Google Working To Remove MINIX-Based ME From Intel Platforms (tomshardware.com) 181
An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.
What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just a software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According the Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.
What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just a software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According the Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.
Comment removed (Score:5, Funny)
Re: (Score:2)
Re:Obvious question (Score:5, Funny)
Re:Obvious question (Score:5, Interesting)
Re: Obvious answer (Score:2, Funny)
It's a UNIX system, I know this!
Re:Obvious question (Score:5, Funny)
Re:Obvious question (Score:5, Funny)
Minimal
Re: (Score:2, Funny)
A coincidence, Minnich discovered this while at Munich.
Re: (Score:1)
Only Intel's selected partners have the shell prompt. What would be better business plan than selling the processor to every PC and remote access to them.
Re: Obvious question (Score:1)
Re: (Score:2)
Also, what is Minnich's problem with MINIX?
Re: (Score:3, Informative)
Re:Obvious question (Score:5, Insightful)
Re: (Score:2)
It is now in all chipsets and is the CSE/ME (converged security engine).
Pedantic (Score:2)
Interested move? (Score:5, Funny)
Google Working To Remove MINIX-Based ME From Intel Platforms
... and replacing it with Android. "Just how much juicy monetizable user data could we get that way?"
(I believe I'm joking, but I'm not completely sure...)
No with chrome (Score:2)
Seriously, and no joke, chromebooks disable the ME after boot.
Re: (Score:2)
Do Chromebooks use the off switch, like most people do to turn their PC "off", or do Chromebooks actually unplug ME from the wall socket?
I have more confidence in the second method.
ME and chromebooks (Score:3)
For chromebooks where google can't use their own openbios-based stack,
they use heavily modified firmware, where the ME part running on the micro-controller embed in the chipset is reduced to the base minimum necessary to get the chipset running.
Among other, all the juicy bits that are targeted by ME-exploits (half-broken webserver serving as the user-interface, capability to reflash the UEFI/BIOS while the main Intel CPU isn't even powered, VNC-like server with USB-over-network extensions, etc.) are all rem
Re: (Score:2)
there is a "minSKU" available that Google and Apple use that has ME alive long enough to bring up the system, do the secure boot stuff then dies.
Re: (Score:1)
I doubt it...Ron has long been a linuxBIOS/coreboot guy and he has always been very clear that true open hardware means you can build your firmware from source.
I don't trust google at all any more but I'll gladly trust Ron to do it right....but maybe I trusted him a little more when he was a LANL or Sandia guy ;-) j/k Ron.
Re: (Score:2)
This actually came to my mind. Imagine the power of this. There can only be one here. [youtube.com]
Most Widely Deployed OS? (Score:5, Informative)
Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.
Re:Most Widely Deployed OS? (Score:4, Informative)
Hrmm, so some of these intel systems would have linux on it, and linux would be on some AMD x86 systems, and intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.
On top of that, I'm willingto be there are more linux VM's than intel ME enabled CPU's.
ARM has TrustZone... (Score:1)
Which is enabled/disabled in the stage0 bootloader usually, with signing/hashing just like the Intel ME firmware.
The only difference is that the TrustZone stuff runs on ARM cores and may run either on the primary cores, or a dedicated coprocessor depending on the design chosen by the downstream chip designer.
Earlier versions of TrustZone as well as the ARM Java/JVM stuff (I forget what those extensions were called, but they were basically the predecessor to TrustZone) were completely proprietary, required e
Year of the MINIX on desktops (Score:2)
intel ME isn't on Qualcomm/ARM chips in mobiles that android (linux) runs on, or any of these IoT devices. I'm willing to wager there are more mobile phones in the world than intel ME enabled PCs at this point.
The correct mention would be :
MINIX is the most widely deployed OS on desktops in the world.
But indeed, the desktop themselves are completely dwarfed by the embed world, were Linux seems to be the king.
and linux would be on some AMD x86 systems
BTW, IPMI [wikipedia.org] is the industry standard for "lights-out management" (and Intel ME/AMT is the Intel proprietary "lights-out management").
According to several presentation at conferences :
- lots of IPMI implementation run actually Linux on their embed micro-controller.
(Meaning that even in the server room/cluster/da
Re: (Score:2)
Except that the IPMI on a server usually is plugged into a dedicated ethernet port all of it's own. Well at least all of mine are.
