Hi, I’m very new to this stuff so I’m sorry if this is a stupid question. After doing some research, I discovered the existence of the Intel Management Engine(along with its AMD equivalent), which I’ve heard presents genuine security concerns as it could in theory be used as a hardware backdoor. So in response to that, many people suggested that I disable it through the installation of Libreboot. There just appears to be one problem: Qubes seems to require hardware virtualization technology in order for Xen to run correctly, but all of the processors which support this feature seem to be made within the last decade or so, where the management engine can only be partially disabled via the aforementioned method, not fully disabled like with older machines without virtualization tech. Is there truth to this? How concerned should I be? Solutions? Thanks so much in advance
Look into KCMA-D8 and KGPE-D16.
I don’t believe there is any reason to be overly concerned, you can use the HAP bit to disable ME on all intel processors.
In older machines, you could completely remove the IME.
In more recent machines, you can disable many functions of IME - you are
right that it cannot be “fully disabled”. But the functions that are left
do not provide a real threat.
As @renehoh says, probably not a reason to be overly concerned.
It’s worth pointing out that many components of newer machines run
code outwith the control of the OS, but this does not get the same
attention as Management Engines.
For the newcomer, can you describe where to find instructions to reset ‘hap’ bit.
It is reasonable for me to search for it, but for newcomers who have a lot of other things on their mine.
In the ifd (Intel Firmware Descriptor) region of the ROM you need to set a single bit, this will tell ME to shut down after the boot sequence is completed, this is the same as using me_cleaner with the -s option.
The offset of the HAP bit changes with every version of ME, but if you know the offset of the version you are using, you can just dump the ROM and use a hex editor to set the bit. Because the bit is in the ifd region and doesn’t change the BIOS or ME regions, it can be done with any bios firmware.
The Dasharo firmware has a feature in the bios menu that allows you to set the HAP bit, without have to worry about editing and flashing the firmware.
This is a good resource for ME info
You should get a laptop that can run QubesOS and also can be coreboot’ed. Coreboot “neuters” the Intel ME (IME). IME still stays in the BIOS chip, however, most of its functions removed. Basically, after coreboot’ing, IME thinks that it is running while it is stuck on boot up sequence or something. That allows you to keep using your laptop, without IME fully-active and spying on you.
You should check out youtube for videos on IME. There are some by one of its creators that explain the nuance between fully removing the IME and neutering the IME.
My suggestion for you is to get a Thinkpad X230 (with i7 CPU) and coreboot its BIOS chip. Tons of guide available online.
Hi, just briefly:
I have looked into all the various options how to deal with Intel ME just recently.
I just don’t want anyone else to have the ability to basically control everything and anything on my computer, so I wanted to deal with it out of principle. This is my hardware that I paid for with my money, so I should be who controls it. May be a slightly hardcore philosophy, but that’s how I see it, and I know I’m not the only one.
If I had had a hardware programmer and a chip clamp, plus someone who knows how to really work those by my side, I would have decided on Skulls BIOS.
I didn’t, so I decided to go with 1vyrain. This is a piece of software that allows you to software-disable the Intel ME on a limited range of laptop models without opening them up at all.
Check at the 1vyrain website what laptops it has been confirmed to work with.
In essence, first you run a second bit of software called IVprep - this rolls back your BIOS to an older version which has a vulnerability that the newer BIOS versions don’t have anymore. Then you run 1vyrain, and it uses that vulnerability to modify the BIOS.
You get the ability to disable Intel ME in the BIOS, along with a bunch of performance tweaking and some other settings that the stock BIOS doesn’t give you. I would have done it for disabling Intel ME alone.
I chose a Lenovo X230 for this because 1vyrain (and to my understanding the other, hardware flasher based, options to alter the BIOS and / or remove Intel ME) have been particuarly well proven and documented for that model, and because despite its age, if you throw some significant RAM into it, the X230 is actually a pretty capable machine in my opinion.
The good news is that the process of applying 1vyrain took me under an hour.
