Update 12-5-2017: Dell has provided a statement in response to the IME news which is as follows:
- "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro – ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public.
- Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration."
(End of update.)
Niche system vendors System76 and Purism are now joined by Dell in offering laptops with Intel's Intel Management Engine (IME) blackbox disabled. The company, one of the largest laptop manfacturers, currently offers three higher-end laptops with the configuration option of "Intel vPro™ – ME Inoperable, Custom Order" where for around $20 Dell will disable IME. IME has come under fire recently due to a major vulnerability that affects many of its Core series processors and has had bugs dating back years.
IME is baked into Intel processors dating back to 2008 and operates at what is known as Ring -3 meaning that it has privileges well above that of software, drivers, OS kernel, and even UEFI. IME is an autonomous subsystem with its own processor running its own software that has full control over the computer and even has its own networking stack. Intel has obfuscated that closed source code and has made it notoriously difficult to enable while also claiming it is necessarly for the processor to hit full performance. Security researchers and companies like Google have committed to disabling it (there is a way to turn it off though Intel has not documented it). IME can be used alongside Intel AMT / vPro features (Ring -2+) for remote management, and since IME runs even when the system is off it makes it easy to roll out OS upgrades and re-image machines. Home users however do not need IME, but have traditionally been stuck with it anyway along with its security holes. (Note that AMD has its own platform management subsystem with the PSP though it has not drawn nearly the high profile reputation Intel has with the latest bugs and promised patches.)
Specificlaly Dell is offering to disable IME for a small fee on the Latitude 14 Rugged laptop, Latitude 15 E5570, and Latitude 12 Rugged tablet which all run 6th Generation Core (6000 series and Core M) processors. Purism plans to sell PCs with IME disabled going forward and System76 has promised firmware updates for disabling IME on its PCs sold within the last few years. In reading about IME online, it seems that disabling IME is a tricky endevour with the potential to brick the system, but it can be done and the more documentation these vendors do the better for Linux, open source software, and security concious consumer proponents. For now you will have to pay a small fee to disable it but if you are worried about IME the peace of mind might be worth it. Also, with Dell now on board it shouldn't be long before other vendors start offering systems sans Intel Management Engine. Hopefully they are able to offer this IME disabled feature on models with the latest Intel processors as well for those that want it as the latest round of major bugs affected Skylake, Kaby Lake, and Coffee Lake CPUs.
What are your thoughts on this? Have your systems received an IME security patch? In any case, with the IME bugs, Mac OS High Sierra secuirty hole, and iOS encrypted backup loophole it has not been a good month for security!
Also read:
- Intel Patches Major Flaws in the Intel Management Engine @ ExtremeTech
I really do not care much
I really do not care much about the Intel management engine stuff because AMD has a platform security processor too. So hopefully that can be disabled also.
But the system76 folks appear to be just another Intel division as System76 does not appear to offer products with Intel Outside. And System76 and the other Linux OS based Laptop/PC OEM what the hell about offering some AMD Raven Ridge offeings or is Intel’s Funding of your Linux laptop products so good that you can not afford to build laptops without Intel’s cash assistance.
2020 is getting closer and still no Linux OS OEM laptop Options without Microsoft, Intel, or Nvidia inside and I know that Dell is the best friend that Intel’s money can buy! And look Dell charges to turn that IME off!
What about some Linux OS laptops with M$, Intel, and Nvidia’s products turned off and Raven Ridge inside and I do not care about battery life as I want APU graphics performance witout all that Nvidia extra cost or sign-ins required for driver updates.
That IME is just one thing to worry about as the entire windows 10 OS is spyware, no IME backdoors needed!
Could someone explain this
Could someone explain this person’s post please? It doesn’t make any sense to me.
CamelCaseGuy’s posts
CamelCaseGuy's posts never make much sense. Surprised there was no mention of POWER, as IIRC, its management engine is on a optional installable daughterboard and not integrated into the baseband firmware.
As for the Linux comments, there are options out there, but they are not bleeding edge hardware. some examples are the various ARM based systems, aforementioned POWER workstations ($$$), SiFive just came out with a RISC-V platform, as well as a few others. Distros support alternative platforms to various levels, but don't expect to drop steam and run games on em.
If you're looking to remain on x86, Purism’s offerings are likely the best path; they are using 6th gen Intel APUs, but utilising coreboot. Not sure if they are stripping ME firmware or not via me_cleaner or not. There is also the libreboot project, for a fully open boot experience, but it's supported hardware is VERY limited.
AMD APU based Linux OEM
AMD APU based Linux OEM laptops are as rare as hen’s teeth! So until I can get a more affordable Linux OS OEM Laptop option with an AMD Raven Ridge APU where I do not need to get a discrete mobile GPU to get graphics that’s good enough and much better than Intel’s dog food graphics.
