Slashdot Mirror


Dell Begins Offering Laptops With Intel's 'Management Engine' Disabled (liliputing.com)

An anonymous reader quotes Liliputing.com: Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world's largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

At least three Dell computers can be configured with an "Intel vPro -- ME Inoperable, Custom Order" option, although you'll have to pay a little extra for those configurations... While Intel doesn't officially provide an option to disable its Management Engine, independent security researchers have discovered methods for doing that and we're starting to see PC makers make use of those methods.

The option appears to be available on most of Dell's Latitude laptops (from the 12- to 15-inch screens), including the 7480, 5480, and 5580 and the Latitude 14 5000 Series (as well as several "Rugged" and "Rugged Extreme" models).

Dell is charging anywhere from $20.92 to $40 to disable Intel's Management Engine.

6 of 140 comments

  1. Disabling the Intel ME - direct story link by 93 Escort Wagon · · Score: 4, Informative

    Rather than having to follow yet another Slashdot link to another Slashdot link, which then has a link to the actual story - here is a direct one:

    Researchers find a way to disable Intel's Management Engine.

    --
    #DeleteChrome
  2. Re:Thanks for the value Dell! by Anonymous Coward · · Score: 2, Informative

    We need open, auditable, trustworthy hardware, and that means not x86.

    It's not in the CPU - the IME is in the South Bridge. AMD has their own version. I wouldn't be surprised if ARM has theirs as well.

  3. Re:does AMD have this sort of feature? by orionpi · · Score: 3, Informative

    Yes, it's called a "Platform Security Processor".

    1. https://libreboot.org/faq.html...

  4. Re: Thank you to the Linux laptop vendor by Anonymous Coward · · Score: 5, Informative

    You forgot about Purism. I believe they were the first ones to offer laptops with Intel ME disabled, back in October.

    https://hardware.slashdot.org/story/17/10/29/0324201/purism-now-offers-laptops-with-intels-management-engine-disabled

  5. ME Cleaner on github by alexo · · Score: 3, Informative
  6. Re:Thanks for the value Dell! by Anonymous Coward · · Score: 3, Informative

    TrustZone is just a hardware-level (think at the data bus level) capability to allow software to be non-secure (e.g., Normal World) or secure (e.g., Secure World). This happens at the AXI interface level with a special bit called the 'NS bit'. Every single AXI transaction carries this bit. Now, on its own this is harmless as TrustZone requires another software-level portion of this called the TrustZone Secure Monitor (ARMv7 and prior) or ARM Trusted Firmware (ARMv8 and later).

    ARM Trusted Firmware (ATF) is open source here: https://github.com/ARM-software/arm-trusted-firmware
    TrustZone is described here: https://www.arm.com/products/security-on-arm/trustzone

    This is COMPLETELY DIFFERENT technology from what is being done by Intel because this TrustZone/ATF are technologies that run on the actual CPU and actually time-share CPU cycles while the CPU is alive. If the CPU is not up and running and configured properly then they are completely useless and have no impact on security.

    What Intel is doing is having a *COMPLETELY SEPARATE* computing subsystem on the chipset that operates independently of your traditional x86 CPU cycles. That is what makes it so dangerous. Its operation is completely asynchronous to anything else.