Those ethernet ports are all highly segregated into a VLAN all of their own with very limited access to the outside world. They can hop to specific NTP servers and that's it. Everything else is contained within the VLAN itself.
So while I expect the lights out management to be buggy and badly maintained (I have to keep a raft of ancient web browsers available on console server to
Re: (Score:3)
Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.
Finally I can declare this is the year of Linux on desktop :)
It's in the SouthBridge not CPU dammit (Score:1, Informative)
Guys, can you at least get your facts straight before doing another FUD piece on the Intel ME?
1) The ME is not in the CPU, it's in the chipset, specificly it's loaded in the firmware of the firmware hub, and the "hidding processor" is in the chip we typically call the South Bridge.
2) It's OFF BY DEFAULT.
Go ahead and check it yourself:
INTEL-SA-00075 Detection and Mitigation Tool
https://downloadcenter.intel.com/download/26755
Re:It's in the SouthBridge not CPU dammit (Score:5, Insightful)
The remote management tools are off by default, but you still need the chip on to run the power management software on it, or the CPU turns off in 30 minutes.
And as it is a black box, it might be doing several other tasks while doing the power management.
Re:It's in the SouthBridge not CPU dammit (Score:5, Insightful)
2) It's OFF BY DEFAULT.
We don't believe Intel's claims. After the Edward Snowden revelations, after the way that an exploitable backdoor was hidden in the Dual_EC_DRBG standard [arstechnica.com], after news that Microsoft works to provide backdoors in its Windows operating system [archive.org], and after government officials have insisted that backdoors must be provided [theintercept.com], we just don't trust Intel. The ME has the potential to be the most perfect backdoor in almost every computer. And if the Intel ME is a backdoor, then most of our computers are vulnerable if anyone (anywhere in the world) learns how to exploit it.
Re: (Score:3, Insightful)
we just don't trust Intel.
Fair enough, but why would you trust Google?
Re: (Score:3, Interesting)
why would you trust Google?
I don't trust Google. But it certainly is interesting news that Google doesn't trust Intel, either.
Re: (Score:2)
Re: (Score:2)
Come to think about it, the one thing I'd want even less than an Intel-run ME is a Google-run ME...
Re: (Score:3)
And... why are Intel unwilling to sell a CPU without the ME, when a client like Google - who build 1 million+ machines running their CPUs - don't want it?
Re: (Score:3)
I agree. Supposedly it's built into every Intel chipset, which means they spent money reserving the silicon and firmware real estate to have it there.
Its existence is default, even in low-end chipsets aimed at the consumer market, but 99.99% of the time it's disabled and simply a total waste of money and resources. Honest!
I don't buy it.
Re: (Score:2, Informative)
2) If the ME isn't running or is running incorrectly, the platform will not power on. It may be completely unreachable from the network in some implementations, but it is the arbiter of whether the system will turn on or not. It's easier to describe it as 'disabled', but it certainly is running.
Re: (Score:3, Insightful)
It is not in the CPU, but that hardly makes a real difference. I'm not sure why people are getting all pedantic about whether it is in the CPU or in some part that is always paired with the CPU to run. The ME seems to be able to make out-of-band requests to the CPU to do potentially anything (including read memory locations). Sure it may not be able to be super high performance over DMI compared to being on CPU, but it's plenty good enough to be worried about it.
Re: (Score:2)
Yea nope. Read the previous slashdot article on this. Minix is running even with your desktop pc powered down. Which makes this doubly pernicious for even those just casually concerned with security.
Re: (Score:1)
Trust is so easy to loose and so hard to regain, they have some history of making shaddy things, remember their compilers tampering code to run bad on non-Intel processors? or that time when they shipped "Windows vista ready" GPUs that weren't (Microsoft had to lower their requirements)
https://www.theinquirer.net/inquirer/news/1558372/intel-caught-dodgy-gpu-drivers
Or all those laughs accounting had when the Pentium's FDIV bug appeared.
