Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] disable Intel Mgr Engine
Date: Fri, 14 Sep 2018 15:58:18
Message-Id: 2516165.hqPxLyQrZX@dell_xps
In Reply to: Re: [gentoo-user] disable Intel Mgr Engine by Marc Joliet
On Friday, 14 September 2018 08:53:51 BST Marc Joliet wrote:
> On Friday, 14 September 2018, 04:47:21 CEST, james wrote:
> > > Me cleaner only nerfs it by removing various modules, either BUP (init)
> > > still runs or the kernel still runs plus any option/mask roms.
> >
> > Perhaps a bit of detail on this?
>
> Taiidan is referring to https://github.com/corna/me_cleaner. I don't
> remember the details (and have no experience with it), but AFAIK it does
> remove a good chunk of the ME.
>
> HTH

Yes, there's a description in the URL James had posted when starting this
thread:

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

"Nicola Corna's me_cleaner ... removes the vast majority of the ME's software
modules (including network stack, RTOS and Java VM), leaving only the
essential 'bring up' components (the latter being necessary because, on modern
systems if the IME fails to initialize, either the machine startup will be
completely halted at that point, or startup will appear to complete, only for
a watchdog timer to reset the whole PC 30 minutes later."

So, the Management Engine itself is not disabled, only some of its modules.
To an extent the ME is partially incapacitated, but the engine itself within
the CPU is alive and kicking and it's only a re-flash away from being
re-enabled.

With AMD's PSP/Secure Technology, an out-of-band embedded Arm processor
presents a major security backdoor. Ryzenfall, Fallout and Chimera are all
vulnerability beauties available to compromise your security, courtesy of
AMD's dev dept. It makes me smile that MS Azure is apparently running on
these CPUs. No ME cleaner equivalent is available for these CPUs yet.

As Taiidan has mentioned, only old MoBos of the Intel/AMD oligopoly are safe
from being pawned-by-design, as well as IBM's POWER9. For laptops, however, as
far as I know there is little choice other than recycling old MoBos.

--
Regards,
Mick
