What does HackerNews think of me_cleaner?

It can be de-blobbed though [1]. At least this will "de-risk" it as part of the boot process ?

[1]: https://github.com/corna/me_cleaner

AMD's PSP is pretty much the same thing.

In the past few years AMD has started including a BIOS option to disable it. However, I have never seen a convincing explanation of how exactly that option works. The only thing I know is that Linux complains about it at boot on my B450M (from 2019):

    Aug 30 23:52:07 kobold kernel: [    4.811829] ccp 0000:07:00.1: ccp: unable to access the device: you might be running a broken BIOS.
    Aug 30 23:52:07 kobold kernel: [    4.811831] ccp 0000:07:00.1: psp: unable to access the device: you might be running a broken BIOS.

Intel includes no such option, but on the other hand there is stuff like https://github.com/corna/me_cleaner/. In the absense of any detailed information about how AMD'S PSP disable option actually works, I guess I would trust this a little more. However it requires getting your hands dirty, attaching a programmer directly to the chip (on the motherboard), and is not without risk.

https://github.com/corna/me_cleaner works reasonably well for me - at least on motherboards with removable BIOS chips.

> How is it possible to secure these nested trees of computers-in-computers?

https://github.com/corna/me_cleaner

Or, buy hardware from vendors who neutralize ME according to the link.

cough https://github.com/corna/me_cleaner cough

Yes, all AMD chips [1] after 2013 come with an equivalent to the invasive and vulnerable Intel ME [2].

It's arguably worse, since we have some known ways to reduce the scope of the Intel ME backdoor [3].

But realistically, if you care about security and privacy, both Intel and AMD chips are unusable.

1. https://libreboot.org/faq.html#amd-platform-security-process...

2. https://libreboot.org/faq.html#intelme

3. https://github.com/corna/me_cleaner

You can overwrite most of it: https://github.com/corna/me_cleaner. AFAIK such overwriting will fix the bug in your link (and this is exactly what Purism is doing).

That's not correct, Libreboot does not work on those systems that require any part of the ME to boot.

You might be thinking of me_cleaner[1], which removes most but not all of the ME blobs. This is unrelated to Libreboot though, it works on newer systems and is not needed when using Libreboot because the latter gets rid of the (very early versions of) the ME completely.

[1] https://github.com/corna/me_cleaner

Interesting, thanks for sharing that. Sounds like what puri.sm are doing with their Librem ranges, with me-cleaner [1].

1. https://github.com/corna/me_cleaner

>How does GP know that everything is actually being provided unmodified, without any backdoors?

They don't need to. That is precisely the point. The entire software stack is open source and reproducible (except a few KBs of Intel ME). As a press release, the linked post is brief. If you wish to read more on the technical aspects, here are all the constituent projects:

https://coreboot.org/

https://github.com/osresearch/heads/

https://github.com/corna/me_cleaner

https://github.com/nitrokey

A good talk if you prefer video: https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_mor...

Short answer: no.

Longer answer: You cannot fully disable the ME (the system won't boot) but you can use me_cleaner https://github.com/corna/me_cleaner to remove parts of the ME firmware that you don't want. "However, ... flashing back the modified [ME firmware] is usually not trivial, as the Intel ME firmware region is often non-writable from the OS (and it's not a safe option anyways), requiring the use of an external SPI programmer."

Only partially for new machines. For pre-Nehalem ones, you can disable it fully. You may be interested in this: https://github.com/corna/me_cleaner

Here are some easy ways to prevent UEFI from tampering with your drive:

Disable UEFI. https://github.com/corna/me_cleaner

Disable the ACPI hooks that register the kernel with UEFI. http://heim.ifi.uio.no/~knuto/kernel/4.14/admin-guide/kernel...

Use full disk encryption - unlike Microsoft Bitlocker which left backdoors for LoJack, linux vulnerabilities are publicized and you can update as soon as the patch appears on the internet.

Switch to a filesystem that the UEFI malware does not understand. Or move fields and magic numbers around in an existing filesystem to create a "custom" filesystem.

Or a combination of all of the above.

Check out what the ME disable stuff does. It just removes some of the binaries from the thing's uKernel that are the non boot services. The ME is required for system bringup.

> However, while Intel ME can't be turned off completely, it is still possible to modify its firmware up to a point where Intel ME is active only during the boot process, effectively disabling it during the normal operation, which is what me_cleaner tries to accomplish.

https://github.com/corna/me_cleaner

EDIT: Also, the ME is inside the PCH, so I'm not really sure why you're making a distinction there.

There is a Python script that can take a BIOS image (either from a vendor or scanned from a running system) and remove all ME components that are not absolutely required to operate the CPU. I have never tried it.

https://github.com/corna/me_cleaner

As far as I understand:

* In general you cannot.

