Is Intel’s Management Engine disabled on all Purism laptops or with Pureboot only?

Purism laptops claim the ability to suppress the Intel’s Management Engine:

Purism laptops can function with a neutralized and disabled ME

“Neutralized and Disabled Intel Management Engine” appears to be a feature of Pureboot.

Does that mean that non-Pureboot laptops from Purism (i.e. with coreboot+SeaBIOS) do not have the IME disabled?

If so, is there a way to disable it without having to resort to Pureboot (and, hence, Librem Key)?

Intel ME is disabled and neutralized on my LIbrem 15 with Coreboot (without Pureboot).

Thanks, that sounds like good news. How do you know it is disabled/neutralized though? Is there a test?

I think the IME is less disabled/neutralized in the Librem 14 because of the newer CPU, but I don’t have a reference.

1 Like

Sounds quite possible, but then Purism appears to be unequivocal that it is disabled at least when Pureboot is used. There is no mention of any variance across L13/14/15.

I think there should be no difference between Pureboot or SeaBios in this case (disabled/neutralized IME), because both are only the payload that is run as the last stage of Coreboot execution. When talking about disabled and/or neutralized IME, it’s more a matter of the underlying hardware (CPUs, Chipset) and what’s inside the SPI Flash, especially in the ME region of that BootROM.
But disabled and neutralized are two different things: Disabled IME is a special manufacturing mode that allows for enabling a PCH strap inside the chipset, called the HAP bit (for High Assurance Platform, a program for Agencies that fear the IME co-processor might be an ideal rootkitting infrastructure for compromizing the entire chain of trust in Ring -3, hence controlling the lowest level of the system and possibly even gaining persistence, undetected) When this HAP strap is set, the ME executes only three basic modules required for starting the main processor; and then it just dies (does not execute any other modules and stops altogether - as far as we are told)
“Neutralized” means that the ME region of the SPI Flash could be entirely “bleached” using the ME_Cleaner utiity, actually removing all the other modules and partitions except what is absolutely needed for platform bringup. This is an additional security feature that prevents the IME from loading and running any of its many many features, modules, runtimes and processes which nobody has any visibility or documentation on. The idea is that if there is nothing to run (because it was “cleaned”), we can be reasonably sure that no backdoor or unknown feature could be running even as we are told that the IME is in idle mode via the HAP bit and hence supposedly disabled.
To my knowledge, L15 and L13 running the versions 11.xx of the Firmware Support Package - that is architectures Skylake and Kabylake processors - can be neutralized for sure and actually are.
But on later architectures like gen 10th processor used on the L14, it does not seem possible (as far as I know) to clean the ME software anymore, due to the chipset manufacturer unfortunately closing this avenue. Hence, I would say that the L14 has IME disabled, but does not have it neutralized.
In the end, it is just a question of trust: do we trust that disabling the IME via the HAP bit is really sufficient in itself for nothing else to be running in there, or do we not entirely trust this method and would rather also have all the ME software removed as a confirmation that nothing can execute because there is simply no code to be loaded.

1 Like

Great to know, thank you for the insight!

Indeed, the L14 page says only “disabled” but nothing about “neutralized” — contrary to the 2017 article explicitly mentioning both.

If the L14 indeed only has the ME disabled but not neutralized, the Pureboot page appears to be somewhat misleading as users may assume that switching to Pureboot guarantees neutralizing the ME, but, as you noted, neither disabling nor neutralizing it has anything to do with Pureboot.

That depends on what you are prepared to trust / assume. :wink:

You might want to read IME neutralization on Librem 14 (or that topic in general).