On Friday, 14 September 2018 08:53:51 BST Marc Joliet wrote:
> On Friday, 14 September 2018, 04:47:21 CEST, james wrote:
> > > Me cleaner only nerfs it by removing various modules, either BUP (init)
> > > still runs or the kernel still runs plus any option/mask roms.
> >
> > Perhaps a bit of detail on this?
>
> Taiidan is referring to https://github.com/corna/me_cleaner. I don't
> remember the details (and have no experience with it), but AFAIK it does
> remove a good chunk of the ME.
>
> HTH
Yes, there's a description in the URL James had posted when starting this thread:

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine

"Nicola Corna's me_cleaner ... removes the vast majority of the ME's software modules (including network stack, RTOS and Java VM), leaving only the essential 'bring up' components (the latter being necessary because, on modern systems if the IME fails to initialize, either the machine startup will be completely halted at that point, or startup will appear to complete, only for a watchdog timer to reset the whole PC 30 minutes later)."

So, the Management Engine itself is not disabled, only some of its modules. To an extent the ME is partially incapacitated, but the engine itself within the CPU is alive and kicking and it's only a re-flash away from being re-enabled.

With AMD's PSP/Secure Technology an out-of-band embedded Arm processor presents a major security backdoor. Ryzenfall, Fallout and Chimera are all vulnerability beauties available to compromise your security, courtesy of AMD's dev dept. It makes me smile that MS Azure is apparently running on these CPUs. No ME cleaner equivalent is available for these CPUs yet.

As Taiidan has mentioned, only old MoBos of the Intel/AMD oligopoly are safe from being pawned-by-design, as well as IBM's POWER9. For laptops, however, as far as I know there is little choice other than recycling old MoBos.

-- 
Regards,
Mick