System76 Will Disable Intel Management Engine On Its Linux Laptops

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.

Re:I will only buy non-Intel chips now

[Narcocide]

At this point all AMD has to do is willingly release the information to provably disable their own management engine equivalent and they can sweep the market.

Re: I will only buy non-Intel chips now

[lucasnate1]

Too late, amd has psp.

It should be opt-in, not opt-out

[Picodon]

...I can't agree with the many reactionary Slashdot commenters...

...there should be a simple and transparent way to completely and verifiably disable it, ...

I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are in arms over this. They are not over-reacting.

So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).

Minix more popular on laptops than Linux

[Keruo]

Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?

(The management engine runs custom version of Minix)