The Intel Management Engine (ME), also known as the Intel Manageability Engine,
is an autonomous subsystem that has been incorporated in virtually all of
Intel
Intel Corporation is an American multinational corporation and technology company headquartered in Santa Clara, California. It is the world's largest semiconductor chip manufacturer by revenue, and is one of the developers of the x86 seri ...
's
processor
Processor may refer to:
Computing Hardware
* Processor (computing)
**Central processing unit (CPU), the hardware within a computer that executes a program
*** Microprocessor, a central processing unit contained on a single integrated circuit (I ...
chipset
In a computer system, a chipset is a set of electronic components
An electronic component is any basic discrete device or physical entity in an electronic system used to affect electrons or their associated fields. Electronic components are ...
s since 2008.
It is located in the
Platform Controller Hub
The Platform Controller Hub (PCH) is a family of Intel's single-chip chipsets, first introduced in 2009. It is the successor to the Intel Hub Architecture, which used two chips - a Northbridge (computing), northbridge and Southbridge (computing), ...
of modern Intel
motherboards
A motherboard (also called mainboard, main circuit board, mb, mboard, backplane board, base board, system board, logic board (only in Apple computers) or mobo) is the main printed circuit board (PCB) in general-purpose computers and other expand ...
.
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with deployment of a hardware device, which is able to disconnect
mains power
Mains electricity or utility power, power grid, domestic power, and wall power, or in some parts of Canada as hydro, is a general-purpose alternating-current (AC) electric power supply. It is the form of electrical power that is delivered to h ...
.
Intel's main competitor
AMD
Advanced Micro Devices, Inc. (AMD) is an American multinational semiconductor company based in Santa Clara, California, that develops computer processors and related technologies for business and consumer markets. While it initially manufactur ...
has incorporated the equivalent
AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.
Difference from Intel AMT
The Management Engine is often confused with
Intel AMT
Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitor ...
(Intel Active Management Technology). AMT runs on the ME, but is only available on processors with
vPro
The VPRO (stylized vpro; originally an acronym for , ) is a Dutch public broadcaster, which forms a part of the Dutch public broadcasting system. Founded in 1926 as a liberal Protestant broadcasting organization, it gradually became more ...
. AMT gives device owners remote administration of their computer,
such as powering it on or off, and reinstalling the operating system.
However, the ME itself is built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.
Design
The subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep. As long as the chipset or
SoC is supplied with power (via battery or power supply), it continues to run even when the system is turned off. Intel claims the ME is required to provide full performance. Its exact workings are largely undocumented and its code is
obfuscated
Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language. The obfuscation might be either unintentional or intentional (although intent u ...
using confidential
Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.
Hardware
Starting with ME 11, it is based on the
Intel Quark
Intel Quark is a line of 32-bit x86 SoCs and microcontrollers by Intel, designed for small size and low power consumption, and targeted at new markets including wearable devices. The line was introduced at Intel Developer Forum in 2013, and d ...
x86-based
32-bit
In computer architecture, 32-bit computing refers to computer systems with a processor, memory, and other major system components that operate on data in 32-bit units. Compared to smaller bit widths, 32-bit computers can perform large calculation ...
CPU and runs the
MINIX 3
Minix 3 is a small, Unix-like operating system. It is published under a BSD-3-Clause license and is a successor project to the earlier versions, Minix 1 and 2.
The project's main goal is for the system to be fault-tolerant by detecting and rep ...
operating system.
[ ] The ME firmware is stored in a partition of the
SPI BIOS Flash, using the
Embedded Flash File System
Embedded or embedding (alternatively imbedded or imbedding) may refer to:
Science
* Embedding, in mathematics, one instance of some mathematical object contained within another instance
** Graph embedding
* Embedded generation, a distributed ge ...
(EFFS).
Previous versions were based on an
ARC core, with the Management Engine running the
ThreadX RTOS
A real-time operating system (RTOS) is an operating system (OS) for real-time applications that processes data and events that have critically defined time constraints. An RTOS is distinct from a time-sharing operating system, such as Unix, which ...
. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and
16-bit
16-bit microcomputers are microcomputers that use 16-bit microprocessors.
A 16-bit register can store 216 different values. The range of integer values that can be stored in 16 bits depends on the integer representation used. With the two mos ...
instruction set architecture
In computer science, an instruction set architecture (ISA), also called computer architecture, is an abstract model of a computer. A device that executes instructions described by that ISA, such as a central processing unit (CPU), is called an ' ...
