
System76's Open Firmware 'Re-Disables' Intel's Management Engine (phoronix.com)

Linux computer vendor System76 shared some news in a recent blog post. "We prefer to disable the Intel Management Engine wherever possible to reduce the amount of closed firmware running on System76 hardware. We've resolved a coreboot bug that allows the Intel ME (Management Engine) to once again be disabled."

Phoronix reports that the move will "benefit their latest Intel Core 13th Gen 'Raptor Lake' wares as well as prior generation devices." Intel ME is disabled for their latest Raptor Lake laptops and most older platforms, with some exceptions, such as where there is a silicon issue with Tiger Lake. System76 has also added a new firmware setup menu option for enabling/disabling UEFI Secure Boot. The motivation for making it easier to toggle Secure Boot is to allow Windows 11 support with SB active while running System76 Open Firmware.

  • There is no need. You can now easily install Windows 11 without secure boot using well known solutions. And even scripts to make custom install media with the bypass exist. Secure boot is proprietary Microsoft garbage and we should all refuse to use it.
    • by anonymouscoward52236 ( 6163996 ) on Sunday June 04, 2023 @11:02AM (#63575253)

      Secure boot is also extra blobs of closed source that know how to reach into your hard drive and mess with files. (For UEFI reasons, but it could be manipulated or already contain malware.)

      • Re: (Score:2, Interesting)

        by AmiMoJo ( 196126 )

        If there is malware in your UEFI or Secure Boot/eTPM, you have already lost and nothing can protect you. The UEFI can literally reprogram your CPU.

        Disabling Intel ME makes sense because it is network accessible.

        CoreBoot might not help. UEFI images should be signed to prevent malware installing its own firmware, so the most you can do is a reproducible build that the user can verify, assuming they can trust that reading the UEFI flash memory returns the real data.

        • UEFI images should be signed to prevent malware installing its own firmware,

          If something can rewrite your BIOS, anything worthwhile on your computer is already stolen. Stop trying to give away your computer to corporations for fictional gains.

        • ME is a sneaky beast that rarely is used and if it once was enabled it's hard to get rid of on many machines.
          It also consumes IP addresses, so if you have an IP address shortage or mysterious IP addresses on your net you should disable it.

      • but it could be manipulated or already contain malware.

        That's like saying anti-virus software has the power to install malware on your machine. The whole point of secure boot is to avoid the very malware you're talking about.

        There's literally no way in the slightest that secure boot is making this security risk worse.

    • by ArchieBunker ( 132337 ) on Sunday June 04, 2023 @12:05PM (#63575349)

      Something strange I noticed on Windows 10. On my Lenovo workstation, if IME is disabled, Windows would take a solid two minutes to load. It even showed as an error in the event log. Enable the IME and it loads in seconds.

      • Re: (Score:3, Interesting)

        by AmiMoJo ( 196126 )

        You might need to remove the ME related items from Device Manager. The OS can communicate with it, and it's probably some driver hanging if it doesn't respond.

  • by Anonymous Coward

    On the note of coreboot, it'd be nice if you didn't have to be an active developer to know how to find out just what is supported and what is not.

    • this. This looks like a nascent project [coreboot.org] even though I don't think it is.

      How to get hardware with coreboot?

      At the moment it's not so easy to get consumer hardware on the market. But there are vendors shipping coreboot right away with their hardware.

      Yea.

      • Coreboot has had a really hard job to do. Vendors have traditionally not wanted to put in the effort, and there's no standard to make it easy for them (by sharing the necessary information) even if they wanted to.

        The story around the water cooler is that AMD is going to [slashdot.org] make supporting coreboot easier [slashdot.org] but it's going to take them some years (~3) to make the switch. Still, once they do, coreboot will be much more feasible, at least on AMD hardware. And frankly, I don't actually care about any other kind at th

        • by gweihir ( 88907 )

          That is good news. I really would like to get rid of closed firmware. At least on Linux, the kernel is managing anything itself anyways once it runs.

      • Starlabs sells laptops with coreboot https://us.starlabs.systems/ [us.starlabs.systems]
