It's Now Possible To Disable & Strip Down Intel's ME Blob

  • starshipeleven
    replied
    Originally posted by uid313 View Post
    Intel Management Engine is for companies, enterprises, schools, organizations to handle their computers.
    It would make sense for home users to want to disable it.
    That's only part of the functions handled by ME firmware. It also handles the secure coprocessors for playing DRM content, board initialization when you start the PC, and other stuff as detailed in the articles linked in the github repo.

    You can find options to enable/disable the "ME" in UEFI firmware, but it is not disabling the whole ME, it's disabling only the part that allows remote management (AMT/vPro). http://www.tomshardware.com/reviews/...vm,3003-6.html

    And exploits on ME can be done by anything that gets local root access; once they've pwned the ME's firmware they can enable again whatever they feel is needed.

    If you erase most of ME from flash, and like this tool also the modules exposing the APIs used to control it from the OS (and also used for exploits), you have actually "disabled" it. Of course you must keep the board initialization part, but all the rest gets nuked.
    Last edited by starshipeleven; 14 January 2017, 05:48 AM.



  • ssokolow
    replied
    Originally posted by sarfarazahmad View Post
    haha there go my hopes down the toilet. Can we have an ARM computer without such proprietary blobs? Is that possible?
    From what I remember, the PSP is actually an ARM TrustZone core, but it's more likely you'll be able to find an ARM dev board which lets you load your own TrustZone firmware.



  • uid313
    replied
    Originally posted by starshipeleven View Post
    Are you seriously asking this? You think Intel made the ME to let people disable it at will?
    Intel Management Engine is for companies, enterprises, schools, organizations to handle their computers.
    It would make sense for home users to want to disable it.



  • AsuMagic
    replied
    Originally posted by Master5000 View Post
    Intel ME actually has a very good purpose for IT guys and it's not for spying your dumbasses. Leave it alone don't fuck with it, the moron who created that stuff will probably get his ass sued by Intel and get badly fucked. If they want to spy on you you are already fucked. Disabling Intel ME isn't gonna change shit. Be smart! Don't be a conspiracy nutjob. Dumb kids have too much time on their hands to invent shit like this...
    No they won't because they can't and because it would be an insult.
    You missed out a point. Intel ME *is* backdoored and dangerous. Whether it is an intentional backdoor or not is irrelevant, because there were vulnerabilities that only were fixed on later chipsets. https://en.wikipedia.org/wiki/Intel_...s_and_exploits
    I don't agree with everything the FSF claims, I don't agree with all of Libreboot's philosophy, especially not with their leader's, but imo the intel ME paragraph is all true.

    Originally posted by stevenc View Post
    Or maybe, having some mini operating system running on the chip has some performance impact after all. Oh Phoronix, please benchmark a system before+after de-blobbing!
    No it won't, because it mostly operates on a separate chip, so even if it was to do useful computations on a core it would be extremely insignificant.



  • starshipeleven
    replied
    Originally posted by Tomin View Post
    Edit again: Well, it actually contradicts some of the things I said and I realized that I'd need the flasher anyway to actually flash the firmware. Flashrom doesn't support my board (and many other laptops).
    In any case you want a flasher, since if something goes wrong and the board does not boot, the only way to flash the chip with the backup of the firmware is with an external flasher.


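A sanity check on the full-flash backup the two posts above rely on, added here as an example (not the poster's code and not any strip-down tool's own code): it parses the Intel Flash Descriptor at the start of a full-chip dump, locates the ME region, confirms the region still starts with a firmware partition table (the "$FPT" structure a strip-down tool rewrites), and reports which regions differ between the backup and a modified image, so you can see that only ME was touched before anything goes near an external flasher. It assumes the standard descriptor layout (signature 0x0FF0A55A at offset 0x10, FLMAP0 at 0x14, 4 KiB region granularity) and that the "$FPT" marker sits at +0x10 into the ME region (or +0 on older parts); the sample dump is constructed inline.

```python
import struct

DESCRIPTOR_SIGNATURE = 0x0FF0A55A   # bytes 5a a5 f0 0f at offset 0x10 of the descriptor
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")


def parse_regions(image):
    """Return {name: (start, end)} for the classic flash regions present in the dump."""
    if len(image) < 0x1000 or struct.unpack_from("<I", image, 0x10)[0] != DESCRIPTOR_SIGNATURE:
        raise ValueError("no Intel flash descriptor: this is not a full-chip dump")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = (flmap0 >> 12) & 0xFF0            # region-table base: FLMAP0 bits 23:16, times 16
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12        # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                     # an unused region is encoded as base > limit
            regions[name] = (base, limit)
    return regions


def me_partition_table_offset(image, regions):
    """Absolute offset of the "$FPT" marker in the ME region, or None if it is gone."""
    start, end = regions["ME"]
    for rel in (0x10, 0x0):                   # assumption: marker at +0x10, or +0 on older parts
        if start + rel + 4 <= end and image[start + rel:start + rel + 4] == b"$FPT":
            return start + rel
    return None


def changed_regions(backup, modified, regions):
    """Names of regions whose bytes differ; a clean ME strip should list only 'ME'."""
    return [n for n, (s, e) in regions.items() if backup[s:e + 1] != modified[s:e + 1]]


def build_sample_dump():
    """Constructed 16 KiB dump: descriptor at 0x0, ME at 0x1000-0x2FFF, BIOS at 0x3000-0x3FFF."""
    img = bytearray(b"\xff" * 0x4000)
    frba = 0x40
    struct.pack_into("<I", img, 0x10, DESCRIPTOR_SIGNATURE)
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)   # FLMAP0 carries FRBA / 16 in bits 23:16
    entry = lambda base, limit: ((limit >> 12) << 16) | (base >> 12)
    unused = entry(0x7000, 0xFFF)             # base above limit marks the region unused
    for i, e in enumerate((entry(0, 0xFFF), entry(0x3000, 0x3FFF), entry(0x1000, 0x2FFF), unused, unused)):
        struct.pack_into("<I", img, frba + 4 * i, e)
    img[0x1010:0x1014] = b"$FPT"              # partition table marker inside the ME region
    return bytes(img)
```

Run `parse_regions` on your real dump first; if it raises, the file is a partial read (BIOS region only, for instance) and cannot serve as a restore image.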

  • starshipeleven
    replied
    Originally posted by Master5000 View Post
    Intel ME actually has a very good purpose for IT guys and it's not for spying your dumbasses. Leave it alone don't fuck with it, the moron who created that stuff will probably get his ass sued by Intel and get badly fucked. If they want to spy on you you are already fucked. Disabling Intel ME isn't gonna change shit. Be smart! Don't be a conspiracy nutjob. Dumb kids have too much time on their hands to invent shit like this...
    Thanks for confirming that your puppet masters don't want people to deblob their PCs.



  • starshipeleven
    replied
    Originally posted by zboson View Post
    Intel does not implement UEFI or BIOS on most motherboards (though I think it does with the NUC). What's stopping a board manufacturer such as ASUS from adding this as an advanced option in their BIOS/UEFI?
    The fact that ME was not supposed to be disabled by the user; note how this script to disable it actually goes and erases partitions on flash.



  • starshipeleven
    replied
    Originally posted by Tomin View Post
    It seems that sometimes the network card doesn't wake up on cold boot if ME's initialization code is removed. I don't know if this applies only to Linux, and anyway it will work after reboot.
    That same guy said that if he ran the more thorough erase, the network card issues disappeared.



  • stevenc
    replied
    Originally posted by darkbasic View Post
    Partially?
    I'm quite afraid of what 8 MiB or 16 MiB of code could be doing in the background. *If* that was reduced to something like 64 KiB though, I'd feel quite comfortable. How could such small code locate and make sense of kernel data structures in memory like the ones storing disk-encryption keys? Or implement a networking protocol to exfiltrate data or fetch additional code at run-time? Or interface with any hardware? Maybe it could hook into or insert some backdoor in a running kernel, but if I run a recent kernel version, one that didn't even exist yet when the ME blob was written, would that still be able to function at all?

    Originally posted by schmidtbag View Post
    I know you're joking but I do slightly agree - I couldn't care less about ME existing. As long as it isn't interfering with my user experience, I'll just leave it alone.
    Or maybe, having some mini operating system running on the chip has some performance impact after all. Oh Phoronix, please benchmark a system before+after de-blobbing!



  • cj.wijtmans
    replied
    Originally posted by sarfarazahmad View Post
    haha there go my hopes down the toilet. Can we have an ARM computer without such proprietary blobs? Is that possible?
    Probably not. I wonder who has pushed AMD to do this.
