On 09/18/2017 10:33 PM, alexclay...@gmail.com wrote:
> Has anyone here successfully disabled the Intel ME yet?
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> I'm hoping a future release of Qubes integrates this into the install
> process for us. Or be downloadable as a package like Anti-Evil Maid?
> Thoughts?
This is an extremely risky and highly ad-hoc procedure that cannot be
easily automated. As you can understand from the article, newer ME
versions manage the boot process so some level of functionality is
required just to have a working computer.

Being an opaque component, different versions have highly variable level
of built-in functionality and architecture position, so while some ME
versions on some chipsets could just be zapped away, others have to be
patched, reflashed, bypassed or replaced to be disarmed.

Hence, the operations to "disarm" ME still resemble more surgery than
patching; our only hopes are that Intel will give a simple way of
disabling the unneeded "services" (i.e. network services?) with
something reasonable like a hardware jumper of some sort. They will be
able to give the HAP guarantees to their customers without impairing
security for everybody else...


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to