evil twin
Posts: 18
Joined: Mon Oct 10, 2011 1:20 am

Is there a management engine in the ARM CPUs?

Tue Jun 14, 2016 9:59 pm

I've been wondering if anyone knows whether there is some kind of equivalent of the AMT (Intel's Active Management Technology) 'black box' built into the ARM CPUs, particularly those used in Raspberry Pi - i.e. how secure those CPUs are?

jbeale
Posts: 3517
Joined: Tue Nov 22, 2011 11:51 pm

Re: Is there a management engine in the ARM CPUs?

Tue Jun 14, 2016 11:27 pm

If the RPi includes such a function, it has never been disclosed to my knowledge. I would tend to doubt it, given the original concept of the RPi was a very personal computer for students, not a remotely-managed industrial box.

asandford
Posts: 1997
Joined: Mon Dec 31, 2012 12:54 pm
Location: Waterlooville

Re: Is there a management engine in the ARM CPUs?

Tue Jun 14, 2016 11:38 pm

Most of the SoC is the GPU and runs the whole show; the ARM core was initially bolted on as there was space on the die.

jbeale
Posts: 3517
Joined: Tue Nov 22, 2011 11:51 pm

Re: Is there a management engine in the ARM CPUs?

Tue Jun 14, 2016 11:50 pm

asandford wrote: Most of the SoC is the GPU and runs the whole show; the ARM core was initially bolted on as there was space on the die.
A good point - I guess, in essence, there is a management engine outside the CPU. It's called the VideoCore IV GPU and among other things it does control the ARM CPU.

evil twin
Posts: 18
Joined: Mon Oct 10, 2011 1:20 am

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 12:13 am

jbeale wrote: If the RPi includes such a function, it has never been disclosed to my knowledge. I would tend to doubt it, given the original concept of the RPi was a very personal computer for students, not a remotely-managed industrial box.
Well, the RPi is a core(s) that Broadcom has had already for other purposes, most likely developed for them by ARM as that's how it's usually done. Also it's apparently illegal for CPUs manufactured in the US to not have such functionality and Broadcom is a US company.

SonOfAMotherlessGoat
Posts: 690
Joined: Tue Jun 16, 2015 6:01 am

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 12:28 am

evil twin wrote: Well, the RPi is a core(s) that Broadcom has had already for other purposes, most likely developed for them by ARM as that's how it's usually done. Also it's apparently illegal for CPUs manufactured in the US to not have such functionality and Broadcom is a US company.
So basically you've already made up your mind and this question wasn't a question but a statement? You're not going to get an official statement from anyone here on the Forums, if you'd like to know, contact the Foundation directly or Broadcom and see what their response is.

Heater
Posts: 13913
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 12:29 am

No idea about a management engine but the Video Core/GPU boots the thing and has total control and visibility to all your RAM at all times.

Is it secure?

No.

The video core code is all closed source. So the whole thing can only be trusted as much as you trust the Pi foundation.

As it happens I trust them. Not just because they all seem to be good chaps, but also because they know the whole Pi Foundation would collapse if it was ever discovered some shenanigans were going on.

I'm not complaining about the situation.

@evil twin
Also it's apparently illegal for CPUs manufactured in the US to not have such functionality.
I have never heard of such a thing before. You have any links to such a law?
Memory in C++ is a leaky abstraction.

W. H. Heydt
Posts: 11091
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 2:47 am

evil twin wrote: Also it's apparently illegal for CPUs manufactured in the US to not have such functionality and Broadcom is a US company.
First I've ever heard such a thing. Got a source for it?

FYI...while the SoC *might* be designed in the US, they are manufactured in--IIRC--Taiwan. (Actually, the CPU cores are, so far as I know, designed in the UK by ARM.)

Note that there are multiple meanings of "secure". In one classic example, some people who were up to no good asked the IT people where they worked if the e-mail servers were "secure", meaning, could they be trusted not to have anyone break in and if they erased any e-mails, they were gone for good. The IT people replied that the servers were "secure", meaning they never lost *anything* because they maintained regular backups. In the end, those backups contained the log records and data on incriminating e-mails where the bad guys deleted the messages. Look up the "Iran-Contra Affair" for the details.

bensimmo
Posts: 4187
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 6:59 am

SonOfAMotherlessGoat wrote:
evil twin wrote: Well, the RPi is a core(s) that Broadcom has had already for other purposes, most likely developed for them by ARM as that's how it's usually done. Also it's apparently illegal for CPUs manufactured in the US to not have such functionality and Broadcom is a US company.
So basically you've already made up your mind and this question wasn't a question but a statement? You're not going to get an official statement from anyone here on the Forums, if you'd like to know, contact the Foundation directly or Broadcom and see what their response is.
Or in the few hours between posts, did some searching and reading?

fruitoftheloom
Posts: 21081
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 8:16 am

evil twin wrote:I've been wondering if anyone knows whether there is some kind of equivalent of the AMT (Intel's Active Management Technology) 'black box' built into the ARM CPUs, particularly those used in Raspberry Pi - i.e. how secure those CPUs are?
http://www.intel.co.uk/content/www/uk/e ... ology.html

http://www.tomshardware.com/reviews/vpr ... 03-13.html

It is more than you have explained, but only Intel have decided to offer this function, open-source DASH was not implemented by AMD:

Using integrated platform capabilities and popular third-party management and security applications, Intel® Active Management Technology (Intel® AMT) allows IT or managed service providers to better discover, repair, and protect their networked computing assets. Intel AMT enables IT or managed service providers to manage and repair not only their PC assets, but workstations and entry servers as well, utilizing the same infrastructure and tools across platforms for management consistency. For embedded developers, this means that devices can be diagnosed and repaired remotely, ultimately lowering IT support costs. Intel AMT is a feature of Intel® Core™ processors with Intel® vPro™ technology and workstation platforms based on select Intel® Xeon® processors.
Retired disgracefully.....
This at present is my daily "computer" https://www.asus.com/us/Chrome-Devices/Chromebit-CS10/

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 24162
Joined: Sat Jul 30, 2011 7:41 pm

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 10:11 am

The 2835 uses an Armv6 core, designed in the UK. The GPU, the Videocore4 was designed in the UK (some subcomponents were designed elsewhere, but mostly UK, and integrated in the UK)

The 2836 and 2837 use the same videocore4 GPU, the ARM cores are off the shelf ARM designs (UK), and again mostly integrated in the UK, although with USA involvement in some areas.

Just so you know!

As for a 'management engine', I've never heard of that, and I worked on the VC4 for 6 years.

What do you mean by management engine?
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

evil twin
Posts: 18
Joined: Mon Oct 10, 2011 1:20 am

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 10:39 am

SonOfAMotherlessGoat wrote: So basically you've already made up your mind and this question wasn't a question but a statement? You're not going to get an official statement from anyone here on the Forums, if you'd like to know, contact the Foundation directly or Broadcom and see what their response is.
No, I haven't. That's what I've read so far, and I would like to find out by asking people with (hopefully) more knowledge.

evil twin
Posts: 18
Joined: Mon Oct 10, 2011 1:20 am

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 10:50 am

jamesh wrote:The 2835 uses an Armv6 core, designed in the UK. The GPU, the Videocore4 was designed in the UK (some subcomponents were designed elsewhere, but mostly UK, and integrated in the UK)

The 2836 and 2837 use the same videocore4 GPU, the ARM cores are off the shelf ARM designs (UK), and again mostly integrated in the UK, although with USA involvement in some areas.

Just so you know!

As for a 'management engine', I've never heard of that, and I worked on the VC4 for 6 years.

What do you mean by management engine?
Thanks for a reply.
Intel Active Management Technology: https://en.wikipedia.org/wiki/Intel_Act ... Technology
An article at the Free Software Foundation web site: https://www.fsf.org/blogs/community/act ... technology

SonOfAMotherlessGoat
Posts: 690
Joined: Tue Jun 16, 2015 6:01 am

Re: Is there a management engine in the ARM CPUs?

Wed Jun 15, 2016 7:22 pm

evil twin wrote:No, I haven't. That's what I've read so far, and I would like to find out by asking people with (hopefully) more knowledge.
Then my apologies for the harshness of my tone, and I do hope you find the answers you are looking for.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 24162
Joined: Sat Jul 30, 2011 7:41 pm

Re: Is there a management engine in the ARM CPUs?

Thu Jun 16, 2016 8:51 am

evil twin wrote:
jamesh wrote:The 2835 uses an Armv6 core, designed in the UK. The GPU, the Videocore4 was designed in the UK (some subcomponents were designed elsewhere, but mostly UK, and integrated in the UK)

The 2836 and 2837 use the same videocore4 GPU, the ARM cores are off the shelf ARM designs (UK), and again mostly integrated in the UK, although with USA involvement in some areas.

Just so you know!

As for a 'management engine', I've never heard of that, and I worked on the VC4 for 6 years.

What do you mean by management engine?
Thanks for a reply.
Intel Active Management Technology: https://en.wikipedia.org/wiki/Intel_Act ... Technology
An article at the Free Software Foundation web site: https://www.fsf.org/blogs/community/act ... technology
As far as I know, there is nothing like that in the Raspberry Pi - it doesn't really have a BIOS in the conventional sense. But carefully read the posts above on how the Raspi architecture (VC4->ARM) works, because you could look on the GPU binary blob in the same way.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

r3d4
Posts: 968
Joined: Sat Jul 30, 2011 8:21 am
Location: ./

Re: Is there a management engine in the ARM CPUs?

Thu Jun 16, 2016 11:23 am

jamesh wrote: because you could look on the GPU binary blob in the same way.
Ambiguity inside. :lol: :roll:

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Is there a management engine in the ARM CPUs?

