Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Intel Security Open Source Operating Systems Privacy Software Linux

System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com) 149

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
This discussion has been archived. No new comments can be posted.

System76 Will Disable Intel Management Engine On Its Linux Laptops

Comments Filter:
  • by Anonymous Coward

    I'm glad that they are doing this, BUT, from what I know about the IME, it is extremely complicated and disabling it is not simple or straight forward -- otherwise someone would have done it a long time ago.

    • Re: (Score:3, Interesting)

      by Narcocide ( 102829 )

      I want to belieeeeeve!!! Save us system76 you're our only hope!!

    • Re:If it works (Score:5, Informative)

      by cfalcon ( 779563 ) on Thursday November 30, 2017 @08:02PM (#55655013)

      There was new-ish news about this from the summer. A few privacy-minded places are starting to shut the ME down in various ways, some by spoofing the flag the government uses to disable it on its own systems, others in other ways.

    • by Z80a ( 971949 )

      The problem was understanding what IME does as it is a encrypted black box piece of hunk.
      But things are made quite a lot easier with the literal NSA bit that disables everything but the bare essentials to operate the machine.

  • Wake me when they start shipping laptops with it physically removed or burned out.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Typical slashdot user who is never satisfied by any progress toward something nice...
      • Oh, admit it, you're thinking of drilling some holes in a few motherboards as a test, too.

        • I can't speak for the AC, but I'd be down to experiment with a pile of motherboards and a power drill if someone else is buying.
  • I have yet to hear of a single useful thing IME gets me, and lots of bad things it gets me. Current laptop runs an AMD chip, when it dies/becomes obsolete in 5 years or so I'll use it to determine which CPU my new system will have.

    / Yeah, I said 5 years. This thing is 3-4 years old
    // hard drive is less than half full, even though I have a NAS I'm not good at updating
    /// I remember the 3 year updates, with a graphics card every 18 months. Times have changed
  • by GerryGilmore ( 663905 ) on Thursday November 30, 2017 @09:10PM (#55655323)
    ...IME was originally designed for servers only. Any OldFarts(TM) out there - remember crash carts? Yeah, the ability to remotely power-cycle servers was a really big deal when you're running hundreds/thousands of servers and VMs were just a pie in the sky. Also, basic front-end network management 101 handled security. There are still good reasons to allow IME in server deployments, but I see no good reason for including this in laptops. I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.
    • most servers boards have ipmi with own nic most boards have a setting for combined or own. If intel wants to kill ipmi and go to IME they will need have so it can be put on it's own nic.

      • They'll just embed the NIC controller in the CPU alongside the memory controller and the VGA garbage.

    • Isn't IME on desktops and laptops for when they're used in corporate environments? Remote provisioning, updates, etc.

      It lets, for example, computers be removed from the network until OS patches have been applied.

      • by Anonymous Coward

        Yes, it's ridiculously useful OOB management, like having a KVM built right in. While I think there should be a simple and transparent way to completely and verifiably disable it, having used it for many years, I can't agree with the many reactionary Slashdot commenters that it serves no purpose other than a convenient NSA back door. If it were to go away tomorrow, a lot of businesses would be severely impacted.

        • by Picodon ( 4937267 ) on Thursday November 30, 2017 @11:56PM (#55655951)

          ...I can't agree with the many reactionary Slashdot commenters...

          ...there should be a simple and transparent way to completely and verifiably disable it, ...

          I think it’s a bit more than that. The feature may be useful, but the outrage is legitimate. Consumers, most of whom arguably have no need for such feature, fortuitously found out about its existence and that it is enabled in their computers. They had not been told about it, so they had no way to even try to use it. Other people (government, corporate, hackers) knew about it, so the malicious among those were in the position of abusing it (by exploiting its features and its security flaws). No wonder consumers are in arms over this. They are not over-reacting.

          So, no, a way to disable it is not enough. This kind of feature requires full disclosure (before you buy), documentation (so that you can actually use the feature if you want) and, at least on systems sold to consumers who are unlikely to use it, it should be entirely disabled by default. Institutional customers who buy computers in quantity can (and indeed do) request the configuration that they want (including, for example, activation of Intel’s anti-theft protection).

          • by AmiMoJo ( 196126 )

            You can't even disable it. There is a disable flag you can set, but the ME is still used to bring the CPU up from cold and then you have to trust that the flag does what it claims to do. You can try to sabotage the ME by deleting all the firmware modules except the early boot stuff, but then you are still vulnerable to any flaws in that boot code.

            This is a general problem with CPUs. Most modern ones run microcode which is updated by the BIOS and comes as a binary blob. They all have hidden code, hidden feat

            • by Megol ( 3135005 )

              You can't even disable it. There is a disable flag you can set, but the ME is still used to bring the CPU up from cold and then you have to trust that the flag does what it claims to do. You can try to sabotage the ME by deleting all the firmware modules except the early boot stuff, but then you are still vulnerable to any flaws in that boot code.

              Just as one is vulnerable to flaws in the transistor layout.

              This is a general problem with CPUs. Most modern ones run microcode which is updated by the BIOS and comes as a binary blob. They all have hidden code, hidden features for testing and debugging, hidden op-codes.

              X86 have to use microcode but most other do not.
              Microcode in itself isn't a problem. The reason is simple: if you don't trust the designer/manufacturer of your processor then not having microcode doesn't make any difference. If you do then signed microcode updates isn't a problem.

