Ultimately the problem is that because the source code is closed, we cannot verify whether the HAP bit does what it says it does, so one's confidence in the disable feature comes down to how much trust one puts in Intel, I suppose. It very well could disable things exactly how they say, and there is a possibility it doesn’t (a possibility that would require a direct conspiracy between Intel and NSA).
Since we can’t know for sure, we’ve additionally added the neutralization step on past Librem laptops so that even if it were somehow remotely enabled even with the HAP bit set, there isn’t much code left for it to execute. The NSA isn’t magic. Code, especially code to allow remote access like that, does take up actual space on a chip, so neutralization gives extra peace of mind.
Many of these concerns come down to the fear that someone could remotely control a machine using the ME. This concern originated in the fact that corporate ME releases ship with Active Management Technology (AMT) which lets an IT worker remotely manage a fleet of machines including seeing what is on their screens, as long as AMT was enabled and the machine was on the network.
We originally addressed these concerns by installing the consumer ME that doesn’t include AMT code at all. That way you know that code isn’t present to execute to begin with. Then you are just left with worrying that somehow the same remote access technology from AMT is included by default, in secret, in the base ME, but somehow doesn’t take up nearly the space that AMT does even though it provides the same features. It seems unlikely, but I suppose it could be possible.
There is value though in neutralization outside of the above peace of mind and outside of “paranoia” (and paranoia to me isn’t enough of a reason to drive most security decisions–some of the most convoluted, overengineered, overcomplicated, and ultimately less secure security measures I’ve seen have been driven by “paranoia” instead of actual threat modeling).
The value outside of peace of mind and “paranoia” is simply that by reducing the amount of mystery code we have to rely on to a minimum, we reduce the overall attack surface, not just from some alleged NSA remote access exploit that is based on speculation of a conspiracy between the NSA and Intel, but also from actual ME exploits in the wild. So all this to say we find neutralization valuable and want to re-enable that protection for our modern CPUs when it’s possible.
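As an added example, not from the post above or from Purism's own tooling: a small Python check that reads the flash descriptor of an SPI flash dump and reports the size of the ME region (what neutralization shrinks) and whether the HAP strap is set. It assumes Intel's public descriptor layout (signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, FLREG2 = ME region) and that HAP is bit 16 of PCHSTRP0 on ME 11+ platforms, as set by the common neutralization tooling; the image bytes are constructed for the demonstration.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A          # descriptor signature at offset 0x10
HAP_BIT = 1 << 16                  # assumption: PCHSTRP0 bit 16 = HAP on ME 11+ (Skylake and later)


def parse_descriptor(img: bytes) -> dict:
    """Return ME region bounds/size and HAP strap state from a flash dump."""
    if len(img) < 0x1000 or struct.unpack_from("<I", img, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # flash region base address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4     # PCH soft-strap base address
    flreg2 = struct.unpack_from("<I", img, frba + 2 * 4)[0]   # region 2 = ME
    base = (flreg2 & 0x7FFF) << 12
    limit = (((flreg2 >> 16) & 0x7FFF) << 12) | 0xFFF
    pchstrp0 = struct.unpack_from("<I", img, fpsba)[0]
    return {
        "me_base": base,
        "me_limit": limit,
        "me_size": (limit - base + 1) if limit >= base else 0,  # base > limit means "unused"
        "hap_set": bool(pchstrp0 & HAP_BIT),
    }


def build_sample(hap: bool) -> bytes:
    """Constructed 4 KiB descriptor: ME region at 0x3000..0x1FFFFF, HAP optionally set."""
    img = bytearray(0x1000)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)
    struct.pack_into("<I", img, 0x18, (fpsba >> 4) << 16)
    struct.pack_into("<I", img, frba + 8, (0x3000 >> 12) | ((0x1FF000 >> 12) << 16))
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap else 0)
    return bytes(img)


if __name__ == "__main__":
    info = parse_descriptor(build_sample(hap=True))
    print(f"ME region 0x{info['me_base']:06X}-0x{info['me_limit']:06X} "
          f"({info['me_size']} bytes), HAP set: {info['hap_set']}")
```

On a real dump (e.g. from flashrom), compare the ME region size before and after neutralization; the HAP result only tells you the strap is set, which is exactly the part the post says cannot be verified against closed source.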