Thu Jun 16, 2016 12:14 pm

evil twin wrote: Thanks for a reply.
Intel Active Management Technology: https://en.wikipedia.org/wiki/Intel_Act ... Technology
An article at the Free Software Foundation web site: https://www.fsf.org/blogs/community/act ... technology
AIUI(1) AMT requires support in the CPU and the chipset; whilst most (maybe all) Intel CPUs have AMT support, there are very few motherboards that have the required chipset. Similar technology has been around in the server world for a while in the form of IPMI / iLOM / iDRAC, and is there to allow remote management of the servers by relevant people (such access is usually behind a firewall and has authentication). I've used IPMI in this way to manage servers on another continent.

The AMT/vPRO features are aimed at the enterprise market where being able to manage a machine remotely is highly useful (e.g. power it up overnight to apply OS updates rather than having the machine unusable for the first hour after someone turns it on).

1) It's something I've been looking at recently as it's a technology that's useful for my use case.

hippy
Posts: 6258
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Is there a management engine in the ARM CPUs?

Thu Jun 16, 2016 12:18 pm

A "management engine" seems to be a more advanced version of "lights out management", a separate-but-integrated system which can have access and control over everything else which can be communicated with remotely.

I have never heard anyone say there is such a thing within a Pi SoC. JTAG is catered for but that requires physical access and isn't the same thing. In terms of there being some 'backdoor' which isn't acknowledged and cannot be disabled, allows others to remotely and surreptitiously gain access to the system or spy upon it; I very much doubt that.

Perhaps the only way to be sure there isn't is to x-ray or de-cap the chip, figure out which bits of silicon do what, and see what's left over.

PeterO
Posts: 5147
Joined: Sun Jul 22, 2012 4:14 pm

Re: Is there a management engine in the ARM CPUs?

Thu Jun 16, 2016 12:31 pm

Seems to be the same conspiracy theorists as this : https://hardware.slashdot.org/story/16/ ... t-audit-it

PeterO
Last edited by PeterO on Thu Jun 16, 2016 12:49 pm, edited 1 time in total.
Discoverer of the PI2 XENON DEATH FLASH!
Interests: C,Python,PIC,Electronics,Ham Radio (G0DZB),1960s British Computers.
"The primary requirement (as we've always seen in your examples) is that the code is readable. " Dougie Lawson

SonOfAMotherlessGoat
Posts: 690
Joined: Tue Jun 16, 2015 6:01 am

Re: Is there a management engine in the ARM CPUs?

Thu Jun 16, 2016 12:34 pm

It's FSF (Richard Stallman) taking (yet) another "Oh my god you guys, 'They' could use this for nefarious purposes. It's closed source, so who knows what 'They' are doing with your stuffs".

If you're concerned about other people having access to your Pi stored data, then airgap it. If you are concerned that airgapping won't help when 'They' seize your equipment, then a small dab of Semtex works...

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 24162
Joined: Sat Jul 30, 2011 7:41 pm

Re: Is there a management engine in the ARM CPUs?

Fri Jun 17, 2016 8:50 am

PeterO wrote:Seems to be the same conspiracy theorists as this : https://hardware.slashdot.org/story/16/ ... t-audit-it

PeterO
Why do I always end up reading the unadulterated drivel that seems to be the major content of slashdot nowadays?
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

hippy
Posts: 6258
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Is there a management engine in the ARM CPUs?

Fri Jun 17, 2016 10:10 am

PeterO wrote:Seems to be the same conspiracy theorists as this : https://hardware.slashdot.org/story/16/ ... t-audit-it
It is true, if one has a system which has full access and control over another and its resources, compromising that can lead to the other being compromised. It is a potential attack vector. The question is how much of a potential attack vector it would be, whether that can even be properly assessed.

I would be cautious about making a Pi or anything else accessible via the public Internet if it had full read-write access to other systems on the LAN, which is what some are saying the Intel ME set-up amounts to.

It seems to me there is some legitimacy to the concerns raised.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Is there a management engine in the ARM CPUs?

Tue Jun 21, 2016 10:20 pm

To hopefully clear up some of the FUD, I now have a motherboard with a chipset that supports AMT (Asus Q170M-C). These are the early observations:
  • Firstly the AMT network access isn't enabled by default - you have to enable it.
  • When enabling it the first thing it requires is a secure password (more secure than some banks/credit card companies allow).
  • By default to connect via VNC as well as a password you also need a code that's shown on the local screen (although this can be changed)
  • When connected via VNC there's a very obvious flashing red and yellow border on the local screen.
Finally there's a jumper on the motherboard that supposedly disables AMT (I've not tested as I wanted the AMT setup as the machine is designed to be headless).

Obviously all features the Pi doesn't have, but also nowhere near as bad as the tin-foil hat brigade will try and make out. In comparison IPMI on servers is often enabled by default with obvious default username/password and provides similar features to AMT.
