How To Disable Intel ME Courtesy of the NSA

Discussion in 'HardForum Tech News' started by FrgMstr, Aug 30, 2017.

  1. FrgMstr

    FrgMstr Just Plain Mean Staff Member

    I know there are a lot of folks that do not like Intel Management Engine and whatever they think it might do on their computers. The simple fact, though, is that it has been a needed component for years now. Positive Technologies has laid out everything you need to keep enough of Intel ME around to initialize and launch the Intel processor, and then shut down the process once that has all taken place. And it seems that the HAP NSA program might be responsible for this all. If you are willing to get your hands a bit dirty, you can now turn Intel ME off once booted.



    Closing thoughts - So we have found an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage. We can prove this by the following facts: Binary analysis of Intel ME firmware, as described in this paper. If we remove some critical ME modules and enable HAP mode, Intel ME does not crash. This proves that HAP disables ME at an early stage. We are quite sure that Intel ME is unable to exit this mode because we have not found code capable of doing so in the RBE, KERNEL, and SYSLIB modules.
     
  2. GDI Lord

    GDI Lord Limp Gawd

    Very interesting. I'm glad that researchers have figured out how to do this, even if it's just from a transparency and *dons tin foil hat* privacy and security point of view. Ups to those researchers!
     
    Monkey God likes this.
  3. EchoWars

    EchoWars Limp Gawd

    Interesting. Not something I've thought about much.
     
  4. grtitan

    grtitan Telemetry is Spying on ME!

    I wonder how the Chinese and the Russians block this from the computers used in important/secret areas?
     
  5. I have no idea as to what this is all about. Could somebody explain it?
     
    d3athf1sh likes this.
  6. Aluminyum

    Aluminyum Guest

    A bit late, but here you go:
    Source: https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

    Further reading: https://libreboot.org/faq.html#intelme
     
    d3athf1sh and GDI Lord like this.
  7. jojo69

    jojo69 [H]ardForum Junkie

    sorry for the necro

    I'm looking to set up a pretty secure system, has anyone here tried this? How did it go?
     
  8. eclypse

    eclypse 2[H]4U

    Nice so.. God's eye on us all. I'd be down to shut this off.

    But then again.. it's been there since 2006? Damn.

    Chance of destroying my 5k+ pc upgrade? No thanks. Let them know how many times I fart at my desk. I'm sure my Samsung TVs already record all that anyways. ;)
     
    Last edited: Apr 10, 2019
  9. Etherton

    Etherton Will Bang for Poof

    And the Raise the Dead award this month goes to jojo69!
     
  10. jojo69

    jojo69 [H]ardForum Junkie

    Yeah well, as not infrequently happens, when I went out searching for computer information one of the top hits led back to my home forum, sooooo...
     
  11. GoodBoy

    GoodBoy [H]ard|Gawd

    I'd be careful with disabling the Intel ME. As I understand it, it is required for several things to work: UEFI Secure Boot, BitLocker, and some new security features in Windows 10 (forget what). So if you are currently running a UEFI BIOS and have UEFI enabled, turning off the Intel ME might make your OS stop booting.

    All you would have to do to fix that would be to reinstall the OS. So if there's no data on the os/boot volume, not a big deal.
     
  12. lcpiper

    lcpiper [H]ardForum Junkie


    The Intel Management Engine is not disabled in the Army's OS builds, and there is no STIG vulnerability for it in the MS OS STIGs.

    I don't think it's the risk some think it is. I think that if there is a vulnerability, then it's mostly like any other vulnerability. It'll get locked down when it gets patched, or when we move to something new and it becomes OBE. (Overcome by Events)

    If anyone thinks that this is something that they need to do, by all means, I don't do your risk assessments (y)
     
  13. jojo69

    jojo69 [H]ardForum Junkie


    Disable IME and then run win10? That...would be less than sane, what would be the point?

    No, this is for a coreboot-Kali setup