The Intel Management Engine (‘IME’ or ‘ME’) is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -2, independently of the BIOS, main CPU and platform operating system – a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported).
In this mini-guide, I’ll run through the process of disabling the IME on your target PC.
Apparently, the IME co-processor runs… MINIX 3. That is incredibly fascinating. This means every post-2006 Intel PC runs MINIX.
Minix 3 is the most popular x86 Operating System?
Hi,
Popularity implies people had a choice. For example; you can’t say that Minix 3 is the most hated/least popular OS just because nobody wants Intel’s management engine.
– Brendan
Is Windows the most popular operating system ?
I’d say yes for x86-based platforms. Outside of that, maybe not so much
Android must be the most popular by volume no? Certainly Linux is as far as kernels go.
this is certainly not for everyone. I’m sure that if you follow the steps perfectly you may do it but TBH, it seem an awful lot more trouble than it is worth.
I suspect that only the most paranoid or who work for the various TLA’s around the world will bother.
For the average punter? I don’t see any compelling reason to do this (at the moment)
But… it was interesting to find out that it can be done.
Thanks Thom.
IME is a security risk. The AMT/vPro security holes of the not too distant past illustrate the problem of this technology, and without a compelling reason to keep it around (ie. corporate setting which uses it for remote administration and provisioning of desktops), it should get nuked.
References:
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-int…
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-000…
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Sec…
Edited 2017-10-11 17:23 UTC
Wow, this FAQ page makes a strong case for Apple (and maybe others) to ditch x86 quickly https://libreboot.org/faq.html#amd
From the FAQ:
“it is our opinion that all performant x86 hardware newer than the AMD Family 15h CPUs (on AMD’s side) or anything post-2009 on Intel’s side is defective by design and cannot safely be used to store, transmit, or process sensitive data. Sensitive data is any data in which a data breach would cause significant economic harm to the entity which created or was responsible for storing said data, so this would include banks, credit card companies, or retailers (customer account records), in addition to the “usual†engineering and software development firms. This also affects whistleblowers, or anyone who needs actual privacy and security.”
Apple is really the only larger player that has not only vocally supported privacy, but also actually done some things about it. A switch away from x86 to ARM could allow them to engineer their CPUs without these problems. Of course, I wonder whether they would…
Do read second link carefully. MINIX is used after PCH 100 series overhaul. It was released in 2015.
So it is not true that every post-2006 Intel PC has Minix inside.
I would love to see the IME code.. It is probably full of scary crap, but it sounds so fascinating.
Oh the irony…..
Curious if AMD’s TrustZone runs something similar as well. it’s ARM based ..
Edited 2017-10-11 12:20 UTC
No. ThreadX until Skylake (IME v11)
So every post-2015 Intel PC runs MINIX.
The Intel Management Engine chip and firmware need to be installed on the motherboard. Not all hardware sold since 2006 has this. It is typically included as a feature for Corporate use.
The article claims AMD has an equivalent but all I have found is a bunch of FUD that all link back to a couple of 2012 articles saying “AMD has licensed Trustzone and plan to use it in the future” but I have found ZERO evidence they ever did anything with ARM Trustzone other than use it for the console APUs they sold to MSFT and Sony.
With the Intel version you can find code for the IME, you can find where it is on the chip layouts, I have scoured over everything I can find on AMD chips and have found exactly squat when it comes to AMD having their own IME, instead it all comes back to those same couple of 2012 articles. Even AMD’s Trustzone page hasn’t been updated since 2013 so unless someone can show us some current code or chip layouts showing Trustzone on current AMD processors? I’m calling FUD.
It doesn’t help that AMD changed the name twice. First to PSP (Platform Security Processor) and now to “Secure Processor”.
According to this article, the first in-the-wild PSP cores back in 2014 were 32-bit ARM Cortex-A5 cores:
http://www.tomshardware.com/reviews/amd-tablet-processor,3813-2.htm…
…and here are some more recent links about it:
https://www.amd.com/en-us/innovations/software-technologies/security
https://hothardware.com/news/amd-confirms-it-will-not-be-opensourcin…
Edited 2017-10-13 00:33 UTC
If the CPUs run okay with IME disabled, why did we need it in the first place?
The system can run without the IME because, originally, its purpose was to allow remote administration of servers even when the primary OS is completely borked. (Hence the “ME” part. [Remote] Management Engine.)
That’s probably also the reason that it resets the system if the IME doesn’t come up quickly enough. Better to have your server fail while you’re still in the datacenter doing the install than to discover the IME is broken just when you need it.
…and, since then, the new modules that were added are so that the entire “decrypt video, then re-encrypt with HDCP” step can be moved completely outside the reach of software the user can inspect or modify.
https://www.alexrad.me/discourse/why-rosyna-cant-take-a-movie-screen…
Edited 2017-10-14 07:08 UTC
Just a minor nitpick, but the summaru Mentioned BIOS, dies this allso effect people with UEFI?