How can I have a computer without Intel ME?

I recently read about Intel ME and other spy chips. I wanted to know how I can have a computer without that chip, or if an Orange Pi with the Rockchip is worth it; I have not found information on whether it has it or not. Thank you very much.

I believe the ME can be partially or maybe fully disabled with 11th gen or earlier Intel chips. But this will no longer be possible with 12th gen or newer Intel stuff. I might be a generation off in one direction or the other. This information comes from System76 (a Linux-first hardware brand and the makers of Pop!_OS).

Also, I think it may be a little bit of hyperbole to call Intel ME “a spy chip”. More accurately, it is something with valid use-cases that, by nature of what it is and how it works, is a theoretical risk with respect to surveillance, privacy, backdoors and control over your own system.

4 Likes

Don’t purchase an Intel computer.

You can set Intel CPUs to High Assurance Platform mode on most devices, which is the undocumented switch designed for use by government agencies like the NSA to “disable” Intel ME. But even in that case there have still been documented security vulnerabilities in Intel ME that were unaffected by HAP mode or any other known form of disabling IME, because some (boot-related) aspects of it inherently can never be disabled.

HAP is the method that the manufacturer you mentioned is using. Some (Purism) go “above and beyond” by using HAP and overwriting the firmware, but that extra step really makes little difference in the attack surface of IME (so this is not a Purism endorsement).

Of course, no CPU will ever be vulnerability-free, that’s an unrealistic expectation anyways.

7 Likes

AFAIK, AMD also has an equivalent called Platform Security Processor AKA PSP. So, it’s not practical to avoid Intel and AMD since those are basically every PC chip out there.

I don’t know much about ARM, though. But I don’t think it’s practical to replace my workflow/usage with an ARM chip on Linux, so it doesn’t matter to me. If your workflow/usage lets you use ARM, it would be interesting to find out whether it’s actually safer than x86 for this kind of threat.

2 Likes

In this case it doesn’t matter which architecture (x86 vs ARM), it matters which manufacturer produces the chips. There are a lot more ARM chip producers out there, and they vary in a variety of ways.

From a libre firmware perspective, it ranges from chips which can run almost entirely free firmware, like Rockchip and Freescale i.MX6 devices, to chips which run entirely proprietary firmware, like Qualcomm and Samsung Exynos SoCs. The Raspberry Pi with its Broadcom chipset is unfortunately completely non-free firmware.

From an attack surface perspective, ARM manufacturers are also free to implement firmware components that they do include in any way they see fit. Apple Silicon for example has a ton of subsystems that operate behind the scenes much like Intel ME or AMD PSP, but Apple’s firmware blobs are modular and strictly segregated to prevent them from potentially colluding to create a backdoor:

For example, the blob running inside the keyboard controller has no mechanism to communicate with the blob running on the WiFi card, and thus cannot implement a keylogger surreptitiously; the blob running on the display controller similarly has no way to communicate with the network, and thus can’t implement a secret screen scraper.

Contrast Apple’s approach here with AMD PSP, which has full unrestricted access to the same user memory space that all your applications run in (yikes).

Almost all the highest-performing ARM chips (Apple Silicon, Qualcomm, Exynos) run proprietary firmware like IME, but it’s not a requirement for all ARM chips to be like that.

Maybe. Have you done any research into this? Linux provides excellent ARM software support overall, especially due to devices like the Raspberry Pi.

7 Likes

I have 2 Raspberry Pi 4s running as my servers. I ran into some limitations when I tried setting one up as a desktop for my girlfriend. For example, Widevine support in 64-bit browsers, so no Netflix, Prime, etc. It’s fixable by using 32-bit browsers, but it’s not straightforward and not efficient. If I want to use it for work, Android Studio doesn’t have an ARM build, etc.

My brief experience with ARM on Linux was bad. It looks great on the surface, but it’s more like a project device that you can’t really do anything serious on.

1 Like

I see folks in r/selfhosted have issues getting some stuff to run on Raspberry Pis. It’s not 100%.

My only first hand experience is that there’s no Mullvad Browser ARM Linux build, so I have to run arkenfox in my Linux VMs.

1 Like

That’s very interesting. I wonder which of these CPU firmwares have network access as this is the main concern when it comes to security issues or potential hidden backdoors.

  • x86
    • Intel ME: yes
    • AMD PSP: ?
  • ARM
    • Apple Silicon: no
    • Qualcomm Snapdragon: ?
    • Samsung Exynos: ?
    • Google Tensor: ?
    • Mediatek Dimensity: ?
    • Raspberry Pi: ? (probably not)
    • Rockchip / Allwinner / Freescale SBCs: ? but open source
  • POWER

1 Like

Up until now there hasn’t been any evidence of actual backdoors existing, just speculative nonsense. A real backdoor wouldn’t necessarily be as obvious as the XZ backdoor or the god mode bit in the C3 Nehemiah Core, and is likely to just be a CPU-based vulnerability that can be exploited.

Nation states (NSA, GCHQ, etc.) have nearly unlimited resources to spend on finding them, so that’s likely what they do. I also think these organizations are abundantly knowledgeable about the risks of inserting backdoors, such as those backdoors being used against themselves and the companies which they’re supposed to protect.

When the argument of backdoors comes up it tends to be from lazy domestic law enforcement agencies looking to expand their powers and bemoan the existence of E2EE, e.g. “Going Dark” and the countless campaigns about child safety in an attempt to pull public heartstrings in their favor.

It’s also worth noting that with ARM there isn’t really a standardized approach like the UEFI specification, so they often have very specific (and not open source) approaches to things.

We really don’t have much besides the Raptor POWER arch, and maybe in the future something that is RISC-V based. Also ARM requires licensing and is patent encumbered. It’s not really any better than x86 in that respect.

4 Likes

What we know up until now: a full CPU with full access to all of the computer’s resources, closed source, undocumented, unaudited and forbidden in government computers.

3 Likes

That’s just the government being security paranoid. The feature I assume you’re talking about is just an enterprise feature for remotely managing machines and is off by default afaik. I agree that there are certainly features that, when disabled, reduce your attack surface.

The same paranoid people who tolerated TikTok on their phones for 8 years and only banned it because of political noise.

Eh, what can TikTok do on your phone? It is restricted by the same sandbox as any other app. It can only do what you give it permission to do. I agree banning TikTok was entirely a weird political move and has no actual security value.

Of course, because the first thing regular people do when they install TikTok is to revoke permissions.

By now China has facial recognition on a large number of US government employees and has probably listened to a lot of meetings as well. But no security value, sure.

1 Like

God help you if your security relies on no one having a 2D image of your face. But yeah, if China really wants their faces so badly they can just see where they post public pictures/videos on countless American social media sites including YouTube, Facebook, Twitter, Instagram, LinkedIn, etc. It would make more sense to me if they banned all social media on government devices.

You would think they would just ban recording meetings? Like, who is making TikToks at secret government meetings lmao. Or just ban phones in meetings entirely.

I’m curious to know what you think governments use instead.

1 Like

Wtf. On Android and iOS you need to actively grant permissions. Apps don’t get runtime permissions by themselves.

Well, governments reduce their attack surface in this case by enabling High Assurance Platform mode…

1 Like

Well, they generally don’t, and I’m not even sure if that feature actually exists in modern laptops, at least in a way that users can control.

As far as I’m aware it’s only requested from the OEM in some isolated cases and not something they generally require; otherwise you’d see it in things like FIPS etc.

In any case, disabling the HAP bit does make the device less secure: if you set it you lose fTPM (which prevents tampering) and are downgraded to only having a dTPM. Other features are also broken, like Modern Standby, so there’s really nothing much to gain by having a laptop with it, at least in my opinion. Not to mention Intel BootGuard (p2), which is a pretty important part of the firmware protection nowadays.

Regardless, the x86_64 platform will always have some proprietary code.

1 Like

It certainly does exist; government agencies can order laptops in that configuration directly from OEMs today. I’ve spoken with sales reps about this functionality. Researchers from e.g. Google have presented on the security benefits of doing so.

This is also a native feature in Coreboot, and some consumer OEMs like System76 do so by default (via Coreboot and not me_cleaner in their case, I believe). This is as recent as 13th-gen Intel.

Of course, System76 is being misleading because they claim it disables Intel ME, which is not what the HAP bit does. But the reduction in attack surface is pretty obviously a good thing, if the drawbacks to enabling the HAP bit are okay with you.

Off the top of my head I believe you would lose some notable consumer-facing features like being able to play DRM-protected Netflix on the iGPU lol

2 Likes
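Several posts above argue about whether the HAP bit "disables" the ME and whether a user can even tell what state it is in. One read-only check a defender can run on Linux is to decode the ME's own HFSTS1 status register, which the HECI/MEI PCI device exposes at config-space offset 0x40 and which `setpci -s 00:16.0 40.l` prints as a bare hex dword. The decoder below is an added example and not code from any poster or vendor in this thread; the field layout and the names for the working-state and operation-mode values are taken from coreboot's `me_hfsts1` definitions (an assumption you should check against your platform's documentation), and the register values fed to it are constructed samples. Keep in mind the caveat already raised in the thread: this is what the ME firmware reports about itself, not independent proof that it is inactive.

```python
"""Decode the Intel ME HFSTS1 (Host Firmware Status 1) register.

Added example; assumes coreboot's me_hfsts1 bit layout:
  [3:0]  working_state   [4] mfg_mode        [5] fpt_bad
  [8:6]  operation_state [9] fw_init_complete
  [15:12] error_code     [19:16] operation_mode  [23:20] reset_count
"""
import shutil
import subprocess

# HECI/MEI controller lives at bus 0, device 0x16, function 0 on Intel platforms.
MEI_PCI_BDF = "00:16.0"
HFSTS1_OFFSET = 0x40

# Value names per coreboot / intelmetool (assumption; unlisted codes are reserved).
WORKING_STATES = {
    0: "Reset", 1: "Initializing", 2: "Recovery",
    5: "Normal", 6: "Wait", 7: "Transition", 8: "Invalid",
}
OPERATION_MODES = {
    0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
    4: "Security Override via Jumper", 5: "Security Override via MEI Message",
}


def decode_hfsts1(value: int) -> dict:
    """Split a 32-bit HFSTS1 value into its documented fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("HFSTS1 is a 32-bit register")
    ws = value & 0xF
    mode = (value >> 16) & 0xF
    return {
        "working_state": WORKING_STATES.get(ws, f"reserved({ws})"),
        "mfg_mode": bool((value >> 4) & 1),
        "fpt_bad": bool((value >> 5) & 1),
        "operation_state": (value >> 6) & 0x7,
        "fw_init_complete": bool((value >> 9) & 1),
        "error_code": (value >> 12) & 0xF,
        "operation_mode": OPERATION_MODES.get(mode, f"reserved({mode})"),
        "reset_count": (value >> 20) & 0xF,
    }


def parse_setpci_output(text: str) -> int:
    """setpci prints the dword as plain hex without a 0x prefix, e.g. '00000245'."""
    return int(text.strip(), 16)


def read_live_hfsts1():
    """Read the register from the running machine; returns None if setpci is absent.

    Needs root (or CAP_SYS_ADMIN) for PCI config-space access.
    """
    if shutil.which("setpci") is None:
        return None
    proc = subprocess.run(
        ["setpci", "-s", MEI_PCI_BDF, f"{HFSTS1_OFFSET:02x}.l"],
        capture_output=True, text=True, check=True,
    )
    return parse_setpci_output(proc.stdout)


if __name__ == "__main__":
    # Constructed samples: a fully booted ME in Normal mode, and one reporting
    # "Soft Temporary Disable" while still initializing.
    samples = {"normal": 0x00000245, "soft_disabled": 0x00030001}
    for label, raw in samples.items():
        print(label, hex(raw), decode_hfsts1(raw))
    live = read_live_hfsts1()
    if live is not None:
        print("this machine", hex(live), decode_hfsts1(live))
```

If the live read fails with a permission error, rerun as root; if `00:16.0` does not exist, the OEM may have hidden the HECI device from the host, which is itself worth noting in an inventory.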