www.osnews.com
Disabling the Intel Management Engine
By Thom Holwerda on 2017-10-10 23:45:15

The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -2, independently of the BIOS, main CPU and platform operating system - a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported).

In this mini-guide, I'll run through the process of disabling the IME on your target PC.

Apparently, the IME co-processor runs... MINIX 3. That is incredibly fascinating. This means every post-2006 Intel PC runs MINIX.

RE: Interesting process but ...
By Flatland_Spider on 2017-10-11 17:20:56
IME is a security risk. The AMT/vPro security holes of the not too distant past illustrate the problem of this technology, and without a compelling reason to keep it around (i.e. a corporate setting which uses it for remote administration and provisioning of desktops), it should get nuked.

References:
https://semiaccurate.com/2017/05/...
https://security-center.intel.com...
https://en.wikipedia.org/wiki/Int...

Edited 2017-10-11 17:23 UTC
Permalink - Score: 3
NOT in all post-2006 Intel-CPU-based PCs.
By bhhenry on 2017-10-11 17:40:12
The Intel Management Engine chip and firmware need to be installed on the motherboard. Not all hardware sold since 2006 has this. It is typically included as a feature for Corporate use.
Permalink - Score: 2
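Since the comment above turns on whether a given machine exposes the ME at all, here is a small Linux-side presence check. It is an added example, not part of the post and not an Intel or OSNews tool. It assumes the mainline `mei` driver's sysfs layout (`/sys/class/mei/meiN/fw_ver`, one `platform:major.minor.hotfix.build` line per firmware component block); the sample sysfs tree and the version string `11.8.50.3425` are constructed for the demonstration. Note the caveat built into the summary: no MEI device only means the host OS has no interface to the ME (driver not loaded, or the interface hidden by firmware), not that the ME is absent or disabled.

```python
"""Report whether a Linux host exposes an Intel ME host interface (MEI).

Added example. Assumes the mainline 'mei' driver sysfs layout:
/sys/class/mei/meiN/fw_ver, one "platform:major.minor.hotfix.build" line
per firmware component block (unused blocks read 0:0.0.0.0).
"""
import re
import tempfile
from pathlib import Path

# One fw_ver line, e.g. "0:11.8.50.3425"
FW_VER_LINE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_fw_ver(text):
    """Parse the contents of a mei fw_ver attribute into a list of dicts."""
    versions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = FW_VER_LINE.match(line)
        if not match:
            raise ValueError(f"unexpected fw_ver line: {line!r}")
        platform, major, minor, hotfix, build = map(int, match.groups())
        versions.append({"platform": platform,
                         "version": (major, minor, hotfix, build)})
    return versions


def me_presence(sysfs_root="/sys"):
    """Enumerate registered MEI devices and the firmware versions they report."""
    class_dir = Path(sysfs_root) / "class" / "mei"
    devices = []
    if class_dir.is_dir():
        for dev in sorted(class_dir.iterdir()):
            entry = {"name": dev.name, "fw": []}
            fw_ver = dev / "fw_ver"
            if fw_ver.is_file():
                entry["fw"] = parse_fw_ver(fw_ver.read_text())
            devices.append(entry)
    return {"mei_present": bool(devices), "devices": devices}


def summarize(report):
    """Human-readable verdict, with the limits of what sysfs can tell you."""
    if not report["mei_present"]:
        return ("no MEI device registered: the OS has no interface to the ME "
                "(driver missing or interface hidden); this does not prove "
                "the ME is absent or disabled")
    lines = []
    for dev in report["devices"]:
        # Skip the all-zero blocks the driver reports for unused slots.
        real = [v for v in dev["fw"] if any(v["version"])]
        shown = ", ".join(".".join(map(str, v["version"])) for v in real)
        lines.append(f"{dev['name']}: ME firmware {shown or 'version unreadable'}")
    return "MEI present; " + "; ".join(lines)


def make_constructed_sysfs():
    """Build a fake sysfs tree with one mei device (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="fake-sysfs-"))
    dev = root / "class" / "mei" / "mei0"
    dev.mkdir(parents=True)
    (dev / "fw_ver").write_text("0:11.8.50.3425\n0:0.0.0.0\n0:0.0.0.0\n")
    return str(root)


if __name__ == "__main__":
    # Run against the live system; falls back cleanly when there is no MEI.
    print(summarize(me_presence()))
```

Run it as root or with read access to sysfs; on a machine where the `mei_me` module is not loaded it prints the "no MEI device registered" line, which is exactly the case where you cannot conclude anything about the ME from the host side.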
RE[4]: Does this mean...
By CaptainN- on 2017-10-12 18:01:57
Android must be the most popular by volume no? Certainly Linux is as far as kernels go.
Permalink - Score: 1
RE: Interesting process but ...
By CaptainN- on 2017-10-12 18:12:44
Wow, this FAQ page makes a strong case for Apple (and maybe others) to ditch x86 quickly https://libreboot.org/faq.html#am...

From the FAQ:
"it is our opinion that all performant x86 hardware newer than the AMD Family 15h CPUs (on AMD’s side) or anything post-2009 on Intel’s side is defective by design and cannot safely be used to store, transmit, or process sensitive data. Sensitive data is any data in which a data breach would cause significant economic harm to the entity which created or was responsible for storing said data, so this would include banks, credit card companies, or retailers (customer account records), in addition to the “usual” engineering and software development firms. This also affects whistleblowers, or anyone who needs actual privacy and security."

Apple is really the only larger player that has not only vocally supported privacy, but also actually done some things about it. A switch away from x86 to ARM could allow them to engineer their CPUs without these problems. Of course, I wonder whether they would...
Permalink - Score: 1
Can anybody provide proof of the AMD version?
By bassbeast on 2017-10-12 20:30:12
The article claims AMD has an equivalent but all I have found is a bunch of FUD that all link back to a couple of 2012 articles saying "AMD has licensed Trustzone and plan to use it in the future" but I have found ZERO evidence they ever did anything with ARM Trustzone other than use it for the console APUs they sold to MSFT and Sony.

With the Intel version you can find code for the IME, you can find where it is on the chip layouts, I have scoured over everything I can find on AMD chips and have found exactly squat when it comes to AMD having their own IME, instead it all comes back to those same couple of 2012 articles. Even AMD's Trustzone page hasn't been updated since 2013 so unless someone can show us some current code or chip layouts showing Trustzone on current AMD processors? I'm calling FUD.
Permalink - Score: 3
Question
By Earl C Pottinger on 2017-10-12 21:45:44
If the CPUs run okay with IME disabled, why did we need it in the first place?
Permalink - Score: 2
RE: Can anybody provide proof of the AMD version?
By ssokolow on 2017-10-13 00:33:04
It doesn't help that AMD changed the name twice. First to PSP (Platform Security Processor) and now to "Secure Processor".

According to this article, the first in-the-wild PSP cores back in 2014 were 32-bit ARM Cortex-A5 cores:

http://www.tomshardware.com/revi...

...and here are some more recent links about it:

https://www.amd.com/en-us/innovat...

https://hothardware.com/news/amd-...

Edited 2017-10-13 00:33 UTC
Permalink - Score: 3
RE: Question
By ssokolow on 2017-10-14 07:07:06
The system can run without the IME because, originally, its purpose was to allow remote administration of servers even when the primary OS is completely borked. (Hence the "ME" part. [Remote] Management Engine.)

That's probably also the reason that it resets the system if the IME doesn't come up quickly enough. Better to have your server fail while you're still in the datacenter doing the install than to discover the IME is broken just when you need it.

...and, since then, the new modules that were added are so that the entire "decrypt video, then re-encrypt with HDCP" step can be moved completely outside the reach of software the user can inspect or modify.

https://www.alexrad.me/discourse/...

Edited 2017-10-14 07:08 UTC
Permalink - Score: 2
minor nit pick
By bn-7bc on 2017-10-14 10:53:24
Just a minor nitpick, but the summary mentioned BIOS; does this also affect people with UEFI?
Permalink - Score: 1