
Disabling the Intel Management Engine - marksamman
https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine
======
jordigh
It makes me so unhappy that this is what things have come to. They make
hardware that we can't control, there's no real alternative to buy, and now we
gotta rely on volunteers and wiki pages to give instructions that might work
but who knows you might brick it.

I wish there was more widespread outrage over ME and PSP and "trusted
computing" so we could collectively tell them to stop selling this garbage.
There's so much cynicism out there, though, that I think the public would
hardly bat an eye if they knew that all hardware since 2008 or so has secret
backdoors. We're just used to this kind of abuse and control.

I haven't bought a new computer since 2007 because I don't want backdoored
hardware. If it really is For My Own Safety, as they advertise it to us, then
let me control it!

~~~
jknz
It seems strange to me that the European Union is allowing this. The fact that
a foreign company has a backdoor in every computer running in European
countries is so concerning on so many levels. Defense ministers from European
countries should wake up and outlaw this.

Of course, there is no specificity to the EU here -- this applies to Russia,
China and other countries too.

Edit: maybe Intel is already eligible for a multi-billion € fine from the
EU based on this? (Disclaimer: I have no clue about how such fines work.)

~~~
amelius
The EU has one very strong negotiation point: ASML. Without that company,
Intel wouldn't even be able to produce their CPUs.

~~~
selectodude
I'm not sure that's a negotiation point for Intel, as they own 15 percent of
ASML. Might be a rough ride for everybody if the EU had any intention of
playing that card.

~~~
vixen99
But the agreement specifically excludes rights on future development by ASML.

------
hilmipilmi
It feels reassuring that you can actually get access and read the assembly of
the IME now, thanks to
[https://github.com/ptresearch/unME11](https://github.com/ptresearch/unME11).
For instance, using the Gigabrix-BSi5ha-6200 IME Firmware update archive:

1. Download and unzip the Gigabrix-BSi5ha-6200 IME update archive
([http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5-h-a...](http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5-h-a-l-6200_f5.zip)).
Use F5_BIOS/image.bin from that archive.

2. Start "python unME11.py image.bin"

3. The uncompressed modules are located in image/00004000.FTPR/* after that

4. You can e.g. load image/00004000.FTPR/kernel.mod in IDA using 80486 in
32bit real-mode, or use "objdump -m i386 -b binary -D kernel.mod --adjust-vma=0x80000"
with entry point being 0x80000, or "objdump -m i386 -b binary -D
bup.mod --adjust-vma=0x2d000" with entry point being 0x2D04C
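
The steps above unpack a Gigabyte ME image and disassemble individual modules; the first thing any such unpacker has to do is read the firmware's Flash Partition Table ($FPT) to learn where the FTPR and NFTP partitions sit. The Python below is an added example, not code from unME11, me_cleaner or the Gigabyte firmware: it performs just that partition-table step on a constructed in-memory image. The $FPT header and entry layout it uses is an assumption taken from public descriptions of the format; the offsets 0x4000 and 0x275000 mirror the `image/00004000.FTPR` and `image/00275000.NFTP` directory names in the post, and the `$CPD` markers, sizes and the unused `DLMP` slot are constructed sample data. It also handles two cases a reader should check before trusting a `--adjust-vma` base address taken from a dump: unused slots (all-ones offset) and partitions that run past the end of the image (a truncated dump).

```python
"""Added example (not unME11 or me_cleaner code): read the $FPT partition table
of an Intel ME firmware image and carve the FTPR / NFTP partitions out of it.

The header/entry layout is an ASSUMPTION taken from public descriptions of the
Flash Partition Table; the sample image is constructed in memory so this runs
offline without a real firmware dump.
"""
import struct

FPT_MAGIC = b"$FPT"
# Assumption: the $FPT header sits at offset 0x0 or 0x10 of the ME region.
FPT_CANDIDATE_OFFSETS = (0x0, 0x10)
# Assumed header prefix: tag(4) num_entries(4) hdr_ver(1) entry_ver(1)
# header_len(1) checksum(1); the entry array starts header_len bytes in.
FPT_HEADER_FMT = "<4sIBBBB"
# Assumed entry: name(4) owner(4) offset(4) size(4) + 16 bytes of token/flag
# fields this example leaves uninterpreted.
FPT_ENTRY_FMT = "<4s4sII16x"
FPT_ENTRY_SIZE = struct.calcsize(FPT_ENTRY_FMT)  # 0x20
ABSENT = 0xFFFFFFFF  # unused slots carry an all-ones offset


def find_fpt(image):
    """Return the offset of the $FPT header, or raise if none is found."""
    for off in FPT_CANDIDATE_OFFSETS:
        if image[off:off + 4] == FPT_MAGIC:
            return off
    raise ValueError("no $FPT header at offset 0x0 or 0x10")


def parse_fpt(image):
    """Return one dict per partition entry with a status a reader can trust:
    'ok', 'absent' (unused slot) or 'truncated' (runs past the image end)."""
    fpt = find_fpt(image)
    _tag, n_entries, _hv, _ev, hdr_len, _cs = struct.unpack_from(
        FPT_HEADER_FMT, image, fpt)
    table_end = fpt + hdr_len + n_entries * FPT_ENTRY_SIZE
    if hdr_len < struct.calcsize(FPT_HEADER_FMT) or table_end > len(image):
        raise ValueError("implausible $FPT header: entry table does not fit")
    parts = []
    for i in range(n_entries):
        pos = fpt + hdr_len + i * FPT_ENTRY_SIZE
        name, _owner, offset, size = struct.unpack_from(FPT_ENTRY_FMT, image, pos)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        if offset == ABSENT or size == 0:
            status = "absent"
        elif offset + size > len(image):
            status = "truncated"
        else:
            status = "ok"
        parts.append({"name": name, "offset": offset, "size": size,
                      "status": status})
    return parts


def output_name(part):
    """Name a carved partition the way the post's listing does (00004000.FTPR)."""
    return "%08x.%s" % (part["offset"], part["name"])


def carve(image, name):
    """Return the bytes of partition `name`, refusing absent/truncated ones."""
    for part in parse_fpt(image):
        if part["name"] == name:
            if part["status"] != "ok":
                raise ValueError("partition %s is %s" % (name, part["status"]))
            return image[part["offset"]:part["offset"] + part["size"]]
    raise KeyError(name)


def build_sample_image():
    """Constructed sample, not a real dump: 0x280000 bytes of erased flash
    (0xFF) with an FTPR partition at 0x4000 and an NFTP partition at 0x275000
    (the offsets in the post's image/00004000.FTPR and image/00275000.NFTP
    directory names) plus one unused slot."""
    image = bytearray(b"\xff" * 0x280000)
    entries = [(b"FTPR", 0x4000, 0x80000),
               (b"NFTP", 0x275000, 0x8000),
               (b"DLMP", ABSENT, 0)]
    header = struct.pack(FPT_HEADER_FMT, FPT_MAGIC, len(entries),
                         0x20, 0x10, 0x20, 0)
    image[0:0x20] = header.ljust(0x20, b"\x00")
    for i, (name, offset, size) in enumerate(entries):
        struct.pack_into(FPT_ENTRY_FMT, image, 0x20 + i * FPT_ENTRY_SIZE,
                         name, b"\xff" * 4, offset, size)
    # Real partitions begin with a $CPD directory; plant only the marker.
    for _, offset, _size in entries[:2]:
        image[offset:offset + 4] = b"$CPD"
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_fpt(img):
        print("%-4s offset=0x%08x size=0x%06x %s"
              % (p["name"], p["offset"], p["size"], p["status"]))
    print("FTPR would be written as", output_name(parse_fpt(img)[0]))
```

Run against a real `image.bin` by replacing `build_sample_image()` with the file's bytes; anything reported as `truncated` means the dump is shorter than its own partition table claims, and a module carved from it should not be fed to objdump or IDA with a base address taken from that table.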

~~~
celeritascelery
Any insights from the code?

~~~
hilmipilmi
I used it to look into Gigabyte's response to Intel SA 00075 described in
[https://embedi.com/files/presentations/BH-Las-Vegas-2017-Int...](https://embedi.com/files/presentations/BH-Las-Vegas-2017-Intel-AMT-Stealth-Breakthrough-presentation.pdf).

before:
[http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5ha(a...](http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5ha\(a\)-6300_f3.zip)

after:
[http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5ha(a...](http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5ha\(a\)-6300_f4.zip)

You can see that there is an extra function call added that tests for
response.length.

Given the easy availability of the assembler dump you can expect progress
towards demystifying IME. I'm not a professional in the security field, but I
sense that there is lots of possibilities by just doing a "strings
image/00275000.NFTP/amt.mod". Gigabyte might be special, but they have left
their assert prints in the code and you can get a sense what the thing is
doing...

------
jadbox
I bet you that the next generation of Intel processors will have patched this
workaround from working, and maybe go as far removing the ability to kill IME
unless you use some kind of rotating encryption dongle. Unfortunately for
consumers, there's no way to escape this as even AMD has their own IME.

~~~
Chaebixi
> I bet you that the next generation of Intel processors will have patched
> this workaround from working, and maybe go as far removing the ability to
> kill IME unless you use some kind of rotating encryption dongle.
> Unfortunately for consumers, there's no way to escape this as even AMD has
> their own IME.

What would be the justification for Intel going through all that trouble to do
that (besides a conspiratorial "the NSA needs it to spy on everyone")?

The impression I've gotten, to this point, is that Intel just doesn't care
enough about people in the general public who are bothered by the IME to
publicly support ways to disable it. Governments had enough buying-power to
get Intel to implement an unsupported workaround, but I'm not convinced Intel
has a motivation to make accessing that workaround hard.

~~~
tree_of_item
> besides a conspiratorial "the NSA needs it to spy on everyone"

Besides the real reason? I dunno.

~~~
Ajedi32
Do you have any specific evidence that the NSA is directly involved in pushing
implementation of IME for the purposes of espionage? That's an extraordinary
claim; the mere existence of the NSA isn't sufficient evidence that it's true.

Yes, the NSA exists. Yes, it's their job to spy on people. And yes, it's
perfectly valid to include mass surveillance in your threat model. But these
constant, uncorroborated claims that the NSA boogeyman is hiding behind every
rock and tree are starting to become quite tiresome.

~~~
rantanplan
> the NSA boogeyman is hiding behind every rock and tree are starting to
> become quite tiresome.

Yeah indeed, they have backdoored every ISP, nation, router, HDD, what-have-you
in existence and these people keep telling boogeyman tales.

Tsk tsk tsk. How tiresome.

~~~
Ajedi32
> they have backdoored every ISP, nation, router, HDD, what-have-you in
> existence

This is exactly the kind of hyperbolic nonsense I'm talking about. You can't
claim that every HDD in existence has an NSA-installed backdoor installed in
it without providing any evidence.

If the NSA's capabilities were nearly as extensive as you're claiming, the US
wouldn't need to bother maintaining a military. They could just remotely
command all of North Korea's computers to shut themselves off, then sit back
and wait around for their surrender.

I'm not saying mass surveillance isn't a problem, or even that the NSA doesn't
have a backdoor installed in IME (I certainly don't have evidence to the
contrary); just that people need to stop exaggerating the threat, or making
claims about the NSA having compromised any specific system without providing
any evidence to back those claims up.

~~~
roblabla
Remember when the NSA crippled a standardized CSPRNG?
[http://www.reuters.com/article/us-usa-security-nsa-rsa/exclu...](http://www.reuters.com/article/us-usa-security-nsa-rsa/exclusive-nsa-infiltrated-rsa-security-more-deeply-than-thought-study-idUSBREA2U0TY20140331)

Remember when the US shut down NK's internet?
[https://gizmodo.com/so-who-shut-down-north-koreas-internet-1...](https://gizmodo.com/so-who-shut-down-north-koreas-internet-1674589139)

Remember when the NSA was revealed to have a malware that could infect hard
drives, being potentially undetectable?
[https://motherboard.vice.com/en_us/article/ypwkwk/the-nsas-u...](https://motherboard.vice.com/en_us/article/ypwkwk/the-nsas-undetectable-hard-drive-hack-was-first-demonstrated-a-year-ago)

Remember PRISM? How about Stuxnet, and the other couple of viruses that are
almost surely the NSA's.

Sure, those are not backdoors installed by the OEM, rather they are malware
that the NSA can use to infect (lots of) systems. But let's not kid ourselves,
the NSA _does_ have a ridiculous amount of power, and we have lots of evidence
of it.

At this point I'd be rather surprised if the NSA hasn't hacked my fridge yet
somehow.

~~~
Ajedi32
And I agree, those are some pretty impressive feats. Whenever your threat
model includes state actors, it's probably not a bad idea to be paranoid.
Let's not carry that paranoia to ridiculous extremes though.

_Could_ the NSA have the ability to utilize IME somehow as a means to infect
computers? Certainly. Do they _actually_ have that capability? We have no
idea. Same goes for your motherboard's firmware, your hard drive's hardware,
and any number of other possible vectors. They _could_ be compromised somehow,
yes, but let's not claim that any specific motherboard firmware, HDD model, or
CPU processor brand definitely _is_ compromised without evidence.

------
silversmith
What caught my eye was "removes (...) Java VM" - I had imagined the ME to be
some kind of very basic maintenance task runner, not a full-blown dynamic app
environment.

~~~
gregschlom
Same here. I was like "what, there's a JVM in there?". But then again,
apparently there's a JVM in most (all?) SIM cards
([https://en.wikipedia.org/wiki/Java_Card](https://en.wikipedia.org/wiki/Java_Card))

~~~
JPLeRouzic
Before Java Card, all smartcards were programmed in assembly, each brand
incompatible with the others. And even if smartcards were introduced as security
devices, their "security" was actually a joke.

Then there was an effort to create a secure interoperable platform for
smartcards, it was Global Platform and it uses Java card for implementing
their goals. All post 2000 smartcards are compatible with GP:

[https://en.wikipedia.org/wiki/GlobalPlatform](https://en.wikipedia.org/wiki/GlobalPlatform)

~~~
sanbor
I wonder if it really needs the JVM in the chip. It could just contain the
compiled bytecode and the phone could have a JVM that runs the bytecode.

~~~
zAy0LfpBZLC8mAC
The whole point of the smartcard is that the outside world cannot access its
memories other than through services running on the card.

------
hoodoof
Really Intel/Apple/Microsoft should provide an official and reliable way to do
this.

We see you Intel... with your stinky spies peeping out from the depths of our
computers....

~~~
jordigh
I think it's very likely that the order to backdoor all hardware came from the
government and Intel decided to market it as some kind of advanced management
benefit for the consumer. Evidence in favour is reverse-engineered functions
in Intel ME that have NSA's name in them:

[https://www.bleepingcomputer.com/news/hardware/researchers-f...](https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/)

There's no way that both Intel and AMD simultaneously decided to backdoor
their hardware out of consumer demand. The order must have come from above.

(Okay, sorry, that's as much of a conspiracy theorist as I get to be.)

~~~
openasocket
That's a blatant misinterpretation of that article. Here's the main quote:

"According to a highly technical blog post, Positive Technologies experts
revealed they discovered a hidden bit inside the firmware code, which when
flipped (set to "1") it will disable ME after ME has done its job and booted
up the main processor.

The bit is labelled "reserve_hap" and a nearby comment describes it as "High
Assurance Platform (HAP) enable."

High Assurance Platform (HAP) is an NSA program that describes a series of
rules for running secure computing platforms.

Researchers believe Intel has added the ME disabling bit at the behest of the
NSA, who needed a method of disabling ME as a security measure for computers
running in highly sensitive environments."

TL;DR the evidence is that the NSA made Intel give them a way to DISABLE the
management engine on their machines, not a backdoor.

~~~
diabeetusman
I interpret that to mean that the NSA said "Add this and give only _us_ a way
to turn it off"

~~~
openasocket
So, your comment is as good a place as any to put this. There's a ton of
allegations about ME being a backdoor for the NSA or some other government
entity, but very little in the way of good evidence, at least that I've seen.
Many proponents seem to provide circumstantial evidence or simple accusations
as opposed to what I would consider substantial evidence.

Here's some examples of solid evidence

- Leaked documents either from Intel or the NSA documenting the NSA pressing
Intel to provide backdoors, and Intel accepting

- One of the APT groups believed to be associated with the US government is
found using an ME vulnerability in the wild, before the vulnerability became
publicly known

- Refusal or extreme reluctance on the part of Intel to fix a discovered
vulnerability

- A vulnerability which is clearly intentional, like having ME automatically
execute any shell script sent over the network signed with a particular
certificate or something.

Examples of circumstantial, but still quite compelling evidence:

- A vulnerability which appears intentional, as in it doesn't require any
buffer overflow or shell code injection or abuse of certain registers, but
rather seems to be a part of normal operations.

- Intel pushes a change to fix an ME vulnerability, but that change
simultaneously introduces another vulnerability.

- Evidence that Intel, while giving the US government the ability to disable
ME, refuses to give such an ability to other large customers (Google, Amazon,
other governments, etc.), for any amount of money.

Seriously, if someone comes forward with evidence like the above, I'm
completely open to accepting the possibility Intel ME is an active backdoor
for the US government.

~~~
platinumrad
Re: Evidence that Intel, while giving the US government the ability to disable
ME, refuses to give such an ability to other large customers (Google, Amazon,
other governments, etc.), for any amount of money.

I'm not intimately familiar with the situation but I heard some chatter a few
years ago about Google (which likes to use Coreboot on its Chromebooks) asking
Intel for documentation and source code for various firmware components
including the IME and being turned down.

Researchers recently found an undocumented bit can be set in recent IME
versions with a name ("High Assurance Program (HAP)") said to be associated
with the US government which disables most functions of the IME.[1]

[1] [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)

~~~
openasocket
I'm completely aware of the HAP bit; I explicitly linked it in the GP, and so
did the OP.

If you have a source to back up the claim that Google offered money for
access/documentation for disabling ME and were rejected, that's something,
though.

~~~
platinumrad
Ah, I was reading quickly and didn't realize that "while giving the US
government the ability to disable ME" was a given, not one of the things that
had to be shown.

I did some quick searching (I mostly skipped the coreboot mailing list which
is probably the most interesting place to look but I didn't want to spend too
much time) and every reference I've found alludes to someone from Google or
Coreboot _asking_ for Intel's assistance in the form of documentation or
source code, which Intel has plenty of non-NSA-related reasons to refuse to
provide for free (licensed code, preserving competitive advantage, DRM shit,
etc.). I couldn't find any references to anyone offering to _pay_ Intel for ME
firmware source code or similar but then again such an offer would hardly be
public. So this is weak circumstantial evidence at best.

I find AMD's refusal to cooperate with the FOSS community on the matter of its
management coprocessor to be slightly suspicious as well as it's an area where
it could possibly gain a significant competitive advantage vs Intel but a lot
of Intel's reasons for keeping the IME locked down apply to AMD's insistence
on black boxing its PSP as well.

------
Fice
We know that Intel CPUs have IME and AMD CPUs have PSP, but is anything known
about VIA processors
([https://www.viatech.com/en/silicon/processors/](https://www.viatech.com/en/silicon/processors/))
and boards
([https://www.viatech.com/en/boards/](https://www.viatech.com/en/boards/))?
Are there any other producers of x86-64 CPUs?

------
j_s
This is particularly relevant in light of the pending BlackHat EU presentation
(Dec 2017):

How to hack a turned-off computer, or running unsigned code in Intel ME |
[https://news.ycombinator.com/item?id=15298833](https://news.ycombinator.com/item?id=15298833)
(Sep 2017, 239 comments)

~~~
hilmipilmi
If there is an IME firmware update popping up before this talk, don't apply it
if you want to be able to run unsigned code yourself.

------
subway
Reading through this thread, I can't help but long for the days of it only
being a crackpot theory that everything everywhere is owned.

------
Sir_Cmpwn
Since you're playing with your Flash chip anyway, install Coreboot too:
[https://github.com/bibanon/Coreboot-ThinkPads/wiki/ThinkPad-...](https://github.com/bibanon/Coreboot-ThinkPads/wiki/ThinkPad-X200)

------
jkxyz
This is off-topic, but the Gentoo installation guide that this page is a part
of is one of the most comprehensive and accessible Linux guides I've ever
read. It taught me a lot of Linux concepts that I never needed to use before
when setting up cloud VMs, and now I have a fully working installation of
Gentoo + GNOME (with an encrypted root partition) that I'm confident in
managing and upgrading. I definitely recommend checking out the rest of the
guide.

[https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide)

------
squarefoot
Disabling IME and similar bugging subsystems is only a temporary solution:
vendors will create a different one with next gen CPUs and all those brave
folks dedicating their time to the task of removing/disabling it will be
forced to go back to square one: study again, reverse engineer, reflash,
brick, try again, etc. That way CPU makers will always be ahead.

We instead need a platform (CPU+peripherals) which is open by design; no more
ME or closed device drivers, blobs etc. No matter if it's 10 times slower than
the equivalent by Intel or AMD or draws 10 times more current than the
corresponding ARM processor; the point is funding such a development,
producing it and selling it even to a small fraction of users will send a heck
of a message. Also a well crafted PR campaign could do the rest (does your
boss know that all his/her files and communications can be accessed by Intel,
AMD and every government with ties to them? What about making him/her aware?).
If someone starts a project like that, I'm pretty sure I won't be the only one
ready to donate a few quid right now.

~~~
trendia
New Intel chips have only had minimal improvements to previous chips, so there
isn't a huge incentive to upgrade if you don't mind giving up a little
performance in exchange for security.

------
noobermin
Can I get a serious alternative view on this? What purpose does Intel have for
things like this exactly? Also, are AMD chips an alternative that can help
here?

~~~
platinumrad
The IME, like Computrace which is similarly awful[1], is intended to be used
for enterprise management. It's nice for someone in IT to be able to remotely
wipe a company laptop that was left in an airport, but there's absolutely no
reason why consumer devices should be burdened with these backdoors.

AMD has something called the PSP which essentially serves the same purposes of
the IME which is also undocumented and cannot be disabled.

[1] [https://securelist.com/absolute-computrace-revisited/58278/](https://securelist.com/absolute-computrace-revisited/58278/)

~~~
acdha
> there's absolutely no reason why consumer devices should be burdened with
> these backdoors.

Beyond the obvious economy of scale argument, why don’t consumers want that? I
thought things like Apple’s remote lock/wipe feature were selling points for
anyone concerned with theft.

(As an aside, it doesn’t feel accurate to term this a backdoor without
evidence that it’s being used without the owner’s consent)

~~~
snarfy
The article mentions they've already found a remotely exploitable security
hole. Backdoor or not, nobody wants that.

We would all be fine with IME if we had access to it, could define the keys,
and enable/disable features of it. Locking users out of their own hardware is
not acceptable. I'm the only one that should be able to remote lock/wipe my
phone. It should not be possible for Apple. They shouldn't have the keys. It's
my phone. Even if I did trust Apple, I don't trust the government.

~~~
acdha
Look, I’d also like this to be open and documented but hyperbole isn’t helping
that. If it’s undocumented, say that rather than pretending anyone is locked
out of their own hardware — nobody has lost the use of their device due to
IME. Similarly, calling it a backdoor and implying that the NSA is behind it
without any proof is only going to reflect badly on the person making those
claims.

The other thing to remember for effective advocacy is thinking about what
normal people experience. If you say Apple shouldn’t have the keys, you’re
also saying the average person has to be good at key management; most people
are happy to outsource that. Conflating the issues of mass surveillance with
control over your own hardware is great if your goal is confusion but I don’t
see it producing results.

------
binaryapparatus
Let's say I disable or pull out all the network/wireless cards I have. Then
what? Any ideas how to connect to the internet otherwise?

I am seriously thinking going Stallman because of this and not connecting to
the internet at all, at least not from all the machines.

~~~
Skunkleton
rfc1149 is your last option.

[https://tools.ietf.org/html/rfc1149](https://tools.ietf.org/html/rfc1149)

~~~
binaryapparatus
This is much closer to what I have in mind than what you can expect :)

Current draft involves two monitors, two cameras, and protocol crazy enough to
confuse any firmware.

~~~
Skunkleton
If you are serious, I would recommend using local firewall rules to modify
your outgoing packets so that they are in some way non-standard, and then
filtering all but the non-standard packets at your networks firewall.

------
fdchn2016
I don't know why everyone thinks doing this much is safe. If I was the NSA/CIA
director, I would put this in as a first level and if anyone figured out how
to hack this backdoor, I would have a 2nd and 3rd hidden backdoor or maybe
more. Maybe a particular sequence of instructions which opened a backdoor.

------
partycoder
Having to build a modchip for your PC exacerbates the need for open source
hardware.

------
internalfx
Does anyone know if AMD PSP can be disabled?

~~~
platinumrad
It's entirely possible that there exists something analogous to the HAP bit[1]
or that something like me_cleaner could be developed for the PSP but AMD is
not the market leader (and is frankly negligible when it comes to laptops) so
much less research has been done on the AMD PSP. I remember that when
excitement was building for the release of Ryzen there were petitions for AMD
to open source the PSP and some talk that it might actually happen but they
eventually shut the idea down during a Q&A.[2] It's a shame because it would
have given AMD something to really distinguish itself from Intel and would
have been viewed very positively by a lot of different communities/market
segments. Really makes you think about why they didn't do it...

[1] [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)

[2]
[https://news.ycombinator.com/item?id=14803373](https://news.ycombinator.com/item?id=14803373)

------
GlenTheMachine
Can someone point me to an explanation of exactly what this is, and whether I
need to worry about it? Particularly on a home server I built myself from
parts?

~~~
zaggynl
In short, the Intel Management Engine and AMD Platform Security Processor,
which are on many motherboards, allow for remote power on and remote control
of a PC if connected to Ethernet, are closed source and have known
vulnerabilities.[1] This website has a more elaborate explanation:
[https://libreboot.org/faq.html#intel](https://libreboot.org/faq.html#intel)
[1]: [https://www.intel.com/content/www/us/en/architecture-and-tec...](https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html)

~~~
GlenTheMachine
...but this varies depending on motherboard? ie if I buy an Intel CPU, and
(say) an ASRock motherboard, is this still a thing?

~~~
corna
Any Intel CPU has Intel ME, independently of the MB vendor.

------
std_throwaway
What advantage do I, as a lowly user, have from the ME?

~~~
criddell
The management engine is the little computer that is used to get the big
computer running.

Back when I was a kid, after hiking to school in 4 feet of snow uphill with no
shoes, if I were building a PC or adding a new card, I would spend a bunch of
time flipping little DIP switches to set things like addresses and assign
IRQs. I'd reboot and my Gravis Gamepad controller would work, but the
SoundBlaster wouldn't. So I'd power down, flip some switches and try again
until I could get everything working.

Those switches went away, but the underlying issues remained. The new method
was some firmware that did a bunch of pre-boot configuration. That was refined
over the years and now today there's an entire computer running its own OS
that manages all this stuff. It works amazingly well.

However, once the machine is up and running, most people (especially
consumers) have no need for it after that. It would be nice if it just powered
down and waited for the next reboot. However, a little hidden computer was too
useful to be ignored and it's used for a bunch of things including DRM (it can
have _secure-enclave_ -like functionality) and remote management. I'm not sure
we have an exhaustive list of what it can do.

~~~
temac
> Those switches went away, but the underlying issues remained. The new method
> was some firmware that did a bunch of pre-boot configuration. That was
> refined over the years and now today there's an entire computer running its
> own OS that manages all this stuff.

I'm really impressed about how people manage to self-convince themselves so
much about something they don't know about to the point they can explain their
imaginary tech stack with such aplomb.

The ME is not needed to do PnP conf (or whatever it has been renamed to these
days), and to the best of my knowledge is not used to do that and has never
been.

ACPI/EFI & their friends are sufficiently hosted on the CPU, and can run
platform code at so-called negative privilege level at runtime. I expect those
computers with ME disabled to run as well as if ME had not been
disabled, including if you add or remove an extension card.

However you are right about remote management (that's the main advertised
application of ME) and probably DRM stuff.

~~~
criddell
So, as I understand it, the first thing the ME does on boot is run a module that
configures everything. It's called the bring-up (or BUP) engine. I _thought_
that it was doing IRQ and other conflict resolution.

------
kxyvr
I'm wondering if someone could clear something up for me. There's the
me_cleaner project that the above guide relies on in order to generate the new
BIOS image. However, I thought me_cleaner could be run directly without
dumping, modifying, and reflashing an image using the Pi. What's the
difference in efficacy between the above guide and just using me_cleaner
directly?

~~~
corna
me_cleaner is a Python script that operates on a dump; it can't modify the
firmware without the help of other tools. This guide just explains in detail
the complete process of using me_cleaner.

------
craftyguy
Does this require a system with coreboot support? If not, I'm super tempted to
try this on my Dell XPS 13 9333..

~~~
zanny
It doesn't, but because the IME is so undocumented and most firmwares are so
horribly written, it's dangerous to remove these parts of the firmware image
because it might brick your system for completely nonsensical reasons (all it
takes is the firmware randomly misaddressing into an IME area where there is
now no data and failing, making your system unrecoverable without the ability
to operate on the flash chip by hand).

Make sure someone else has managed it with your same board to know it works.

------
e12e
Imagine the havoc if (when?) Intel's code signing keys for IME are leaked?
Sure it might be _possible_ to update keys in all the world's post-2006 Intel
computers. But in reality it'd be a free for all that makes botnets of home
routers look like a needle on a football field...

------
achillean
The feature is sometimes also available over the Internet btw. Here is an
overview of publicly-accessible Intel Active Management services:

[https://www.shodan.io/report/PuIRbQpt](https://www.shodan.io/report/PuIRbQpt)

------
jlgaddis
I think I'm gonna order the hardware and finally do this on my T420 and W530.

~~~
bubblethink
If you port coreboot to w530, please post it somewhere. I am interested in it,
but the information about coreboot on w530 is a bit scarce.

------
wheresmyusern
I remember when it was found that the ME had a "kill switch"; wasn't it found that
this kill switch still leaves a rather lot of power in the hands of the IME?

------
Sephr
In order to test if this breaks any silicon workarounds, someone should run
comprehensive benchmarks on their CPU pre and post-IME disabling.

------
gigatexal
Makes me happy I am moving to AMD not systems and staying away from their pro
line that has this nonsense built in.

------
listic
I wonder how should I go about finding a service center/technician competent
enough to do that for me?

------
earenndil
It says raspberry pi 3b. Can I do it on a pi 0?

~~~
bromonkey
I don't see anything that would make it specific to version 3, except that you
might have to build your own version of gentoo. It would be nice if anyone
else has an idea because I'd like to do this with the raspberry pi2 I already
have.

~~~
earenndil
Well again, I don't see why the pi _has_ to run gentoo. It could run any other
linux.

------
thresh
Does that ruin the BMC/iLo/IPMI?

------
moonbug
Aww, Gentoo's still a thing, how cute.

~~~
0x6c6f6c
Even if enthusiast Gentoo wasn't a thing, Google's ChromeOS is a customized
Gentoo[1] which has grown in market share fairly drastically in K-12 schools
especially in the US[2].

[1]:
[https://wiki.installgentoo.com/index.php/ChromeOS](https://wiki.installgentoo.com/index.php/ChromeOS)
[2]: [https://9to5mac.com/2017/03/02/apple-ios-market-share-k-12-e...](https://9to5mac.com/2017/03/02/apple-ios-market-share-k-12-education-chrome-os/)