Well, sometimes they fix problems fast: https://www.pcworld.com/article/2
Re: (Score:2)
Actually some sources say that it has been in the "North Bridge", e.g. what has been known as "Platform Controller Hub" ( https://en.wikipedia.org/wiki/... [wikipedia.org] ) for some time. For example, see ME references in https://www.intel.com/content/... [intel.com]
However, it is stated in the above Wikipedia article: "Beginning with ultra-low-power Broadwells and continuing with mobile Skylake processors, Intel incorporated the clock, PCI controller, and southbridge IO controllers into the CPU package, eliminating the PCH for a sys
More instances of MINIX than Linux! (Score:5, Funny)
Tanenbaum gets the last laugh over Torvalds.
Re: (Score:3)
Yes. We should put Andy in the hall of fame with the guy who invented stock derivatives. He wasn't responsible for the way others used it, either. :-)
Insert your story of unwitting engineers facilitating people who do really bad stuff here.
Its official (Score:5, Funny)
It's the year of the Minix desktop!
Re: Not bad, so why not a RTlinux? (Score:2)
Twisted facts... (Score:1)
"Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs."
and
"Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor."
How can the IME be INSIDE the CPU, when it's widely known that it monitors packets coming from your ethernet connection EVEN IF YOUR COMPUTER IS POWERED OFF? If it's powered off, there is no power going
Re:Twisted facts... (Score:4, Interesting)
If ever notice that when thigns are powered off they are still using 1-10wats? Or that LED's are still lit or blinking?
This is the case with PC's, Microwaves, Dumb TV, VCR's, your name it.
PC's no longer have an on/off button. It's now a button that asks the CPU to shutdown. Power is not cut removed, and some parts stay powered on. Can't ask the CPU to power on, if there's no power for it to reconize the input.
Re: (Score:2)
Talk to Purism? (Score:4, Funny)
Google might want to talk to Purism, who claim to have completely disabled Intel's ME in their secure Linux based laptops.
Re:Talk to Purism? (Score:5, Informative)
First of all neutralized, then disabled. The next step is to completely remove it.
Re: (Score:2)
It's not disabled, it's "neutralized". In other words they believe they've cut it's access but they can't be certain. You can't disable it completely as severing it's connection to the main CPU kills the CPU.
Google is a major computer purchaser, rather than trying to disable the ME they should use their market power to force intel to sell CPU's without the ME. It should be trivial for Intel to spin up die without the ME integrated or fully disabled. Hell they should have the knowledge on how to disable the
slashdot (Score:2)
You should peruse this great website which talked about this three days ago...
https://tech.slashdot.org/stor... [slashdot.org]
Cue the skeptics (Score:5, Insightful)
It seems like just a day ago, there was a Slashdot posting about this [slashdot.org], and several highy-rated comments amounting to "naw man, there's no way this could be a problem!" [slashdot.org]
So with all the verifiable, proven news of backdoors being built-in to software and hardware over the past decade, and all the news of vulnerabilities in software and hardware that compromise systems, people say "nah, not a problem, see, you can turn it off" about this "computer in my computer." Really? It's off?
I'm not seeing reports saying "The Intel ME is off by default in consumer devices, and this is verified by researchers." In fact, I'm seeing the opposite, which says that the Intel ME is always on. Do we have any proof that the "off switch" in BIOS actually makes this feature unexploitable? Because, really, that's what I want: I want this feature to be unexploitable, and the only way I can be sure of that is for it to be disabled, for real, because I don't need this feature.
So yeah, please forgive us all if we are just a BIT skeptical about Intel ME. Forgive us if we're skeptical of spokespersons at Intel saying "There's no problem with this feature."
Re: (Score:2, Insightful)
ME is always on, but it has many functions that do not involve any kind of remote access. By contrast the remote functions are disabled.
Now really? Are they? Well until someone can prove to me that there's some way of getting a TCP packet to fly through the internet and into an ethernet port without a second IP address, without additional MAC address, and which doesn't appear to respond to any normally routable packet on any port, I really don't care how off or on it is.
As the old adage goes: If someone has
My thoughts (Score:3)
Re:My thoughts (Score:5, Interesting)
This may be worth 0.02 or less but I believe the vulnerabilities can be mitigated somewhat by using disk encryption.
And what do you use to encrypt and decrypt that data, so it never passes through the CPU or south bridge?
Re: (Score:2)
The ME has DMA access to memory and disks and can open a network socket the main computer won't even be aware of. Any protection scheme on the computer can easily be subverted by the ME because it has ring 0 access to everything in the CPU such as, the kernel, the RAM, the disks and the network port. All communication to the CPU goes through the ME first. So when your computer decrypts that drive the ME can intercept and record the decryption key, it's also fully capable of decrypting the disk itself.
