On 28.03.21 09:24, Gert Vanhaerents wrote:
> "Please note, that coreboot has nothing to do with the Intel Management Engine as it's a separate "chip" running its own firmware [1]."
> Can I completely disable that Intel ME software via coreboot?
No. At various levels. But you can probably use similar tools, e.g. flashrom, to *reduce* its firmware. What I'm going to suggest later should be independent of the host firmware (e.g. BIOS, UEFI or coreboot).
First thing to understand is that the Intel ME is no spyware and nothing evil per se. Somewhat bad, though: its firmware is not open-source and it's a security risk.
The "Binary situation" page Paul linked is a bit outdated (about 7 years, I guess). It mentions a Panic level of 9,000+ for the ME. One has to know that the authors of this page would probably never consider running Windows. For comparison, I guess that would be Panic level 100,000.
FWIW, people mostly call it spyware or backdoor because they bought a computer, didn't read the manual, and were later taken by surprise when they learned what their computer can do. There are scary things, that's true, but they are usually advertised (e.g. Remote Management, Anti-Theft, these things are sold, not hidden).
Modern computers are full of tiny, programmable processors. The ME is just one of them, albeit a very powerful one. What draws attention to the ME are two things, IMO:
* A huge part of its firmware usually resides in the BIOS flash.
* The firmware optionally has networking capabilities.
The ME (processor) starts executing code from a ROM embedded in the chipset. The last time one could completely disable this was over a decade ago (Intel 4 series chipsets, before the Core i* processors).
Today, the ROM code and some hundred kilobytes of firmware in flash are essential for the computer to work. However, Intel refuses to provide a firmware package that does just this essential part and nothing else. It existed before, though, for the first generation of Core i chipsets. They call it an "ignition" firmware. If you ask Intel for it, they will tell you that nobody else wants it, so they won't provide it. It's not true. They tell that to everyone about everything that isn't on their own agenda. Pressure was high enough to make them release an ignition firmware for a server platform lately, though.
If you have any contact to Intel, ask them for ignition firmware! At the very least they'd see another one asking.
What can be done about it:
* If you have an NDA with Intel, you can use their tools to disable unwanted features of the ME firmware. Also, there are usually two variants of the firmware: "consumer" and "corporate". On the Clevo devices I would expect the former.
* There is something for newer chipsets introduced for Chromebooks, an ME "lite SKU". This may be similar to an ignition firmware, I don't know yet. Ask Intel about it :)
* For some chipsets there is a configuration bit, sometimes called AltMeDisable or HAP, to disable non-essential parts of the firmware (even if they are present in flash). FWIW, people have had positive experiences with this (i.e. systems are still stable enough to sell them). But don't blame me if something goes wrong ;)
* There is a tool `me_cleaner` that may be able to reduce the firmware but it sometimes compromises stability.
For the sake of completeness, here are some points that I know people (not me) might miss after "cleaning" the ME:
* Integrated (firmware) TPM
* PAVP (Intel's DRM tech to stream high-resolution, protected video)
In any case, to alter the ME firmware in flash, you need write access, and -- same as with the BIOS -- it depends on the current configuration of the machine if you can do that without an external flash programmer.
Nico
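Worked example for the "configuration bit" option above (added here; this is not Nico's code nor me_cleaner's, and nothing in the original post). It walks the Intel flash descriptor of a dumped SPI image to locate the ME region and the PCH strap area, then sets the HAP bit (ME 11+) or the AltMeDisable bit (ME 6-10) in a copy of the file. The strap offsets (HAP = bit 16 of PCHSTRP0; AltMeDisable = bit 7 of PCHSTRP10 at FPSBA + 0x28) are an assumption taken from what me_cleaner does and should be checked against your chipset's datasheet. The 16 KiB input image is constructed inline so the script runs offline; writing the result back to the chip is a separate flashrom step and, as the post says, may require an external programmer depending on the machine's current write protection.

```python
"""Flash-descriptor walker for an SPI flash dump: finds the ME region and
sets the HAP / AltMeDisable strap bit in a copy of the image.
Added example, not the mailing-list author's code.  It only edits a file;
writing the result back to the chip (flashrom or an external programmer)
is a separate step and may be blocked by the current write protection.
"""
import struct
import sys

# Signature Intel flash descriptors carry at offset 0x10.
DESCRIPTOR_MAGIC = 0x0FF0A55A
REGION_NAMES = ("descriptor", "bios", "me", "gbe")


def parse_descriptor(img):
    """Return region table base, PCH strap base and the first four region bounds."""
    if len(img) < 0x20:
        raise ValueError("image too small for a flash descriptor")
    (magic,) = struct.unpack_from("<I", img, 0x10)
    if magic != DESCRIPTOR_MAGIC:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # FLMAP0[23:16]: region table base
    fpsba = ((flmap1 >> 16) & 0xFF) << 4  # FLMAP1[23:16]: PCH strap base
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", img, frba + 4 * idx)
        base = (flreg & 0x7FFF) << 12                      # FLREG[14:0], 4 KiB units
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF   # FLREG[30:16], inclusive end
        # A base above the limit is the conventional encoding for "region not present".
        regions[name] = (base, limit) if base <= limit else None
    return {"frba": frba, "fpsba": fpsba, "regions": regions}


def find_fpt(img):
    """Absolute offset of the '$FPT' partition-table magic inside the ME region, or None."""
    region = parse_descriptor(img)["regions"]["me"]
    if region is None:
        return None
    base, limit = region
    pos = img.find(b"$FPT", base, min(limit + 1, len(img)))
    return None if pos < 0 else pos


def me_disable_strap(img, me11):
    """(offset, mask) of the strap bit that disables the non-essential ME modules.

    Assumption, taken from what me_cleaner does: ME 11+ (Skylake and later)
    use HAP = bit 16 of PCHSTRP0; ME 6-10 use AltMeDisable = bit 7 of
    PCHSTRP10 at FPSBA + 0x28.  Check against your chipset's datasheet.
    """
    fpsba = parse_descriptor(img)["fpsba"]
    return (fpsba, 1 << 16) if me11 else (fpsba + 0x28, 1 << 7)


def is_me_disable_set(img, me11):
    """True if the HAP (me11=True) or AltMeDisable (me11=False) bit is already set."""
    off, mask = me_disable_strap(img, me11)
    (strap,) = struct.unpack_from("<I", img, off)
    return bool(strap & mask)


def set_me_disable(img, me11):
    """Return a copy of img with the strap bit set; all other bytes untouched."""
    off, mask = me_disable_strap(img, me11)
    out = bytearray(img)
    (strap,) = struct.unpack_from("<I", out, off)
    struct.pack_into("<I", out, off, strap | mask)
    return bytes(out)


def build_sample_image():
    """Constructed 16 KiB dump: descriptor 0x0000-0x0FFF, ME 0x1000-0x2FFF,
    BIOS 0x3000-0x3FFF, no GbE region; straps at 0x100 with both bits clear."""
    img = bytearray(b"\xff" * 0x4000)
    struct.pack_into("<I", img, 0x10, DESCRIPTOR_MAGIC)
    struct.pack_into("<II", img, 0x14, 0x00040003, 0x00100006)  # FRBA=0x40, FPSBA=0x100
    struct.pack_into("<IIII", img, 0x40,
                     0x00000000, 0x00030003, 0x00020001, 0x00007FFF)
    struct.pack_into("<I", img, 0x100, 0)   # PCHSTRP0, HAP clear
    struct.pack_into("<I", img, 0x128, 0)   # PCHSTRP10, AltMeDisable clear
    img[0x1010:0x1014] = b"$FPT"            # ME partition table header magic
    return bytes(img)


if __name__ == "__main__":
    # usage: python me_strap.py [dump.bin out.bin]   (defaults to the built-in sample)
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    info = parse_descriptor(img)
    print("ME region: %s, $FPT at %s" % (info["regions"]["me"], find_fpt(img)))
    print("HAP set: %s" % is_me_disable_set(img, me11=True))
    patched = set_me_disable(img, me11=True)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Run it against a full-chip dump taken with flashrom (e.g. `flashrom -p internal -r dump.bin`, if the descriptor and write protection allow internal access at all) and diff the output against the input: only the four strap bytes should change. The ME region itself is left intact, so the ROM code and the essential firmware Nico describes are still present; this only flips the strap, it does not shrink the firmware the way me_cleaner's module removal does.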