PC maker Purism disables flawed Intel Management Engine

Disabling Intel Management Engine, deeply embedded in Intel CPUs, could circumvent security risks

Linux PC maker Purism claims to have devised a process to disable the flawed Intel Management Engine.

The company's line of Librem laptops, which run flexible open-source firmware Coreboot, are now running with Intel's management service completely disabled.

A core part of Intel Active Management Technology (AMT), the management engine is present in all the company's CPUs and is capable of powering a computer, even when it is powered off.

However, many in the security marketplace have found it a pain to manage, and there have been a number of well known, publicly released exploits against it.

In May 2017, a bug was found that enabled attackers to bypass password security for the technology - giving remote attackers direct access to IT infrastructure.

Disabling the management engine isn't easy and security researchers have been working for years to find a way to bypass it. Purism claims that it has now been able to do this effectively.

Because the company's products run on Coreboot and it has its own BIOS firmware update process, it has been able to stop the engine from running. The Management Engine is halted without any recovery ability.

As of this week, the Librem 13 and Librem 15 range of products can be purchased with the management engine disabled by default. Customers can also disable it with the source code, which will be released to confirm the accuracy of the disablement.

Todd Weaver, founder and CEO of Purism, which was only started up in 2014, claimed that his company is issuing a free update so that owners of previous generation Librem laptops can also disable the feature.

"Disabling the Management Engine, long believed to be impossible, is now possible and available in all current Librem laptops, it is also available as a software update for previously shipped recent Librem laptops," he said.

Zlatan Todoric, chief technology officer of Purism, said: "Purism Librem laptops were already the most secure current Intel based computers available on the market today, but disabling the management engine solidifies that statement clearly."

Youness Alaoui, a hardware enablement developer at Purism, played a key role in disabling the management engine. He said the company is already working to disable other troublesome binaries.

"Purism, in the long-term pursuit of liberating hardware at the lowest levels, still has more work to do. Removing the management engine entirely is the next step beyond just disabling it," he said.

"Coreboot also includes another binary, the Intel FSP, a less worrisome but still important binary to liberate, incorporating a free vBIOS is another step Purism plans to take.

"The road to a completely free system on current Intel CPUs is not over, but the largest step of disabling the Management Engine is arguably the largest milestone to cross." says Youness Alaoui, Hardware Enablement Developer at Purism."