). Starting with ME 7.1, the ARC processor could also execute signed
Java applets
Java applets were small applications written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode. The user launched the Java applet from a ...
.
The ME has its own MAC and IP address for the
out-of-band management
In systems management, out-of-band management involves the use of management interfaces (or serial ports) for managing networking equipment. Out-of-band (''OOB'') management is a networking term which refers to accessing and managing network infras ...
interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via
Management Component Transport Protocol
Management Component Transport Protocol (MCTP) is a protocol designed by the Distributed Management Task Force (DMTF) to support communications between different intelligent hardware components that make up a platform management subsystem, provid ...
(MCTP). The ME also communicates with the host via PCI interface.
[Igor Skochinsky (]Hex-Rays
The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. ...
Rootkit in your laptop
Ruxcon Breakpoint 2012 Under Linux, communication between the host and the ME is done via or .
Until the release of
Nehalem processors, the ME was usually embedded into the motherboard's
northbridge, following the
Memory Controller Hub
In computing, a northbridge (also host bridge, or memory controller hub) is one of two chips comprising the core logic chipset architecture on a PC motherboard. A northbridge is connected directly to a CPU via the front-side bus (FSB) to han ...
(MCH) layout.
With the newer Intel architectures (
Intel 5 Series
Intel 5 Series is a computing architecture introduced in 2008 that improves the efficiency and balances the use of communication channels in the motherboard. The architecture consists primarily of a central processing unit (CPU) (connected to the ...
onwards), ME is integrated into the
Platform Controller Hub
The Platform Controller Hub (PCH) is a family of Intel's single-chip chipsets, first introduced in 2009. It is the successor to the Intel Hub Architecture, which used two chips - a Northbridge (computing), northbridge and Southbridge (computing), ...
(PCH).
Firmware
By Intel's current terminology as of 2017, ME is one of several firmware sets for the Converged Security and Manageability Engine (CSME)(Need to be updated, as the latest document(#635338 v1.0 P.#6) described. ME means the HW, SPS is the firmware name on ME and ME contains NM and SiEn). Prior to AMT version 11, CSME was called Intel Management Engine BIOS Extension (Intel MEBx).
* Management Engine (ME) – mainstream chipsets
* Server Platform Services (SPS) – server chipsets and
SoCs
* Trusted Execution Engine (TXE) – tablet/embedded/low power
The Russian company
Positive Technologies (
Dmitry Sklyarov) found that the ME firmware version 11 runs
MINIX 3
Minix 3 is a small, Unix-like operating system. It is published under a BSD-3-Clause license and is a successor project to the earlier versions, Minix 1 and 2.
The project's main goal is for the system to be fault-tolerant by detecting and rep ...
.
Modules
*
Active Management Technology
Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitorin ...
(AMT)
* Intel
Boot Guard (IBG)
and
Secure Boot
UEFI (Unified Extensible Firmware Interface) is a set of specifications written by the UEFI Forum. They define the architecture of the platform firmware used for booting and its interface for interaction with the operating system. Examples of ...
*
Quiet System Technology (QST), formerly known as Advanced Fan Speed Control (AFSC), which provides support for acoustically-optimized fan speed control, and monitoring of temperature, voltage, current and fan speed sensors that are provided in the chipset, CPU and other devices present on the motherboard. Communication with the QST firmware subsystem is documented and available through the official
software development kit
A software development kit (SDK) is a collection of software development tools in one installable package. They facilitate the creation of applications by having a compiler, debugger and sometimes a software framework. They are normally specific to ...
(SDK).
* Protected Audio Video Path
* Intel Anti-Theft Technology (AT), discontinued in 2015.
*
Serial over LAN
Serial over LAN (SOL) is a mechanism that enables the input and output of the serial port of a managed system to be redirected over IP.
Details
On some managed systems, notably blade server systems, the serial ports on the managed computers are ...
(SOL)
*
Intel Platform Trust Technology (PTT), a firmware-based
Trusted Platform Module
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a ch ...
(TPM)
*
Near Field Communication
Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm (1 in) or less. NFC offers a low-speed connection through a simple setup that can be u ...
, a middleware for NFC readers and vendors to access NFC cards and provide secure element access, found in later MEI versions.
Security vulnerabilities
Several weaknesses have been found in the ME. On May 1, 2017, Intel confirmed a Remote Elevation of Privilege bug (SA-00075) in its Management Technology.
