[coreboot] Hardware vendors offering systems with Intel ME disabled

Thu Dec 7 23:22:48 CET 2017

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While dell has not gone into detail on this offering, from what has been
described it is highly likely that they were setting the HAP bit.
Unfortunately Dell has been billing this as a "inactive" ME when the
truth is something else: apparently the ME is still vulnerable even with
the HAP bit set [1], for instance.

In general there is a lot of confusion as to the ME and what me_cleaner
/ the HAP bit can do.  To clear it up:

 * Intel does not offer ME-free hardware to _anyone_, ever.  The closest
they ever came was the HAP bit.

 * A ME with me_cleaner applied and the HAP bit set is _not_ disabled.
It is limited compared to a stock ME but most definitely active and
involved with system boot and possibly runtime, and it remains a serious
security threat.

[1] https://twitter.com/rootkovska/status/938458875522666497

On 12/07/2017 03:29 PM, echelon at free.fr wrote:
> Hello,
> First I apologize in advance for introducing some "off topic" noise in the coreboot mailing list, but I would like to point to you a story which was posted on slashdot 4 days ago : 
> https://hardware.slashdot.org/story/17/12/03/2113220/dell-begins-offering-laptops-with-intels-management-engine-disabled .
> So I have some questions to the coreboot community regarding this story (if you have the time and if you bother to read it..) :
>  - I know that the aim of the coreboot project is to produce a fully open-source firmware alternative (and I fully subscript to this noble aim!..), but if we put ourselves in the place of a (corporate?) end-user, who NEEDS the security of a system with "features" like ME or PSP DISABLED, isn't "buying" the option "ME disabled" straight from the vendor a viable solution?.. Or in other words (I hope that I will avoid getting sued for this.. ;-)) : do you think that "buying" this advertised "option" is as reliable as say .. using open source tools like me_cleaner (DIY approach)?..
>  - And a more "politically sensitive" question (you can simply ignore it if it is too dangerous to answer..): do you think that Intel is somewhat .. "collaborative" (or at least indifferent..) to this new initiative of Dell or System76?..
> Thanks in advance for your answers,
>  Florentin Demetrescu
> 
> 

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJaKb80AAoJEK+E3vEXDOFb/M0H/iYOqM7L+JW/cNnMcihV0Ngp
u8UcqSSixmjNqmZ1XAeZd4VM2yLqPfbo2GKKcSk1a+tT7x6NaH5PMCLfrSPV/KLa
o5gYspN4fyyW4HtyyPCVY6lJMUsQLDswnXuGGxct6m8yU0bvTMC/1d7VDdAEHDni
K486nePlPCdboC1T8nGHT+P+5kX6R/Qiec+jWy27ep4HKR6JMTsHVnaLY2D68/F4
VyIdfxkxzBQZb/YvutppXnqPx3rmVejLYT3CwnsfGkNyoev/Eo0HSyT+sVlwCXhz
gQ3MgSVt3kR9QwMgOPMcbQTkmgcQvP50Wu7TVT2TVSx4k5YoxRX34SCjRTnLdRU=
=Zqy1
-----END PGP SIGNATURE-----