Announcement

**AsuMagic** · 13 January 2017, 01:11 PM

Originally posted by Master5000 View Post

Intel ME actually has a very good purpose for IT guys and it's not for spying your dumbasses. Leave it alone don't fuck with it, the moron who created that stuff will probably get his ass sued by Intel and get badly fucked. If they want to spy on you you are already fucked. Disabling Intel ME isn't gonna change shit. Be smart! Don't be a conspiracy nutjob. Dumb kids have too much time on their hands to invent shit like this...

No they won't because they can't and because it would be an insult.
You missed out a point. Intel ME *is* backdoored and dangerous. Whether it is an intentional backdoor or not is irrelevant, because there were vulnerabilities that only were fixed on later chipsets. https://en.wikipedia.org/wiki/Intel_...s_and_exploits
I don't agree with everything the FSF claims, I don't agree with all of Libreboot's philosophy, especially not with their leader's, but imo the intel ME paragraph is all true.

Originally posted by stevenc View Post

Or maybe, having some mini- operating system running on the chip has some performance impact after all. Oh Phoronix, please benchmark a system before+after de-blobbing!

No it won't, because it mostly operates on a separate chip, so even if it was to do useful computations on a core it would be extremely insignificant.

**uid313** · 13 January 2017, 04:43 PM

Originally posted by starshipeleven View Post

Are you seriously asking this? You think Intel made the ME to let people disable it at will?

Intel Management Engine is for companies, enterprises, schools, organizations to handle their computers.
It would make sense for home users to want to disable it.

**ssokolow** · 14 January 2017, 02:10 AM

Originally posted by sarfarazahmad View Post

haha there go my hopes down the toilet. Can we have an arm Computer without such proprietary blobs ? is that possible ?

From what I remember, the PSP is actually an ARM TrustZone core, but it's more likely you'll be able to find an ARM dev board which lets you load your own TrustZone firmware.

**starshipeleven** · 14 January 2017, 05:46 AM

Originally posted by uid313 View Post

Intel Management Engine is for companies, enterprises, schools, organizations to handle their computers.
It would make sense for home users to want to disable it.

That's only part of the functions handled by ME firmware. It also handles the secure coprocessors for playing DRM content, board initialization when you start the PC, and other stuff as detailed in the articles linked in the github repo.

You can find options to enable/disable the "ME" in UEFI firmware, but it is not disabling the whole ME, it's disabling only the part that allows remote management (AMT/vPro). http://www.tomshardware.com/reviews/...vm,3003-6.html

And exploits on ME can be done by anything that gets local root access, then once they pwned the ME's firmware they can enable again whatever they feel like is needed.

If you erase most of ME from flash, and like this tool also the modules exposing the APIs used to control it from the OS (and also used for exploits), you have actually "disabled" it. Of course you must keep the board initialization part, but all the rest gets nuked.

**TerraRoot** · 14 January 2017, 07:45 AM

Pointless anyway, ARM is the future!

**AsuMagic** · 14 January 2017, 02:20 PM

Originally posted by TerraRoot View Post

Pointless anyway, ARM is the future!

On the desktop world, not today.

**chithanh** · 15 January 2017, 07:25 AM

Originally posted by uid313 View Post

Are there any side-effects to disabling Intel ME, does anything useful stop working?

We don't know. From observation, fewer things happen, but as everything is closed and proprietary we do not know which functionality remains.

Worst case would probably be if these erase steps cause the Intel ME to enter some kind of debug state where anyone can access it without authentication. (Similar to the recently discovered Skylake USB JTAG debugging function)

Originally posted by stevenc View Post

Or maybe, having some mini- operating system running on the chip has some performance impact after all.

The performance impact by Intel ME activity is measurable but so tiny that you won't notice unless you are specifically looking for it.

Originally posted by starshipeleven View Post

If you erase most of ME from flash, and like this tool also the modules exposing the APIs used to control it from the OS (and also used for exploits), you have actually "disabled" it.

We don't know that.

**starshipeleven** · 15 January 2017, 07:56 AM

Originally posted by chithanh View Post

We don't know that.

If tools can't reach it from userspace (either the ME disappears from lspci or they segfault) as reported, and networking module is erased, it's not exactly going anywhere, isn't it?

**chithanh** · 15 January 2017, 10:06 AM

It was indeed observed that the Intel ME device dropped off the PCI bus, and the usual networking functions stopped. But that is just the previous publicly visible interface.

We don't know how much OOB networking functions remained in the non-erased part. We don't know how much it can still DMA over main memory. We don't know whether it still interfaces with anything else in the chipset. As I wrote, the worst case could be that the Intel ME is now in some kind of free-for-all debugging mode accessible over a non-documented interface.

**starshipeleven** · 15 January 2017, 11:50 AM

Originally posted by chithanh View Post

As I wrote, the worst case could be that the Intel ME is now in some kind of free-for-all debugging mode accessible over a non-documented interface.

Broadly irrelevant, any ME malware won't be targeting an interface enabled by butchering most of it on flash, just because there will be like 10-20 devices with that treatment at any given moment, worldwide.

Announcement

It's Now Possible To Disable & Strip Down Intel's ME Blob

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment