Am I right to be concerned about this, if only in principle? I don't like having a mysterious embedded chip that can access the network when my computer's off.

Exactly. What is Intel's supposed reason for having such a feature?

The Unix server vendors had these features long before Intel did. Having a common out-of-band management interface is hugely valuable for fleet management.

It's not valuable at all for individual retail consumers; in the long run, SGX probably does for the entire Intel customer base, including retail, pretty much everything that the ME might have done for retail users.

The real question is why there's no way to disable it. Certainly, if it was only for out-of-band management then why can't a retail consumer disable it? Saying that it's because it does "hardware initialisation" is a weak response; Intel could've designed it in a way that doesn't do that, such as with the very first models of CPUs with ME.

I would think it's more pertinent to ask "is there an economic reason to allow a retail consumer to disable it". Most people don't know (or care) what Intel ME is, and some enterprises that buy machines with Intel CPUs want the management features. Companies aren't implicitly evil, they just don't have altruistic motives (generally). Which means that likely they didn't see it as having a good ROI. This is not what you or I want to be the case, but even if that were solved -- Intel CPUs have a whole variety of other issues that extend beyond ME.

But all of that is missing the point that there is a way to disable it[1], with the HAP or AltMeDisable bits[2]. It's believed they were added for the US government to be able to disable Intel ME (after hardware initialisation). It's not easy (you have to reflash the firmware) because most vendor firmware doesn't allow "internal" flashing from userspace, but it is doable if you buy a $5 flash programmer and a Raspberry Pi.

[1]: https://github.com/corna/me_cleaner

[2]: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bi...