Every Intel platform with provisioned Intel Standard Manageability, Active Management Technology, or Small Business Technology, from
Nehalem in 2008 to
Kaby Lake
Kaby Lake is Intel's codename for its seventh generation Core microprocessor family announced on August 30, 2016. Like the preceding Skylake, Kaby Lake is produced using a 14 nanometer manufacturing process technology. Breaking with Intel's ...
in 2017 has a remotely exploitable security hole in the ME.
Several ways to disable the ME without authorization that could allow ME's functions to be sabotaged have been found.
Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine (TXE), and Server Platform Services (SPS) firmware, from
Skylake in 2015 to
Coffee Lake
Coffee Lake is Intel's codename for its eighth generation Core microprocessor family, announced on September 25, 2017. It is manufactured using Intel's second 14 nm process node refinement. Desktop Coffee Lake processors introduced i5 and i ...
in 2017, were confirmed by Intel on 20 November 2017 (SA-00086).
Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was "disabled" by any of the known unofficial methods.
In July 2018 another set of vulnerabilities was disclosed (SA-00112).
In September 2018, yet another vulnerability was published (SA-00125).
Ring −3 rootkit
A
ring
Ring may refer to:
* Ring (jewellery), a round band, usually made of metal, worn as ornamental jewelry
* To make a sound with a bell, and the sound made by a bell
:(hence) to initiate a telephone connection
Arts, entertainment and media Film and ...
−3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset as Intel implemented additional protections. The exploit worked by remapping the normally protected memory region (top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "−3" designation was chosen because the ME coprocessor works even when the system is in the
S3 state, thus it was considered a layer below the
System Management Mode
System Management Mode (SMM, sometimes called ring −2 in reference to protection rings) is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate ...
rootkits.
) For the vulnerable Q35 chipset, a
keystroke logger
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored ...
ME-based rootkit was demonstrated by Patrick Stewin.
Zero-touch provisioning
Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from
Go Daddy
GoDaddy Inc. is an American publicly traded Internet domain registrar and web hosting company headquartered in Tempe, Arizona, and incorporated in Delaware.
, GoDaddy has more than 21 million customers and over 6,600 employees worldwide. The co ...
a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.
SA-00075 (a.k.a. Silent Bob is Silent)
In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability (
CVE-2017-5689).
The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel,
affects numerous laptops, desktops and servers sold by
Dell
Dell is an American based technology company. It develops, sells, repairs, and supports computers and related products and services. Dell is owned by its parent company, Dell Technologies.
Dell sells personal computers (PCs), servers, data ...
,
Fujitsu
is a Japanese multinational information and communications technology equipment and services corporation, established in 1935 and headquartered in Tokyo. Fujitsu is the world's sixth-largest IT services provider by annual revenue, and the la ...
,
Hewlett-Packard
The Hewlett-Packard Company, commonly shortened to Hewlett-Packard ( ) or HP, was an American multinational information technology company headquartered in Palo Alto, California. HP developed and provided a wide variety of hardware components ...
(later
Hewlett Packard Enterprise
The Hewlett Packard Enterprise Company (HPE) is an American multinational information technology company based in Spring, Texas, United States.
HPE was founded on November 1, 2015, in Palo Alto, California, as part of the splitting of the ...
and
HP Inc.
HP Inc. is an American multinational information technology company headquartered in Palo Alto, California, that develops personal computers (PCs), printers and related supplies, as well as 3D printing solutions.
It was formed on Novembe ...
), Intel,
Lenovo
Lenovo Group Limited, often shortened to Lenovo ( , ), is a Chinese Multinational corporation, multinational technology company specializing in designing, manufacturing, and marketing consumer electronics, Personal computer, personal computers, ...
, and possibly others.
Those researchers claimed that the bug affects systems made in 2010 or later. Other reports claimed the bug also affects systems made as long ago as 2008.
The vulnerability was described as giving remote attackers:
PLATINUM
In June 2017, the
PLATINUM
Platinum is a chemical element with the symbol Pt and atomic number 78. It is a dense, malleable, ductile, highly unreactive, precious, silverish-white transition metal. Its name originates from Spanish , a diminutive of "silver".
Platinu ...
cybercrime group became notable for exploiting the
serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents.
SOL is disabled by default, and must be enabled to exploit this vulnerability.
SA-00086
Some months after the previous bugs, and subsequent warnings from the EFF,
security firm Positive Technologies claimed to have developed a working
exploit
Exploit means to take advantage of something (a person, situation, etc.) for one's own end, especially unethically or unjustifiably.
