3rd gen vs 10th gen - Intel ME

Further interesting references which belong to Intel ME:

https://www.reddit.com/r/privacy/comments/pvde9g/is_everything_i_do_useless_if_i_use_a_cpu_with/

https://askubuntu.com/questions/1280042/how-can-i-safely-confirm-intel-management-engine-status-disabled-or-enabled

https://security.stackexchange.com/questions/154737/how-to-disable-intel-me

https://security.stackexchange.com/questions/162812/can-a-self-build-router-minimize-the-potential-risk-of-intels-management-engine

I look forward to comments or clarifications.

Could someone please explain: Why do we need to neuter/disable ME if we just can use an USB network adapter to prevent remote access or exploitation?

I think the definition on wikipedia is in the ballpark, but not completely accurate. AMT is a set of functions that can be enabled by configuring specific vPro technologies (key being cpu, chipset & wired & wireless lan adapters), not just the cpu. Initially, it was just the lan adapter.

By neutering the IME, such as with the methods discussed by Positive Technologies, you break the configuration that enables AMT functions, such as remote management.

@unman I take the responsibility to correct the facts based on the work that happened from Heads (Trammel actually discovered that getting rid of some ME regions was not causing laptop shutdown 30 minutes later) and then me_cleaner picked up the work, and then Positive technologies advanced knowledge and HAP bit, which was then iteratively added under me_cleaner, until me_cleaner got unmaintained.

Heads has a little guide to clarify the facts here: Documentation: collaborators/maintainers/testers for faster problems resolution · Issue #692 · osresearch/heads · GitHub


The short version of this is that ME <10 can be deactivated + neutered (meaning that all modules outside of ROMP and BUP) can be removed. (where ME <6 could be completely removed but out of interest to Qubes OS: the x200 being a platform example).

That includes xx20 (Sandy bridge) which can be neutered to only have BUP (minimal requirement to BringUP the platform) and xx30 (Ivy bridge) which added ROMP as a requirement and cannot be removed. The best link to understand what happens when neutering is from me_cleaner doc here for those platforms: How does it work? · corna/me_cleaner Wiki · GitHub

Me > 11 adds Kernel and modules to non-removable modules. The correct term here is then deactivated (HAP bit) + minimized (not neutered anymore). The best documentation to understand what changed under ME > 11 signature scheme is again from me_cleaner documentation, this time under this link: How does it work? · corna/me_cleaner Wiki · GitHub


So newer platforms including ME (now named Converged Security Management Engine (CSME)) can still deactivate ME (with HAP bit) where minimizing is now limited since Intel adapted their signature scheme to encompass modules that now cannot be removed.

An excellent resource to see AMT/ME/MCSE exploits/papers is exploring tags on this webpage: Low Level PC/Server Attack & Defense Timeline — By @XenoKovah of @DarkMentorLLC

One reference of which is Conti, really recent (2022 June) and seen in the wild: Conti Targets Critical Firmware - Eclypsium


The goal is not to feed FUD, but be conscious of what is there, updated in firmware updates, new CPU extensions being present in newer processors, microcode updates presence or not. I replied under Short list of laptops/desktops that work well with Qubes OS - #245 by Insurgo as well to debrief on XSA-404 affecting Qubes and covered under QSB-081-2022. Those are complicated matters, once again…

3 Likes