Dell Is Offering Laptops With Intel Management Engine (IME) Disabled

Subject: General Tech | December 4, 2017 - 07:05 PM |
Tagged: system76, security, linux, Intel, IME, dell

Update 12-5-2017: Dell has provided a statement in response to the IME news which is as follows:

  • "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro - ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public.
  • Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration."

(End of update.)

Niche system vendors System76 and Purism are now joined by Dell in offering laptops with Intel's Management Engine (IME) black box disabled. The company, one of the largest laptop manufacturers, currently offers three higher-end laptops with the configuration option of "Intel vPro™ - ME Inoperable, Custom Order" where for around $20 Dell will disable IME. IME has come under fire recently due to a major vulnerability that affects many of Intel's Core series processors, and it has had bugs dating back years.

IME is baked into Intel processors dating back to 2008 and operates at what is known as Ring -3, meaning that it has privileges well above those of software, drivers, the OS kernel, and even UEFI. IME is an autonomous subsystem with its own processor running its own software that has full control over the computer and even has its own networking stack. Intel has obfuscated that closed source code and has made it notoriously difficult to disable while also claiming it is necessary for the processor to hit full performance. Security researchers and companies like Google have committed to disabling it (there is a way to turn it off though Intel has not documented it). IME can be used alongside Intel AMT / vPro features (Ring -2+) for remote management, and since IME runs even when the system is off it makes it easy to roll out OS upgrades and re-image machines. Home users however do not need IME, but have traditionally been stuck with it anyway along with its security holes. (Note that AMD has its own platform management subsystem with the PSP, though it has not drawn nearly the high-profile attention Intel has with the latest bugs and promised patches.)

Specifically, Dell is offering to disable IME for a small fee on the Latitude 14 Rugged laptop, Latitude 15 E5570, and Latitude 12 Rugged tablet, which all run 6th Generation Core (6000 series and Core M) processors. Purism plans to sell PCs with IME disabled going forward and System76 has promised firmware updates for disabling IME on its PCs sold within the last few years. In reading about IME online, it seems that disabling IME is a tricky endeavour with the potential to brick the system, but it can be done, and the more documentation these vendors do the better for Linux, open source software, and security-conscious consumer proponents. For now you will have to pay a small fee to disable it, but if you are worried about IME the peace of mind might be worth it. Also, with Dell now on board it shouldn't be long before other vendors start offering systems sans Intel Management Engine. Hopefully they are able to offer this IME disabled feature on models with the latest Intel processors as well for those that want it, as the latest round of major bugs affected Skylake, Kaby Lake, and Coffee Lake CPUs.

What are your thoughts on this? Have your systems received an IME security patch? In any case, with the IME bugs, Mac OS High Sierra security hole, and iOS encrypted backup loophole it has not been a good month for security!

Source: Liliputing

A look at the latest Radeon graphics driver stack

Subject: Graphics Cards | November 29, 2017 - 03:20 PM |
Tagged: windows 10, vega 64, RX 580, microsoft, linux 4.15, linux, amd

With a new Linux kernel out, Phoronix revisited the performance of two of AMD's new cards running on that kernel as well as the current version of Windows 10. GPU testing on Linux has gotten more interesting thanks to the upsurge in compatible games; this review encompasses the recent Deus Ex, Shadow of Mordor, F1 2017 and GRID Autosport. The tests show there is still work to be done on the Mesa Radeon graphics driver stack, as in all cases the performance lagged behind on Linux even though the hardware was exactly the same.

"As we end out November, here is a fresh look at the current Windows 10 Pro Fall Creator's Update versus Ubuntu 17.10 with the latest Linux 4.15 kernel and Mesa 17.4-dev Radeon graphics driver stack as we see how various games compete under Windows 10 and Linux with these latest AMD drivers on the Radeon RX 580 and RX Vega 64 graphics cards."

Source: Phoronix

Intel Optane on Linux

Subject: Storage | November 24, 2017 - 04:59 PM |
Tagged: Optane, Intel, linux, 900P, Ubuntu 17.10

Phoronix installed an Optane 900P SSD into their AMD EPYC system to test the performance the new drive provides running under Ubuntu.  Their results were very similar to Al's, showing that this fairly expensive 280GB SSD can justify its premium price by leaving the competition in the dust.  The testing suite they used is quite different from the one here at PCPer but the proof that Optane gets along well with Linux is indisputable.

"At the end of October Intel released the Optane 900P solid-state drive as their new ultra high-end performance SSD. Windows reviews have been positive, but what about using the Optane 900P on Linux? It's working well and delivers stunning NVMe SSD performance."

Source: Phoronix

EPYC Linux performance from AMD

Subject: Processors | September 18, 2017 - 05:13 PM |
Tagged: linux, EPYC 7601, EPYC

Phoronix have been hard at work testing out AMD's new server chip, specifically the 2.2/2.7/3.2GHz EPYC 7601 with 32 physical cores. The frequency numbers now have a third member, which is the top frequency all 32 cores can hit simultaneously; for this processor that would be 2.7GHz. Benchmarking server processors is somewhat different from testing consumer CPUs; gaming performance is not as important as dealing with specific productivity applications. Phoronix started their testing of EPYC, in both NUMA and non-NUMA configurations, comparing against several Xeon models, and the performance delta is quite impressive, sometimes leaving even a system with dual Xeon Gold 6138's in the dust. They also followed up with a look at how EPYC compares to Opteron, AMD's last server offerings. The evolution is something to behold.

"By now you have likely seen our initial AMD EPYC 7601 Linux benchmarks. If you haven't, check them out, EPYC does really deliver on being competitive with current Intel hardware in the highly threaded space. If you have been curious to see some power numbers on EPYC, here they are from the Tyan Transport SX TN70A-B8026 2U server. Making things more interesting are some comparison benchmarks showing how the AMD EPYC performance compares to AMD Opteron processors from about ten years ago."

Source: Phoronix

Benchmarking a beast of a box, a dual Xeon Scalable Gold Server

Subject: Systems | August 30, 2017 - 03:42 PM |
Tagged: linux, xeon, Xeon Gold 6138, dual cpu, LGA-3647, Intel

The core counts and amount of RAM on enthusiast systems are growing quickly, especially with Threadripper, but we won't be seeing a system quite like this one under our desks in the near future. The server which Phoronix tested sports dual Xeon Gold 6138 for a total of 40 physical cores and 80 threads, with each CPU having 48GB of RAM for a total of 96GB of DDR4-2666. Not only did Phoronix run this system through a variety of tests, they did so on eight different Linux distros. Can any benchmark push this thing to its limits? Was there a clear winner for the OS? Find out in the full review.

"While we routinely run various Linux distribution / operating system comparisons at Phoronix, they tend to be done on desktop class hardware and the occasional servers. This is our look at the most interesting enterprise-focused Linux distribution comparison to date as we see how Intel's Xeon Scalable platform compares on different GNU/Linux distributions when using the Tyan GT24E-B7106 paired with two Dual Xeon Gold 6138 processors."

Source: Phoronix

WAAAGH penguins; like Squigs only open sores

Subject: General Tech | June 14, 2017 - 01:51 PM |
Tagged: linux, gaming, dawn of war III

Dawn of War 3 released its Linux version earlier this year with support for both OpenGL and Vulkan. Vulkan performance is much better in CPU bound testing with resolutions under 1080p, and when gaming above that resolution it utilizes far less CPU resources than OpenGL. Overall, on NVIDIA, performance is the same on both APIs; with the current Radeon driver you are better off on OpenGL. As is their usual style, Phoronix tested 18 GPUs, a dozen from NVIDIA and six of AMD's cards, with differing resolutions and graphics quality settings, all the way up to 4k.

Check the full results here.

"Today marks the highly anticipated debut of Dawn of War III for Linux (and macOS) ported by Feral Interactive. Here are a number of OpenGL and Vulkan benchmarks of NVIDIA GeForce and AMD Radeon graphics cards running Ubuntu Linux with this game."

Source: Phoronix

Dawn of War III Vulkan Support on Linux to Add Intel GPUs

Subject: General Tech | June 7, 2017 - 04:54 PM |
Tagged: pc gaming, linux, vulkan, Intel, mesa, feral interactive

According to Phoronix, Alex Smith of Feral Interactive has just published a few changes to the open source Intel graphics driver, which allows their upcoming Dawn of War III port for Linux to render correctly on Vulkan. This means that the open-source Intel driver should support the game on day one, although drawing correctly and drawing efficiently could be two very different things -- or maybe not, we’ll see.

It’s interesting seeing things go in the other direction. Normally, graphics engineers parachute in to high-end developers and help them make the most of their software for each respective, proprietary graphics driver. In this case, we’re seeing the game studios pushing fixes to the graphics vendors, because that’s how open source rolls. It will be interesting to do a pros and cons comparison of each system one day, especially if cross-pollination results from it.

Source: Phoronix

51 flavours of Radeon to choose from

Subject: Graphics Cards | June 2, 2017 - 03:02 PM |
Tagged: amd, radeon, linux

When Phoronix does a performance round up they do not mess around.  Their latest look at the performance of AMD cards on Linux stretches all the way back to the HD 2900XT and encompasses almost every single GPU released between that part and the RX 580, with a pair of Firepro cards and the Fury included as well.  For comparative performance numbers you will see 28 NVIDIA cards on these charts, which makes the charts some of the longest you have seen.  Drop by to check out the state of AMD performance on Linux in a variety of games as well as synthetic benchmarks.

"It's that time of the year where we see how the open-source AMD Linux graphics driver stack is working on past and present hardware in a large GPU comparison with various OpenGL games and workloads. This year we go from the new Radeon RX 580 all the way back to the Radeon HD 2900XT, looking at how the mature Radeon DRM kernel driver and R600 Gallium3D driver is working for aging ATI/AMD graphics hardware. In total there were 51 graphics cards tested for this comparison of Radeon cards as well as NVIDIA GeForce hardware for reference."

Source: Phoronix

Samba Developers Release Patch For Remote Code Execution Vulnerability (CVE-2017-7494)

Subject: General Tech | May 28, 2017 - 07:10 PM |
Tagged: samba, linux, ransomware, security, networking

Last week, the development team behind Samba – a popular software suite used on Linux and Unix clients and servers that uses the TCP/IP protocol for file and print sharing to SMB/CIFS clients (including Microsoft Windows) – released a security advisory along with patches for a remote code execution hole that has been present in Samba for seven years since the release of Samba 3.5.0 in March 2010. The vulnerability, classified under CVE-2017-7494, allows an attacker to upload malicious code to a Samba server and get the server to run the code by sending a malformed IPC request that references the local file path. The Samba server will run the code in the malicious shared library (.so) file even though it is from an untrusted remote source.

The bad news is that this is a fairly serious flaw that could lead to an attacker successfully holding a business or home user’s files (including backups!) at ransom, stealing data, or using the now owned file server to attack other network resources that trust the file server. If not securely configured (e.g. allowing anonymous writes), the attack could even be wormable which would allow it to self-replicate across the network or Internet. Further, while various security firms have slightly different numbers, they all seem to agree that around 100,000 Internet-accessible machines are running vulnerable versions of Samba.

It is not all bad news though, and in some respects this vulnerability is not as big of an issue as the WannaCry ransomware and EternalBlue SMB vulnerability. In order to successfully exploit the Samba flaw, an attacker needs to obtain credentials to upload the malicious code to the file share(s), which need to be writeable in the first place and not running as noexec under an SELinux policy. Also, attackers need to know or guess the local path name of the files on the file share to send the malformed IPC request. More importantly, the Samba team released three security releases (4.6.4, 4.5.10, and 4.4.14) for the newer branches and is working with OS distributions on providing patches for older Samba versions. For systems that cannot be updated or patched, there is also a workaround that can be implemented by modifying the global Samba config file to contain the setting “nt pipe support = no”. While this will break some expected Windows functionality (mainly machines will not be able to access null shares and will need to use the specific share path rather than just the server path), it will make it so that Samba will not accept the malicious requests.
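The version ranges and the workaround described above can be checked mechanically. The following Python is an added example, not code from the Samba project or its advisory: it classifies an upstream version string against the fixed releases named here and reads an smb.conf to report whether `nt pipe support = no` is set and which shares accept writes. The function names and the sample configuration are constructed for illustration, and parameters split across continuation lines are not handled.

```python
import re

FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}  # fixed releases named in the article
YES, NO = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def version_status(version):
    """Classify an upstream Samba version string for CVE-2017-7494."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    if v < (3, 5, 0) or v[:2] > max(FIXED):
        return "not affected"
    if v[:2] in FIXED:
        return "patched" if v[2] >= FIXED[v[:2]] else "vulnerable"
    # Older branches rely on distribution backports, invisible in the version.
    return "vulnerable unless distro-patched"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names ignore case and whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip().lower()
    return sections

def audit(conf_text):
    """Report whether the workaround is set and which shares accept writes."""
    conf = parse_smb_conf(conf_text)
    glob = conf.pop("global", {})
    def writable(p):
        return p.get("readonly", "yes") in NO or any(
            p.get(k) in YES for k in ("writeable", "writable", "writeok"))
    shares = {n: {**glob, **p} for n, p in conf.items()}
    return {"workaround": glob.get("ntpipesupport", "yes") in NO,
            "writable": [n for n, p in shares.items() if writable(p)],
            "guest_writable": [n for n, p in shares.items()
                               if writable(p) and p.get("guestok", "no") in YES]}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """
[global]
   NT Pipe Support = no
[backups]
   read only = no
[media]
   path = /srv/media
[scratch]
   writeable = yes
   guest ok = yes
"""
```

A share listed under `guest_writable` corresponds to the anonymous-write configuration the article singles out as the riskiest case.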

Perhaps the most worrying aspect of this vulnerability is that security researchers estimate that up to 90% of the vulnerable Internet-connected Samba endpoints do not have a direct patch or update available yet and may not ever get one. While the enterprise hardware and even bigger consumer and SMB hardware providers will provide support for this in the form of patches or firmware updates, there is a sea of home routers, NAS boxes, file and print servers, and IoT devices running on home networks that are not open to user updates and may not ever get firmware updates. The best thing to do in this scenario according to the security advisory (if you can’t just not use it or replace it with different hardware that can be patched or isn’t affected of course) is to not expose it to the Internet. There would still be a risk of it being exploited should someone get a virus on a client machine through email, malicious downloads, or social engineering though. Considering these home NAS devices are usually used as destinations for backups, the risk of ransomware not only infecting client machines but also the main file share and network backups is scary. I have always been a fan of offline and/or cloud backups and in these modern times they are more important than ever with the rise of ransomware and other profit motivated viruses.

If you are not sure whether your network is affected, tools are being made available (including a Metasploit module, nmap scripts, and Internet scans) to help you determine that. You can then use that information to reduce your attack surface by, in order of effectiveness: updating to the latest security release, applying patches, using SELinux policies to prevent the server from executing files itself, and preventing affected machines from communicating with the Internet.

All that is to say don’t panic, stay vigilant, and make sure your important data is properly backed up and secured as much as possible!

Source: Samba.org

The RX 580 on Linux, locked stock and overclock

Subject: Graphics Cards | April 24, 2017 - 06:08 PM |
Tagged: linux, RX 580, amd, overclocking, Polaris

Phoronix have had a chance to test out the refreshed Polaris RX 580 on the Linux 4.11 kernel and Mesa 17.1-devel; initially the AMDGPU-PRO 17.10 driver update was not included thanks to interesting timing. The performance deltas are as you would expect, a slight increase in performance that is relative to the increased clock speeds, just as when run on Windows. They also had a chance to try overclocking the new card; AMD added support for overclocking GCN 1.2 and newer cards on their proprietary Linux driver in 2016. They managed to increase the core by 6% without running into stability issues; however, when they overclocked the memory, they saw serious performance decreases. Check out the steps they tried along with the results from the overclocked GPU here.

"Yesterday I posted the initial Radeon RX 580 Linux benchmarks while now with having more time with this "Polaris Evolved" card I've been able to try out a bit more, like the AMDGPU Linux overclocking support. Here are the ups and downs of overclocking the Radeon graphics card under Linux."

Source: Phoronix