Blog of All Trades

Bewildering botany, free software fanaticism, reliable book reviews, 'mazing math

March 30, 2021

Freedom Guide to Intel ME on old ThinkPads

funny picture mocking Intel ME

All About ME

The Intel Management Engine is a miniature CPU found in all Intel chipsets since 2006. Intel created it ostensively to help systems administrators remotely manage employee's computers. The Management Engine or "ME" became the sysadmin's best friend by logging events back to their server, enabling remote BIOS updates, and giving them remote control of the device. Unfortunately, the ME is not all sunshine and flowers. To make these useful features possible, the ME is granted intimate access to the device. The ME has direct memory access to all RAM, has network access that bypasses the computer's firewall, and is always on. If this isn't alarming enough from a security perspective (multiple vulnerabilites have been found in this chip that would give hackers undetectable, full control of devices), it is terrifying to anyone concerned about the growing survillence-state. Big tech companies like Microsoft have a history of complying with the US government's orders to insert backdoors into products and government intelligence agencies have the legal authority to force unwilling companies to do so.

The Three Eras of ME

here. The Lenovo BIOS update images that I have linked to is used for updating the EC firmware before flashing Libreboot. Instructions on updating the EC firmware (along with updating the BIOS) are found here.

Corebootable ME-neuterable ThinkPads

[1] https://media.ccc.de/v/34c3-8782-intel_me_myths_and_reality This talk has good information on the origins of ME but contains faulty reasoning that leads Skrchinsky and Corna to conclude ME is no big deal. For instance, externally testing ME is not comparable to a source code audit because it cannot disprove the existance of backdoors triggered by a special, untested code. In addition, the US government requesting the HAP bit does not prove that ME is innocuous, if anything it suggests the government knows ME for the security liability it is.