* You can try to remove ME with non-official tools like https://github.com/corna/me_cleaner

* Some vendors ship specific laptops with ME disabled (https://fossbytes.com/laptops-intel-me-chip-disabled/)

* For servers or desktops, you can plug in a separate PCI network adapter instead of using the one on the mainboard (please correct me if this is wrong or confirm it as I'm unsure about it). That would at least disconnect the ME from the network by default. But anybody could still walk up to your machine, plug a cable into the mainboard ethernet port and own you at the deepest level.

It happened more than a year ago[1]. It doesn't remove ME entirely, but drastically reduces the attack surface in the currently accessible ring - the GitHub project has more details. Ultimately, the network-enabled bits that keep getting exploited are removed.

[1]: https://github.com/corna/me_cleaner

This is backed up by older systems working fine with the ME firmware completely removed, and on newer systems, for 30 minutes before a watchdog triggers: https://github.com/corna/me_cleaner

Let's be pragmatic. Does anyone know if ME blockers work? Can you please post one if it does? Can we start a list? Are the destination ips it can be controlled from hard coded, can it be blocked via simple firewall rules?

EG tool: https://github.com/corna/me_cleaner

List? https://github.com/ransom1538/intel_me_cleaners/

me_cleaner already exists[1], and it takes advantage of several flaws in Intel ME's signing to remove large sections of the code thus neutering it. Some code still exists, but Intel ME cannot actually fully initialise on "cleaned" systems. Older machines used to have a bug where if you filled the first half of the Intel ME firmware with zeros the machine would boot but ME wouldn't start at all.

But yes, I hope that with this it'll be possible to completely remove the remaining few hundred kB of Intel ME code remaining.

[1]: https://github.com/corna/me_cleaner

Flashing ME firmware is quite trivial for older laptops -- you just need a flash programmer, a raspberry pi and some patience. It's one of the key parts of how me_cleaner[1] works -- you "clean up" the firmware and flash a new version. However, newer Intel CPUs have BootGuard[2] which makes this impossible.

But I wouldn't hold my breath that they'll release the keys -- why would they? Releasing keys is the last thing you'll think of if a decades-old business is going up in flames.

[1]: https://github.com/corna/me_cleaner [2]: https://github.com/corna/me_cleaner/wiki/Intel-Boot-Guard

I would think it's more pertinent to ask "is there an economic reason to allow a retail consumer to disable it". Most people don't know (or care) what Intel ME is, and some enterprises that buy machines with Intel CPUs want the management features. Companies aren't implicitly evil, they just don't have altruistic motives (generally). Which means that likely they didn't see it as having a good ROI. This is not what you or I want to be the case, but even if that were solved -- Intel CPUs have a whole variety of other issues that extend beyond ME.

But all of that is missing the point that there is a way to disable it[1], with the HAP or AltMeDisable bits[2]. It's believed they were added for the US government to be able to disable Intel ME (after hardware initialisation). It's not easy (you have to reflash the firmware) because most vendor firmware doesn't allow "internal" flashing from userspace, but it is doable if you buy a $5 flash programmer and a Raspberry PI.

[1]: https://github.com/corna/me_cleaner [2]: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bi...

You can do this fairly easily with me_cleaner[1] which also does a lot of other disarming of ME.

[1]: https://github.com/corna/me_cleaner

>How can the consumer stop someone from exploiting this hack?

[Remove Intel ME](https://github.com/corna/me_cleaner) to the largest extent possible. I don't know of equivalent tools for AMD, though, which also has similar systems in place.

This is also what the management engine cleaner project is for:

https://github.com/corna/me_cleaner

Neutralizing the ME is not a full "disable," because Intel has made that exceptionally hard to do.

Even this "neutralized ME" still boots before the main x86 CPU, and still runs even when the machine is off (if it's plugged in or has a laptop battery). And this "neutralized ME" still has an unknown binary that runs, it's just that the LibreBoot.org folks have found a way to strip it down to the bone without breaking the digital signatures.

https://github.com/corna/me_cleaner

(This posting is just Librem laptops releasing the me_cleaner for their hardware, a good thing, but not any new news.)

I was thinking of this project - https://github.com/corna/me_cleaner This is the one that strips most of the ME (which seems to be Java applets, if I remember correctly Igor Skochinsky's presentation), but there's still the core "OS" in PCH, which loads and executes the applets - we don't know what nefarious things that part of ME might be up to - and it has DMA, and access to the network controller - that's how they remotely wipe HDD's, even without an OS being installed, even without the computer being turned on - that shit is straight out of Orwell's 1984. Telescreen, that's what it is.