The bad news is that it took me two weeks to distill how exactly to do that step by step out of countless sources of information. To a low level nerd like myself, the existing documentation was very challenging.
The good news for you, if you want to try it, is that I have systematically written down every single tiny step of the process once I had figured it out; and then repeated it, following my own instructions, on a second X230, which also worked flawlessly. If you’re interested I can post the instructions here - no warranties or guarantees, but it worked for me.
Now about Qubes and performance after disabling Intel ME / performance in general / performance on an X230:
I just went through the process of installing Qubes on that same machine. That is also quite a journey for me, as it is really pushing (and exceeding) my abilities. @sm95 and @unman here in the forums have helped me heaps just in the last two days, especially with installing software that I need after installing Qubes, and generally with stumbling a bit less while learning the robes of using Qubes (I’m still a total greenhorn, but man Qubes is amazing!).
What I can tell you so far is that on the X230, a software that is particularly important to me, Freeplane, so far has periodic freezing issues - HOWEVER the jury is still out on this one, because I’m still hoping that this can be solved somehow. 480p video streaming works fine; 720p not really; 1080p is totally unusable. Maybe that can also still be improved, but I’m not using Qubes for video, in my use case.
What I can tell you as well though is that Qubes does run despite me having applied 1vyrain and disabled Intel ME.
Although I’m asking myself now just a little bit whether the virtualization issue regarding a non stock BIOS might actually have to do with the freezing issues that I am experiencing with Freeplane so far, and maybe with the video limitations as well? I don’t know. Maybe I’ll find out.
It might be noteworthy that my X230 has an i7 processor and 16 GB of RAM. Most X230 seem to come with an i5, which is about 20% less powerful, or thereabouts. If you want to try running Qubes on an X230, I’d suggest looking until you find an i7 one. They are not that much more expensive these days.
Not sure if any of this is useful for you or for anyone. Questions, ask! But remember I’m rather new to all this myself. I can tell you what worked for me and how I did things, but that’s about it, probably. Maybe it can save you some detours and time.
Worth mentioning: During the development of 1vyrain, not one single machine got bricked, much to the surprise and delight of the developers.
And it seems really rare that 1vyrain bricks laptops in general now that it’s “out in the field” as well. In fact, in over a week of researching this, I have only read about one single case where that seems to have happened.
The worst that seems a bit more likely to happen is that you need to find a hardware flasher and someone who can help you use that correctly in order to undo any seeming bricking situation that you might encounter with 1vyrain.
Most bricking experiences with 1vyrain seem to only seemingly be bricked, but are actually fixable with a hardware flasher.
And if you were to install any of the other available custom BIOS options (Coreboot, Libreboot, Skulls, Heads, there are more I think) you would need to use a hardware flasher anyway.
Btw: It appears to be true that most or almost all modern computers have backdoors similar to Intel ME and worse, and to my knowledge there is no fix for those so far, and there may never be.
However there are a few first small laptop manufacturers that are starting to offer laptops that aim to be backdoor-free, opensource-hardware, specifically suited for and compatible with Coreboot or other custom BIOS options. Some even come with Coreboot preinstalled. So if you must have a newer machine, you could look into that.
Until those machines become more common and available as more affordable used machines in the market, I’ll probably keep enjoying the X230 i7, which is an awesome amount of computer for your money, even today, in my opinion - and incredibly robust hardware as well.
Ok, enough for now Hope some of this is helpful. Enjoy your day!
Awesome, thanks so much. If you don’t mind posting it, it would be incredibly helpful. Sorry for such a late reply
Sure, here you go: How to use IVPREP and 1VYRAIN and Disable Intel ME on a Lenovo x230
4 posts were split to a new topic: How to use IVPREP and 1VYRAIN and Disable Intel ME on a Lenovo x230
Agreed! This is important to consider for a better user experience with a Thinkpad X230.
Getting X230 preferably with an i7 - and a fast SSD is crucial! Unfortunately I had a noname, slow SSD for a while. It really made a difference (in a bad way).