Kill Intel ME Whisky Lake

0bit · December 3, 2021, 6:49am

Does anyone know a way to disable the Intel ME for the Whisky Lake ( i5-8265U)?
The me_cleaner does not work unfortunately, also the more current forks dont work

ppc · December 3, 2021, 8:13am

so how do you know it doesn’t work?

0bit · December 3, 2021, 10:08am

I tryed it severall times with all give options. After flashing the me is still alive and active.

On older CPUs it worked for me (thinkpad T450s)

ppc · December 3, 2021, 1:57pm

but how you know it still active?

unman · December 3, 2021, 3:22pm

me_cleaner works up to Kabylake - I’m not aware of anything that will
work on WhiskeyLake.
Yet another reason not to rush for the latest hardware.

That said, Purism offer a 14 with CometLake and claim that the IME is
disabled. AS they did for the 13, and that had WhiskeyLake.
I had a quick check on github and don’t see anything on how they did this

it might be worth your while looking in more detail.
Purism · GitHub

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

0bit · December 3, 2021, 5:41pm

Thank you, ill take a look

unman · December 4, 2021, 1:53pm

If you find the answer can you posy back here?
I looked at the 13 script for building coreboot and it just called
me_cleaner. Go figure.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

0bit · December 16, 2021, 7:16pm

So i tried it right now, i used the forked me_cleaner from dt-zero . I have used the -S -O option. It said the HAP AltMeDisable bit is set. So i dumped the status:


MEI found: [8086:9de0] Cannon Point-LP MEI Controller #1

ME Status   : 0x94000245
ME Status 2 : 0xf18506

ME: FW Partition Table      : OK
ME: Bringup Loader Failure  : NO
ME: Firmware Init Complete  : YES
ME: Manufacturing Mode      : NO
ME: Boot Options Present    : NO
ME: Update In Progress      : NO
ME: Current Working State   : Normal
ME: Current Operation State : M0 with UMA
ME: Current Operation Mode  : Normal
ME: Error Code              : No Error
ME: Progress Phase          : ROM Phase
ME: Power Management Event  : Clean Moff->Mx wake
ME: Progress Phase State    : (null)

ME: Extend Register not valid

ME: Firmware Version 12.0.1606.68 (code) 12.0.1606.68 (recovery) 12.0.1524.47 (fitc)

ME Capability: Full Network manageability                 : OFF
ME Capability: Regular Network manageability              : OFF
ME Capability: Manageability                              : OFF
ME Capability: Small business technology                  : OFF
ME Capability: Level III manageability                    : OFF
ME Capability: IntelR Anti-Theft (AT)                     : OFF
ME Capability: IntelR Capability Licensing Service (CLS)  : ON
ME Capability: IntelR Power Sharing Technology (MPC)      : OFF
ME Capability: ICC Over Clocking                          : OFF
ME Capability: Protected Audio Video Path (PAVP)          : ON
ME Capability: IPV6                                       : OFF
ME Capability: KVM Remote Control (KVM)                   : OFF
ME Capability: Outbreak Containment Heuristic (OCH)       : OFF
ME Capability: Virtual LAN (VLAN)                         : ON
ME Capability: TLS                                        : ON
ME Capability: Wireless LAN (WLAN)                        : OFF

Im confused, because the ME status differs . Is it sill alive? I also have the correct ME Version showed up in the BIOS. On my older T450 the firmware version is gone