Katana VentraIP

Intel Management Engine

The Intel Management Engine (ME), also known as the Intel Manageability Engine,[1][2] is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008.[1][3][4] It is located in the Platform Controller Hub of modern Intel motherboards.

The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with the deployment of a hardware device which is able to disconnect all connections to mains power as well as all internal forms of energy storage. The Electronic Frontier Foundation and some security researchers have voiced concern that the Management Engine is a backdoor.


Intel's main competitor, AMD, has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.

Difference from Intel AMT[edit]

The Management Engine is often confused with Intel AMT (Intel Active Management Technology). AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer,[5] such as powering it on or off, and reinstalling the operating system.


However, the ME itself has been built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.

Management Engine (ME) – mainstream chipsets

[21]

Server Platform Services (SPS) – server chipsets and [22][21][23]

SoCs

Trusted Execution Engine (TXE) – tablet/embedded/low power[25]

[24]

– C3000 family

Intel Atom

Intel Atom – Apollo Lake E3900 series

– N and J series

Intel Celeron

(i3, i5, i7, i9) – 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation

Intel Core

– Apollo Lake

Intel Pentium

– E3-1200 v5 and v6 product family

Intel Xeon

Intel Xeon – Scalable family

Intel Xeon – W family

Assertions that ME is a backdoor[edit]

Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern.[75][4] Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.[5]


Intel responded by saying, "Intel does not put back doors in its products, nor do our products give Intel control or access to computing systems without the explicit permission of the end user."[5] and "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease the security of its technology."[76]


In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency (NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to "Insert vulnerabilities into commercial encryption systems, IT systems, ..." and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program.[77][78]

Minifree Ltd has provided pre-loaded laptops with Intel ME either not present or disabled since at least 2015.[88][89][90]

Libreboot

previously petitioned Intel to sell processors without the ME, or release its source code, calling it "a threat to users' digital rights".[91] In March 2017, Purism announced that it had neutralized the ME by erasing the majority of the ME code from the flash memory.[92] It further announced in October 2017[93] that new batches of their Librem line of laptops running PureOS will ship with the ME neutralized, and additionally disable most ME operation via the HAP bit. Updates for existing Librem laptops were also announced.

Purism

In November, announced their plan to disable the ME on their new and recent machines which ship with Pop!_OS via the HAP bit.[94]

System76

In December, began showing certain laptops on its website that offered the "Systems Management" option "Intel vPro - ME Inoperable, Custom Order" for an additional fee. Dell has not announced or publicly explained the methods used. In response to press requests, Dell stated that those systems had been offered for quite a while, but not for the general public, and had found their way to the website only inadvertently.[95] The laptops are available only by custom order and only to military, government and intelligence agencies.[96] They are specifically designed for covert operations, such as providing a very robust case and a "stealth" operating mode kill switch that disables display, LED lights, speaker, fan and any wireless technology.[97]

Dell

In March 2018, , a German company which specializes in PCs which run Linux kernel-based operating systems, announced an option in the BIOS of their system to disable ME.[98]

Tuxedo Computers

Reactions[edit]

By Google[edit]

As of 2017, Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that.[41]

By AMD processor vendors[edit]

Shortly after SA-00086 was patched, vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor,[99] a subsystem with a similar function as the ME.

AMD Platform Security Processor

ARM TrustZone

Intel AMT versions

Intel vPro

Meltdown (security vulnerability)

Microsoft Pluton

Next-Generation Secure Computing Base

Samsung Knox

Spectre (security vulnerability)

Trusted Computing

Trusted Execution Technology

Trusted Platform Module

Intel-SA-00086 security vulnerability detection tool

Behind the Scenes of Intel Security and Manageability Engine