While the Intel Management Engine (and, to a similar extent, the AMD Platform Security Processor) continues to saddle modern processors with security risks, small steps forward continue to be made for users who value the security of the hardware and software they own. The latest venture in disabling the ME is an ASRock motherboard for 8th and 9th generation Intel chips. (There is also a link to a related Reddit post about this project.)
First, a brief refresher: the ME is completely removable on some computers built before 2008, and can be partially disabled or deactivated on some computers built before around 2013. That leaves few options for those of us who want modern hardware, but thanks to a small “exploit” of sorts, some modern chipsets are capable of turning the ME off. This is due to the US Government’s requirement that the ME be disabled on computers used in sensitive applications, so Intel provides an undocumented bit, called the HAP bit, which when set disables the ME. Researchers have been able to locate and set this bit on this specific motherboard to disable the ME.
While this doesn’t completely remove the firmware, it does halt all execution of the ME’s code in a way that is acceptable to a large governmental organization, so if you require both security and modern hardware this is one of the few ways to achieve that goal. There are other very limited options as well, but if you want to completely remove the ME, even on old hardware, the process itself is not as straightforward as you might imagine.
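Since the HAP approach leaves the firmware in place but halted, a practitioner will want to verify what state the ME reports after the change. The following is an added example, not code from the post or from the ASRock project: it decodes the ME’s HFSTS1 firmware-status word, assuming the Linux mei driver’s /sys/class/mei/mei0/fw_status attribute (one 8-digit hex register per line, HFSTS1 first) and the public coreboot bit layout and mode names; the sample words are constructed, and which value a HAP-disabled ME reports is not something the post states.

```python
from dataclasses import dataclass
from pathlib import Path

# Assumption: the Linux mei driver exposes the ME firmware status registers here.
FW_STATUS_PATH = Path("/sys/class/mei/mei0/fw_status")

# Field layout and names follow coreboot's public HFSTS1 definitions (assumption).
OPERATION_MODES = {0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
                   4: "Security Override via Jumper",
                   5: "Security Override via MEI Message"}
WORKING_STATES = {0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal",
                  6: "Wait", 7: "Transition", 8: "Invalid"}

@dataclass(frozen=True)
class Hfsts1:
    working_state: int      # bits 3:0
    fw_init_complete: bool  # bit 9
    error_code: int         # bits 15:12
    operation_mode: int     # bits 19:16

    def fully_running(self) -> bool:
        """True only when the ME reports normal mode, normal state, init done."""
        return (self.working_state == 5 and self.operation_mode == 0
                and self.fw_init_complete and self.error_code == 0)

    def describe(self) -> str:
        return (f"state={WORKING_STATES.get(self.working_state, 'unknown')} "
                f"mode={OPERATION_MODES.get(self.operation_mode, 'unknown')} "
                f"init={'yes' if self.fw_init_complete else 'no'} error={self.error_code}")

def decode_hfsts1(word: int) -> Hfsts1:
    return Hfsts1(working_state=word & 0xF,
                  fw_init_complete=bool(word >> 9 & 1),
                  error_code=word >> 12 & 0xF,
                  operation_mode=word >> 16 & 0xF)

def decode_fw_status(text: str) -> Hfsts1:
    """Parse fw_status output; the first line is HFSTS1."""
    return decode_hfsts1(int(text.strip().splitlines()[0], 16))

# Constructed sample outputs, not captured from real hardware.
SAMPLE_NORMAL = "94000245\n00000000\n00000000\n00000000\n00000000\n00000000\n"
SAMPLE_ALTERED = "00030245\n00000000\n00000000\n00000000\n00000000\n00000000\n"

if __name__ == "__main__":
    src = FW_STATUS_PATH.read_text() if FW_STATUS_PATH.exists() else SAMPLE_NORMAL
    print(decode_fw_status(src).describe())
```

Run it before and after changing the HAP setting and compare the reported mode and working state; a register that no longer decodes as fully running is the signal to investigate further.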
Header image: Fritzchens Fritz from Berlin / CC0
Sure wish there was an option somewhere for a modern, powerful computer that runs the software I need and has an OS and hardware that aren’t all shamefully vulnerable spyware that I have to hack myself to achieve any level of ownership whatsoever. Our software is all slowly drifting away from us and becoming SaaS. Hardware too, actually. And if they can’t manage that, they’ll bug the hell out of it. Eventually we won’t be allowed to own anything.
I’m hoping that in a few years, computers without that backdoor will be widely available.
In the meantime, current OpenBSD works well on 2 old computers I tried, one 2003, other 2006. One has only 384 MB of RAM. Plus, it’s one of the most secure OS’s in existence.
security != utility. If you can’t do The Things You Need To Do on it, you end up shunting it aside as a curio, instead using a far less-secure but much more useful system, thus rendering all the security a moot point. A balance must be struck between forceful hardware-software security and non-intrusion on everyday tasks.
I know Linux Et Al have been making great strides in the last ten years for improved non-techie utility, but it’s still not ready for prime time in the lap or on the desk of the average user, due in part to the relative ease of accidental FUBAR compared to even Windows (which, I freely admit, is fairly easy to Mess Up), but it’s rarely truly unrecoverable from a software Oops.
It’s very easy to get lost in Analysis Paralysis deciding on a Distro, Window Manager, and then all the layers in between, if you’re doing anything more sophisticated than loading Ubuntu with the default WM for using a browser to look at cat videos.
This isn’t even getting into the quagmire that is Linux Support in gaming – there’s an increasing number of native-linux games, and some Win-built games run happy under WINE, even with performance improvements. Some are crashy messes, and some Just Won’t Do It.
“Just dual-boot” is a literal Non-Answer, because you lose continuity and simultaneity of tasks during the transition and it defeats the point of trying to make the system secure to begin with.
Neither is “Run it in a Win VM” – that comes with its own performance overhead, and a substantial number of games perform even worse in a VM than in WINE or similar.
We are not having the linux vs windows debate here. We are talking about the horrors of the management engine. And we can all be assured there is no true utility which the management engine provides. Get rid of it, if only there was a truly easy and reliable way, and you can still run whatever OS you like.
The ME runs the AMT which enables you to remotely power on and configure servers and workstations even if they don’t have any operating system installed. It’s a boon to corporate IT because your machine may be riddled with viruses and completely locked up, and they can still access it and fix it remotely.
Adding to Luke’s reply:
It can be hard to explain unless you have used a ‘lights out’ management solution before.
The ME and AMT parallel a BMC and IPMI pretty well for the most part. Both BMCs and MEs have been used to perform similar additional roles in their respective environments. An example would be power sequencing of the hardware. Both an ME and a BMC use similar hardware interfaces into the hardware.
ECs have been around before the ME without much fuss too.
So why all the fuss over MEs and not BMCs especially when BMCs have been shown as viable attack vectors and arguably servers are a much more appealing target than consumer gear?
Is ASpeed, Avocent, AMI, inherently more trustworthy than Intel?
If OSS and OSHW is the solution, what’s the hold up?
The intent was good. The implementation was not. I could not imagine dealing with the server infrastructure in a large company without utilizing the ILO on the servers. In fact, at the last place I worked, all of the servers were provisioned from the ground up via the ILO. One group would rack them up in the data center and we would have at them from our desks.
ME can actually be useful. But it must offer at least a *dedicated* interface, like IPMI/iLO. If (and only if) I need it, I connect a cable there (or choose to use a VLAN on the main network interface, but that’s WAY less secure!). No need to play with hidden bits to disable it.
Too bad the engineers that designed it did not think this way. As it is, ME is just a ticking bomb.
I see your point. I was talking about systems that do important tasks such as servers and industrial process control. Those are not used to play games, have fancy GUIs etc. And they must be as secure as possible – you don’t want your competitor to get your secrets.
The thing with the ILOs is they are generally brought out on their own net jack; they can be routed along with traffic to the server or differently, or not at all if you choose. The thing about most servers is that they live on the inside, so to speak, so they are supposed to be swimming in friendly(er) waters, that is, a more protected place.
SCADA, and yes bad people have fun with those.
“it’s still not ready for prime time in the lap or on the desk of the average user, due in part to the relative ease of accidental FUBAR compared to even Windows (which, I freely admit, is fairly easy to Mess Up)”
The only way your comment makes sense is if you’re part of marketing at windows.
Maybe if you all repeat it over and over again it will stop being blatantly untrue.
There is one: Raptor Talos (https://www.raptorcs.com/TALOSII/) a workstation with POWER9 processor. Fully auditable, no binary blobs, no government backdoors.
The mainboard alone costs $3,500
Wouldn’t the HoneyComb LX2K be a better example? It’s not so completely free but still has open source uBoot and UEFI firmware, but sixteen A72 cores and up to 64GB DDR4-3200 for passable performance, NVME gen 4, 4xSata 3 and 4x10GBe SFP+ for storage, the last one of which you can also use for general networking as well if the GBe port isn’t good enough, PCIeG3x8, USB 3 plus internal 2, 3 headers for front USB ports on your case…
It’s not going to replace a gaming PC or a laptop, but it’s mostly-open hardware, a viable desktop board – and $750 is a little less insane than $3500.
ARM also has a ring 0 security solution, so you haven’t escaped you’ve just traded one vendor for another.
Which in particular you mean? TrustZone + TrustedFirmware is OSS – https://github.com/ARM-software/arm-trusted-firmware
Besides, the first-stage bootloader can then be OSS too, of course excluding binary blobs for various peripherals.
@pigster6
Oh my, I didn’t know it was open source. Then yeah any ARM workstation board is a viable alternative to those power boards.
What’s Intel and AMDs justification for not making it possible to disable?
My guess is corporate customers. These features are used for remote admining machines and might be used for locking stolen or not yet returned hardware from someone who has left a company. If there were an easy way to defeat it, people would be screwing around with it on their work laptops/desktops.
There is not a shred of evidence or reasoning to suggest this. Stop making things up.
(S)He’s saying “guess” and “might be”. That’s hardly “making things up”. Deep breath NOW!
Probably visit by nice people from three-letter agency.
I believe the Open Compute Project is requiring open firmware on the next generation of hardware. That could have an effect on other hardware as well, and even if it doesn’t you’d eventually be able to buy ocp systems used.
I suspect a history scholar would point to various periods in history where most people ‘rented’ the majority of their things. The ownership of property seems to be connected to certain characteristics of society and, as we see things shift, we are returning to an environment of consolidated ownership rather than democratized ownership.
I’m not saying “There is not a shred of evidence or reasoning to suggest this. Stop making things up.” but it would be nice if you researched this and came back with an example or two, keeping in mind that land is a totally separate thing.
I kinda want a system where the ME is missing the modules for network access but retains all the nice security capabilities like secure boot.
So what you want is a computer that can be trusted.
You can get such a computer by not handing out money for computers you do NOT trust.
The purchase departments that demanded the ME be disabled are heading the right direction.
That’s like saying “Stop using google for searches.”
Yes, you can use DuckDuckGo, but they’re partnered up with Yandex and relay your searches to the Russians instead.
But what about Yahoo or the dreaded bing?
Otherwise one can actually jump from one website to another, or just rely on personal recollection (or bookmarks) for navigating to the various sites one uses.
A search engine is only needed when one wants to find something one doesn’t know where to look for it.
Just remember not to type in addresses in the form of “address.com” because your browser typically calls your default search engine to complete the http and www and other preceding bits to complete the URL. Also, remember to turn off address completion, because that does the same thing.
“A search engine is only needed when one wants to find something one doesn’t know where to look for it.”
I remember well the tipping point when Google became so popular that no one uses it anymore.
I hear the kids are all talking about this new thing called a “proxy browser”.
Ugh. Duck Duck Go!
I want to like Duck Duck Go but every time I try to use them, click a result then click back, instead of returning to the results page I end up back at an empty Duck Duck Go search and have to find where I left off all over again.
I know that I should just expect this behavior, right click and open results in new tabs but in the moment old habits and muscle memory always win.
It makes me want to strangle the duck every time.
Wheel clicking is even faster.
You don’t even have to right click, you can middle click. Unless you don’t have a middle.
I’d rather be spied on by a far away government that can’t majorly screw around with my work/health/life vs being spied on by a “helpful” nearby government that thinks it exists to screw me around.
That’s why I Ameliorate Windows 10 with AtlasOS and use Kaspersky antivirus ;)
and the USA complain about the Chinese putting things in chips…
The USA complain about China putting things in chips the USA doesn’t know about or how to exploit. I bet they’re overjoyed about exploits they can use to their own advantage.
“While the Intel Management Engine (and, to a similar extent, the AMD Platform Security Processor) continues to plague modern computer processors with security risks, some small progress continues to be made for users who value security of the hardware and software they own.”
Well in the context of management of a large number of computers, ME and PSP were meant to be behind other forms of security.
Gov: So we can’t turn it off?
Intel: No, you can’t.
Gov: So what if we “really” want to turn it off?
Intel: We will incorporate a feature disable bit.
Gov: So what happens when someone else figures out how to turn the system off?
Intel: Ahh, that’s when we release IME 10. Self-updates, monitoring and reporting with a friendly “app” view.
Gov: So what if we “really” want to turn that off as well?
Intel: Err, then we’ll incorporate a feature disable bit for that too.
Repeat script ad nauseam.
Does anybody know if things still run fine without ME?