Intel ME & hardware backdoor speculation

You mention disabling IME using me_cleaner would introduce more issues, but what if you disabled it using the HAP bit instead?

@dngray commented in another thread that no one fully understands what the HAP bit does, but that it might affect things like Boot Guard. I still have a couple of thoughts/questions.

  1. Why would the U.S. government require the ability to disable IME for their High Assurance Program if it worsened rather than improved security? I'm not saying that disproves anything, but something doesn't add up.

  2. If disabling IME with the HAP bit ruins things like Boot Guard, would that negatively affect Qubes OS machines that can't use Secure Boot anyway? If not, couldn't disabling IME in those specific cases be beneficial?