Management Engine (frequently abbreviated as ME) is a separate computer within Intel computers, which denies users control by forcing them to run nonfree software that cannot be modified or replaced by anyone but Intel. This is dangerous. It is a very serious attack on the freedom and security of computer users.
The Management Engine started to appear in Intel computers around 2007.
It could, for instance, be used to remotely:
- Power the computers on and off.
- Boot computers from remote storage located on the system administrator's machine or on a server, and take control of the computer that way.
- Retrieve and store various serial numbers that identify the computer hardware.
Over time, Intel imposed the Management Engine on all Intel computers, removed the ability for computer users to disable it, and extended its control over the computer to nearly 100%. It even has access to the main computer's memory. It now constitutes a separate computing environment that is designed to deny users the control of their computer. It can even run applications that implement Digital Restrictions Management (DRM). See Defective by Design to learn why DRM is bad.
The remote administration is done through applications running inside the Management Engine, such as AMT (Active Management Technology). AMT gives remote system administrators the same control they would have if sitting in front of the computer. AMT can also control Intel Ethernet cards to filter traffic going in or out of the computer.
We could correct all these problems if the users were able to run fully free software on the Management Engine, or at least make it not run any code, effectively disabling it. The former is impossible because the Management Engine will only run code that is cryptographically signed by Intel. This means that unless someone finds a flaw in the hardware that enables users to bypass the signature check, users are effectively denied the ability to install the software they wish in the Management Engine.
Despite all Intel's efforts to make the Management Engine inescapable, software developers have had some success with preventing it from loading code. For instance, the Libreboot project disables the Management Engine by removing all the code that the Management Engine is supposed to load on some ThinkPad computers manufactured in 2008, including the R400, T400, T400s, T500, W500, X200, X200s, and X200T.
Also, many Intel computers manufactured in 2006 have the ancestor of the Management Engine, which is disabled from the start, such as the Lenovo ThinkPads X60, X60s, X60 Tablet and T60, and many more.
A free software program named intelmetool is capable of detecting if the Management Engine is absent or disabled. With more recent hardware, it is not yet possible to fully disable the Management Engine, as some of the hardware needs to be initialized by it. It is however possible to limit the amount of nonfree software running on the Management Engine by removing parts of the code and/or by configuring it to not run some code.
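The "removing all the code that the Management Engine is supposed to load" approach works on the flash image itself: the first 4 KiB of an Intel flash chip hold a descriptor whose region table says where the ME firmware lives, and a cleaned image has that region erased (all 0xFF) even though the descriptor still declares it. The following is an added example, not code from the page or from the Libreboot or intelmetool projects; it parses the region table of a flash dump and reports whether the ME region is absent, erased, or still populated. It assumes the descriptor signature sits at offset 0x10 and the 13-bit base/limit encoding of the region registers used by ICH9-era chipsets such as the 2008 ThinkPads named above (newer platforms use wider fields), and the sample image it builds is constructed, not a real dump.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A      # flash descriptor signature ("FLVALSIG") at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
FLASH_SIZE = 8 * 1024 * 1024   # constructed 8 MiB flash for the sample image


def parse_regions(image):
    """Return {name: (base, limit)} for each declared region, or None when unused."""
    if len(image) < 0x1000:
        raise ValueError("image too small to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4       # Flash Region Base Address, in 16-byte units
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        # Assumed 13-bit encoding: bits 12:0 = base, bits 28:16 = limit, both in 4 KiB pages
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = (base, limit) if base <= limit else None   # limit < base marks unused
    return regions


def me_region_status(image):
    """'absent' if no ME region is declared, 'erased' if the region is all 0xFF
    (nothing for the ME to load), otherwise 'populated'."""
    me = parse_regions(image)["ME"]
    if me is None:
        return "absent"
    base, limit = me
    chunk = image[base:limit + 1]
    if chunk.count(0xFF) == len(chunk):
        return "erased"
    return "populated"


def _flreg(base, limit):
    """Encode a region register from byte addresses (4 KiB granularity)."""
    return (((limit >> 12) & 0x1FFF) << 16) | ((base >> 12) & 0x1FFF)


def build_sample_image(me_populated):
    """Constructed sample: a blank 8 MiB flash with a minimal descriptor and region table."""
    image = bytearray(b"\xFF" * FLASH_SIZE)
    struct.pack_into("<I", image, 0x10, FD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", image, 0x14, (frba >> 4) << 16)   # FLMAP0 with only FRBA set
    table = [
        _flreg(0x000000, 0x000FFF),   # Descriptor
        _flreg(0x600000, 0x7FFFFF),   # BIOS
        _flreg(0x003000, 0x5FFFFF),   # ME
        _flreg(0x001000, 0x002FFF),   # GbE
        0x00000FFF,                   # Platform Data: limit below base, i.e. unused
    ]
    for i, reg in enumerate(table):
        struct.pack_into("<I", image, frba + 4 * i, reg)
    if me_populated:
        # Stand-in for ME firmware: any non-0xFF bytes inside the region count as code
        image[0x3000:0x3004] = b"$FPT"
    return bytes(image)


if __name__ == "__main__":
    for populated in (True, False):
        img = build_sample_image(populated)
        for name, span in parse_regions(img).items():
            print(f"{name:14s}", "unused" if span is None else f"{span[0]:#08x}-{span[1]:#08x}")
        print("ME region:", me_region_status(img))
```

On a real dump (for example one read with flashrom), `me_region_status(open(path, "rb").read())` distinguishes a stock image from one whose ME code has been removed; a board where the ME is still required to initialize hardware will keep a populated region even after partial cleaning, so "erased" is only expected on the older machines listed above.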
Independently from the Management Engine, other issues affect computer users in very similar ways:
- Many computers use nonfree boot software (like BIOS or equivalent) and/or require it to be cryptographically signed by the hardware manufacturer. This raises similar concerns for the freedom, privacy, and security of computer users, because the boot software is responsible for loading the operating system and has more control over the computer than the operating system. This issue also affects computers using other architectures such as ARM.
- AMD computers made after 2013 also have a separate computer within the computer, called PSP (Platform Security Processor), which has similar issues.
Because of Intel's attack on users' freedom, to avoid being denied freedom, privacy, and security, computer users wanting to use a machine with an Intel processor must use older computers with no Management Engine, or whose Management Engine is disabled.
Whenever companies follow Intel's path, we will need to design our own hardware to keep being able to escape such attacks on freedom, by ensuring that users can run fully free software on it. This will also create the necessary building blocks that will enable users to benefit from hardware freedoms in the future, when manufacturing technologies are easily available to end users.