Now do
Re: (Score:2)
The ME has DMA access to memory and disks and can open a network socket the main computer won't even be aware of. Any protection scheme on the computer can easily be subverted by the ME because it has ring 0 access to everything in the CPU such as, the kernel, the RAM, the disks and the network port. All communication to the CPU goes through the ME first. So when your computer decrypts that drive the ME can intercept and record the decryption key, it's also fully capable of decrypting the disk itself.
Now do you realize why people are so scared of it?
I had no idea that the vulnerability ran that deep! This is bad
Old news (Score:2)
Re: (Score:2)
During the week, Tanenbaum was trying to troll Linus and RMS by suggesting there were more MINIX installs than Linux and that was because Linus had chosen the GPL.
Re: (Score:2, Insightful)
Minix most widely deployed, wait what? (Score:3)
Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.
I seriously doubt this claim. Phones have outnumbered PCs for years, for one thing. And Linux is deployed maybe even in more TVs and routers than phones, and numerous other embedded systems, now increasingly including cars. Anybody with decent stats on this?
Re: (Score:2)
From everything I've read, this started before the smart phone craze, some where around 2007-2008. With that being said, they had a very good head start which may still allow them to claim the biggest installation base. Also don't forget all those "cloud" servers...
Re: (Score:2)
From everything I've read, this started before the smart phone craze, some where around 2007-2008. With that being said, they had a very good head start which may still allow them to claim the biggest installation base.
Most of those PCs are in landfill today. I guess somebody just pulled the claim out of their ass.
Re: (Score:2)
Re: (Score:2)
You are right that there are more RTOS computers out there than the sum of all general purpose computers, including personal, handset and data center. However, you are most probably not right that any one RTOS covers more devices than Linux does. Hell, I strongly suspect that my thermostat is running Linux, judging by the web connectivity options it has. And Wind River, one of the biggest vendors in the RTOS space, has been offering https://www.windriver.com/prod... [windriver.com]>its own flavor of Linux for years. Plu
Re: Minix most widely deployed, wait what? (Score:2)
Re: (Score:2)
What is "it", PREEMPT_RT or Xenomai? Not doubting your report, but 2.4 and 2.6 are both ancient.
Re: (Score:2)
We tried really hard with 2.4 and 2.6 kernels, and could not come near the vxworks performance for a wireless BS/CPE.
By the way, Linux seems to work out fine for these guys [saankhyalabs.com] and you already know the license cost.
Lots of Problems With That Statement (Score:4, Insightful)
First, not all Intel systems that are capable of it actually have the management engine software. Second, the Intel PC motherboard probably does not hold the "largest number of systems" title, that might belong to Android phones. And anyway isn't the fact that MINIX with its BSD/MIT style licensing was used for the most user-hostile system in recent time an indictment of that license? You would not see GPL software used for this, for obvious reasons, and people who use GPL should be proud of that.
Re: (Score:2, Informative)
The idea that a GPLed operating system wouldn't be used for this doesn't make sense. There is nothing preventing a company like Intel from using a minimal GPLed OS for this task. In fact, companies have used GPLed kernels, like Linux, in the past for locked down or embedded devices. Just look at the TiVo issue.
So not only can you use a GPLed kernel for this sort of thing, people have, GPL advocates have nothing to be proud of in this instance because there is nothing in the license which prevents a company
Re: (Score:2)
Re:Lots of Problems With That Statement (Score:4, Interesting)
Sure, the GPL would be better than what there is now. But I think even that would not be good enough. GPL source code would be the start of making a system that users could trust. Besides that, there would have to be an explicit way to turn it off that could be confirmed to work reliably, and I would prefer a way to permanently remove it from the system with confirmation that worked too.
There would be a lot of concern related to the overall security of that system (researchers tell us there are Minix bugs they will be reporting) and what that system is capable of doing for anyone but its owner.
I am not sure I would want anything other than a very minimal system written in some sort of functional language that could be proven correct (and we know how expensive that is to write).
Overall, I think I'd rather just have it out of my system.
Re: (Score:1)
The source code isn't worth much if you can't use it to rebuild and install the whole system.
