Purism Now Offers Laptops with Intel's 'Management Engine' Disabled

"San Francisco company Purism announced that they are now offering their Librem laptops with the Intel Management Engine disabled," writes Slashdot reader boudie2. Purism describes Management Engine as "a separate CPU that can run and control a computer even when powered off."

HardOCP reports that Management Engine "is widely despised by security professionals and privacy advocates because it relies on signed and secret Intel code, isn't easily alterable, isn't fully documented, and has been found to be vulnerable to exploitation... In short, it's a tiny potentially hackable computer in your computer that you cannot totally control, nor opt-out of, but it can totally control your system."

Purism writes: Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. Purism, because it runs coreboot and maintains its own BIOS firmware update process, has been able to release and ship coreboot that disables the Management Engine from running, directly halting the ME CPU without the ability of recovery... "Disabling the Management Engine, long believed to be impossible, is now possible and available in all current Librem laptops. It is also available as a software update for previously shipped recent Librem laptops," says Todd Weaver, Founder & CEO of Purism.

Upgrades?

[goombah99]

Does this also mean they can "unlock" the soft-locked downgrades on the cheaper processor series to make them full strength?

So if the management engine isn't actually necessary what actually does it provide?

Is this new one open source? or have we met the new boss, same as the old boss?

What country is Purism based in or owned by?

Re:Upgrades?

[fph+il+quozientatore]

So if the management engine isn't actually necessary what actually does it provide?

Oh, honey. It's a backdoor by the NSA. They can remotely access your computer, no matter what is installed on it, and even if it's turned off. No, I'm not kidding and it's not a conspiracy theory.

Re:Upgrades?

[guruevi]

On your first question, usually the cheaper processors these days are actually different layouts, a long, long time ago this wasn't the case but then it was a case of binning, you could potentially get lucky but it was usually a more expensive model that got rejected but still ran on slower speeds with large portions of cache and other features disabled (eg. due to low yields on the wafer). These days production has gotten smaller, better and cheaper so yields are rarely a problem and even if they were, they probably wouldn't produce useful products anymore.

The management engine provides exactly that, management. It's intended for servers and enterprise systems. It's a form of baked-in IPMI and these days runs a version of MINIX. It can connect either directly or over VPN to your corporate environment and then you can remotely manage the machine, it can do security posture assessments (because it's not controlled by the OS, it can peer into hypervisors or compromised hosts), it can even emulate a serial port so you can connect to your host if you're running Linux/Unix-type systems.

Nothing about this is open source besides it being based on MINIX, to actually use it you have to pay Intel for their closed source software to be able to access the devices.

Purism is a computer technology company based in South San Francisco, California and registered as a social purpose corporation in the state of Washington.

Excellent

[gweihir]

It is time to regard the ME (and the AMD equivalent) as what they are: Hardware back-doors. I would like to see more research into breaking into them, disabling them and eventually also reprogramming them. Until the CPU manufacturers hand out full documentation and a reliable way to disable, they must be regarded as malicious attackers in any scenario where security matters.

In the end, this is a good thing however. With a bit of luck, nobody will get away with hidden undocumented hardware in the not so distant future.

We need software freedom. Always.

[jbn-o]

We already knew from their announcement that they were backdoors, and the Intel ME security problems confirmed this. In addition to documentation on how to use and disable the system, we also need software freedom—controlling our own computers requires the freedom to run, inspect, share, and modify the software, and exclusive control over any encryption keys used so we can decide who else gets to control the hardware with us. Until we have software freedom these devices are not good at all, they are a clear threat to our ability to exclusively control our own computers.

This is also why computers with other architectures are so interesting and important. As far as we know POWER, PPC, and other architectures either don't have backdoors built into the hardware or the comparable hardware comes with user-revocable keys and respect for our software freedom. This is a good time to get away from Intel/AMD systems. They're not trustworthy.

Re:Fuck these Intel chips. Buy from AMD.

[markdavis]

>>AMD has similar features in theirs as well.

>Do you have any evidence of this? I'd like to learn more about that
A link or two would be nice.

Platform Security Processor (PSP); it is exactly the same as Intel's backdoor- hardware based, secret, non-controllable.

https://hothardware.com/news/a...

https://www.techpowerup.com/23...

https://libreboot.org/amd-libr...

https://en.wikipedia.org/wiki/...

Obligatory:Intel CPU Backdoor Report (May 5 2017)

All Intel did was added another hidden switch only they know how to switch on, like a unique wifi signal or magic packet on the onboard nic.

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version: