System76 ME Firmware Updates Plan
I am the engineer at System76 currently working on this. We are using ME cleaner with -S on all systems where possible - HAP bit will be set AND code removed. All systems will then be tested thoroughly in this configuration before it is released to customers.
Relevant source code can be found in the following places; keep in mind that it is still a work in progress:
- System76 Driver with Firmware Update support: https://github.com/pop-os/system76-driver/tree/firmware_artf...
- Firmware Update Frontend: https://github.com/system76/firmware-update
Please ask me anything
You don't need to buy branded laptops to be able to disable Intel ME. Thanks to me_cleaner, I have been running my Chromebooks with Intel ME disabled for years. You can do it too if you have 30 minutes and a raspberry pi.
Here is what the intelmetool [1] says on my laptop: https://i.imgur.com/yKTt5ga.png
What's even more interesting is that there is a simple, automatic, no-frills method to clamp a SOIC clip connected to a Raspberry Pi Zero to any Chromebook and it will clear out the Intel ME automatically with no user interaction. It's not even hard: all you have to do is configure the Pi to enable SPI, and then make the Pi automatically run flashrom to pull out the ROM from the Chromebook's flash chip, run ./me_cleaner on the ROM image, and then flash it back.
It can be done safely and automatically, and you wouldn't have to risk frying your laptop, so everyone could do it provided they can open their laptop. However, I'm too lazy to document it properly: either by providing the image tool to create the said Raspberry Pi Zero image + h/w instruction or by providing a premade hardware to do it.
I have reasons to believe that downloading a random binary image from a random guy nicknamed jimmies and using it to flash the firmware to your laptop because you don't trust Intel is probably not a great idea. The act of creating such a script to customize Raspbian, testing it to make sure that it works for every Chromebook or laptop, and making a hardware compatibility list is quite a daunting task. I was talking about that briefly to some of the security people, but then as a grad student trying to graduate it got to the pile of TODOs. So if anyone is interested in it, let me know and I can provide some more details.
Currently, I'm running a Dell 13-inch Chromebook that can be had for $300 and does everything I need.
1: https://github.com/coreboot/coreboot/tree/master/util/intelm... - disclaimer: I contributed a patch to the intelmetool to make it work on the Chromebook.
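The read, clean and flash-back sequence described in the comment above, written out as an added example (not part of the original comment and not the commenter's own setup) with the checks that make it safe to run unattended. The SPI device path and speed, the file names and the `ME_CLEANER` variable are assumptions; `-S` is the me_cleaner option named in the first comment of this thread.

```shell
#!/bin/sh
# Added example: guarded dump / clean / write-back through an external SPI clip.
# Assumptions: the Pi's SPI device node and speed, file names, and that
# me_cleaner.py is executable and on PATH.
PROG="${PROG:-linux_spi:dev=/dev/spidev0.0,spispeed=1000}"
ME_CLEANER="${ME_CLEANER:-me_cleaner.py}"

# Read the chip twice. A loose clip contact usually shows up as two
# differing dumps, in which case nothing is kept and nothing is written.
dump_verified() {
    out="$1"
    flashrom -p "$PROG" -r "$out.a" || return 1
    flashrom -p "$PROG" -r "$out.b" || return 1
    if ! cmp -s "$out.a" "$out.b"; then
        echo "reads differ: reseat the clip; chip left untouched" >&2
        rm -f "$out.a" "$out.b"
        return 2
    fi
    mv "$out.a" "$out" && rm -f "$out.b"
}

# Clean into a new file so the original dump survives as a backup, then
# refuse an empty or resized result before it can reach the chip.
clean_image() {
    "$ME_CLEANER" -S -O "$2" "$1" || return 1
    [ -s "$2" ] && [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] || return 3
}

# flashrom verifies the chip contents after writing by default.
flash_back() {
    flashrom -p "$PROG" -w "$1"
}

main() {
    dump_verified original.bin &&
        clean_image original.bin cleaned.bin &&
        flash_back cleaned.bin
}

# Only touch hardware when explicitly asked: ./script.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Keep `original.bin` somewhere off the Pi; it is the only way back if the cleaned image does not boot.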
> System76 will automatically deliver updated firmware with a disabled ME
Having the ability to automatically push new firmware of your own creation to customers' machines is more power than you ought to want. My security threat model as a System76 customer shouldn't have to include you (perhaps with you being hacked or coerced) pushing me malware that's undetectable to my OS after it's been installed.
Please reconsider this feature (of automatic firmware updates). Firmware updates are rare enough that it should be fine for them to be explicitly opt-in. It's great to want to make Intel's firmware more secure. But replacing Intel as a possible attack vector with yourselves is strictly worse for the machine's security.
This is a strong contrast with my experience in trying to patch the vulnerability on an Asus desktop motherboard.
The process was so byzantine that I very much doubt more than a small fraction of home users would get through it, or even bother starting.
The correct steps were (1) flash a newer BIOS, (2) install the Intel ME driver for Windows, (3) run the actual vulnerability patching tool. Discovering those steps required a bunch of trial and error and navigating Asus's really terrible website full of badly named downloads.
This is awesome. System76 does a lot for the Linux community. Everyone reaps the benefits of their work, even people that aren't customers. One example from just this blog post:
> System76 will investigate producing a distro-agnostic command line firmware install tool. Follow us on your preferred social network for updates.
> You must run Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops*
Ubuntu is the distribution that once sent everything you typed into the desktop search box to Amazon so that it could deliver you ads. Current versions may not do that but it's clear that Canonical prioritizes profit over privacy.
It's disappointing that if you choose not to run Ubuntu you can't take advantage of their firmware update tool.
If anyone's interested, here's the full article from Positive Technologies on how they went about discovering reserve_hap and disabling it.
Hi, I'm a mostly average Linux user just now learning about these hardware back doors as I'm planning on building a new computer. Can I avoid the disadvantages of ME et al by building my own computer from a separate motherboard and CPU? I remember reading that somewhere but I haven't seen it explored again.
My first thought was "Ah ha! AMD CPU!", but they seem to be in on it too. What's a "normal person" to do?
I hope other vendors will follow their lead but I'm certainly not holding my breath.
System76 are cool, but their laptops IMO should be better for the money they cost.
I'd still like to get one, but there's better stuff around at those prices.
I pieced together how to update a ThinkPad's ME firmware without Windows last week: https://news.ycombinator.com/item?id=15744152 - the process is a pain, as Lenovo only provides a Windows binary for installing the update, so you have to piece together a WinPE image that contains the ME driver and firmware update tool, boot it, load the driver, and then execute the firmware update.
The process is probably the same for most other vendors, so if your vendor provides a Windows ME firmware updater (no pun intended :P) you might be able to make it work that way.
Do AMD chips have a "management engine"?
I used me_cleaner on my old as heck Gigabyte Sandy Bridge desktop and was surprised how straightforward it was. I ran the Python script against the latest ROM, reflashed, everything works and I confirmed it's disabled.
Great to hear that you kill ME but I'll still stick with puri.sm or alpha.store because System76 machines are just too freakin overpriced. They talk about freedom and FOSS yet their machines can cost 1.5 times a MacBook, with free OS and rebranded Chinese $200 Clevo cases. Available price is an essential part of FOSS and OSHW philosophy, greed never had any place in this community.
I wonder if System76 might consider laptops with alternative architectures like POWER9. A number of them are open all the way down to and including their concept of microcode.
Is there any appliance or software that can passively monitor a network to see if any ME commands and related data flow back and forth from an attacker?
It seems to me that using ME as an _actual_ backdoor would be only an occasional thing, (maybe once in a lifetime thing), but it would be so cool to at least know when it is happening and maybe capture some packets.
Is there some way to disable this for AMD CPUs?
Shouldn't the news be that the ME can be disabled?
From what I heard the consensus was that it couldn't be turned off.
Just to be clear, the firmware upgrade tool is the same as the System76 Driver (pre-installed on System76 laptops)?
This will actually give people a way to vote with their wallet. Thank you!
Unrelated: any plans about integrating a trackpoint/ultranav solution in System76 laptops?
Just stop buying Intel.