Opinion: Me_cleaner to disable IME

Security experts, whats your take on this script to disable IME?

I hear complete removal of IME is not impossible on new Intel chips. Is this true? How has Purism dealt with this?

(Is “not” supposed to be in your question?)

Complete removal of IME was always impossible, as far as I know.

If the IME backdoor can’t be totally removed, how does anything else we do for security even matter? NSA, China, the chip manufactures, and eventually the leaks to hackers now have a backdoor to the system, regardless of the boot, the hardware audits, Qubes… or anything else we do.

And what about AMD?
Are they any better than Intel at this point?

AMD has PSP which is no different. I’ve heard AMD was considering to release source but chose not to. Fully removing ME isn’t really possible. Fully disabling is technically possible (changing of HAP bit for the alphabet boys) but not for consumer or corporate. You can mostly remove it as purism has done but this isn’t absolute. If you want true trusted computing, you would need to buy a computer from raptor computer systems. These are ppc based from IBM and the firmware is entirely controlled by the user for everything and you can verify everything or even compile the firmware yourself. Their motherboards are pretty bare bones when you receive so you would need to extend with pci devices. Qubes doesn’t support ppc yet but they are working on that. For the time being, I’d suggest openBSD and use powerkvm and setup various virtual machines. Talos computers aren’t exactly perfect but they are incredibly free.

What purism sells currently is products with ME incredibly crippled but not “neutralised” as they put it. Through their testing, it seems to not be able to do a whole lot at all but by the word neutralised, it feels a little snake oil to me especially in comparison to a product from raptor CS.

Qubes getting ppc support:

A video on talos 2:

The video says how it still isn’t perfect as with requiring blobs for your GPU and “nvme controllers” but at least it seems quite minimal. I guess you can dig deep into using a free GPU but that’s another rabbit hole.

edit 1:
oh and also obviously some other things such as concern over firmware running on your secondary storage and such which is also another rabbit hole.

1 Like

AFAIK this scrip is exactly what Purism used to do with their Librem 13 and 15: https://puri.sm/projects/coreboot/. For Librem 14 unfortunately, it does not work anymore, one can only disable. ME.

Verifying the Intel ME is Neutralized

complete removal of the ME firmware from flash was possible on the original Core CPUs; starting with Sandybridge (2nd gen Core) only partial removal possible

1 Like

it was more interesting 4+ years ago when it was actually maintained/supported recent/current hardware


That’s a very black and white approach. Maybe that’s a bit like saying that because a determined intruder can smash your door down you’re not going to bother to lock it.

Answering part of the question … if you trust that the HAP bit is effective then you limit the amount of time that the IME is active in the system. That is, my understanding is that the main CPU won’t boot unless the IME is active but subsequently (an eternity in clock cycles, a blink of an eye for a human) you can ask the IME to cease operation, having done its ostensible job.

Another consideration is that if you, for example, don’t trust Intel then … the IME is irrelevant, required or not, dodgy Intel CPU microcode updates are irrelevant, and all other security features (boot path integrity, robust operating system, hardening, encryption, …) are irrelevant because the backdoor can be baked in to the silicon.

At the end of the day you have to decide whether “good enough” is good enough, whether the utility of the device in the best state that it can be in outweighs the remnant weaknesses.

I would love for there to be better practical alternatives than the x86_64 duopoly. Maybe one day there will be …

There is. RiscV is becoming accessible and ARM-Platforms (like the Librem5 or the MNT Reform - soon alternatively with a powerful, new SOM or even with an RiscV SOM) are not bringing IME and generally are more open.

1 Like

Pretty expensive aren’t they?

Yes, they are. There’s no mass market for such project, yet. But they are accessible. There is no big money involved - they are just more expensive. People really wanting or needing openness and review-ability can decide to get these and pay for them.

Note that I have set the bar pretty high. For a start it needs to be a CPU that has an open design for the silicon i.e. anyone (suitably qualified!) can audit it and fab it; and it needs to be acceptable performance for general purpose use (which is not such a high bar).

I believe that a lot of ARM implementations would fail on the first point.

I think it might be a little overstated to call it powerful. Yes on single core processes for sure, and the increase in RAM is great, but you are loosing two cores with it. In this light the processing bump is rather slight. Still, I’m getting it as soon as it is available! But first, I just need to get the Reform. :wink:

1 Like

shouldnt the question be on a librem 14" laptop has me_cleaner been used by purism, is it a requirement for coreboot installation?

Should i as a user use the Hap option 2 or is that bit flipped already on librem 14" laptops? Option 1 does it work with Librem 14".

Plus is there a way to protect from such backdoors using software?