Slashdot Mirror


System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com)

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.

8 of 149 comments

  1. Re:If it works by Narcocide · · Score: 3, Interesting

    I want to belieeeeeve!!! Save us, System76, you're our only hope!!

  2. Re:I will only buy non-Intel chips now by Narcocide · · Score: 5, Interesting

    At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.

  3. Re:Yawn by Anonymous Coward · · Score: 2, Interesting

    Typical Slashdot user who is never satisfied by any progress toward something nice...

  4. Re:LOL! Not really (downmod me? I repost)... apk by OrangeTide · · Score: 4, Interesting

    Your downmodded posts aren't hidden. They are correctly categorized as garbage. Some people will browse and see the 0 and -1 garbage, usually other mods or brave people with too much free time.

    Reasons that APK deserves frequent downmodding:
      1. lacks an account and always posts as AC
      2. makes duplicate posts
      3. admits to trying to avoid moderation
      4. frequently posts off-topic advertisements for his [free] products and services.
      5. talks like a git. Really, his English phrasing is bizarre.

    --
    “Common sense is not so common.” — Voltaire
  5. Re:I will only buy non-Intel chips now by Anonymous Coward · · Score: 2, Interesting

    Yeah, like how when Windows 10 introduced telemetry, it became the Year of the Linux Desktop... that's right, isn't it?

  6. Minix more popular on laptops than Linux by Keruo · · Score: 5, Interesting

    Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?

    (The management engine runs a custom version of Minix.)

    --
    There are no atheists when recovering from tape backup.
  7. Re:Having worked at Intel... by tlhIngan · · Score: 4, Interesting

    I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.

    No, it was brought into the main chips because servers have stuff like IPMI and ILO for remote management, but employee PCs do not. And the same reason servers can be remotely managed can be applied to employee PCs and laptops. The only difference is servers are usually concentrated in a few areas, so it's much easier for 10,000 servers to be locally managed than 10,000 PCs, making the case for remote management of PCs even more critical.

    You can do bare metal bringups - perhaps the employee got to their desk and their PC is dead - it won't load the OS and there are lots of error messages. It's effectively iLO or IPMI for consumer grade machines.

    Of course, you can't "disable" IME - you can neuter it. The firmware that controls power and boot and startup and all that must still run in order for the main CPU to be brought up, so you need IME to do that part. Neutering basically disables all the remote management while leaving the power management code still active.

  8. EZ way to cripple Intel AMT/ME by Anonymous Coward · · Score: 2, Interesting

    Stop its ability to send info outward via router port filtering of the ports 16992-16995 + 623-625 that Intel AMT/ME uses, in a modem/router external to the OS/PC.

    Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (easy via software, as articles note)? Malware to 'repatch' this = impossible (BIOS updaters require it in usermode ware, e.g. ASUS).

    (I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

    HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/

    * GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!

    APK

    P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
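As an added example (not from the thread, System76 or Intel): the port-filtering idea above can be checked from the router's own logs rather than taken on faith. This Python snippet scans constructed netfilter-style log lines for flows on the AMT/ME ports the comment lists (16992-16995 and 623-625) and reports any the firewall accepted, which is the sign the filter rule is missing or wrong. The `wan`/`lan` interface names and the `[FW-DROP]`/`[FW-ACCEPT]` log prefixes are assumptions.

```python
import re

# Port ranges the comment names for Intel AMT/ME: 16992-16995 (web/redirection) and 623-625 (ASF/RMCP).
AMT_PORT_RANGES = ((16992, 16995), (623, 625))

# Constructed sample lines in netfilter LOG format; interface names and [FW-*] prefixes are assumed.
SAMPLE_LOG = """\
Nov 30 10:01:02 gw kernel: [FW-DROP] IN=wan OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=16992
Nov 30 10:01:05 gw kernel: [FW-ACCEPT] IN=lan OUT=wan SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=44321 DPT=443
Nov 30 10:02:11 gw kernel: [FW-DROP] IN=lan OUT=wan SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=623 DPT=623
Nov 30 10:03:40 gw kernel: [FW-ACCEPT] IN=wan OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=16995
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def is_amt_port(port: int) -> bool:
    """True if the port lies in one of the AMT/ME ranges."""
    return any(lo <= port <= hi for lo, hi in AMT_PORT_RANGES)

def parse_log_line(line: str) -> dict:
    """Extract KEY=VALUE fields and the bracketed rule tag as 'action'."""
    fields = dict(FIELD_RE.findall(line))
    m = re.search(r"\[([A-Z-]+)\]", line)
    fields["action"] = m.group(1) if m else "UNKNOWN"
    return fields

def find_amt_flows(log_text: str) -> list:
    """Every logged flow touching an AMT port, with direction and whether the firewall let it through."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if "DPT" not in f:
            continue  # not a connection record
        ports = {int(f["DPT"]), int(f.get("SPT", "0"))}  # check both ends of the flow
        if not any(is_amt_port(p) for p in ports):
            continue
        hits.append({
            "src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"], "dpt": int(f["DPT"]),
            "direction": "inbound" if f.get("IN") == "wan" else "outbound",
            "leaked": f["action"] == "FW-ACCEPT",  # ACCEPT on an AMT port means the filter is not holding
        })
    return hits

def leaked_flows(log_text: str) -> list:
    """Only the AMT flows the firewall accepted; an empty list means the filtering rule is working."""
    return [h for h in find_amt_flows(log_text) if h["leaked"]]
```

Calling `leaked_flows(SAMPLE_LOG)` on the constructed log returns the single accepted inbound flow to port 16995; on a correctly filtered router the list should be empty.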