When it comes to Intel Management Engine, I actually think it’s not a threat if you neutralize it. I mean to just set the HAP bit on it. Because if that isn’t enough then that means all computers in the world which use Intel CPU can be accessed by NSA but if NSA had this much power then it seems obvious that they aren’t using it and why wouldn’t they use it?
There’s a github project to neutralize/disbale Intel ME: https://github.com/corna/me_cleaner Disable is overwriting intel ME as much as possible with zeros, leaving only a little remaining to be able to boot the computer. The newer the intel chips are, the less likely it is to be able to disable it. But all chip sets can be neutralized which means to set the HAP bit which is an official feature. In theory we can’t actually trust the HAP bit to really disable intel ME permanently. It’s more like asking Intel to do what they have promised because it’s proprietary. But I think it really does permanently disable it because otherwise NSA would be abusing this power.
That’s why I think the newer laptop models are better because it’s probably not necessary to disable, it’s enough to just neutralize withthe HAP bit. And with a newer modern laptop they can have open source Embedded Controller firmware which is better than proprietary Embedded Controller firmware.
I’m interested to hear what you think as well.
IMHO Intel ME or the AMD equivalent are only relevant for state level targeted attacks. It wouldn’t be wise for them to waste it on the small fries and risk having some snoopy I-have-nothing-better-to-do-with-my-life security researcher find some attack payloads.
Of course you are right to be worried and think about it. Right now the best you can do is coreboot, it allows you to disable it.
If you want to counter that risk the best is to get a computer like the nitropads (coreboot and only open source firmware, qubeos on top) https://www.nitrokey.com/news/2020/nitropad-secure-laptop-unique-tamper-detection or the ones of system76 After that, it’s no use worrying too much. You could as well be hit be hit in a car crash, a seism or a tsunami could also hit you city. Don’t think about it too much, just have a small plan so you are not too lost if the black swan comes for you.
Open source is not enough. It needs to be entirely free software. I recommend buying a Libreboot laptop from before 2009, they can fully disable/remove the IME and have a 100% free BIOS firmware (anything supported device with a Core Duo processor basically).
Thanks! I dug in and just found out that you can buy libreboot computers with Intel ME disabled and support the libreboot project on https://minifree.org/
They actually have an interesting selection.