Subject: General Tech | December 4, 2017 - 07:05 PM | Tim Verry
Tagged: system76, security, linux, Intel, IME, dell
Update 12-5-2017: Dell has provided a statement in response to the IME news which is as follows:
- "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro - ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public.
- Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration."
(End of update.)
Niche system vendors System76 and Purism are now joined by Dell in offering laptops with the Intel Management Engine (IME) black box disabled. The company, one of the largest laptop manufacturers, currently offers three higher-end laptops with the configuration option of "Intel vPro™ - ME Inoperable, Custom Order" where for around $20 Dell will disable IME. IME has come under fire recently due to a major vulnerability that affects many of Intel's Core series processors, and it has had bugs dating back years.
IME is baked into Intel processors dating back to 2008 and operates at what is known as Ring -3, meaning that it has privileges well above those of software, drivers, the OS kernel, and even UEFI. IME is an autonomous subsystem with its own processor running its own software; it has full control over the computer and even has its own networking stack. Intel has obfuscated that closed source code and has made it notoriously difficult to disable while also claiming it is necessary for the processor to hit full performance. Security researchers and companies like Google have committed to disabling it (there is a way to turn it off, though Intel has not documented it). IME can be used alongside Intel AMT / vPro features (Ring -2+) for remote management, and since IME runs even when the system is off it makes it easy to roll out OS upgrades and re-image machines. Home users, however, do not need IME but have traditionally been stuck with it anyway, along with its security holes. (Note that AMD has its own platform management subsystem with the PSP, though it has not drawn nearly the high-profile reputation Intel has with the latest bugs and promised patches.)
Specifically, Dell is offering to disable IME for a small fee on the Latitude 14 Rugged laptop, Latitude 15 E5570, and Latitude 12 Rugged tablet, which all run 6th Generation Core (6000 series and Core M) processors. Purism plans to sell PCs with IME disabled going forward, and System76 has promised firmware updates for disabling IME on its PCs sold within the last few years. In reading about IME online, it seems that disabling IME is a tricky endeavor with the potential to brick the system, but it can be done, and the more documentation these vendors do the better for Linux, open source software, and security-conscious consumer proponents. For now you will have to pay a small fee to disable it, but if you are worried about IME the peace of mind might be worth it. Also, with Dell now on board it shouldn't be long before other vendors start offering systems sans Intel Management Engine. Hopefully they are able to offer this IME-disabled feature on models with the latest Intel processors as well for those that want it, as the latest round of major bugs affected Skylake, Kaby Lake, and Coffee Lake CPUs.
What are your thoughts on this? Have your systems received an IME security patch? In any case, with the IME bugs, Mac OS High Sierra security hole, and iOS encrypted backup loophole it has not been a good month for security!
- Intel Patches Major Flaws in the Intel Management Engine @ ExtremeTech
Subject: Mobile | August 27, 2013 - 02:07 PM | Jeremy Hellstrom
Tagged: linux, ubuntu, system76, Gazelle Pro
The component list of System76's Gazelle Professional laptop reads like that of a $1000+ ultrabook: a Core i7 4900MQ, 8GB of DDR3-1600, a 120GB Intel 520 SSD and a 15.6-inch 1080p display. Instead of Windows it ships with Ubuntu 13.04, which is part of the reason you can purchase the base model for $830. Support for Haswell's HD Graphics 4600 is solid, with performance far beyond the old HD Graphics 3000; the Ivy Bridge GPU can sometimes outperform Haswell but that will change as drivers improve. Take a peek at the benchmarks in Phoronix's review.
"System76 recently sent over their Haswell-based Gazelle Professional laptop that sports HD Graphics 4600, a fancy Intel SSD, 8GB of system memory, and a beautiful HD display. This Haswell Linux laptop has already been used for testing within a few Phoronix articles while now is a full look at this Ubuntu laptop along with some comparison performance tests."
Here are some more Mobile articles from around the web:
- Samsung Ativ Book 9 Lite @ The Inquirer
- HP Pavilion TouchSmart 11z Review @ TechReviewSource
- Razer Blade 14-inch Gaming Notebook Review @ Custom PC Review
- MSI GE40 2OC-009US Review @ TechReviewSource
- Apple iMac 27-inch (Late 2013) Review @ TechReviewSource
- HP Envy Touchsmart 15 @ The Inquirer
- HP SlateBook x2 Review @ TechReviewSource
- Diamond DS3900 Dual Video USB 3.0 Docking Station @ Benchmark Reviews
- EasyAcc Power Bank PB12000A @ NikKTech
- Nvidia Tegra 4 benchmark review @ Hardware.Info
- Moto X @ AnandTech
- Samsung Galaxy S4 Active @ The Inquirer
- Samsung ATIV S Cell Phone Review @ Hardware Secrets