It's Now Possible To Disable & Strip Down Intel's ME Blob

  • #11
    Originally posted by uid313:
    It is silly how difficult it is to disable this Intel Management Engine (ME). I wish there was just an option in the UEFI setup screen to disable this feature.
    Why isn't there?

    Is it possible to restore this functionality once disabled with this Python script?
    Are there any side-effects to disabling Intel ME, does anything useful stop working?
    I think mine has the option if I remember correctly. But you can't trust it really. Also it can flash the ME alongside the BIOS.


    • #12
      Originally posted by uid313:
      It is silly how difficult it is to disable this Intel Management Engine (ME). I wish there was just an option in the UEFI setup screen to disable this feature.
      Why isn't there?
      Are you seriously asking this? You think Intel made the ME to let people disable it at will?

      Is it possible to restore this functionality once disabled with this Python script?
      Reflash the board firmware.

      Are there any side-effects to disabling Intel ME, does anything useful stop working?
      Stuff connected to DRM systems stops working; the rest is unknown, but probably a "no".


      • #13
        Originally posted by uid313:
        Are there any side-effects to disabling Intel ME, does anything useful stop working?
        It seems that sometimes the network card doesn't wake up on cold boot if the ME's initialization code is removed. I don't know if this applies only to Linux, and anyway it will work after a reboot.

        My laptop doesn't have ethernet, but I still would like to get a suitable flasher (and take a backup) before I mess with this one... There are some annoying things in the firmware, so it would be really cool to switch to Coreboot. Too bad this laptop is not supported.

        Oh, and you should also read the end of this page (title: Cool, how can I apply it?): https://github.com/corna/me_cleaner/...oes-it-work%3F

        Edit again: Well, it actually contradicts some of the things I said and I realized that I'd need the flasher anyway to actually flash the firmware. Flashrom doesn't support my board (and many other laptops).
        Last edited by Tomin; 12 January 2017, 06:18 PM.



        • #14
          Originally posted by starshipeleven:
          Are you seriously asking this? You think Intel made the ME to let people disable it at will?
          Intel does not implement UEFI or BIOS on most motherboards (though I think it does with the NUC). What's stopping a board manufacturer such as ASUS from adding this as an advanced option in their BIOS/UEFI?


          • #15
            Originally posted by Adarion:
            It's a start and step in the right direction. But to get rid of all this blob stuff in the firmware could be a lengthy walk...
            I really dislike the idea of something that runs at ring <0 and is totally transparent to my OS kernel, but is possibly always active and has higher rights than my kernel. Especially when it can possibly be activated from a remote position or send data. Regardless of whether it's from Intel, AMD, some ARM implementer...
            There is the Talos Secure Workstation which is free from any such garbage. But at $3,700 it's one heck of an expensive motherboard.


            • #16
              I think what might be more interesting to me in the long run would be open-source implementations of firmware for the MEI. It might be good to, for example, have some kind of virus/etc scanner that's running external to the operating system itself, allowing sanity checks on the system. There could be positive use-cases for the MEI, if users were actually able to control it in some way.



              • #17
                Time to put the tin foil hats away and get a job you hippies! Let me guess, did fake news tell you that NSA is spying on you? Before all you conspiracy theorists run out and try to deblob your computers you should be aware that Vladimir Putin personally authored this deblobbing software. He hates our freedoms and is jealous of the loving concern the intelligence agencies have for the common man. Besides, anyone who believes that a black box might contain anything but loving concern for your privacy and personal well-being clearly needs to take a shower and leave the basement more often. You are either with us or you are with the terrorists!



                • #18
                  Partially?
                  ## VGA ##
                  AMD: X1950XTX, HD3870, HD5870
                  Intel: GMA45, HD3000 (Core i5 2500K)



                  • #19
                    Originally posted by quaz0r:
                    Time to put the tin foil hats away and get a job you hippies! Let me guess, did fake news tell you that NSA is spying on you? Before all you conspiracy theorists run out and try to deblob your computers you should be aware that Vladimir Putin personally authored this deblobbing software. He hates our freedoms and is jealous of the loving concern the intelligence agencies have for the common man. Besides, anyone who believes that a black box might contain anything but loving concern for your privacy and personal well-being clearly needs to take a shower and leave the basement more often. You are either with us or you are with the terrorists!
                    I know you're joking, but I do slightly agree. I couldn't care less about the ME existing. As long as it isn't interfering with my user experience, I'll just leave it alone.


                    • #20
                      Originally posted by Tomin:

                      It seems that sometimes the network card doesn't wake up on cold boot if the ME's initialization code is removed. I don't know if this applies only to Linux, and anyway it will work after a reboot.

                      My laptop doesn't have ethernet, but I still would like to get a suitable flasher (and take a backup) before I mess with this one... There are some annoying things in the firmware, so it would be really cool to switch to Coreboot. Too bad this laptop is not supported.

                      Oh, and you should also read the end of this page (title: Cool, how can I apply it?): https://github.com/corna/me_cleaner/...oes-it-work%3F

                      Edit again: Well, it actually contradicts some of the things I said and I realized that I'd need the flasher anyway to actually flash the firmware. Flashrom doesn't support my board (and many other laptops).
                      Any time you need to "render safe" a board that comes with things like management engines or out-of-band management (vPro), the simplest, lowest-hanging fruit you can pick is to remove the Intel (or AMD) network hardware or ensure it is never connected to any network. Better yet, exile all network hardware to USB, as this prevents DMA access from the network card and blocks a multitude of possible firmware-level attacks from over the network.

                      On Intel hardware, using the Intel network hardware is a specific risk for vendor-provided backdoors. If you recall, the publicly admitted, user-available functions of vPro at least used to require the Intel network adapter. Could this have been behind the heavy "Centrino" marketing campaign to force laptop makers to use Intel network hardware?

                      My advice is to "break Centrino" and permanently disable that network adapter that sometimes wakes up and sometimes does not. A USB device can easily be re-initialized by unplugging and replugging it if you have resume issues with it as well. While removing the management engine's network stack will make the Intel network adapter a lot safer, we don't know for sure if all the backdoors use the management engine's network stack in the first place.