Dave,

You might want to take a look at both the Libreboot and Coreboot open
source projects.  The challenge with the IME is that if you literally
disable it, it will shut down the system - and its code is pretty
heavily encrypted.  The Coreboot project has had some limited success
reverse-engineering how it works and can disable it in some cases but
it is very motherboard and CPU version specific which makes it
extremely difficult.

I'm running Libreboot with OpenBSD on a Thinkpad T500 and it works
reasonably well with the exception that I'm still figuring out how to
get full disk encryption working.  Coreboot is something I plan on
experimenting with as well because it can be (mostly) de-blobbed and
supports some more modern hardware.

- B

On Fri, 2017-09-08 at 14:51 -0400, Dave Anderson wrote:
> While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes
> security this seems like a good place to ask.
>
> As far as I can tell the "Intel Management Engine" (IME) is a gaping
> backdoor into every recent Intel-based system. My searches on the 'net
> haven't turned up much useful information about it.
>
> I'd really like to find documentation on how to configure and use it,
> though I'd settle for just enough to know how to lock it down or disable
> it such that it can't be used to attack me from the 'net.
>
> While this wouldn't work for a laptop, for desktop systems it might be
> sufficient to use an add-in NIC rather than the built-in one -- but the
> limited info I've found suggests that the IME may be able to snoop on
> all devices and so defeat this tactic. Does anyone here know?
> 
> Thanks for any information,
> 
>         Dave
> 
> -- 
> Dave Anderson
> <d...@daveanderson.com>
> 
> 
