Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com)

Posted by EditorDavid on from the mismanagement-engine dept.

An anonymous reader quotes Liliputing.com Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.
The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).

Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.

8 of 140 comments (clear)

  1. Disabling the Intel ME - direct story link by 93+Escort+Wagon · · Score: 4, Informative

    Rather than having to follow yet a Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:

    Researchers find a way to disable Intel's Management Engine.

    --
    #DeleteChrome
  2. Re:Thanks for the value Dell! by Anonymous Coward · · Score: 2, Informative

    We need open, auditable, trustworthy hardware, and that means not x86.

    It's not in the CPU - the IME is in the South Bridge. AMD has their own version. I wouldn't be surprised if ARM has theirs as well.

  3. Re:"Disabled", not disabled. by Anonymous Coward · · Score: 0, Informative

    You don't know what you're talking about in this case, it is physically disabled.

  4. Re:does AMD have this sort of feature? by orionpi · · Score: 3, Informative

    Yes, it's called a "Platform Security Processor".

    1. https://libreboot.org/faq.html...

  5. Re: Thank you to the Linux laptop vendor by Anonymous Coward · · Score: 5, Informative

    You forgot about Purism. I believe they were the first ones to offer laptops with Intel ME disabled, back in October.

    https://hardware.slashdot.org/story/17/10/29/0324201/purism-now-offers-laptops-with-intels-management-engine-disabled

  6. Re:"Disabled", not disabled. by NicknameUnavailable · · Score: 1, Informative

    Intel and Dell aren't even remotely the same. Intel is a largely foreign-owned corporation which integrates sleazy components like the management engine under secret projects on behalf of alphabet agencies. Dell on the other hand has the best hardware support I've encountered in my decade and a half in IT while the fucking owner is extremely approachable. I sent him a message years back, had a genuine conversation, and he seemed legitimately like a cool person who was really passionate about his projects - while I was/am ostensibly a nobody from the perspective of anyone worth billions of dollars. I've never heard a bad story about Dell from anyone in person beyond "shit broke and I was too lazy to take advantage of the support service," and have had dozens of times where things were well beyond (by years) any support agreement or warranty on the individual piece of hardware and they still replaced the parts after simply calling and paying for postage.

  7. ME Cleaner on github by alexo · · Score: 3, Informative

    https://github.com/corna/me_cl...

  8. Re:Thanks for the value Dell! by Anonymous Coward · · Score: 3, Informative

    TrustZone is just a hardware-level (think at the data bus level) capability to allow software to be non-secure (eg, Normal World) or secure (eg, Secure World). This happens at the at the AXI interface level with a special bit called the 'NS bit'. Every single AXI transaction carries this bit. Now, on its own this is harmless as TrustZone requires another software-level portion of this called the TrustZone Secure Monitor (ARMv7 and prior) or ARM Trusted Firmware (ARMv8 and later).

    ARM Trusted Firmware (ATF) is open source here: https://github.com/ARM-software/arm-trusted-firmware
    TrustZone is described here: https://www.arm.com/products/security-on-arm/trustzone

    This is COMPLETELY DIFFERENT technology from what is being done by Intel because this TrustZone/ATF are technologies that run on the actual CPU and actually time-share CPU cycles while the CPU is alive. If the CPU is not up and running and configured properly then they are completely useless and have no impact on security.

    What intel is doing is having a *COMPLETELY SEPARATE* computing subsystem on the chipset that operates independently of your traditional x86 CPU cycles. That is what makes it so dangerous. Its operations is completely asynchronous to anything else.