For most android phones and wireless routers the "gpl source code" usually consist of some old / incomplete tarred archive of the linux source code which does NOT correspond to the kernel installed on the device; for many drivers, the source files are a mix of magic numbers and binary arrays; and no change logs or version history are ever provided.
The fact that they're able to pull this shit without anybody crying f
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The source of windows nt4 is available on the internet too, but the version available will be significantly different from the versions currently being sold.
Re: (Score:2)
What Tivo did is find and exploit a bug in the GPL 2 which was fixed in the next version to prevent that exploit.
In the meantime, this stalls AMT/ME (Score:4, Interesting)
See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/ [slashdot.org]
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
Re: (Score:1)
Re: (Score:3)
As the ME is a black box, we still have no idea what ports it uses... We know for sure that it does use those ports listed, but can you prove it doesn't use any others?
Lack of evidence does not prove innocence.
Re:Bert64 - read what u said "we know/have no idea (Score:5, Insightful)
There's no contradiction, we know for sure it uses *some* ports but do not know what other ports it *might* use. Your notion of blocking the known ports is flawed as it may well communicate via other as yet unknown ports.
See subject: Point me to a valid reputable security community source that shows more ports being used than what I listed.
I don't need to prove that more ports are being used, you need to prove that other ports are *NOT* being used in order to validate your claim that filtering at the network layer is effective.
Monitoring in/out communique from router logs external to the PC would tell fact of what ports it used easily beyond Intel's docs.
Monitoring the network traffic only shows the communication that actually takes place, not the communication that *could* take place. We don't know if any circumstances exist in which it could attempt other forms of communication. Sure the network router could log this traffic were it to take place, but we cannot be sure of all the triggers which would make it do so. That also assumes that the device only has wired connectivity, which is connected directly to your networking equipment. If the device has any form of wireless connectivity it could attempt communication with anything that's within range.
Unless we are 100% sure of all the possible network communication the device could perform, and what could potentially trigger it, a blacklist approach at the network gateway can never be truly effective.
We don't know, and a lack of knowledge is dangerous.
Re: (Score:2)
Not only do we know what ports it could use, it could easily piggyback it's communications on a known port while it's being used. It's code may include anti-circumvention code that in the case it can't communicate with it's home base that it starts trying all available ports including port 80. It's ability to edit packets at transmission.
apk gets butthurt over tiniest things (Score:2)
UPDATE: Ports 623-625 also filter them (Score:1)
UPDATE: Ports 623-625 also filter them - JUST picked that up today (new information apparently, maybe for versions past 5-11.6 Intel AMT/ME have).
APK
P.S.=> An unidentifiable ac (probably a troll harassing me as usual) noted it uses port 80 in his reply to my original post (maybe in the usermode software interface, that's easily removed, but I have not seen news of it being in the MINIX on motherboard chip portion)... apk
Re: (Score:2)
Re: (Score:2)
Can't I just use a hosts file to fix the problem?
Intel ME (Score:2)
Google, our saviour (Score:2)
Re: (Score:2)
Re: Google hold back? Backfired on them... apk (Score:2)
Re: I do what Dr. Mark Russinovich did... apk (Score:2)
Intel should be forced to pay compensation (Score:1, Insightful)
Intel is running their software on your CPU, using electricity
which you pay for. If they do not compensate for that, they are essentially
stealing money from you, which is an offense for which they can be held liable in court.
I propose everbody with such a CPU starts sending Intel invoices.
If they do not compensate, a class action law-suit should be started.
EFF analysis (Score:5, Informative)
So how is google going to remove something from (Score:2)
hardware built into every PC? Are they going to somehow overwrite the Minix OS? Any side effects?
Re: (Score:2)
Re: (Score:2)
More questions (Score:2)
Are AMD CPUs clear of it?
Has someone got it onto RISC chips?
Has the NSA or other criminals got their hooks into it?
Can it be "zapped" with some xrays like cancer patients?
Re: (Score:2)
Older AMD CPUs (read: Phenom 2 and earlier) do not have any kind of management processor. I don't know about the desktop versions of the earthmover cores (the FX-series), but a fair few of the mobile chips (the A-series) have it
The FX series don't have it, as they are family 15, and the PSP is only there starting from family 16: https://libreboot.org/faq.html... [libreboot.org] I think you can continue to buy FX CPUs for a while, as the (Ry)?Zen series is only now starting to make an impact in the marketplace.