Disabling the Intel Management Engine

Posted by Megalith 8:45 AM (CDT)

Thursday October 12, 2017

Sakaki has published an updated guide for those who consider the Intel Management Engine (IME) an unacceptable security risk and wish to disable it. The IME is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs that has full network and memory access and runs proprietary, signed, closed-source software at ring -3, independently of the BIOS, main CPU, and platform operating system.

You may wonder how this can work at all, given that the ME's code is signed. The reason is that the ME's software is deployed as individually signed modules that are signature checked only when loaded -- and they are lazy loaded. The very first module, BUP, contains the watchdog timer reset, and is left alone by me_cleaner. Once BUP has completed, the ME will either enter a "parked" state (if the HAP/AltMeDisable bit is respected) or try to load the RTOS kernel (if not). In the former, the ME is cleanly disabled. In the latter, the signature check fails and the ME effectively crashes. Either way, it is out of action from that point.