              Open source microcode updates would only lead to problems as they are part of the microprocessor design, the code is targeting a design that can vary even within a family

              • by AmiMoJo ( 196126 )

                Microcode in itself isn't a problem. The reason is simple: if you don't trust the designer/manufacturer of your processor then not having microcode doesn't make any difference. If you do then signed microcode updates isn't a problem.

                It is a problem, because unfixed microcode can change the behaviour of the CPU. Even if you do trust it, you can't be sure that it can't be backdoored by someone else. Signed updates help but are not bulletproof.

                RISC V?

                Maybe one day. For now the price/performance isn't there.

    • but I see no good reason for including this in laptops.

      Is that because you think the only equipment which needs managing is servers? Hell as someone who has a mother with a computer I'm personally hoping they'll introduce a HCF instruction that can be triggered remotely.

      Ok facetiousness aside, IME is a "feature" based product which is why they charge extra for chips that have more IME functionality. Management of remote machines is customer driven. It's the same justification for things like bitlocker to be included in Microsoft's OS. These companies look to se

    • by tlhIngan ( 30335 ) <slashdot.worf@net> on Friday December 01, 2017 @02:41AM (#55656341)

      I suspect that this was brought into the Core line due to those people building servers needing remote management using i7, etc. chips, but that's just a guess.

      No, it was brought into the main chips because servers have stuff like IPMI and ILO for remote management, but employee PCs do not. And the same reason servers can be remotely managed can be applied to employee PCs and laptops. The only difference is servers are usually concentrated in a few areas, so it's much easier for 10,000 servers to be locally managed than 10,000 PCs, making the case for remote management of PCs even more critical.

      You can do bare metal bringups - perhaps the employee got to their desk and their PC is dead - it won't load the OS and there's lots of error messages. IT's effectively ILO or IPMI for consumer grade machines.

      Of course, you can't "disable" IME - you can neuter it. The firmware that controls power and boot and startup and all that must still run in order for the main CPU to be brought up, so you need IME to do that part. Neutering basically disables all the remore management while leaving the power management code still active.

      • Unfortunately, the homebuilt Asus sabertooth system I assembled uses Intel ME due to Raid I need for running Hyper-V and VMWare Workstation Vms.

        I use Intel RST for storage which uses the IME for my fakeRaid. I am hooked on it so to speak. Also Wake on LAN and certain UEFI functions that need to work when you disable BIOS emulation( CSM ) for fast booting need that horrible Intel ME/Minix to run properly.

        So even on PC's some of it's functionality is used. AMD has zonetrust. My hunch is maybe something in the

  • by Anonymous Coward

    if you can't control what's in it.

  • by Keruo ( 771880 ) on Friday December 01, 2017 @02:28AM (#55656303)
    Isn't it mind-boggling that Minix is actually more used on laptops currently than Linux?

    (The management engine runs custom version of Minix)
    • by Megol ( 3135005 )

      Please write Minix 3 as it isn't the same as previous versions, designed for different goals and with different design features.
      Have seen many supposedly technical people being confused already, thinking that the ME runs what Linus Torvalds once used before making Linux.

    • Comment removed based on user account deletion
    • Tanenbaum's revenge on Linus, Muhahaha!
  • by Anonymous Coward

    System76 seems to be one of very, very few American manufacturers that can be trusted. But one issue still remains - have they received any NSA court orders, compelling them to subvert the systems they sell?

  • by Anonymous Coward

    Stop it's ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.

    Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software articles note)? A malware to 'repatch' this

  • by account_deleted ( 4530225 ) on Friday December 01, 2017 @11:02AM (#55657781)
    Comment removed based on user account deletion
    • by Ayano ( 4882157 )
      They get their laptops from the generic laptop manufacturer that supplies both Clevo and Sarger.

      The only real add they have is a small crack driver support team and a little customization before shipping it to you.

      That said, it's guaranteed to work with the hardware, and I've had several s76 laptops both personally and purchased on my behalf at the workplace. Not really sure how I feel about them, but I do like their mobile workstations (a 'special' kind of laptop).
  • Inadequate fix (Score:2, Informative)

    by Anonymous Coward

    Intel CPUs still run a blob at initialization called the FSP. This is sometimes entangled with the ME, but is separate and is not getting disabled. The blob is usually writable for updates and must run before any user-supplied code, so it's an ideal spot to put persistent malware to evade verified boot anti-persistence schemes. The AMD equivalent is called the PSP [twitter.com].

  • by Rick Schumann ( 4662797 ) on Friday December 01, 2017 @12:35PM (#55658471) Journal
    Having worked at Intel for a while testing graphics drivers, I know that the Management Engine is also leveraged to perform HDCP (High Definition Content Protection) as well as remote-management functions; any idea how disabling it at the firmware level will affect that? If HDCP is disabled as well then some AV content might not be playable on Intel platforms.
  • When we migrated from macs to linux laptops one year ago, I first considered buying System76 machines. I quickly understood they'd never offer the non-US keyboard in use here (I went up to asking them if a separate procurement would be feasible... no)
    Then I discovered, much closer to my home, the German guys from Tuxedo. Smaller company, not the same surface on internet. But brilliant products. And localized keyboards.
    Well, when the Intel-mgt-bug was discussed (first on LWN, months and months ago) I contact

"Pay no attention to the man behind the curtain." -- The Wizard Of Oz

Working...