Hello.
What are the current options for neutralize the Intel Management Engine on newer machines? Everything I read contradicts the previous article and I don’t know what to think about it anymore.
Some information?
I don’t know, maybe there’s an option on the BIOS 
The easiest thing to do is buy a device that disables IME and has Coreboot pre-installed! Of course, this method isn’t for everyone.
What rollsicecream said, if you have a BIOS switch for this turn it off - otherwise simply forget about it, it’s not worth the hassle.
2 Likes
Im going to reiterate my sentiments again from previous posts:
Its fine, generally. You also need an Intel LAN to complete the platform requirement so if you are on Realtek, it should be fine.
You can use coreboot laptop from Sys76 or you can buy from Dell that is verifiably disabled but that requires (IIRC) a military/government purchase.
Speaking of “disabled”, its risky to do a “full” manual disable because that involves desoldering board components and that requires a certain skill level and tools beyond what most people have.
Security researchers are actively paranoid about this and you’d get real famous and rich fast if you can prove the existence of one.
Also, if there is an Intel ME exploit, that would be some sort of holy grail of zero days. It wont be used and burned on you, me, anti-government journalists, and politicians, etc. There is a great risk being caught and patched. If such a thing exist it would be used on some sort of doomsday scenarios like cancelling nuke launches and exploding the nuke payload on enemy launchpad.
4 Likes
I wanted to find a solution to neutralize the vast majority of the IME modules like on the Librem.
Nevertheless, if a physical deactivation is possible, I am interested, even if I think it is impossible. I read that a parity was engraved on the scilicium of the processor.
As far as the risk is concerned, I think it is real. This is a backdoor to hardware that is able to bypass all security and, in addition, has been susceptible to several vulnerabilities in the past.
I don’t want to buy a ready-made solution like Purism or System76 machines.
from a quick web search, the most widespread vulnerabilities in ME have required physical access. as @HauntSanctuary has said, if you don’t have an Intel NIC alongside the Intel CPU, you’re probably fine. it’s a common trope in privacy spaces to see Intel ME/AMD PSP/Apple just existing as this big boogeyman without actually considering the facts and how things actually work.
also Purism is kinda untrustworthy generally, just take a look at their security (or lack thereof) when it comes to their phone, or the problems with their other hardware that some people in the GOS matrix rooms have had (i.e., nonfunctional killswitches), or even just check out how many people actually got their Librem 5s
1 Like
This is still very serious. In addition, the IME can communicate very well with the internet and allow an authorized attacker to do anything on the machine.
Is there more information on this?
The IME is at the lowest level of the machine. It can do it all. I don’t see how this could be anything more than a backdoor. Intel has gone so far as to burn some of the Intel Management Engine code into the processor’s sicilicon and definitely wants you to keep it enabled.
I don’t want to buy Librem. I made that clear, I simply quoted from one of their articles on the IME.
Okay if you’re that worried about Intel existing, just get a pinebook or build a custom risc-v based laptop and run linux-libre, because you can’t really do much as an end user about the big scary boogeyman IME
2 Likes
Please remain courteous, this is the only solution for a constructive discussion.
I specified that I was looking for a solution to render the Intel Management Engine almost completely inoperable.
Both Intel and AMD have the same remote management feature set, IIRC ARM doesnt have the same issue of remote management. If you want a fully libre solution, IIRC, NXP ARM chipsets is fully libre and approved by FSF.
Also @pinkandwhite did not really come off as not courteous or dismissive. x86 platform is Intel (despite AMD pioneering the x86_64)
2 Likes
There is no general answer how to do that. It involves manipulating chips on the mainboard that are not meant to be reflashed, i.e. there is considerable risk permanently bricking your device and it’s different for different hardware.
There are a few instructions for specific mainboards/CPUs out there on the web and there’s GitHub - corna/me_cleaner: Tool for partial deblobbing of Intel ME/TXE firmware images but you will not get a definitive answer here.
This kernel isn’t recommended by PrivacyGuides. See :
I think their point was that people shouldn’t be concerned about IME…
3 Likes