[coreboot] Disabling Intel ME 11 via undocumented mode

Alberto Bursi alberto.bursi at outlook.it
Fri Dec 8 15:40:15 CET 2017

On 12/08/2017 02:59 PM, Timothy Pearson wrote:
> That's just the HAP bit.  The ME is limited but NOT disabled, and the
> remaining stubs are still hackable [1].
> Neither the ME nor the PSP can ever be removed from their respective
> systems.  They can both be limited to some extent, but to call either of
> them "disabled" is rather far from the truth.

Hacking them requires being able to write in the SPI flash, or to have 
buggy UEFI firmware. Which means most systems are still vulnerable.

But it is also true that if someone can hack UEFI he pwns you anyway, 
even without ME.

So imho ME with the HAP bit can be called "disabled", although the fight 
isn't over as ME isn't the only thing that was a threat anyway.

There is still a need to secure the UEFI firmware (which is needed even if
ME didn't exist), and to do a hardware mod to have a hardware switch to
turn the SPI chip read-only at the hardware level (also needed
regardless of ME).

I think many SPI chips only need some pin pulled high/low to go into
read-only mode, and I frankly trust a dumb switch many orders of 
magnitude more than Boot Guard or anything software-based.

