Purism, a startup that aims to develop privacy-focused devices, announced that it has now disabled Intel’s Management Engine (ME). The company, and many privacy activists, believe that because Intel’s ME is a black box to the user, it could hide backdoors from certain intelligence agencies. Alternatively, it may contain vulnerabilities that could even be unknown to Intel, but which might still be exploited by sophisticated attackers to bypass the operating system’s security.
Disabling Intel ME
Intel ME is a separate CPU and firmware that can control a computer even when powered off. The system can also completely bypass any operating system protections, as it’s a lower-level system.
The ME chip was introduced in 2008 to Intel’s processors. If a vulnerability is found in it, it can typically affect all Intel CPUs going back to that date, as one such vulnerability recently showed.
Researchers have been trying to disable the ME system for years, because it hasn’t been easy to do it in a way that can be verified. Plus, there was the danger that the rest of the chip would stop functioning without it. It doesn’t look like Intel has been actively trying to stop researchers from messing with its ME processor yet, but if it wants, the company could probably double down on making its future CPUs inoperable without the ME system enabled.
The Librem laptops use Coreboot firmware, which is an open source alternative to BIOS and UEFI for Linux. The company said that using Coreboot is one of the primary reasons why they were able to disable Intel ME in the first place. Coreboot allowed them to dig down on how the processor interacts with this firmware and with the operating system.
Purism had already "neutralized" the Intel ME system on its Librem laptops, which essentially meant that the mission-critical components of Intel ME were removed. However, this could still cause some errors, because the Intel ME would still be “fighting” Coreboot’s attempt to neutralize it. With the new method that disables it, the Intel ME can be shut down gracefully.
Purism’s laptops will continue to support both methods for extra security, just in case the Intel ME is able to “wake-up” somehow, after it’s disabled.
A New “ME Core”
According to Purism, the previous Intel Broadwell-based Librem laptops used version 10.x of ME and an ARC RISC processor, designed by ARC International. Starting with version 11.x of ME, which came with the Skylake microarchitecture, Intel seems to have switched to an x86 ME processor. This makes both the hardware and the firmware for these processors quite different. It’s also why it took some time for the Purism team (as well as other researchers) to remove ME modules without breaking anything else.
Some of the code in the ME firmware on both version 10.x and 11.x seems to have been written in Read-Only Memory (ROM), so there was no way to remove that code before. However, most of that ROM code from Intel ME 10.x firmware has moved to flash memory, which means more ME code can now be removed in version 11.x.
The Purism developers say they still have more work to do to completely reverse-engineer the Intel ME system, and they hope that with help from other researchers they’ll eventually be able to do it. The final goal here seems to be to completely remove Intel ME firmware from Intel systems. Removing it would mean that the ME processor and firmware would never be able to execute anything at any time.
Intel ME Disabled By Default On Librem Laptops
Both Librem 13 and Librem 15 laptop models will now ship with Intel ME disabled by default. Customers who have purchased the older Librem laptops will also receive an update that will disable Intel ME on their systems.
“Purism, in the long-term pursuit of liberating hardware at the lowest levels, still has more work to do,” said Youness Alaoui, Hardware Enablement Developer at Purism.“Removing the management engine entirely is the next step beyond just disabling it. Coreboot also includes another binary, the Intel FSP, a less worrisome but still important binary to liberate, incorporating a free vBIOS is another step Purism plans to take. The road to a completely free system on current Intel CPUs is not over, but the largest step of disabling the Management Engine is arguably the largest milestone to cross,” he added.
While it's been figuring out how to disable Intel ME on its laptops, Purism has also begun working on a privacy-focused smartphone called the Librem 5. The company has already passed its goal by 24%, with three days left in its crowdfunding campaign.