Intel Management Engine
The Intel Management Engine (ME), also known as the Intel Manageability Engine,[1][2] is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008.[1][3][4] It is located in the Platform Controller Hub of modern Intel motherboards.
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with the deployment of a hardware device which is able to disconnect all connections to mains power as well as all internal forms of energy storage. The Electronic Frontier Foundation and some security researchers have voiced concern that the Management Engine is a backdoor.
Intel's main competitor, AMD, has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.
Difference from Intel AMT[edit]
The Management Engine is often confused with Intel AMT (Intel Active Management Technology). AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer,[5] such as powering it on or off, and reinstalling the operating system.
However, the ME itself has been built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.
Assertions that ME is a backdoor[edit]
Critics like the Electronic Frontier Foundation (EFF), Libreboot developers, and security expert Damien Zammit accused the ME of being a backdoor and a privacy concern.[75][4] Zammit stresses that the ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.[5]
Intel responded by saying, "Intel does not put back doors in its products, nor do our products give Intel control or access to computing systems without the explicit permission of the end user."[5] and "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease the security of its technology."[76]
In the context of criticism of the Intel ME and AMD Secure Technology it has been pointed out that the National Security Agency (NSA) budget request for 2013 contained a Sigint Enabling Project with the goal to "Insert vulnerabilities into commercial encryption systems, IT systems, ..." and it has been conjectured that Intel ME and AMD Secure Technology might be part of that program.[77][78]
Reactions[edit]
By Google[edit]
As of 2017, Google was attempting to eliminate proprietary firmware from its servers and found that the ME was a hurdle to that.[41]
By AMD processor vendors[edit]
Shortly after SA-00086 was patched, vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor,[99] a subsystem with a similar function as the ME.