Intel ME Status on Librem 13 v3

Can anyone confirm whether the Librem 13 v3 has ME disabled + neutralized out of the box?

If not, would it be possible to neutralize with ME cleaner?

1 Like

Verifying the Intel ME is Neutralized
You can confirm the ME condition by utilizing the same cbmem utility as above:
coreboot/util/cbmem$ sudo ./cbmem -c | grep ^ME

1 Like

It is, and you can verify it via the link provided above.

2 Likes

Have you made a table yet displaying what models, versions, years product you made and sold that have said status? Would be nice to have a lil cheat sheet to refer to, just my .02

1 Like

What is “said status”?

All Librem 13/15 models have a disabled and neutralized ME.

All Librem Mini and 14 models have a disabled ME only.

2 Likes

You defined it perfectly. :slight_smile: thanks.

In detail, ALL 13 / 15 Librems are treated the same being disabled and neutralized? Meaning, V1 may not be the same as V3? Just curious if there were differences in the removal, disable, neutralizing of Intel ME as you progressed in later revisions of the same model.

I am considering getting a 13 / 15 . . . now that I know my 14 is not both disabled and neutralized. Not that I think it's an issue . . . though it may or may not be. You could clarify specific differences for me, if you like, I would love that. (If Any)

Possibly I will make a thread for this.

1 Like

There are differences between the 13v1/15v2 (Broadwell) and 13v2,3,4/15v3,4 (Skylake/Kabylake) due to using different versions of the ME/CSE, but the result is the same for both.

IMO it’s not a big deal. Neither can be reactivated without flashing the firmware.

2 Likes

Perfect! Thanks!

Is there a way for me to detect the status on my machine?

Hypothetically, what if someone did have access to my machine and was intending to install some firmware or “whatever” . . . and say that I confirmed the changes myself (say I did an update at Starbucks and left my machine on the desk and went to the bathroom for 15 minutes). When I come out I go to my machine and approve the changes I made, unknowing that someone had time and access to install something. Let's be paranoid and say it was an intelligence agency and they have been following me for 3 years.

1 Like

You are probably looking for Librem Key.

1 Like

No, that is what I would have used to validate the updates I (and the unsuspecting intruder) installed.

I suspect that an Audit would be in order, yes? Is that accurate / possible?

Updates made without your approval would be detected by a Librem Key. It would blink red in such a case AFAIK.

1 Like

Yes, I am aware. Reread my post again, I'm posting a hypothetical situation where I just installed an update to my PureOS, one that would require a signing with my Librem Key, but where before signing the update, I went to the bathroom for 15 minutes. During this time, someone had access to install naughty naughty on my computer knowing that I hadn’t yet signed the changes I made (+ the changes they made).

You follow? So it's like they sneak in a firmware app or keylogger, whatever, before I sign the changes I made. This would sign all changes made by myself and said hostile actor.

Could be a hacker, intel, police, whomever. I am more interested in what I can do to verify every piece of firmware, software, and all hardware is original to manufacturer specification.

I assume this is an audit.

AFAIK there is no secure audit of a compromised system. It can always tell you that everything is fine, when it isn’t. Your best bet is to reinstall everything, including the Coreboot.

1 Like

I will check into this. Is this the only way to rid potential unknown threats?

You know of a how-to guide? Share if you do! :slight_smile:

Looks like it’s here: https://docs.puri.sm/PureBoot/GettingStarted.html#oem-factory-reset.

2 Likes

Yeah unfortunately this doesn’t work anymore. Only thing that shows up is a few lines starting with MEM.

Do you know what might cause this or does this mean ME is enabled?

Thanks