When did Purism start shipping laptops with completely disabled Intel IME

Given that my Librem laptop was shipped last Tuesday, and Intel’s ME has been completely disabled since October 19, at what point did Purism start applying this update?

Update: I just received an e-mail stating that they’ve started applying the update a couple of days before. I’d guess that’ll mean you won’t have to update your laptop if it shipped on/after October 18 or so.

3 Likes

Bump, I am almost in the same spot. This seems like something that should be pushed down to existing hardware. Is there a way to update the firmware if its not disabled?

About updating, I guess you might want to read theses threads:

I would assume that there is also a ways to check the current state, probably @kakaroto can point you in the right direction.

So reading this makes me wish I was smarter : (

From what I can gather, you need to run a python script called me_cleaner. Since the Librem15 has CoreBoot, here

After trying to copy the original firmware with flashrom, you come to find out that the 15 v3 has skylake and therefore is not supported.

Please correct me if I am wrong anywhere.

@bretsky - Download this script, make it executable, then run it. It will prompt you and take you through the process.

https://code.puri.sm/kakaroto/coreboot-files/raw/master/build_coreboot.sh

More details can be found here:

1 Like

You sir, are a giant among men! Thank you!

I’m not sure exactly when it started to be shipped disabled, but I think it was a few days (maybe a week?) before the release of the article, since it takes some time to write and review all that text.
To check, you just need to run : cbmem -c | grep "ME:" (you may need to apt-get install coreboot-utils first). and look at the output, if the first line says “FW Partition Table : BAD”, then the ME is disabled, otherwise it’s not. (this applies to the never skylake based systems only)
For the update to existing customers, as @jaylittle said, download the build_coreboot.sh script and run it and follow instructions. It’s the safest method right now. Eventually, we’ll have an updater script which doesn’t require you to rebiuld coreboot from scratch. Note that the dependency list needed for that script to work is written in the first lines of the script itself, so just apt-get install those dependencies.
It’s all explained here :

2 Likes