System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com)
System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.
Too late, AMD has PSP.
Avantgarde Hebrew science fiction
There was new-ish news about this from the summer. A few privacy-minded places are starting to shut the ME down in various ways, some by spoofing the flag the government uses to disable it on its own systems, others in other ways.
...IME was originally designed for servers only. Any OldFarts(TM) out there - remember crash carts? Yeah, the ability to remotely power-cycle servers was a really big deal when you're running hundreds/thousands of servers and VMs were just a pie in the sky. Also, basic front-end network management 101 handled security. There are still good reasons to allow IME in server deployments, but I see no good reason for including this in laptops. I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.
Your downmodded posts aren't hidden. They are correctly categorized as garbage. Some people will browse and see the 0 and -1 garbage, usually other mods or brave people with too much free time.
Reasons that APK deserves frequent downmodding:
1. lacks an account and always posts as AC
2. makes duplicate posts
3. admits to trying to avoid moderation
4. frequently posts off topic advertisements for his [free] products and services.
5. talks like a git. Really, his English phrasing is bizarre.
“Common sense is not so common.” — Voltaire
...I can't agree with the many reactionary Slashdot commenters...
...there should be a simple and transparent way to completely and verifiably disable it, ...
I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such a feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are up in arms over this. They are not over-reacting.
So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).
Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?
(The management engine runs a custom version of Minix)
There are no atheists when recovering from tape backup.