That's pretty innocuous stuff actually. Hardware-based remote-management systems usually have their own ethernet port (they can't use the server's own ethernet ports) and many can be simply shut down or disabled with a hardware jumper on the board or BIOS setting.

Also there are many server or workstation boards that don't have any.

I know that vendors usually obfuscate their own code in secret execution areas. That i wanted to know is if i install a game for example, is it possible that the game will also start to execute code inside those protected areas?

It would be most like calling TiVo DRM broken for a buffer overflow that allowed full access to the entire TiVo, and where that signed kernel with the flaw would be accepted by any TiVo in existence at the time. See, the difference is that if / when a flaw is found in Linux, you patch and move on. Heck, you can even limit your attack surface on Linux by only compiling in the code you need. You can't do that when a magic signed blob is running on hardware that does signature checks for signing keys that aren't your own (which, BTW, also raises interesting questions as to who actually owns the platform or parts of the platform. Does your "hardware purchase" EULA only extend to running code inside AMD's little sandbox?)

In summary update bios to ryzen and that I would have to turn off?. In my case gigabyte ax-370 gaming 5

errr, ..? yeah, side channel read bluray, netflix etc. DRM keys, hell yeah! ;-)!!! this bug is useful for something! :-)

Linux kernel can be updated very easily to load a fixed kernel. PSP or ME firmwares can't usually be updated.

A half-assed system would have at least allowed end-users to update ME firmware independently with whatever latest blob Intel/AMD push with the fixes.

Fuck you. IT departments are tiny, even large corporations only have a handfew people managing hundreds or even thousands of PCs, many of which are not even in the same building complex.
Without remote management you would have to hire temporary workers to help them do the job in a reasonable amount of time.

ME/PSP's remote management feature is just ONE of the features they offer, their remote management does NOT use anywhere near the level of control ME/PSP actually have. These systems are about making sure someone maintains control over the client system no matter what (basically some form of DRM, anti-theft features, other security or even just convenience applications).

Next time we need to reconfigure (install/uninstall shit) on 300 workstations by whatever unreasonable schedule a manager comes up I'm going to recruit you as "button-mashing monkey".

Also when we need to fix issues asap on a PC in a remote branch which is far too small to have a resident IT guy on standby.

The entire concept of security without updates is the main reason the whole concept of "hardware-based" security is bullshit. Security is an arms race. If you don't update you get steamrolled. Hardware can assist, but it's update-able software that MUST pull the strings, or it's all security theater that serves nothing.

Intel ME has been present since Core 2 Duo era. So you're pretty much limited to Opterons? That's 2012 at their newest so not really 2-3 years

Could you post a screenshot (yes many UEFI firmwares can make screenshots) or a picture of the screen?

Might also be interesting for micheael.

My point was about "how can you trust a system made of proprietary blobs and with a buggy IOMMU like many consumer boards", not how to avoid ME.

Theoretically yes, but not directly. They can ask to ME to run embedded modules using some API. They can't tell ME to run their own code, unless they flash it as a ME module on flash and it has a valid signature (= have paid to be able to do so).

Malware can do whatever, as usual.