How To Disable Intel ME Courtesy of the NSA

FrgMstr

I know there are a lot of folks that do not like Intel Management Engine and whatever they think it might do on their computers. The simple fact, though, is that it has been a needed component for years now. Positive Technologies has laid out everything you need to keep enough of Intel ME around to initialize and launch the Intel processor, and then shut down the process once that has all taken place. And it seems that the HAP NSA program might be responsible for this all. If you are willing to get your hands a bit dirty, you can now turn Intel ME off once booted.



Closing thoughts - So we have found an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage. We can prove this by the following facts: Binary analysis of Intel ME firmware, as described in this paper. If we remove some critical ME modules and enable HAP mode, Intel ME does not crash. This proves that HAP disables ME at an early stage. We are quite sure that Intel ME is unable to exit this mode because we have not found code capable of doing so in the RBE, KERNEL, and SYSLIB modules.
 
Very interesting. I'm glad that researchers have figured out how to do this, even if it's just from a transparency and *dons tin foil hat* privacy and security point of view. Ups to those researchers!
 
I have no idea as to what this is all about. Could somebody explain it?
 
> I have no idea as to what this is all about. Could somebody explain it?

A bit late, but here you go:
The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -3, independently of the BIOS, main CPU and platform operating system — a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported).
Source: https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

Further reading: https://libreboot.org/faq.html#intelme
 
sorry for the necro

I'm looking to set up a pretty secure system, has anyone here tried this? How did it go?
 
Nice so.. God's eye on us all. I'd be down to shut this off.

But then again.. it's been there since 2006? Damn.

Chance of destroying my 5k+ PC upgrade? No thanks. Let them know how many times I fart at my desk. I'm sure my Samsung TVs already record all that anyways. ;)
 
I'd be careful with disabling the IntelME. As I understand it, it is required for several things to work: UEFI Secure Boot, Bitlocker, and some new security features in Windows 10 (forget what). So if you are currently running a UEFI bios and have UEFI enabled, turning off the IntelME might make your OS stop booting.

All you would have to do to fix that would be to reinstall the OS. So if there's no data on the os/boot volume, not a big deal.
 


The Intel Management Engine is not disabled in the Army's OS builds, and there is no STIG vulnerability for it in the MS OS STIGs.

I don't think it's the risk some think it is. I think that if there is a vulnerability, then it's mostly like any other vulnerability. It'll get locked down when it gets patched, or when we move to something new and it becomes OBE. (Overcome by Events)

If anyone thinks that this is something that they need to do, by all means, I don't do your risk assessments (y)
 
> I'd be careful with disabling the IntelME. As I understand it, it is required for several things to work: UEFI Secure Boot, Bitlocker, and some new security features in Windows 10 (forget what). So if you are currently running a UEFI bios and have UEFI enabled, turning off the IntelME might make your OS stop booting.
>
> All you would have to do to fix that would be to reinstall the OS. So if there's no data on the os/boot volume, not a big deal.


Disable IME and then run win10? That...would be less than sane, what would be the point?

No, this is for a coreboot-Kali setup
 