Unfortunately, not all consumers place a high value on the security of their computers, but one group that does tend to focus on security is businesses with a dedicated IT department. When buying computers for their users, these groups tend to have stricter requirements, such as making sure the Intel Management Engine (IME) has been disabled. To that end, Reddit user [netsec_burn] has outlined a pretty simple method by which “normal people” can purchase one of these IME-disabled devices for themselves.
For those unfamiliar with the IME, it is a coprocessor built into the chipset of essentially every Intel platform since around 2007. It has its own firmware and can reach system memory, the storage controller, and the network interface even when the computer appears to be powered down, as long as the board still has standby power. Intel claims it’s a feature, not a bug, but it is also a body of secret, unaudited code running with more privilege than the operating system, which understandably makes it a desirable target for anyone trying to gain access to a computer. The method that [netsec_burn] outlined for getting a computer with the IME disabled from the factory is as simple as buying a specific Dell laptop, intended for enterprise users, and selecting the configuration option that ships it with the IME disabled.
Of course, Dell warns that you may lose some system functionality if you purchase a computer with the IME disabled, but what goes away is mostly the remote-management capability that the ME exists to provide, so this won’t really affect users who aren’t involved in system administration. Also note that this doesn’t remove the management engine from the computer; it only puts it in a disabled state. For complete removal, you’ll need one of only a handful of computers made before Intel made it impossible: on newer platforms the ME firmware is required to bring the system up at all, so it can be trimmed or disabled but not deleted. In the meantime, it’s good to see that at least one company offers a computer that can be ordered with the ME disabled from the factory.
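A “disabled” entry in a BIOS menu is a claim, and a practitioner will want a way to check it from the firmware itself. The following script is an added example, not code from the article, from Dell, or from any Intel tool. It assumes you already have a full SPI flash dump (for example from `flashrom -r` on a board flashrom supports) and parses the Intel Flash Descriptor at the start of that dump to report two things: where the ME region lives (it will still be there, since disabling is not removal), and whether either of the two soft-strap bits that firmware-level disabling relies on is set. Those bits are the HAP bit (PCHSTRP0 bit 16, used on ME 11 and newer, i.e. Skylake-era and later chipsets) and the older AltMeDisable bit (PCHSTRP10 bit 0, ME versions 6 to 10); they are the same straps the me_cleaner tool mentioned in the comments flips. Which of the two is meaningful depends on your platform generation, so the script reports both rather than guessing. The `build_sample_image()` helper constructs a synthetic 4 KiB descriptor purely so the script runs offline; it is not a real firmware dump. A vendor could in principle disable the ME by some other mechanism that this check would not see, so a negative result here is not proof that the ME is active.

```python
#!/usr/bin/env python3
"""Report the Intel ME "disable" soft straps found in a full SPI flash dump.

Added example for illustration; not vendor code. Offsets follow the public
Intel Flash Descriptor layout: signature at 0x10, FLMAP0 at 0x14 (FRBA in
bits 23:16), FLMAP1 at 0x18 (FPSBA in bits 23:16), one FLREG per region at
FRBA, PCH soft straps at FPSBA.
"""
import struct
import sys

IFD_SIGNATURE = 0x0FF0A55A   # appears as bytes 5A A5 F0 0F at offset 0x10
ME_REGION_INDEX = 2          # region 2 of the descriptor is the ME/TXE region


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def parse_descriptor(img):
    """Return the base addresses of the region table and the PCH strap table."""
    if len(img) < 0x1000 or _u32(img, 0x10) != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10; "
                         "is this a full SPI dump rather than a BIOS-only image?")
    flmap0 = _u32(img, 0x14)
    flmap1 = _u32(img, 0x18)
    frba = ((flmap0 >> 16) & 0xff) << 4    # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xff) << 4   # Flash PCH Strap Base Address
    return {"frba": frba, "fpsba": fpsba}


def region(img, frba, index):
    """Decode FLREG<index> into (base, limit); None if the region is unused."""
    flreg = _u32(img, frba + 4 * index)
    base = (flreg & 0x1fff) << 12
    limit = ((flreg >> 4) & 0x1fff000) | 0xfff
    if base > limit:          # Intel encodes an unused region as base > limit
        return None
    return (base, limit)


def me_disable_straps(img):
    """Return the HAP / AltMeDisable strap state and the ME region bounds."""
    d = parse_descriptor(img)
    pchstrp0 = _u32(img, d["fpsba"])            # PCHSTRP0: HAP bit is bit 16 (ME 11+)
    pchstrp10 = _u32(img, d["fpsba"] + 0x28)    # PCHSTRP10: AltMeDisable is bit 0 (ME 6-10)
    return {
        "hap": bool(pchstrp0 & (1 << 16)),
        "altmedisable": bool(pchstrp10 & 1),
        "me_region": region(img, d["frba"], ME_REGION_INDEX),
    }


def build_sample_image(hap=False, altmedisable=False):
    """Constructed 4 KiB descriptor (not a real dump) declaring an ME region at
    0x1000-0x5FFFFF, with the two disable straps set as requested."""
    img = bytearray(0x1000)
    frba, fpsba = 0x80, 0x100
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, ((frba >> 4) << 16) | 0x04)    # FLMAP0
    struct.pack_into("<I", img, 0x18, ((fpsba >> 4) << 16) | 0x06)   # FLMAP1
    regions = [(0x0, 0xfff), (0x600000, 0x7fffff), (0x1000, 0x5fffff)]  # desc, BIOS, ME
    for i, (base, limit) in enumerate(regions):
        struct.pack_into("<I", img, frba + 4 * i, ((limit >> 12) << 16) | (base >> 12))
    struct.pack_into("<I", img, fpsba, (1 << 16) if hap else 0)
    struct.pack_into("<I", img, fpsba + 0x28, 1 if altmedisable else 0)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_image(hap=True)   # fall back to the constructed sample
    result = me_disable_straps(data)
    me = result["me_region"]
    print("ME region: " + ("absent" if me is None else "0x%06x-0x%06x" % me))
    print("HAP bit (PCHSTRP0[16], ME 11+):        %s" % result["hap"])
    print("AltMeDisable (PCHSTRP10[0], ME 6-10):  %s" % result["altmedisable"])
```

Run it as `python3 me_straps.py dump.bin` against your own dump; without an argument it analyses the constructed sample. Dumping the flash on a laptop usually means an external programmer clipped onto the SPI chip, since the descriptor region is typically write-protected and often read-restricted from the running OS.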
Yes, more wallet-voting.
Great to see people being aware of their buying power.
Or you could just buy any system with an AMD processor, y’know.
However, I’d be shocked if the NSA doesn’t have a nice deal with AMD, too.
They do.
https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor
It mentions it in the thread, but for those who also hate digging through Reddit you can also order laptops from system76 and purism that are better and cheaper than Dell’s stuff. Dunno why someone would want a Dell when those options exist.
They may want to run Windows?
Does windows not run on a computer with IME disabled? Bonkers.
That I don’t know. But System76 and Purism don’t sell laptops with Windows installed: if the user needs Windows, that might be a reason to buy from Dell.
Oh, I forgot you couldn’t get Windows unless it came preinstalled…
I think I blacked out when I built my system and when I came to it had just appeared.
It does, my desktop machine has run W10 with the ME disabled for 2+ years with no noticeable issues
Lol. With all of W10’s telemetry “features” they’ve rendered the ME redundant.
Why on earth would they want to do that? :-)
(Why, yes, I do run Linux…why do you ask?)
They’re still using Clevo chassis, aren’t they? How’s the quality these days? They used to be alright, but less sturdy than a business-grade laptop from Dell and the like, plus spare part availability was not good.
For laptops, yes – but they’ve started making their own server chassis:
https://system76.com/desktops
$900 for a Ryzen 3, 8 GB of RAM, and 128 GB of storage? And they’re not paying the OEM Windows licensing fees?
Yeaaaaaah, no.
Dude, you’re getting a Dell!
Looks like 14″ is the smallest laptop they sell, too big for me
No need to rely on the manufacturer, me_cleaner does the job for most devices
Do you know if it works with Macs? The page here: https://github.com/corna/me_cleaner/wiki/me_cleaner-status only specifies the chipset, but it’s not clear if a given OS may check for ME active.
Sorry, no idea. Browsing through GitLab issues and Google, I noticed people got it working with 2017 Mac notebooks. And I know for a fact that not that long ago it was possible to run functional macOS, including iCloud access, in a virtual machine after only adjusting some information reported by the virtual machine firmware to the OS. Because virtual machines do not implement the ME, I assume it might not be utilized at all, or only for niche features like DRM
Hey now, looking at that me_cleaner info page, mentioning the 30 minute shutdown for invalid firmware. Now, is it the IME doing that when you put, say, an i5 in a Pentium or Celeron system and it shuts down in 30 min, despite voltages, chipset, socket, TDP, process generation and every other detail being right??? Just thinking that if it’s the IME getting in the way rather than a BIOS thing (they usually work great for 30 mins, people that have reported this), then nobbling the ME with this might allow these upgrades to work properly.
Are you talking about HM70 chipset? I remember this issue and AFAIR disabling ME did not help. This “feature” is probably handled in the chipset boot ROM before loading ME image is even attempted.
Not sure, it’s 3 or 4 years since I was up on it. More than one chipset was involved I think.
After all the vulnerabilities that have been exposed in Intel chips, who in their right mind would buy something with one?
Boeing?
One plan would be to vote with your money and choose not to buy devices with a separate management CPU
IME (ref: https://libreboot.org/faq.html#intel )
PSP (ref: https://libreboot.org/faq.html#amd)
I hope that future RISC-V CPUs improve the situation.
Such as what?
> For that, you’ll need one of only a handful of computers made before Intel made complete removal of the IME impossible.
Or, presumably, a non-Intel chipset? Do AMD have an equivalent to the IME, and can it be disabled?
They have this:
https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor
How are you sure about the real deactivation of that sub-system?
Maybe this menu only says “disabled” and it isn’t true.
It seems to me this is all about trust. If you can’t trust Intel what makes you think you can trust Dell?
What if you simply desolder the chip from the board?
The chip that has the IME silicon in it also handles the system clock, video, and cpu to memory transactions.
The irony being that the ME is aimed at enterprise customers who are buying 500 identical computers and want to be able to manage them all at once.
I’m still not sure why Intel decided to put it in all their chips, instead of leaving it as an expensive add-in option for businesses.
Probably because someone liked how the power felt
…and then install Windows 10 LTSC. (If you don’t want Linux.)
Thanks for sharing this great information. But my question is: where are the laptops made?