On 09/18/2017 10:33 PM, alexclay...@gmail.com wrote: > Has anyone here successfully disabled the Intel ME yet? > > http://blog.ptsecurity.com/2017/08/disabling-intel-me.html > > I'm hoping a future release of Qubes integrates this into the install > process for us. Or be downloadable as a package like Anti-Evil Maid? > > Thoughts? > This is an extremely risky and highly ad-hoc procedure that cannot be easily automated. As you can understand from the article, newer ME versions manage the boot process so some level of functionality is required just to have a working computer.
Being an opaque component, different versions have highly variable level of built-in functionality and architecture position, so while some ME versions on some chipsets could just be zapped away, others have to be patched, reflashed, bypassed or replaced to be disarmed. Hence, the operations to "disarm" ME still resemble more surgery than patching; our only hopes are that Intel will give a simple way of disabling the unneeded "services" (i.e. network services?) with something reasonable like a hardware jumper of some sort. They will be able to give the HAP guarantees to their customers without impairing security for everybody else... -- Alex -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/338cf7e2-e5ee-eafd-4187-6d829f2dbb01%40gmx.com. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature