How can I check if Intel ME is disabled or not?

jam · August 5, 2024, 8:18am

Hello everyone.

I found this option:

$ git clone --depth=1 https://review.coreboot.org/coreboot

$ cd coreboot/util/intelmetool

$  make

$ sudo ./intelmetool -m

What should I see after running the command if Intel ME is disabled?

$ sudo ./intelmetool -m

If you know other methods, please share…

FranklyFlawless · August 5, 2024, 8:26am

Verifying the Intel ME is Neutralized

You can confirm the ME condition by utilizing the same cbmem utility as above:
coreboot/util/cbmem$ sudo ./cbmem -c | grep ME
the most important lines are the 7 that match these output:

for Librem 13v1/15v2:
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Initializing ...
for Librem 13v2/15v3 and newer:

ME: Host Firmware Status Register 1 : 0xFFFFFFFF
ME: Host Firmware Status Register 2 : 0xFFFFFFFF
ME: Host Firmware Status Register 3 : 0xFFFFFFFF
ME: Host Firmware Status Register 4 : 0xFFFFFFFF
ME: Host Firmware Status Register 5 : 0xFFFFFFFF
ME: Host Firmware Status Register 6 : 0xFFFFFFFF
ME: FW Partition Table : BAD
ME: Bringup Loader Failure : YES
ME: Firmware Init Complete : YES
ME: Manufacturing Mode : YES
ME: Boot Options Present : YES
ME: Update In Progress : YES
ME: D3 Support : YES
ME: D0i3 Support : YES
ME: Low Power State Enabled : YES
ME: CPU Replaced : YES
ME: CPU Replacement Valid : YES
ME: Current Working State : Unknown (15)
…

Disclaimer: ME neutralization and disablement is an ongoing and repeated effort requiring tailored work across different models and chipsets (for example, we once found the ME cleaner tool to cause problems with Wi-Fi on Skylake, and had to solve that first).

Output from Librem 14:

[NOTE ]  coreboot--TIMELESS--LESSTIME--PureBoot-Release-30 Thu Jan 01 00:00:00 UTC 1970 x86_32 bootblock starting (log level: 7)...
[NOTE ]  coreboot--TIMELESS--LESSTIME--PureBoot-Release-30 Thu Jan 01 00:00:00 UTC 1970 x86_32 romstage starting (log level: 7)...
[DEBUG]  CBMEM:
[NOTE ]  coreboot--TIMELESS--LESSTIME--PureBoot-Release-30 Thu Jan 01 00:00:00 UTC 1970 x86_32 postcar starting (log level: 7)...
[NOTE ]  coreboot--TIMELESS--LESSTIME--PureBoot-Release-30 Thu Jan 01 00:00:00 UTC 1970 x86_32 ramstage starting (log level: 7)...
[DEBUG]  Reference Code - ME = 9.0.7b.20
[DEBUG]  MEBx version = 0.0.0.0
[DEBUG]  ME Firmware Version = Consumer SKU
[DEBUG]  BS: BS_DEV_ENUMERATE run times (exec / console): 2 / 0 ms
[DEBUG]  ME: HFSTS1                      : 0xFFFFFFFF
[DEBUG]  ME: HFSTS2                      : 0xFFFFFFFF
[DEBUG]  ME: HFSTS3                      : 0xFFFFFFFF
[DEBUG]  ME: HFSTS4                      : 0xFFFFFFFF
[DEBUG]  ME: HFSTS5                      : 0xFFFFFFFF
[DEBUG]  ME: HFSTS6                      : 0xFFFFFFFF
[DEBUG]  ME: Manufacturing Mode          : YES
[DEBUG]  ME: SPI Protection Mode Enabled : NO
[DEBUG]  ME: FW Partition Table          : BAD
[DEBUG]  ME: Bringup Loader Failure      : YES
[DEBUG]  ME: Firmware Init Complete      : YES
[DEBUG]  ME: Boot Options Present        : YES
[DEBUG]  ME: Update In Progress          : YES
[DEBUG]  ME: D0i3 Support                : YES
[DEBUG]  ME: Low Power State Enabled     : YES
[DEBUG]  ME: CPU Replaced                : YES
[DEBUG]  ME: CPU Replacement Valid       : YES
[DEBUG]  ME: Current Working State       : 15
[DEBUG]  ME: Current Operation State     : 7
[DEBUG]  ME: Current Operation Mode      : 15
[DEBUG]  ME: Error Code                  : 15
[DEBUG]  ME: CPU Debug Disabled          : YES
[DEBUG]  ME: TXT Support                 : YES
[DEBUG]  FSP MEMORY  2. 0x99c4e000 0x003b0000
[DEBUG]  TIME STAMP  5. 0x99c2c000 0x00000910
[DEBUG]  MEM INFO    7. 0x99c29000 0x00000f48
[DEBUG]    FSP RUNTIME 1. 0x99ffebe0 0x00000004

jam · August 5, 2024, 8:33am

Thank you very much for your answer. Yes, I see cbmem, but you and I forgot that you need to reboot the computer into iomem-relaxed mode))

To check, enter in the terminal

$ cat /proc/cmdline

As for the 7 lines, could you clarify what exactly tells us that Intel ME is disabled or partially disabled, etc.

I have Lenovo with Libreboot now so I can check

FranklyFlawless · August 5, 2024, 8:38am

I only had to run the script as-is for my output without needing to reboot my Librem 14.

Output:

root=UUID=8dc5d099-66ac-4a10-91ba-bfe29bed3070 ro quiet splash   firmware_class.path=/firmware/

@jonathon.hall

Intel ME has changed a lot since the Librem 13/15v4, enough that there has not been a blog article about it for the Librem 14 and later Purism devices. The largest priority from Purism for the last few years was bringing the Librem 5 to shipping parity.

jam · August 5, 2024, 1:06pm

I checked on a normal computer where there is no Coreboot and Libreboot this method does not work (cbmem) I get the message:
Table not found, but if I use the intelmetool utility I see information about what is enabled and what is disabled.

jonathon.hall · August 5, 2024, 1:30pm

Look for the HFSTS flags set to all 0xFFFFFFFF, that’s the most obvious. This indicates that coreboot couldn’t communicate with the ME, it’s disabled. The output does vary by ME generation, but this is present on most devices.

Yes, there have been a lot of changes, and the output does vary somewhat by ME generation, but the cbmem output is still IMO the best way to check this. The results here come from the coreboot logs relatively early in the boot process.

You can check whether Linux sees the ME device on PCIe, but there is a possibility that the ME interface was disabled while the ME is still active. So this is necessary for the ME to be disabled, but not totally sufficient to confirm it.

cbmem is specific to coreboot. It’s reading the coreboot boot log. It won’t work on any other firmware.

True, but this relies on the ME interface device being up. So again, if you want the ME disabled, it’s necessary that intelmetool will not be able to report status, but not sufficient to confirm that ME is really disabled. It could just be the ME interface device that’s disabled/hidden.

jam · August 5, 2024, 1:47pm

Thank you very much for the detailed answer. Would it be difficult for you to write here for me and other users what the answer looks like when Intel ME is enabled and when Intel ME is disabled, I mean the output after the commands. This is very useful information for users for a long time.

And how to distinguish when Intel ME is partially disabled or completely, I think this is also important, since partial disabling of Intel ME leaves many questions))