Linked by Thom Holwerda on Tue 10th Oct 2017 23:45 UTC

The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -2, independently of the BIOS, main CPU and platform operating system - a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported).

In this mini-guide, I'll run through the process of disabling the IME on your target PC.

Apparently, the IME co-processor runs... MINIX 3. That is incredibly fascinating. This means every post-2006 Intel PC runs MINIX.
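The blurb above says the ME runs below the OS with its own firmware, and the guide it links to is about disabling it. The practical question that follows is how to verify, from the host, what state the ME firmware reports itself in. The register that answers that is HFSTS1 (Host Firmware Status 1); the decoder below is an added example written for this page, not code from the linked guide or from Intel. Everything about the register is an assumption taken from coreboot's intelmetool: that it lives at PCI config offset 0x40 of the MEI/HECI device (usually 00:16.0, so `setpci -s 00:16.0 0x40.L` reads it on Linux), and the field layout and value names used below. The two sample values are constructed to exercise the decoder, not readings from real hardware.

```python
#!/usr/bin/env python3
"""Decode the Intel ME HFSTS1 register to see what state the ME reports.

Added example, not part of the original page. Register offset, field
layout and the meaning of the enumerated values are assumptions taken
from coreboot's intelmetool; verify them against that source before
relying on the output for a given chipset generation.
"""
import sys

# Assumed (from coreboot): HFSTS1 is at this PCI config offset on the
# MEI/HECI device, typically 00:16.0.  Read it with:
#   setpci -s 00:16.0 0x40.L
HFSTS1_OFFSET = 0x40

# Assumed enumerations (coreboot intelmetool me.h / me.c).
WORKING_STATE = {0: "Reset", 1: "Initializing", 2: "Recovery",
                 5: "Normal", 6: "Wait", 7: "Transition"}
OPERATION_MODE = {0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
                  4: "Security Override via Jumper",
                  5: "Security Override via MEI Message"}
ERROR_CODE = {0: "No Error", 1: "Uncategorized Failure",
              2: "Disabled", 3: "Image Failure"}


def bits(value, lo, width):
    """Return `width` bits of `value` starting at bit `lo`."""
    return (value >> lo) & ((1 << width) - 1)


def decode_hfsts1(value):
    """Split a 32-bit HFSTS1 value into its fields (assumed layout)."""
    value &= 0xFFFFFFFF
    return {
        "working_state": bits(value, 0, 4),
        "mfg_mode": bool(bits(value, 4, 1)),
        "fpt_bad": bool(bits(value, 5, 1)),
        "operation_state": bits(value, 6, 3),
        "fw_init_complete": bool(bits(value, 9, 1)),
        "ft_bup_ld_flr": bool(bits(value, 10, 1)),
        "update_in_progress": bool(bits(value, 11, 1)),
        "error_code": bits(value, 12, 4),
        "operation_mode": bits(value, 16, 4),
        "boot_options_present": bool(bits(value, 24, 1)),
    }


def me_is_running(fields):
    """True only when the ME says it completed init in normal mode.

    Anything else (reset/recovery working state, a security-override
    operation mode, an error code) means the ME is not running normally;
    it does not by itself prove the firmware was removed from flash.
    """
    return (fields["working_state"] == 5
            and fields["operation_mode"] == 0
            and fields["error_code"] == 0
            and fields["fw_init_complete"])


def describe(value):
    """Human-readable summary of an HFSTS1 value."""
    f = decode_hfsts1(value)
    lines = [
        "HFSTS1 = 0x%08x" % (value & 0xFFFFFFFF),
        "  working state : %s" % WORKING_STATE.get(f["working_state"], "Unknown(%d)" % f["working_state"]),
        "  operation mode: %s" % OPERATION_MODE.get(f["operation_mode"], "Unknown(%d)" % f["operation_mode"]),
        "  error code    : %s" % ERROR_CODE.get(f["error_code"], "Unknown(%d)" % f["error_code"]),
        "  fw init done  : %s" % f["fw_init_complete"],
        "  mfg mode      : %s" % f["mfg_mode"],
        "  => ME running normally: %s" % me_is_running(f),
    ]
    return "\n".join(lines)


# Constructed sample values (not captured from hardware):
#   0x00000245: working state Normal, init complete, mode Normal
#   0x00040000: working state Reset, mode "Security Override via Jumper"
SAMPLE_RUNNING = 0x00000245
SAMPLE_OVERRIDE = 0x00040000

if __name__ == "__main__":
    values = [int(a, 0) for a in sys.argv[1:]] or [SAMPLE_RUNNING, SAMPLE_OVERRIDE]
    for v in values:
        print(describe(v))
```

Pass the value printed by `setpci` as an argument (`python3 hfsts1.py 0x00000245`); with no argument the two constructed samples are decoded. Because the bits come from the ME firmware itself, this check only tells you what the firmware reports; confirming that code was actually removed from the flash image is a separate step done on the dumped SPI contents.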

Thread beginning with comment 649792
Question
by Earl C Pottinger on Thu 12th Oct 2017 21:45 UTC

If the CPUs run okay with IME disabled, why did we need it in the first place?

Reply Score: 2

RE: Question
by ssokolow on Sat 14th Oct 2017 07:07 in reply to "Question"

The system can run without the IME because, originally, its purpose was to allow remote administration of servers even when the primary OS is completely borked. (Hence the "ME" part. [Remote] Management Engine.)

That's probably also the reason that it resets the system if the IME doesn't come up quickly enough. Better to have your server fail while you're still in the datacenter doing the install than to discover the IME is broken just when you need it.

...and, since then, the new modules that were added are so that the entire "decrypt video, then re-encrypt with HDCP" step can be moved completely outside the reach of software the user can inspect or modify.

Edited 2017-10-14 07:08 UTC

Reply Parent Score: 2