So the Idea is to avoid M$(Spyware OS), Intel(Dog Food Graphics), and Nvidia(good enough graphics but too costly) and go with a more affordable AMD APU based Linux OS laptop where the Laptop OEM has vetted the Linux Build to work fully with the OEM’s laptop hardware/features.
Intel has just about 99.99% domination of the Linux OS based OEM Laptop market and any Intel based system is going to have to be paired with a mobile discrete GPU to make up for Intel’s dog food graphics that chokes on high polygon count Blender 3D mesh models. AMD’s Raven Ridge APU, the variant with the 10 Vega nCUs, has more graphics power in its integrated graphics than an old AMD TeraScale rebrand AMD 7650M discrete mobile laptop GPU! So the Raven Ridge Ryzen 7 2700U SKU can by itself work with higher polygon count mash models in Blender 3D’s edit mode and not be bogged down to the point where the Blender 3D editor mode’s User Interface becomes unusable!
So Intel’s graphics is not good for non gaming 3D graphics workloads as Intel’s integrated graphics lacks the shader count compared to AMD’s or Nvidia’s Graphics. Most gaming workloads are done on minimal polygon count mesh models with the gaming models skinned with faux textures to make them look realistic and to maintain gaming FPS rates. Non Gaming 3D animated workloads make use of realistic models with millions of more polygons and use Ray Tracing and other settings on high to get natural highly detailed shadows generated off high polygon count mesh models themselves that are more realistic. And animations render a single frame about once every 1/4 to 1/2 hour with all the settings, Shadow/AA/AO/Ray sample rates/others, on high in Blender 3D and the rendering done on the GPU(Cycles Renderer/other GPU rendering plugins).
So for Linux OS OEM laptops from the factory with that OEM’s Linux OS distro installed and vetted for use with the laptop’s hardware the hardware choice is 99.99% Intel/Nvidia where these Linux Laptop OEM’s are incentivized to go with the more expensive hardware.
AMD needs to incentivize some Linux Laptop OEM/s and get a line of Raven Ridge APU based laptops that will appeal to folks that are doing more graphics design/animation asset(highly detailed mesh models) oriented workloads where FPS is not a factor like it is in gaming. Because 9 times out of 10 when the fools swoon over Intel’s dog food graphics it’s using gaming workloads to judge the graphics and gaming graphics workloads are not representative of any other graphics workloads that like the most shaders with the GPU’s shader cores put to the task of accelerating Ray Tracing interaction, and AO, AA, Shadow calculations.
“Options Out there”, I’m Talking Linux OS OEM laptop hardware Options as Linux OS runs on plenty of hardware! But I want Raven Ridge APU hardware with the Laptop OEM vetting it’s chosen Linux distro to work on that Linux OS laptop OEM’s hardware where I can get that Out OF the Box experience and OEM support in things are not working as they should. And then there is that Raven Ridge APU graphics with its Vega nCUs and no need for me to have to spend extra for a discrete mobile GPU to be able to work with High Polygon mesh models in Blender 3D’s editing mode where I spend most of my time making more realistic 3D models.
Most Gamers believe that games grow on trees and all that stuff comes with little or no efforts! And Plenty of games make use of textures that are baked on highly detailed mesh models and then applied as textures onto those decimated low polygon count gaming models for gaming.
Maybe you should be replying to the article and not my post, Lustenberg, and Subsailor you are a known Daft fool!
I can’t wait to hear what
I can’t wait to hear what Intel says about this.
I do wonder if Dell’s offer
I do wonder if Dell’s offer of disabling IME is more of a “we’ll change a BIOS setting for you” than actually neutering it by removing the worst offending parts of it, namely the inbuilt web server and networking stack.
https://en.wikipedia.org/wiki
https://en.wikipedia.org/wiki/Intel_Management_Engine
“..laptops will ship with the ME disabled, via erasing the majority of ME code from the flash, and disabling most ME operation via the HAP bit.”
If that’s the same for Dell is that the normal BIOS for the motherboard or flash on the CPU itself?
This explains things too:
https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/
But it makes things even more complicated since it may or may not disable Boot Guard which could ironically put you at more security risk?
I got the impression this is all done via a motherboard BIOS flash but I could be wrong.
Heck, I’m not even clear if you need to be locally attached (i.e. USB) to hack into the machine or not to compromise IME (which Intel still maintains isn’t a “backdoor” so.. WHAAAT?
“Want your $1000 enterprise
“Want your $1000 enterprise focused computer without an unmitigatable security hole? That’ll be $20 extra.”
Still better than not having the option I guess.