Exploit can mean:
*Exploitation of natural resources
*Exploit (computer security)
* Video game exploit
*Exploitat ...
. On 20 November, 2017 Intel confirmed that a number of serious flaws had been found in the Management Engine (mainstream), Trusted Execution Engine (tablet/mobile), and Server Platform Services (high end server) firmware, and released a "critical firmware update".
Essentially every Intel-based computer for the last several years, including most desktops and servers, were found to be vulnerable to having their security compromised, although all the potential routes of exploitation were not entirely known.
It is not possible to patch the problems from the operating system, and a firmware (UEFI, BIOS) update to the motherboard is required, which was anticipated to take quite some time for the many individual manufacturers to accomplish, if it ever would be for many systems.
Affected systems
*
Intel Atom
Intel Atom is the brand name for a line of IA-32 and x86-64 instruction set ultra-low-voltage processors by Intel Corporation designed to reduce electric consumption and power dissipation in comparison with ordinary processors of the Intel Cor ...
– C3000 family
* Intel Atom – Apollo Lake E3900 series
*
Intel Celeron
Celeron is Intel's brand name for low-end IA-32 and x86-64 computer microprocessor models targeted at low-cost personal computers.
Celeron processors are compatible with IA-32 software. They typically offer less performance per clock speed comp ...
– N and J series
*
Intel Core
Intel Core is a line of streamlined midrange consumer, workstation and enthusiast computer central processing units (CPUs) marketed by Intel Corporation. These processors displaced the existing mid- to high-end Pentium processors at the time ...
(i3, i5, i7, i9) – 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation
*
Intel Pentium
Pentium is a brand used for a series of x86 architecture-compatible microprocessors produced by Intel. The original Pentium processor from which the brand took its name was first released on March 22, 1993. After that, the Pentium II and P ...
– Apollo Lake
*
Intel Xeon
Xeon ( ) is a brand of x86 microprocessors designed, manufactured, and marketed by Intel, targeted at the non-consumer workstation, server, and embedded system markets. It was introduced in June 1998. Xeon processors are based on the same arc ...
– E3-1200 v5 and v6 product family
* Intel Xeon – Scalable family
* Intel Xeon – W family
Mitigation
None of the known unofficial methods to disable the ME prevent exploitation of the vulnerability. A firmware update by the vendor is required. However, those who discovered the vulnerability note that firmware updates are not fully effective either, as an attacker with access to the ME firmware region can simply flash an old, vulnerable version and then exploit the bug.
SA-00112
In July 2018 Intel announced that three vulnerabilities () had been discovered and that a patch for the CSME firmware would be required. Intel indicated there would be no patch for 3rd generation Core processors or earlier despite chips or their chipsets as far back as Intel Core 2 Duo vPro and Intel Centrino 2 vPro being affected. However Intel AMT must be enabled and provisioned for the vulnerability to exist.
Assertions that ME is a backdoor
Critics like the
Electronic Frontier Foundation
The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The foundation was formed on 10 July 1990 by John Gilmore, John Perry Barlow and Mitch Kapor to promote Internet ci ...
(EFF),
Libreboot
Libreboot (briefly known as GNU Libreboot) is a free software project based on coreboot, aimed at replacing the proprietary BIOS firmware contained by most computers. Libreboot is a lightweight system designed to perform only the minimum number ...
developers, and security expert Damien Zammit accused the ME of being a
backdoor
A back door is a door in the rear of a building. Back door may also refer to:
Arts and media
* Back Door (jazz trio), a British group
* Porta dos Fundos (literally “Back Door” in Portuguese) Brazilian comedy YouTube channel.
* Works so titl ...
and a privacy concern.
Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.
Intel responded by saying that "Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user."
and "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease security of its technology."
In the context of criticism of the Intel ME and
AMD Secure Technology it has been pointed out that the
National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
(NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to "Insert vulnerabilities into commercial encryption systems, IT systems, …" and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program.
Disabling the ME
It is normally not possible for the end-user to disable the ME and there is no officially supported method to disable it, but some undocumented methods to do so were discovered.
The ME's security architecture is designed to prevent disabling. Intel considers disabling ME to be a security vulnerability, as a malware could abuse it to make the computer lose some of the functionality that the typical user expects, such as the ability to play media with
DRM
DRM may refer to:
Government, military and politics
* Defense reform movement, U.S. campaign inspired by Col. John Boyd
* Democratic Republic of Madagascar, a former socialist state (1975–1992) on Madagascar
* Direction du renseignement milita ...
