Intel’s Management Engine

Recent CPUs from Intel requires a binary called the “Management Engine” (Intel ME, or ME for short). This binary is one of three parts required if a business elects to use Intel’s Active Management Technology (AMT), which Purism avoids. Purism laptops can function with a neutralized and disabled ME, as we have tested and demonstrated it is not required to operate a full desktop environment on Librem devices.

The Intel ME issue is arguably the hardest to overcome–some have even previously said “impossible”–but we are already making great progress.

What is AMT?

Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers. It allows someone else to monitor, maintain, update, upgrade, and repair a computer. Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents. Purism Librem computers avoids CPUs that have AMT (or as Intel calls it vPro enabled), and do not use Intel based networking, thus disabling this capability at the hardware level. However this does not change what the ME is capable of, which is why having a freed ME is so important to the Free Software Foundations Respects Your Freedom certification.

What is the ME?

The Intel Management Engine (ME) is a separate independent processor core that is actually embedded inside the Multichip Package (MCP) on Intel CPUs. It operates all-by-itself and separate from the main processor, the BIOS, and the Operating system (OS), but it does interact with the BIOS and OS kernel. It is a black box of mystery code at the lowest level, in ring -2, with complete control over every part of the system.


Freeing the ME is a challenge,
but not impossible

By working with Intel, motherboard design developers, as well as our coreboot developers, Purism has put in motion a solid approach on how to run a freed Intel ME in the future. Users would then be able to have hardware that is one step closer to respecting their freedoms at the BIOS level.

Why Purism has the uncommon ability to run a freed ME

The reason the Intel ME is so impenetrable is that you have to combine hardware selection, hardware configuration, hardware fuses, and firmware, which requires to push into the manufacturing and fabrication process. There is no other way to do it consistently over time. This is one of the many reasons Purism started as an organization: to solve really hard problems by manufacturing hardware that can fully respect users freedoms in the future. As mentioned in Purism Business Model and Vision, the model of “buy hardware, install free software” is aging, due primarily to the fact that there is a growing cryptographic bond between proprietary non-free signed binaries and the hardware that they run on. This bond renders it mathematically impossible to give each user control. Cryptography is superb when in the hands and control of each user, but it is nasty when it strips the users’ control.

Purism learned through the supply chain (and the provided manufacturing documentation) that we, as the motherboard fabricator, have a lot more control than the end-user does with regard to the Multichip Package (MCP). Choosing Purism as the manufacturer gives each user freedom, privacy, and security because Purism believes in giving users freedom, privacy, and security. These options would probably never see the light of day otherwise.

Our take on “enterprise”

While the highest profit margins in the PC industry come from large-volume purchases for businesses, this set up a downward spiral for user freedom. Business users are not the owners of their personal computer, which immediately divorces ultimate authority (“root”) from the end-user.

  • In “enterprise” environments, when malicious software is found, the machine is just “wiped” and the end-user is protected by the IT department’s hard work to secure the machine. In that environment, locking 100% of users into a black-box tamper-proof Management Engine (ME) makes a lot of sense.
  • Who is “root” gets even more complicated by using enterprise asset management and third-party tools.

Purism believes in end-user privacy, security, and freedom; users with full power over their computer can make a positive change for the future of computing. Therefore, we want users to choose to completely own their hardware instead of just getting to use it until its “end of life.”

Internet-connected users will update their BIOS faster, fixing security vulnerabilities as they are found. Better security saves you time and money. And it’s more fun when users have more freedom.

Understanding the ME lockdown through Field Programmable Fuses

During fabrication, the ME region can be locked through Field Programmable Fuses (FPFs). An e-fuse is a one-time programmable option inside each Intel CPU. The manufacturer has the option to lock the ME region before shipping the computer, but this is not a requirement, just an option.

Purism Todd Weaver Shenzhen CPU Fusing Configuration

To test that we can have a future with a freed ME, our Founder & CEO Todd Weaver, met with motherboard designers to discuss the fusing options.

Purism Todd Weaver Shenzhen China CPU Fusing Options

Purism receives Intel processors with manufacturing mode enabled, which lets us test various configurations and set various options allowing us to have a future where users control their device.

To name a few variables we could fuse:

Force Boot Guard ACM:
Protect BIOS Environment:
CPU Debug Disabled:
BSP Initialization Disabled:
Measured Boot:
Verified Boot:
Key Manifest ID:
Enforcement Policy:
Platform Trust Technology:

…etc.

Some of these fuses, if enabled, would force the ME region to exist in full, and could also make debugging and running coreboot impossible.

Remember, once FPFs such as these are set, they become immutable–permanently fused and impossible to change. The essential part here is to leave them unfused or to fuse them in a configuration that gives the end user control, supporting the best security, privacy, and freedom for users.

Purism’s policy is to ship these unfused, allowing a user maximum control. In the process, we are ensuring that users can use their Purism devices with the ME neutralized and disabled.

A neutralized and disabled ME

While finishing our first coreboot port, we have successfully neutralized (zeroed-out) a very significant portion of the Intel ME, thanks to the great work of the “me_cleaner” project. By doing so, we remove the Intel ME’s kernel, network stack, and about 90-92% of the Intel ME binary in total (this figure varies across ME versions).

When testing neutralization, the goal is to run and operate a neutralized Intel ME firmware+coreboot correctly for more than 31 minutes, as it takes 31 minutes to verify that the ME lockdown has been fully disabled (otherwise, the ME’s “watchdog” component would abruptly shut down the machine at the 30 minutes mark). We have demonstrated this as well:

But wait, there’s more. We also disable the Intel Management Engine using its own (until recently secret) features, the HAP (“High Assurance Platform”) bit. So we disable it cleanly, but—just in case—it is also “neutralized” by force to maximize your computer’s security and privacy.

The distinction between neutralization, disablement, and other states is quite subtle. Read our in-depth technical write-up on disabling the Intel ME on Skylake to learn more.

We are still working to completely remove (or reverse engineer, as we have begun to do) the Intel ME (and other components, such as the Intel FSP), on all our models, and will update on our blog (and this page) as we make progress on that front. In the meantime, feel free to check out the many topics related to this one!