
One of the world's lesser-known operating systems may actually be the most used OS in the world, according to new revelations made by Google's Linux experts.

The OS in question is MINIX 3, an open-source, highly modular UNIX-like operating system built on a microkernel architecture: only a small kernel runs in privileged mode, while drivers and most system services run as separate user-mode processes.

The OS was launched in 1987 as an educational project by Dutch professor Andrew S. Tanenbaum, who wanted to show students that they don't need to write millions of lines of code to create a basic, functional operating system.

Intel ME runs on MINIX, Google finds

According to Ron Minnich, a Software Engineer at Google, MINIX is at the heart of Intel's Management Engine (ME), a separate, largely undocumented processor embedded in the chipset of virtually every Intel platform sold in the last decade.

Despite many people calling ME a backdoor into everyone's computers, Intel has always advertised ME as a way for companies to manage workstations on internal networks by allowing system administrators to monitor, maintain, update, upgrade, and repair Intel-based computers from a remote, central location.

It can do this because the ME runs independently of the user's main OS, with its own processes, threads, memory manager, hardware bus drivers, file system, and many other components, on its own processor.

MINIX creator reveals Intel's past interest in the OS

Google says MINIX powers all these features, a statement the MINIX creator backed up yesterday in a blog post addressed to Brian Krzanich, Intel's CEO.

I knew that Intel had some potential interest in MINIX 3 several years ago when one of your engineering teams contacted me about some secret internal project and asked a large number of technical questions about MINIX 3, which I was happy to answer. I got another clue when your engineers began asking me to make a number of changes to MINIX 3, for example, making the memory footprint smaller and adding #ifdefs around pieces of code so they could be statically disabled by setting flags in the main configuration file. This made it possible to reduce the memory footprint even more by selectively disabling a number of features not always needed, such as floating point support. This made the system, which was already very modular since nearly all of the OS runs as a collection of separate processes (normally in user mode), all of which can be included or excluded in a build, as needed, even more modular.

In the rest of his blog post, Tanenbaum reveals that Intel never told him that they'd use MINIX for ME, something he only found out this week, following press coverage of Minnich's talk at a Linux Foundation conference.

The talk details Google's recent efforts at removing proprietary firmware, Intel ME included, from its internal servers.

Google cited worries that the Intel ME code (in fact MINIX) runs at the platform's deepest privilege level, commonly described as Ring "-3", below the main OS and the hypervisor, and that it also runs a web server for remote management that accepts connections even when the main OS is shut down.

For a company that holds information on a large share of all Internet users, a privileged, closed-source component that cannot be audited is an unacceptable attack surface, and Google's engineers are now actively trying to remove it from their systems.

Researchers found a way to disable Intel ME over the summer

Previous efforts at disabling Intel ME have all ended badly because Intel has interwoven the ME into the boot process: the ME handles platform initialization and power management and brings up the main processor, so removing it outright leaves the machine unable to boot.

As such, for many years, users only had the option to disable some ME components, not the ME as a whole. One such tool is ME_Cleaner, which strips most modules from the ME firmware image stored in the SPI flash while leaving the parts needed for the platform to boot.

Things moved in a positive direction this past August when researchers from PT Security found an undocumented method of turning off Intel ME.

The method relies on flipping a bit in the ME firmware region of the flash image. Evidence suggests Intel added the ME on/off switch at the behest of the US government, which wanted to run Intel-based computers inside secure government networks and didn't want Intel or anybody else reaching those computers through the ME's built-in web server and remote management capabilities.

Despite the discovery, security experts have warned that flipping the ME disable bit is a complex process that has not been thoroughly tested. Anyone choosing to do so should be prepared for unexpected behavior, up to and including a bricked PC, and should keep a full backup of the original flash contents, taken with an external programmer, so the firmware can be restored if the modified image fails to boot.
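To make concrete what "flipping a bit in the firmware" means, the following is an added example (written for this page, not code from PT Security, Google, or the ME_Cleaner project) that locates the bit in a SPI flash dump. It assumes the Intel Flash Descriptor layout as used by the public me_cleaner tool: the descriptor signature at offset 0x10, FLMAP1 at 0x18 giving the PCH strap base address (FPSBA), and the disable bit being bit 16 of the first strap word, PCHSTRP0, on Skylake-era and newer (ME 11+) platforms; earlier generations use a different strap that this example does not cover. The sample image is constructed inline and is not a real dump. The code only reads and rewrites a byte buffer; it never touches a flash chip.

```python
import struct

# Intel Flash Descriptor signature (0x0FF0A55A, little-endian) at offset 0x10.
IFD_SIGNATURE = b"\x5a\xa5\xf0\x0f"
# Assumption (from me_cleaner's public source): the ME disable bit is bit 16 of
# PCHSTRP0, the first 32-bit word of the PCH strap region, on ME 11+ platforms.
HAP_BIT = 1 << 16


def flash_descriptor_offsets(image: bytes) -> dict:
    """Validate the descriptor and return the PCH strap base address (FPSBA)."""
    if image[0x10:0x14] != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at 0x10; refusing to touch this image")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    # FPSBA lives in bits 16..23 of FLMAP1, in units of 16 bytes.
    fpsba = (flmap1 >> 12) & 0xFF0
    if fpsba + 4 > len(image):
        raise ValueError("FPSBA points outside the image; descriptor is corrupt or truncated")
    return {"fpsba": fpsba}


def hap_bit_set(image: bytes) -> bool:
    """Report whether the ME disable bit is already set (read-only check)."""
    fpsba = flash_descriptor_offsets(image)["fpsba"]
    pchstrp0 = struct.unpack_from("<I", image, fpsba)[0]
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with the ME disable bit set. Nothing is written to hardware."""
    buf = bytearray(image)
    fpsba = flash_descriptor_offsets(buf)["fpsba"]
    pchstrp0 = struct.unpack_from("<I", buf, fpsba)[0]
    struct.pack_into("<I", buf, fpsba, pchstrp0 | HAP_BIT)
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed 4 KiB stand-in for the start of a SPI flash dump (not a real dump)."""
    img = bytearray(0x1000)
    img[0x10:0x14] = IFD_SIGNATURE
    # FLMAP1: FPSBA = 0x100 (0x100 >> 4 = 0x10 in bits 16..23); low byte is an arbitrary FMBA.
    flmap1 = (0x10 << 16) | 0x06
    struct.pack_into("<II", img, 0x14, 0x00000000, flmap1)
    struct.pack_into("<I", img, 0x100, 0x00001234)  # PCHSTRP0 with the disable bit clear
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("disable bit set before:", hap_bit_set(sample))
    patched = set_hap_bit(sample)
    print("disable bit set after: ", hap_bit_set(patched))
```

On a real system the input would be a dump taken from the SPI flash with an external programmer, and the patched image would be written back the same way; run the read-only check first, keep the unmodified dump, and expect that some boards will refuse to boot with the bit set.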

The PT Security team also confirmed Google's findings, independently noticing that Intel's ME firmware is built on a customized version of the MINIX OS.

On a side note, taking into account the sheer number of Intel CPUs running Intel ME, this might mean that MINIX is now by far the world's most popular OS.