Can anyone confirm whether the Librem 13 v3 has ME disabled + neutralized out of the box?
If not, would it be possible to neutralize with ME cleaner?
2 Likes
Verifying the Intel ME is Neutralized
You can confirm the ME condition by utilizing the same cbmem utility as above:
coreboot/util/cbmem$ sudo ./cbmem -c | grep ^ME
2 Likes
it is, and you can verify it via the link provided above
3 Likes
Have you made a table yet displaying what models, versions, years product you made and sold that have said status ? Would be nice to have a lil cheat sheet to refer to, just my .02
2 Likes
what is “said status”?
All Librem 13/15 models have a disabled and neutralized ME.
All Librem Mini and 14 models have a disabled ME only.
3 Likes
You defined it perfectly. 
thanks.
In detail, ALL 13 / 15 Librem’s are treated the same being disabled and neutralized? Meaning, V1 may not be the same as V3 ? Just curious if there were differences in the removal, disable, neutralizing of Intel ME as you progressed in later revisions of the same model.
I am considering getting a 13 / 15 . . . now that I know my 14 is not both disabled and neutralized. Not that I think its an issue . . . though it may or may not be. You could clarify specific differences for me, if you like, I would love that. (If Any)
Possibly I will make a thread for this
2 Likes
there are differences between the 13v1/15v2 (Broadwell) and 13v2,3,4/15v3,4 (Skylake/Kabylake) due to using different versions of the ME/CSE, but the result is the same for both.
IMO it’s not a big deal. Neither can be reactivated without flashing the firmware.
3 Likes
Perfect! Thanks!
Is there a way for me to detect the status on my machine?
Hypothetically, what if someone did have access to my machine and was intending to install some firmware or “whatever” . . . and say that I confirmed the changes myself (say I did an update at starbucks and left my machine on the desk and went to the bathroom for 15 minutes). When I come out I go to my machine and approve the changes I made, unknowing that someone had time and access to install something. Lets be paranoid and say it was an intelligence agency and they have been following me for 3 years.
2 Likes
No, that is what I would have used to validate the updates I (and the unsuspecting intruder) installed.
I suspect that an Audit would be in order, yes? Is that accurate / possible?
1 Like
Updates made without your approval would be detected by a Librem Key. It would blink red in such case AFAIK.
2 Likes
Yes I am aware. Reread my post again, Im posting a hypothetical situation where I just installed an update to my PureOs, one that would require a signing with my librem key, but where before signing the update, I went to the bathroom for 15 minutes. During this time, someone had access to install naughty naughty on my computer knowing that I hadn’t yet signed the changes I made ( + the changes they made )
you follow? So its like they sneak in a firware app or keylogger, whatever, before I sign the changes I made. This would sign all changes made by myself and said hostile actor.
Could be a hacker, intel, police, whomever. I am more interested in what I can do to verify every piece of firmware, software, and all hardware is original to manufacturer specification.
I assume this is an audit.
1 Like
AFAIK there is no secure audit of a compromised system. It can always tell you that everything is fine, when it isn’t. You best bet is to reinstall everything, including the Coreboot.
2 Likes
I will check into this. Is this the only way to rid potential unknown threats?
You know of a how to guide? Share if you do!
1 Like
Looks like it’s here: https://docs.puri.sm/PureBoot/GettingStarted.html#oem-factory-reset.
3 Likes
Yeah unfortunately this doesn’t work anymore. Only thing that shows up is a few lines starting with MEM.
Do you know what might cause this or does this mean ME is enabled?
Thanks
1 Like