Update 12-5-2017: Dell has provided a statement in response to the IME news which is as follows:
- "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro – ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public.
- Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration."
(End of update.)
Niche system vendors System76 and Purism are now joined by Dell in offering laptops with the Intel Management Engine (IME) black box disabled. Dell, one of the largest laptop manufacturers, currently offers three higher-end laptops with the configuration option "Intel vPro™ – ME Inoperable, Custom Order", under which Dell disables the IME for around $20. The IME has come under fire recently because of a major vulnerability affecting many Core series processors, and it has a history of bugs going back years.
The IME has been built into Intel platforms (it lives in the chipset) since 2008 and operates at what is informally called Ring -3, meaning it has privileges above those of applications, drivers, the OS kernel and even the UEFI firmware. It is an autonomous subsystem with its own processor running its own firmware; it has broad control over the computer and even its own networking stack. Intel keeps that code closed and obfuscated, has made the IME notoriously difficult to disable, and has claimed it is necessary for the processor to reach full performance. Security researchers and companies like Google have committed to disabling it (there is a way to turn it off, though Intel has not documented it). The IME hosts Intel's AMT / vPro remote-management features, and because it keeps running while the host system is powered down (as long as the machine has power), it makes it easy for IT departments to roll out OS upgrades and re-image machines remotely. Home users do not need any of this, but have traditionally been stuck with the IME anyway, security holes included. (Note that AMD has its own platform management subsystem, the PSP, though it has not drawn nearly the high-profile attention Intel has with the latest bugs and promised patches.)
Specifically, Dell is offering to disable the IME for a small fee on the Latitude 14 Rugged laptop, the Latitude 15 E5570 and the Latitude 12 Rugged tablet, all of which run 6th Generation Core (6000 series and Core M) processors. Purism plans to sell PCs with the IME disabled going forward, and System76 has promised firmware updates to disable the IME on machines it has sold within the last few years. From what has been written about it online, disabling the IME is a tricky endeavour with the potential to brick the system (and, as Dell's own statement warns, the "ME Inoperable" SKU can disable other system functionality too), but it can be done, and the more these vendors document it the better for Linux, open source software and security-conscious consumers. For now you will have to pay a small fee to have it disabled, but if you are worried about the IME the peace of mind may be worth it. With Dell now on board it should not be long before other vendors start offering systems without the Intel Management Engine. Hopefully they will offer the option on models with the latest Intel processors as well, since the latest round of major bugs affected Skylake, Kaby Lake and Coffee Lake CPUs.
What are your thoughts on this? Have your systems received an IME security patch? In any case, between the IME bugs, the macOS High Sierra security hole and the iOS encrypted backup loophole, it has not been a good month for security!
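If you want to answer that last question for a Linux machine, the following script is an added example (not from the original post or from Dell, Intel or any of the vendors mentioned): it checks whether an ME interface is exposed to the host and which firmware version it reports, which is what you need before comparing against Intel's patched versions. It assumes three things not stated on the page: that the ME's host interface (MEI, also called HECI) appears in `lspci -nn` as an Intel (8086) device with "HECI" or "MEI" in its name, that the kernel's mei driver creates `/dev/mei0`, and that recent mei drivers export the firmware version at `/sys/class/mei/mei0/fw_ver` in the form `<platform>:<major>.<minor>.<hotfix>.<build>`. The sample `lspci` line at the bottom is constructed for illustration, not captured from a real machine.

```sh
#!/bin/sh
# Added example: report whether an Intel ME host interface (MEI/HECI) is
# visible to Linux and what firmware version the mei driver exports.
# Assumptions (not from the original post): MEI shows up in `lspci -nn` as an
# 8086 device named HECI/MEI; the mei driver creates /dev/mei0 and, on newer
# kernels, /sys/class/mei/mei0/fw_ver ("<platform>:<major>.<minor>.<hotfix>.<build>").

# Filter `lspci -nn` output (on stdin) down to Intel MEI/HECI controller lines.
mei_lines() {
    grep -iE 'HECI|MEI|Management Engine' | grep -i '8086'
}

# $1 = text of `lspci -nn`. Prints the number of MEI/HECI controllers found (0 if none).
mei_count() {
    printf '%s\n' "$1" | mei_lines | grep -c . || true
}

# $1 = contents of a fw_ver sysfs file (possibly several lines).
# Prints the dotted version from the first line, e.g. "11.8.50.3425",
# or "unknown" if the file was empty.
parse_fw_ver() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        *:*) printf '%s\n' "${first#*:}" ;;   # strip the "<platform>:" prefix
        '')  echo unknown ;;
        *)   printf '%s\n' "$first" ;;
    esac
}

# $1 = sysfs root (default /sys). Reads the live fw_ver file if the driver provides it.
me_fw_ver() {
    f="${1:-/sys}/class/mei/mei0/fw_ver"
    if [ -r "$f" ]; then
        parse_fw_ver "$(cat "$f")"
    else
        echo unavailable
    fi
}

# Full report against the running machine (needs lspci for the first check).
me_report() {
    if command -v lspci >/dev/null 2>&1; then
        n=$(mei_count "$(lspci -nn 2>/dev/null)")
    else
        n=0
    fi
    echo "MEI/HECI controllers in lspci: $n"
    if [ -e /dev/mei0 ]; then echo "/dev/mei0: present"; else echo "/dev/mei0: absent"; fi
    echo "ME firmware version (sysfs): $(me_fw_ver)"
}

# Constructed sample of `lspci -nn` output (not from a real machine) to exercise the filter.
SAMPLE_LSPCI='00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP CSME HECI #1 [8086:9d3a] (rev 21)
00:1f.3 Audio device [0403]: Intel Corporation Sunrise Point-LP HD Audio [8086:9d70] (rev 21)'

# Run the live report only when asked, so sourcing the file for its functions is side-effect free.
if [ "${ME_REPORT:-0}" = 1 ]; then
    me_report
fi
```

Run it with `ME_REPORT=1 sh me_check.sh`. A count of 0 and no `/dev/mei0` means the host cannot see an ME interface at all, which is what you would hope for on an "ME Inoperable" machine; an "unavailable" version with the device present usually just means the running kernel's mei driver predates the `fw_ver` attribute, in which case the vendor's firmware update tool or Intel's own detection tool is the fallback.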
- Intel Patches Major Flaws in the Intel Management Engine @ ExtremeTech