found the other extra MINIX options had moved to Advanced->Power Management Configuration, and we still have WoL, restore AC power loss, RTC wakeup, etc. functions. So all is well…

MINIX NEO N42C-4 Benchmarks

The performance of Intel Apollo Lake processor is now well known, but let’s still go through the usual benchmarks to make sure everything is working as expected.

A PCMARK 10 score of 1,568 points is actually quite better than the score I obtained with MeLE PCG03 Apo (Celeron N3450 – 1,334 points), and MeLE PCG35 Apo (Pentium J3455 – 1,391 points), both quad core fanless Apollo Lake mini PCs, so it looks like the fan may be helping, as well as the faster storage as we’ll see below. For reference, NEO Z83-4 Pro’s PCMARK 10 score was 896 points, so there’s a clear performance benefit here.

NEO N42C-4 PassMark 9.0 score: 768.3 points. In this case, the mini PC is slower than MeLE PCG35 Apo with 790.7, which should be expected since Pentium J3455 (1.5/2.3 GHz, 10W TDP) is supposed to be a bit faster than Pentium N4200 (1.1/2.5 GHz, 6W TDP). However, if we compare to Voyo (V1) VMac Mini’s score (1087.0 points) also based on Pentium N4200 processor, then it’s disappointing. But there’s an explanation, as PassMark attributes a significant share of the score to storage performance, and Windows 10 is installed on the faster SSD in the Voyo mini PC, breaching Microsoft’s low cost license agreement in the process… However, there’s also another element of the score that is weak in N42C-4: 3D graphics mark (132.2 vs 325.8), and both systems were configured to use 1080p60.

I’ve run the 3D graphics mark manually again to make sure the issue was reproducible (it is), and to get some data to compare to similar systems with better scores in the future.

However, switching to 3DMark’s 3D graphics benchmarks, MINIX NEO N42C-4 performs better than Voyo V1 with 366, 1,567, and 2,658 points for Fire Strike 1.1, Sky Diver 1.0, and Cloud Gate 1.1 respectively, against 267, 1,384, and 2,347 points for the Voyo mini PC. Ice Storm benchmark failed to complete on NEO N42C-4 after three tries, even after a reboot, so there may be a problem with the 3D graphics drivers.

MINIX used a pretty good 32GB eMMC flash with sequential read up to 307.5 MB/s and writes around 81 MB/s, nearly twice as fast as their MINIX NEO Z83-3 Pro for reads, but random I/Os are roughly the same.

I also benchmarked KingDian N480 M.2 SSD, and results were even better than in MeLE PCG03 Apo mini PC with significantly better sequential and random speeds in most tests.

USB 3.0 NTFS write speed was rather poor (35 to 45MB/s) in MINIX NEO Z83-4 Pro mini PC, but NEO N42C-4 has no such problem getting over 100 MB/s for both read and write.

Full duplex Gigabit Ethernet performance is excellent.

802.11ac WiFi performance is also very good for both download and upload, and much better than MINIX NEO Z83-4 Pro.

So in my case, having switched to internal antennas does not negatively affect performance at all.

I’ve compared MINIX NEO N42C-4 mini PC to other Apollo Lake mini PCs, as well as Cherry Trail based MINIX NEO Z83-4, and an Intel Core M3-6Y30 Compute Stick, whenever scores are available. First, there’s a clear advantage of upgrading from the Cherry Trail model to the Apollo Lake one, N42C-4 has the best eMMC storage performance (although systems running Windows 10 on an SSD will be faster), and usually performs better than other Apollo Lake mini PCs, except for Passmark 9.0 due to the poor 3D graphics result in that benchmark.

Note that the values above have been adjusted with different multipliers for each benchmark (e.g. 3DMark Fire Strike multiplied by 5) in order to display all benchmarks in a single chart.

MINIX NEO Z83-4 Stress Testing, Power Consumption, and Fan Noise

I also use the device as a desktop computer, doing my usual tests such as multi-tasking with Thunderbird, LibreOffice, Firefox, etc, as well as multi-tab web browsing, YouTube, playing Asphalt 8: Airborne game, etc… It works well with a user experience similar to most Apollo Lake mini PCs, and the usual caveats like YouTube 4K working better in Microsoft Edge, but usable in Chrome/Firefox as long as you disable VP9. Whether Kodi 17.6 works suitably well will depend on your requirements. Automatic frame rate switching, HDMI audio pass-through for Dolby Digital 5.1, and 4K H.265 / H.264 are usually all working, but VP9 is using software decode and is quite slow, pass-through for TrueHD and DTS HD is not working, and from time to time some H.265 videos just show a black screen.

I stress-tested the mini PC using Aida64’s stability test for two hours, and CPU temperature never exceeded 60°C, so no thermal throttling problem at all, and it should make a good mini PC in relatively hot environments. CPU frequency averaged 1.8 GHz.

While there was no thermal throttling, the power limit was exceeded during spikes to burst frequencies, but I’d assume this may be normal behavior.

While the mini PC comes with a fan it is incredibly quiet, and my main computer – which I admit is rather noisy – completely overwhelms whatever noise comes from NEO N42C-4. When I turn off all other equipment, I cannot hear anything while idle, unless I place my ear close to the device, in which case I hear some low level noise, either the fan turning slowly, or another source of noise. Under load, it’s possible to hear the fan, but again noise is very low.

I used GM1352 sound level meter, placing the device about 2cm above the enclosure (since I don’t happen to own an anechoic chamber), and as you can see from the table below measured sound levels are really low compared to a device like Voyo VMac Mini.

Condition | Noise Level (dBA)
Ambient noise (aka Silence) | 38.5 to 38.9
MINIX NEO N42C-4 Idle | 39.1 to 39.5
MINIX NEO N42C-4 Stress test | 39.7 to 40.4
Voyo Vmac Mini – Idle | 52.3
Voyo Vmac Mini – Stress test | 52.5 to 57.5

Finally some power consumption numbers without USB-C hub, nor USB 3.0 expansion drive unless otherwise noted:

  • Power off – 1.1 to 1.2 Watts
  • Sleep – 1.2 Watts
  • Idle – 6.4 Watts
  • Aida64 stress test – 13.4 Watts
  • Kodi 4K H.264 from HDD – 14.3 to 16 Watts
  • Kodi 4K H.265 from HDD – 15 to 17.1 Watts

Conclusion

If you’ve been using MINIX NEO Z83-4 Pro mini PCs, MINIX NEO N42C-4 will offer a nice upgrade with significantly better performance, and some problems I found in the Cherry Trail device are gone: USB 3.0 NTFS write speed is normal (100 MB/s), and 802.11ac WiFi performance is excellent, the best I’ve tested so far (with iperf). Compared to other Apollo Lake mini PCs, the performance is also a bit higher, running temperature is very low (< 60 °C) thanks to the quiet fan, and you’ve got a TPM 2.0 chip, VESA mount, support for triple display setup, an activated Windows 10 Pro OS, all features normally not found in other cheaper models. The low running temperature should make it ideal in hot climates where room temperature may be 35 to 40ºC.

The mini PC has some of the same limitations as other Apollo Lake mini PCs, with Kodi 17.6 handling VP9 codec with software decode, and no TrueHD nor DTS-HD pass-through, and watching online videos for example with YouTube works better in Microsoft Edge. The only small issues I found are low 3D graphics performance in Passmark 9.0 – but no such performance issues in other benchmarks – and 3DMark Ice Storm benchmark would not complete successfully.

MINIX NEO N42C-4 Pro mini PC sells for $299.90 and up on various sites including Amazon US, Amazon UK, GearBest, GeekBuying, etc…

Intel Apollo Lake Windows 10 Benchmarks Before and After Meltdown & Spectre Security Update

January 6th, 2018 36 comments

So this week, there’s been a fair amount of news about Meltdown & Spectre exploits, which affect all major processor vendors one way or another, but especially Intel, and whose mitigations require operating system and in some cases microcode updates that decrease performance for some specific tasks.

Microsoft has now pushed an update for Windows 10, and since I’m reviewing MINIX NEO N42C-4 mini PC powered by an Intel Pentium N4200 “Apollo Lake” processor, and just happened to run benchmarks before the update, I decided to run some of the benchmarks again to see if there was any significant difference before and after the security update.

First I had to verify I had indeed received the update in the “installed update history”, and Windows 10 Pro was updated on January 5th with KB4056892, which is what we want, so let’s go ahead.

Benchmarks before Update

PCMark 10 is one of my favorite benchmarks since it relies on typical programs that many people would use on their desktop computer.

Link to full results.

Let’s run 3DMark Sky Diver to get some 3D graphics performance.

Link to 3DMark result.

Finally, I’ve run CrystalDiskMark to test I/O performance of the internal eMMC flash.

Benchmarks after Update

Let’s see if there are any significant differences, bearing in mind there’s always some variation for each benchmark run.

Link to full results.

Right, the score is lower, but it’s really insignificant, and represents a 0.63% decrease in performance, which should likely have nothing to do with the update. So no difference before and after update here.

Same story for 3DMark Sky Diver 1.0, basically the same score as before the update. Link to 3DMark result.

Before (left) and After (right)

There’s normally a lot more variation for I/O benchmarks like CrystalDiskMark, so results are a bit more difficult to analyze, and I have both screenshots side-by-side. We can safely say there’s no difference for sequential read/write (Seq Q32T1 & Seq), and I even got slightly better numbers after the updates. Random I/O looks fairly good after the update, except for “4K Read” test. I repeated it several times, and always got 14 to 17 MB/s after the update (23 to 37% slower), while the “4K write” was always higher. This should not matter to most use cases.

At this stage, I was expecting to draw a table showing a 5% difference after the update, but I won’t, because there’s no clear performance hit after the update, despite Apollo Lake architecture being impacted by Meltdown and Spectre. Maybe some other database specific tests would have shown a difference, or the security fixes may mostly impact the performance of higher-end processors.

Intel Hardware Security Bug Fix to Hit Performance on Windows, Linux…

January 3rd, 2018 15 comments

Many security bugs can be fixed without performance penalty, but according to reports Intel processors have a hardware bug – whose details have not been disclosed yet (embargo) – that seems to affect all operating systems including Windows, Linux, Mac OS, etc…, and the fix may lead to significant performance hits for some tasks.

We know a bit more thanks to the Kernel Page Table Isolation (KPTI) patch for Linux that enables the fix/workaround with X86_BUG_CPU_INSECURE feature. The fix used to be called KAISER, and an LWN article about “hiding the kernel from user space” explains the issue:

On contemporary 64-bit systems, the shared address space does not constrain the amount of virtual memory that can be addressed as it used to, but there is another problem that is related to security. An important technique for hardening the system is kernel address-space layout randomization (KASLR), which randomizes the placement of the kernel in the virtual address space at boot time. By denying an attacker the knowledge of where the kernel lives in memory, KASLR makes many types of attack considerably more difficult. As long as the actual location of the kernel does not leak to user space, attackers will be left groping in the dark.

The problem is that this information leaks in many ways….

More recently, a concerted effort has been made to close off the direct leaks from the kernel, but none of that will be of much benefit if the hardware itself reveals the kernel’s location. And that would appear to be exactly what is happening.

This paper from Daniel Gruss et al. [PDF] cites a number of hardware-based attacks on KASLR. They use techniques like exploiting timing differences in fault handling, observing the behavior of prefetch instructions, or forcing faults using the Intel TSX (transactional memory) instructions. There are rumors circulating that other such channels exist but have not yet been disclosed…

and the fix:

Fixing information leaks in the hardware is difficult and, in any case, deployed systems are likely to remain vulnerable. But there is a viable defense against these information leaks: making the kernel’s page tables entirely inaccessible to user space. In other words, it would seem that the practice of mapping the kernel into user space needs to end in the interest of hardening the system.

The paper linked above provided an implementation of separated address spaces for the x86-64 kernel; the authors called it “KAISER”, which evidently stands for “kernel address isolation to have side-channels efficiently removed”. This implementation was not suitable for inclusion into the mainline, but it was picked up and heavily modified by Dave Hansen.

So in short, Intel processors leak the kernel’s location, so now efforts have to be made to close this hole at the OS level since the current hardware or microcode cannot be updated to fix this issue. In theory, having a fix in the operating system should be good enough, but there’s a caveat: performance hit!

Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.

and from The Register article linked above:

So PostgreSQL SELECT command is about 20% slower with KPTI workaround, and I/Os in general seem to be impacted negatively according to Phoronix benchmarks especially with fast storage, but not gaming performance, Linux kernel compilation, H.264 encoding, etc…

However, if you own an AMD system you can do a victory dance since the processors are not affected, so the “fix” is disabled:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.

The Intel bug will be fully revealed later this month after all main OSes have been patched, and I’d assume Intel will fix the hardware in its processors too, so we’ll live in interesting times when people may/will want to check the CPU revision / stepping number before purchasing an Intel system.
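One way to check on a Linux machine whether the kernel flagged the CPU and turned page table isolation on, added here as an illustration and not code from the original post or from the kernel patch. It assumes the lower-case names that X86_BUG_CPU_INSECURE and X86_FEATURE_PTI take in /proc/cpuinfo, the later cpu_meltdown name, and the sysfs meltdown file of newer kernels; the sample inputs are constructed.

```python
"""Classify Meltdown exposure / KPTI state from /proc and /sys text (added example)."""

# Names as they appear in the "bugs" line of /proc/cpuinfo:
# X86_BUG_CPU_INSECURE -> "cpu_insecure"; later kernels renamed it "cpu_meltdown".
MELTDOWN_BUGS = {"cpu_insecure", "cpu_meltdown"}
SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/meltdown"


def parse_cpuinfo(text):
    """Return vendor_id, flags and bugs of the first processor entry."""
    info = {"vendor_id": "", "flags": set(), "bugs": set()}
    for line in text.splitlines():
        if not line.strip():
            if info["vendor_id"]:
                break                      # blank line ends the first CPU block
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vendor_id":
            info["vendor_id"] = value
        elif key in ("flags", "bugs"):
            info[key] = set(value.split())
    return info


def kpti_status(cpuinfo_text, sysfs_meltdown=None, cmdline=""):
    """Combine cpuinfo, the optional sysfs verdict and the boot command line."""
    cpu = parse_cpuinfo(cpuinfo_text)
    affected = bool(cpu["bugs"] & MELTDOWN_BUGS)
    pti_on = "pti" in cpu["flags"]         # X86_FEATURE_PTI shows up as "pti"
    args = cmdline.split()
    disabled_by_user = "nopti" in args or "pti=off" in args

    if sysfs_meltdown is not None:         # the kernel's own verdict wins
        state = sysfs_meltdown.strip()
        if state.startswith("Not affected"):
            verdict = "not affected"
        elif state.startswith("Mitigation"):
            verdict = "mitigated"
        else:
            verdict = "vulnerable"
    elif affected:
        verdict = "mitigated" if pti_on else "vulnerable"
    else:
        # No bug flag and no sysfs file: either the CPU is fine or the kernel
        # predates the patch and cannot tell us, so do not claim safety.
        verdict = "unknown"

    return {"vendor": cpu["vendor_id"], "affected": affected,
            "pti_enabled": pti_on, "disabled_by_user": disabled_by_user,
            "verdict": verdict}


# Constructed sample inputs (not captured from real machines).
SAMPLE_INTEL = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: GenuineIntel\n"
)
SAMPLE_AMD = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae\n"
    "bugs\t\t: spectre_v1 spectre_v2\n"
)


def _read(path):
    try:
        with open(path) as handle:
            return handle.read()
    except OSError:
        return None


if __name__ == "__main__":
    print("sample Intel:", kpti_status(SAMPLE_INTEL, "Mitigation: PTI\n"))
    print("sample AMD:  ", kpti_status(SAMPLE_AMD, "Not affected\n"))
    live = _read("/proc/cpuinfo")
    if live is not None:                   # only meaningful on Linux
        print("this host:   ", kpti_status(live, _read(SYSFS_PATH),
                                           _read("/proc/cmdline") or ""))
```

The "unknown" verdict matters on unpatched kernels: a missing bug flag there means the kernel cannot report the issue, not that the CPU is unaffected.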

Help Testing TLS 1.3 Compatibility for a More Efficient & Secure Internet

December 28th, 2017 7 comments

Transport Layer Security (TLS) is the protocol that allows for secure websites (via https), and TLS 1.2 is currently the most commonly used version, with 1.0 and 1.1 still supported by many servers for backward compatibility with older browsers, including the one running this blog. TLS 1.3 is the next version, already supported in libraries and server software such as wolfSSL or nginx, and promises to be more efficient – important for battery operated devices (IoT) – thanks to features like zero-RTT (0-RTT) mode, faster thanks to a restructured handshake state machine, and more secure.

However, changes in security protocol may mess up connection with some browsers or middleboxes, as I experienced when I enabled https on CNX Software using Let’s Encrypt with nginx and Cloudflare, with around 0.5% of users losing access due to using older web browsers and operating systems such as Internet Explorer on Windows XP. According to Cloudflare, compatibility issues are the main reason why TLS 1.3 has not been enabled in web browsers, since around 3% of traffic fails when TLS 1.3 is enabled, mostly due to incorrect implementation of TLS version negotiations in some middleboxes.

TLS 1.3 draft 22 improves compatibility by making TLS 1.3 look like TLS 1.2 to those middleboxes, and success rates have increased to 98+%, but more testing is needed. You can help as Cloudflare has set up a website to test TLS 1.3 in your browser (Adobe Flash is used for maximum compatibility). In my case only IPv4 worked, since my ISP does not support IPv6, but I got no problem with TLS 1.3.
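What “look like TLS 1.2” means on the wire, as an added example that is not part of the original post: the ClientHello keeps its legacy version field at TLS 1.2 and carries the real offer in the supported_versions extension (type 43), so a middlebox that reads only the legacy field sees TLS 1.2. The ClientHello bytes are constructed by the helper below, and all function names are hypothetical.

```python
"""Parse a ClientHello and compare the legacy view with the real offer (added example)."""
import struct

SUPPORTED_VERSIONS = 43                    # extension type carrying the real offer
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def version_name(value):
    if value >> 8 == 0x7F:                 # drafts are encoded as 0x7f00 | draft number
        return "TLS 1.3 draft %d" % (value & 0xFF)
    return NAMES.get(value, "unknown 0x%04x" % value)


def build_client_hello(offered, session_id=b""):
    """Build a minimal ClientHello record (constructed sample, zeroed random)."""
    exts = b""
    if offered:                            # a plain TLS 1.2 client sends no such extension
        body = bytes([2 * len(offered)]) + b"".join(struct.pack("!H", v) for v in offered)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", 0x0303)     # legacy_version stays at TLS 1.2
             + bytes(32)                   # random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!HH", 2, 0x1301)   # one suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                 # compression methods: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the version fields of a single-record ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    record_version = struct.unpack_from("!H", record, 1)[0]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(count):
        nonlocal pos
        if pos + count > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + count]
        pos += count
        return chunk

    legacy_version = int.from_bytes(take(2), "big")
    take(32)                                   # random
    session_id = take(take(1)[0])
    take(int.from_bytes(take(2), "big"))       # cipher suites
    take(take(1)[0])                           # compression methods
    offered = []
    if pos < len(body):
        exts = take(int.from_bytes(take(2), "big"))
        i = 0
        while i + 4 <= len(exts):
            ext_type, ext_len = struct.unpack_from("!HH", exts, i)
            data = exts[i + 4:i + 4 + ext_len]
            i += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS and data:
                listed = data[1:1 + data[0]]
                offered = [int.from_bytes(listed[j:j + 2], "big")
                           for j in range(0, len(listed) - 1, 2)]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "session_id_len": len(session_id), "offered": offered}


def views(record):
    """(what a legacy-only middlebox reads, what a TLS 1.3-aware peer reads)."""
    hello = parse_client_hello(record)
    # The client lists versions in preference order; without the extension the
    # legacy field is the whole offer.
    preferred = hello["offered"][0] if hello["offered"] else hello["legacy_version"]
    return version_name(hello["legacy_version"]), version_name(preferred)


if __name__ == "__main__":
    # Compatibility mode also sends a non-empty legacy session id.
    draft22 = build_client_hello([0x7F16, 0x0303], session_id=bytes(32))
    print("draft-22 client:", views(draft22))
    print("TLS 1.2 client: ", views(build_client_hello([])))
```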

If the TLS 1.3 test fails, you can contact Cloudflare by email with your test identifier, middlebox information if you’re in a corporate environment, or ISP name if you are on a residential network.

Haven Open Source App Transforms Your Old Android Smartphone into a Smart Security Camera

December 23rd, 2017 3 comments

About two years ago, I wrote a post asking what to do with old devices instead of throwing them away. My own proposals included giving them away, reselling them on eBay, recycling them for other purposes like servers or download clients, or scavenging some parts. Other people also commented on what they did with theirs, for example setting up a Linux cluster with old TV boxes.

Another way to recycle an old (Android) smartphone – albeit you could always buy an inexpensive one – is to install and run Haven, an open source app that transforms your phone into some sort of smart security camera, but instead of only using the camera from the phone, the app also logs audio events using its microphone (array), as well as data reported by sensors.

One of your first reactions might be: “cool! somebody made an app that would allow hackers or governments to make spying on you ever easier”. But actually, the app was initially intended to protect journalists against raids, or more exactly record their occurrence (as proof), and is released by the Guardian Project that aims to “create secure apps, and open-source software libraries that can be used around the world by any person looking to protect their communications and personal data from unjust intrusion, interception and monitoring”. Haven can also be used to monitor anything you care about, or even as a baby monitor for instance.

While audio and video are continuously monitored, the app only logs the data inside the phone if “thresholds” are exceeded (e.g. motion sensing, audio level…). If you decide to enable notifications, it does not transform your smartphone into another IoT device that relies on the cloud, but instead leverages Signal secure communication app, and the Tor network via Orbot app. A SIM card is not needed, unless you plan to use the optional (and less secure) SMS options.

Commercial Products vs Haven

The app only runs on Android, but iPhone users can still receive notifications via Signal + Tor, they’d just need to buy a cheap Android phone acting as the “camera”. You may want to check out the presentation slides for a quick overview, and visit the app page for more details.

The app can be downloaded from the Google Play Store, F-Droid, or as an apk, and the source code can be cloned from Github.

Fingbox Helps You Monitor & Manage Devices on Your Network with Your iOS/Android Smartphone

November 19th, 2017 10 comments

Fing is a network scanner mobile app available for iOS and Android that allows you to discover which devices are connected to your Wi-Fi network, map devices, detect intruders, assess network security risks, troubleshoot network problems, and optimize wireless network performance.

But in order to go beyond network monitoring, the developers have designed the Ubuntu Core based Fingbox hardware to add features such as access control (e.g. parental control), analyzing bandwidth usage for each client, finding Wi-Fi sweet spots / avoiding black spots, verifying your Internet speed, monitoring devices in your network, and protecting it with a digital fence that works against threats.

From a hardware perspective Fingbox is a round shaped Ethernet node with the following specifications:

  • Processor – ARMv7 processor
  • System Memory – 1GB RAM
  • Connectivity – Gigabit Ethernet

The Linux (Ubuntu Core) device just needs to be connected to your network via an Ethernet cable, and powered by its adapter. You’d then run Fing app on Android or iOS, which will automatically detect the Fingbox, and allow you to easily monitor and control devices on your home network. The best way to clearly understand what the device brings to the table is to watch the demo embedded below.

Fingbox was launched through an Indiegogo campaign that ended up very successfully with 20,000 backers, and over $1.6 million raised, but now you can purchase it directly from Amazon for $129 with shipping to US, UK, EU, and Canada, or Fing website for other countries.

When I think about it, I’m wondering why we don’t get such functionality from the router directly, as surely that’s something vendors could implement in the firmware, except possibly on the cheapest models due to storage and/or memory limitations, with no added hardware cost. Feel free to comment if you can already use your smartphone to monitor and manage other devices via your router, or is Fingbox the only workable solution right now?

MINIX based Intel Management Engine Firmware & UEFI are Closed Source & Insecure, NERF to the Rescue!

November 7th, 2017 12 comments

You may have heard a few things about Intel Management Engine in recent months, especially as security issues have been found, the firmware is not easily upgradeable, and the EFF deemed it a security hazard asking Intel for ways to disable it.

In recent days, I’ve seen several media reports about the Management Engine being based on an Intel Quark x86-based 32-bit CPU running MINIX open-source operating system. Keep in mind, there’s nothing nefarious about MINIX, it’s just that Intel keeps its own developments on top closed. One of the sources for the information is a blog post explaining how to disable Intel ME 11, but ZDNET also points to one of the talks at the Embedded Linux Conference Europe 2017 entitled “Replace Your Exploit-Ridden Firmware with Linux” by Ronald Minnich, Google, which explains the problem, and proposes a solution to (almost) disable Intel’s ME, and replace UEFI by a small open source Linux kernel and ramdisk.

To better understand the issue, we’ll first need to talk about rings… yes… rings. Protection rings with numbers from -3 to +3 indicate the level of privileges with Ring 3 being the lowest privilege, and Ring -3 giving full access to all hardware. It’s unrelated to OS privileges, and normal users and root are part of the same Ring 3 privileges.

Ring 0 to 3 are well documented, Ring -1 is for hypervisors like Xen so “known to mankind”, but while we know something about Ring -2 CPU, the code for the UEFI kernel and SMM half kernel are not always known, and in the case of Ring -3 kernels which include the Management Engine, Integrated Sensor Hub (ISH), and Innovation Engine (IE) we know very little about the hardware and software, despite them having the highest privilege.

We do know the Management Engine Ring -3 OS provides the following features.

  • Full Network manageability
  • Regular Network manageability
  • Manageability
  • Small business technology
  • Level III manageability
  • Intel® Anti-Theft (AT)
  • Intel® Capability Licensing Service (CLS)
  • Intel® Power Sharing Technology (MPC)
  • ICC Over Clocking
  • Protected Audio Video Path (PAVP)
  • IPV6
  • KVM Remote Control (KVM)
  • Outbreak Containment Heuristic (OCH)
  • Virtual LAN (VLAN)
  • TLS
  • Wireless LAN (WLAN)

If you have no idea what some of the features do, that’s OK, as even Richard is unclear. The important part is that the firmware has a full network stack, and web servers are running for remote management, which has recently become a serious problem as Intel found a vulnerability in “Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology” that can allow “an unprivileged attacker to gain control of the manageability features”. It requires a firmware update, but considering this affects Intel’s first to seventh generation, the bug is at least 9 years old, and most systems won’t be updated. Read this PDF for a detailed (71 pages) security evaluation of Intel’s ME.

Besides the Management Engine, the presentation also goes through Ring -2 OS (UEFI), an extremely complex kernel (millions of lines of code) running on the main CPU, and whose security model is… obscurity. UEFI exploits also exist, and can be made permanent since UEFI can rewrite itself. The firmware also always runs, and exploits are undetectable by kernels and programs.

The solution proposed to address the privacy and security issues related to ME and UEFI is called NERF (Non-Extensible Reduced Firmware).

It’s only a partial solution because the system cannot fully boot without ME, but they’ve managed to reduce the size from 5MB to 300KB, removing the web server and IP stack in the process on Minnowboard MAX board thanks to me_cleaner. The SMM Ring -2 semi kernel can be disabled however.

UEFI stands for Unified Extensible Firmware Interface, so to simplify the code and make it less vulnerable to exploits they’ve made their implementation NON-extensible, and as a result it’s much simpler, as illustrated in the diagram below.

UEFI vs NERF

UEFI DXE stage is replaced with a single Linux kernel (tied to the BIOS vendor), and a 5.9MB firmware-based root file system written in Go (u-root.tk). If you are interested in the details, watch the 38-minute ELCE 2017 presentation.

You may also be interested in the slides.

Arm’s Platform Security Architecture Aims to Secure the Internet of Things (IoT)

October 25th, 2017 No comments

News is published nearly every day about a security breach or flaw in IoT devices, and last year, Softbank CEO, and new Arm owner, Masayoshi Son explained that to reach his goal of one trillion IoT devices and singularity, security had to be addressed, as everything was currently too easily hackable, including cars equipped with lots of electronics but very weak security.

As Arm Techcon 2017 is underway, the company has been working on improving IoT security and announced the Platform Security Architecture (PSA) designed for low cost IoT devices.

PSA components

PSA has three major components:

  • Threat Models and Security Analyses derived from a range of typical IoT use cases.
  • Architecture specifications for firmware and hardware.
  • An open source project, similar to Arm Trusted Firmware for mobile clients.

PSA is designed for low cost IoT devices, which would not have the resources (processing power, memory, battery power…) to run a full Trusted Execution Environment (TEE), aims at protecting assets such as keys, credentials or firmware by separating them from application and hardware, and defines a Secure Processing Environment (SPE) for the code that manages those assets and its trusted hardware resources.

Example of PSA compliant IoT device

While the architecture is agnostic, Arm and their partners will initially focus on Cortex-M based devices, specifically Arm v8-m ones such as Cortex M33. PSA defines hardware, firmware and process requirements and interfaces, but most people can’t see anything of it yet, as the first draft specification and reference firmware implementation (Trusted Firmware-M) will be made available in Q1 2018. Arm will also provide tools for evaluation and compliance, including a validation suite for the functional hardware requirements, potentially a validation suite for the firmware specifications, as well as ways to evaluate robustness compliance by working with partners part of the secure chain from silicon vendors to IoT cloud companies.

While on the subject of security, Arm also announced two new secure IP components with Arm TrustZone CryptoIsland family of smartcard-level security subsystems – starting with CryptoIsland-300 – targeting general purpose MCUs, LPWA connectivity, storage, automotive and more, as well as Arm CoreSight SDC-600 Secure Debug Channel enabling full debug capabilities without compromising system security.

A few more details about PSA can be found on the product page, where you can also download an 18-page whitepaper entitled “Arm Platform Security Architecture Overview”.