. But on the other hand, it is also possible for malicious actors to use the ME to remotely compromise a system.
Strictly speaking, none of the known methods can disable the ME completely, since it is required for booting the main CPU. The currently known methods merely make the ME go into abnormal states soon after boot, in which it seems not to have any working functionality. The ME is still physically connected to the system and its microprocessor continues to execute code.
Undocumented methods
Firmware neutralization
In 2016, the ''me_cleaner'' project found that the ME's integrity verification is broken. The ME is supposed to detect that it has been tampered with and, if this is the case, shut down the PC forcibly 30 minutes after system start. This prevents a compromised system from running undetected, yet allows the owner to fix the issue by flashing a valid version of the ME firmware during the grace period. As the project found out, by making unauthorized changes to the ME firmware, it was possible to force it into an abnormal error state that prevented triggering the shutdown even if large parts of the firmware had been overwritten and thus made inoperable.
"High Assurance Platform" mode
In August 2017, Positive Technologies (
Dmitry Sklyarov) published a method to disable the ME via an
undocumented built-in mode. As Intel has confirmed the ME contains a switch to enable government authorities such as the
NSA
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions,
and was intended to be available only in machines produced for specific purchasers like the US government; however, most machines sold on the retail market can be made to activate the switch.
Manipulation of the HAP bit was quickly incorporated into the me_cleaner project.
Commercial ME disablement
From late 2017 on, several laptop vendors announced their intentions to ship laptops with the Intel ME disabled or let the end-users disable it manually:
*
Purism
Purism, referring to the arts, was a movement that took place between 1918 and 1925 that influenced French painting and architecture. Purism was led by Amédée Ozenfant and Charles Edouard Jeanneret (Le Corbusier). Ozenfant and Le Corbusier fo ...
previously petitioned Intel to sell processors without the ME, or release its source code, calling it "a threat to users' digital rights". In March 2017, Purism announced that it had neutralized the ME by erasing the majority of the ME code from the flash memory. It further announced in October 2017 that new batches of their
Librem
Librem is a line of computers manufactured by Purism, SPC featuring free (libre) software. The laptop line is designed to protect privacy and freedom by providing no non-free (proprietary) software in the operating system or kernel, avoiding t ...
line of laptops running
PureOS
PureOS is a Linux distribution focusing on privacy and security, using the GNOME desktop environment. It is maintained by Purism for use in the company's Librem laptop computers as well as the Librem 5 smartphone.
PureOS is designed to include ...
will ship with the ME neutralized, and additionally disable most ME operation via the HAP bit. Updates for existing Librem laptops were also announced.
* In November,
System76 announced their plan to disable the ME on their new and recent machines which ship with
Pop!_OS
Pop!_OS is a free and open-source Linux distribution, based upon Ubuntu, and featuring a customized GNOME desktop environment known as COSMIC. The distribution is developed by American Linux computer manufacturer System76. Pop!_OS is prim ...
via the HAP bit.
* In December,
Dell
Dell is an American based technology company. It develops, sells, repairs, and supports computers and related products and services. Dell is owned by its parent company, Dell Technologies.
Dell sells personal computers (PCs), servers, data ...
began showing certain laptops on its website that offered the "Systems Management" option "Intel vPro - ME Inoperable, Custom Order" for an additional fee. Dell has not announced or publicly explained the methods used. In response to press requests, Dell stated that those systems had been offered for quite a while, but not for the general public, and had found their way to the website only inadvertently.
The laptops are available only by custom order and only to military, government and intelligence agencies. They are specifically designed for covert operations, such as providing a very robust case and a "stealth" operating mode kill switch that disables display, LED lights, speaker, fan and any wireless technology.
*In March 2018
Tuxedo Computers a German company which specializes in PCs which run
operating systems which use the Linux kernel, announced an option in the BIOS of their system to disable ME.
*In February 2021 Nitrokey, a German company specialized in producing Security Tokens, announced NitroPC, a device identical to Purism's Librem Mini.
Effectiveness against vulnerabilities
Neither of the two methods to disable the ME discovered so far turned out to be an effective countermeasure against the SA-00086 vulnerability.
This is because the vulnerability is in an early-loaded ME module that is essential to boot the main CPU.
Reactions
By Google
Google was attempting to eliminate