
Disabling the Intel Management Engine (ME)


Overview

The Intel Management Engine (ME) is designed to help manage and regulate a system, including its processor. Some of its functions include power management, Active Management Technology (AMT), Serial over LAN (SOL), Intel Platform Trust Technology (PTT), and others. Functions such as AMT and SOL allow remote access that is designed to help monitor, maintain, update, and repair the system. However, these same features can be exploited via vulnerabilities such as CVE-2017-5712, allowing attackers with remote access to execute privileged code on the system.

One way to stay ahead of vulnerabilities is by using Intel's Converged Security and Management Engine Version Detection Tool or updating the Intel ME firmware. A better way is to completely disable the ME if it is not being used. A reliable method of doing so is to use a system firmware (commonly referred to as BIOS) that prevents the ME's functionality. Protectli's coreboot builds for the VP hardware line have the ME disabled by default. For more information, see the "Protectli Vaults with ME Disabled in coreboot" chart at the bottom of this article.


Methods to Disable Intel ME

There are three approaches to disabling the Intel ME: "neutering," "soft-disabling," and "disabling."

Neutering

Neutering refers to removing modules that are not critical for functionality, leaving portions of the ME still operational. While this leaves some ME features intact, issues such as power management problems may arise. [SOURCE]

This method is not widely used and requires further development. The instability, coupled with possible power management issues, means it should be used only when necessary.

Soft-disable (HECI)

Soft-disable works by having the system firmware send a "SET_ME_DISABLE" command via the Host Embedded Controller Interface (HECI). This command puts the ME into a disabled state. The ME will remain disabled until an "ENABLE" command is sent. This is seen as a general-purpose method because it does not require implementing platform- or processor-specific code. [SOURCE]

Disable (HAP)

The Disable method is a kill switch for the ME: it leaves the ME in a halted/stopped state while still allowing a graceful ME shutdown. Different ME versions require a different bit to be set: for ME version 11 or greater, the HAP bit is used; for anything lower than ME version 11, the AltMeDisable bit is used. [SOURCE]

HAP/AltMeDisable is the preferred method as it provides the most security: remote access and other high-privileged features cannot be used.

While this method does provide the most security, other "safer" ME features are also disabled. For the general user, the ME is never utilized in the first place. For consumers who need portions of the ME's features, workarounds exist. For example, if platform security is needed, a discrete TPM module can be used instead of Intel's PTT.

Verifying Reduced ME Functionality

Intelmetool

One way to verify the status of the ME is to use intelmetool. Instructions on how to obtain and use intelmetool can be found [here].

Linux Tools

Another way is to use Linux-based tools to find the state of the ME. Instructions can be found [here].
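As an added example that is not part of this article and not a Protectli tool, the script below reads the ME's HFSTS1 status register from the HECI device (PCI 00:16.0, config offset 0x40) through sysfs and decodes it with the bit layout and state names used by coreboot's intelmetool source, which is assumed here rather than quoted from this page; the register values it checks are constructed samples.

```python
import sys
from pathlib import Path

HFSTS1_FIELDS = {  # name: (bit offset, width), as in intelmetool's struct me_hfs
    "working_state": (0, 4), "mfg_mode": (4, 1), "fpt_bad": (5, 1),
    "operation_state": (6, 3), "fw_init_complete": (9, 1), "ft_bup_ld_flr": (10, 1),
    "update_in_progress": (11, 1), "error_code": (12, 4), "operation_mode": (16, 4),
    "boot_options_present": (24, 1)}
WORKING_STATE = {0: "reset", 1: "initializing", 2: "recovery",
                 5: "normal", 6: "wait", 7: "transition"}
OPERATION_MODE = {0: "normal", 2: "debug", 3: "soft temporary disable",
                  4: "security override via jumper",
                  5: "security override via MEI message"}
ERROR_CODE = {0: "no error", 1: "uncategorized failure",
              2: "disabled", 3: "image failure"}

def decode_hfsts1(value: int) -> dict:
    """Split a 32-bit HFSTS1 value into named fields plus readable names."""
    f = {name: (value >> off) & ((1 << width) - 1)
         for name, (off, width) in HFSTS1_FIELDS.items()}
    f["working_state_name"] = WORKING_STATE.get(f["working_state"], "unknown")
    f["operation_mode_name"] = OPERATION_MODE.get(f["operation_mode"], "unknown")
    f["error_code_name"] = ERROR_CODE.get(f["error_code"], "unknown")
    return f

def me_fully_operational(value: int) -> bool:
    """True only for normal working state + normal operation mode + init complete;
    soft temporary disable, recovery, stuck init or an error all count as reduced."""
    f = decode_hfsts1(value)
    return (f["working_state_name"] == "normal"
            and f["operation_mode_name"] == "normal"
            and f["fw_init_complete"] == 1)

def read_hfsts1(pci_dev: str = "0000:00:16.0") -> int:
    """Read HFSTS1 (offset 0x40, root usually required) via sysfs; -1 if absent."""
    cfg = Path(f"/sys/bus/pci/devices/{pci_dev}/config")
    if not cfg.exists():
        return -1
    with cfg.open("rb") as fh:
        fh.seek(0x40)
        return int.from_bytes(fh.read(4), "little")

if __name__ == "__main__":
    # Optional argv[1]: a captured HFSTS1 value (e.g. 0x245) to decode offline.
    val = int(sys.argv[1], 0) if len(sys.argv) > 1 else read_hfsts1()
    if val < 0:
        sys.exit("HECI device 00:16.0 not present in sysfs")
    print(f"HFSTS1=0x{val:08x}", decode_hfsts1(val),
          "fully operational:", me_fully_operational(val))
```

Compare the decoded fields against intelmetool's output on the same unit; a missing HECI device or a non-normal working state or operation mode is what a disabled ME looks like from the host side.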

Protectli Vaults with ME Disabled in coreboot

coreboot

Unit   | ME disable   | Notes
VP2410 | Disabled     | Enters recovery mode. Recovery mode acts as being disabled.
VP2420 | Soft-disable | Standard – HECI
VP4600 | Soft-disable | Standard – HECI
VP6600 | TBD          | TBD

Future

We strive to make our devices as secure as possible. Many of our security updates are implemented specifically for Protectli hardware. Please check back for updates regarding our efforts to mitigate vulnerabilities exposed by the Intel ME. 
