> The Intel Management Engine (ME) is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.
>
> The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off.
>
> Intel claims the ME is required to provide full performance. Its exact workings are largely undocumented and its code is obfuscated using confidential Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.

See also: [[Libreboot]], [[AMD Platform Security Processor]]

# Hardware

Starting with ME 11, it is based on the Intel Quark x86-based 32-bit CPU originally designed for tiny, low-power applications like wearables. Previous versions of IME ran on a platform based on the RISC [[ARC]] architecture with the 32-bit ARCTangent-A4 and 16/32-bit mixed ARCompact instruction set depending on the CPU. Starting with ME 7.1, the ARC processor could also execute signed Java applets.

> Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout. With the newer Intel architectures (Intel 5 Series onwards), ME is integrated into the Platform Controller Hub (PCH).

> The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system.

> The ME also communicates with the host via the PCI interface. Under Linux, communication between the host and the ME is done via /dev/mei or /dev/mei0.

# Software

The software side of IME is [based](https://www.cs.vu.nl/~ast/intel/) on [[MINIX]] v3. Earlier versions used [[ThreadX]] RTOS. Media DRM and cryptography components are stored in the IME region of chips and firmware.
> As Intel has confirmed, the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode disables most of ME's functions, and was intended to be available only in machines produced for specific purchasers like the US government; however, most machines sold on the retail market can be made to activate the switch.

# Mitigation

- [[Libreboot]] does not itself remove IME, but it replaces the closed source firmware with its own when installed (the [docs](https://libreboot.org/faq.html#intelme) are a little unclear to me)
- https://github.com/corna/me_cleaner
- Minifree Ltd, Purism, System76, Tuxedo, and other vendors sell computers marketed as having IME disabled via HAP or other strategies.
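A defender's check that ties the /dev/mei note in the Hardware section to the HAP/soft-disable mitigations listed here: an added example (not from these notes, Wikipedia or me_cleaner) that reads the ME firmware status the Linux mei driver exposes in /sys/class/mei/mei0/fw_status and decodes the first register, HFSTS1, to report whether the ME is running normally or sits in a disabled state. The bit layout and mode names are taken from coreboot's HFSTS1 definition and are assumed to apply to the machine's ME generation; the register values used as samples are constructed.

```python
"""Decode Intel ME HFSTS1 as exposed by the Linux mei driver in /sys/class/mei/mei0/fw_status.

Field layout and mode names follow coreboot's HFSTS1 definition (assumed to match the
ME generation on the machine); they are not taken from the notes above.
"""
from pathlib import Path

FW_STATUS_PATH = Path("/sys/class/mei/mei0/fw_status")  # one 8-hex-digit register per line

WORKING_STATE = {0: "reset", 1: "initializing", 2: "recovery", 5: "normal",
                 6: "disable wait", 7: "transition", 8: "invalid CPU plugged in"}
OPERATION_MODE = {0: "normal", 2: "debug", 3: "soft temporary disable",
                  4: "security override (jumper)", 5: "security override (MEI)"}


def decode_hfsts1(value: int) -> dict:
    """Split the 32-bit HFSTS1 register into its named bit fields."""
    return {
        "working_state": value & 0xF,             # bits 0-3
        "mfg_mode": bool(value >> 4 & 1),         # bit 4: manufacturing mode
        "fpt_bad": bool(value >> 5 & 1),          # bit 5: firmware partition table bad
        "operation_state": value >> 6 & 0x7,      # bits 6-8
        "fw_init_complete": bool(value >> 9 & 1),
        "bup_load_failure": bool(value >> 10 & 1),
        "update_in_progress": bool(value >> 11 & 1),
        "error_code": value >> 12 & 0xF,          # bits 12-15
        "operation_mode": value >> 16 & 0xF,      # bits 16-19
    }


def summarize(fw_status_text: str) -> dict:
    """Parse fw_status text (first line is HFSTS1) and classify whether the ME is running."""
    fields = decode_hfsts1(int(fw_status_text.splitlines()[0].strip(), 16))
    fields["working_state_name"] = WORKING_STATE.get(fields["working_state"], "unknown")
    fields["operation_mode_name"] = OPERATION_MODE.get(fields["operation_mode"], "unknown")
    # "Running" = normal working state, init complete, normal operation mode. Anything
    # else (soft-disabled after a HAP/AltMeDisable bit, stuck in bring-up, error code set)
    # is what you expect after a mitigation, or a sign the platform needs a closer look.
    fields["me_running"] = (fields["working_state"] == 5
                            and fields["fw_init_complete"]
                            and fields["operation_mode"] == 0)
    return fields


if __name__ == "__main__":
    # Constructed sample used when the mei driver is not loaded: a fully running ME.
    text = FW_STATUS_PATH.read_text() if FW_STATUS_PATH.exists() else "90000245\n00000000\n"
    for name, val in summarize(text).items():
        print(f"{name:22} {val}")
```

Run it before and after applying a mitigation and keep both outputs; a change from "normal" to a disabled or bring-up state is the observable effect of the HAP bit on that machine.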