Linux Computer Vendor System76 To Disable Intel ME Firmware

System76, a vendor of Linux-based laptops, PCs, and servers, will join another Linux laptop maker, Purism, as well as Google and the NSA in disabling the Intel Management Engine (ME) firmware, which has recently been found to contain multiple vulnerabilities. Intel ME provides few to no benefits to consumer laptops, but Intel has nonetheless been integrating it into all of its chips since 2008.

Intel ME Vulnerabilities

The Intel ME, which includes its own processor and operating system running underneath the user-level operating system, has long been considered a security risk by privacy activists. One reason for this is ME’s potential to contain a backdoor: it is essentially a black box that can control and bypass any OS-level security protection, and users cannot gain access to it.

We’ve only recently discovered, through Positive Technologies, a Russian security firm that has been working on disabling ME, that the NSA was the only one that could disable the ME via an undocumented High Assurance Platform (HAP) mode. This undocumented mode can now also be used to disable ME by Google, Purism, and System76.

The second reason why privacy activists have been suspicious of Intel ME was that ME could contain bugs, like any other system, which could then give attackers remote access to any Intel-based machine.

This theory was proven twice already this year, with Intel having to eventually acknowledge that multiple vulnerabilities existed in ME. The company released fixes to laptop makers and motherboard manufacturers, as well as a detection tool for users. The computer companies will have to release the final patches to their users, and then the users will have to download and install those updates. Otherwise, their systems will still be vulnerable to bugs that are now public and completely known to all malware developers.

System76 Disables ME

System76 has already been working on delivering automatic firmware patches to its customers’ devices, which works similarly to how operating systems receive their automatic updates these days. The company said that it will use the automatic firmware patch system to deliver updated firmware with ME disabled to all of its customers’ machines that come with an Intel 6th generation CPU or newer.

System76 also reassured its customers that ME provides no functionality needed by consumer machines, so it is safe to disable. The company warned that Intel may change ME in the future so that consumer devices can no longer disable the firmware, but it hopes Intel will not do that.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jimmysmitty
    Disabling ME is a pretty big jump. It has a lot of controls built in for multiple parts of the CPU so I wonder how the CPUs will perform with it disabled.

    That said, the only possible back door I could see is in a vPro-enabled platform. A lot of consumer boards use non-Intel NICs, which alone kills vPro.
  • pnh2052
    Or you could buy only PCs with AMD chips. I hate when people reflexively say the market will fix it, because it often does not, but there is a chance it could in this case.
  • technomeyer
    This is a dangerous form of crapware.
  • jabliese
    Anyone else a little nervous about the phrase "automatic firmware patch?" What is the guarantee if they brick your hardware?