System76 Will Disable Intel Management Engine On Its Linux Laptops

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.

Having worked at Intel...

[GerryGilmore]

...IME was originally designed for servers only. Any OldFarts(TM) out there - remember crash carts? Yeah, the ability to remotely power-cycle servers was a really big deal when you're running hundreds/thousands of servers and VMs were just a pie in the sky. Also, basic front-end network management 101 handled security. There are still good reasons to allow IME in server deployments, but I see no good reason for including this in laptops. I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.

It should be opt-in, not opt-out

[Picodon]

...I can't agree with the many reactionary Slashdot commenters...

...there should be a simple and transparent way to completely and verifiably disable it, ...

I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are in arms over this. They are not over-reacting.

So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).

Re:/.ers clearly disagree OrangeTide FAKE name

[rot16]

I didn't know people like this existed. Until today. I feel like being extremely privileged.