Wanna exorcise Intel's secretive hidden CPU from your hardware? Meet Purism's laptops

Purism – a San Francisco, California, social purpose company that flies the flags of privacy, security and software freedom – has begun offering its GNU/Linux-based laptops with Intel's Management Engine disabled.

The Intel Management Engine is a hidden coprocessor at the heart of Chipzilla's vPro technology. Part of the Platform Controller Hub – a multifunction chip that interfaces a computer's main CPU to peripherals – the Management Engine offers a way for system administrators to manage large numbers of PCs over a network using out-of-band communications.

It's also widely despised by security professionals and privacy advocates because it relies on signed and secret Intel code, isn't easily alterable, isn't fully documented, and has been found to be vulnerable to exploitation, though the Active Management (AMT) module in recent Management Engines. In short, it's a tiny potentially hackable computer in your computer that you cannot totally control, nor opt-out of, but it can totally control your system.

"The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," wrote EFF staff technologist Erica Portnoy and chief computer scientist Peter Eckersley in May.

Intel is adamant its Management Engine is not a backdoor. Its spokespeople will say as much to those who use the term.

Nonetheless, Chipzilla will disable this administrative window – to reiterate, it's not a backdoor – in its CPUs for demanding government customers, in keeping with the NSA-backed HAPSOC High Assurance Platform (HAP) IT security framework for commercial, off-the-shelf hardware.

Positive Technologies, a London-based security biz, recently discovered how Intel does this, and at Black Hat Europe 2017 in December is expected to disclose a Management Engine flaw that allows the execution of unsigned code in the Platform Controller Hub, on motherboards sporting Skylake or later CPUs. Such code can switch off the engine by flipping an undocumented bit.

Purism's bane

In a blog post Thursday, Purism CEO Todd Weaver characterized Intel's Management Engine as "the bane of the security market since 2008."

His company is offering its Librem 13 (US$1,399+, Core i7-6500U) and Librem 15 (US $1,599+, Core i7-6500U) laptops with the Intel Management Engine verifiably turned off, something it has been able to do because its machine run the open source coreboot firmware and because of findings published by Positive Technologies in August. The Librem laptops, by the way, feature physical switches that electrically disconnect the microphone and webcam, and Wi-Fi and Bluetooth hardware, from the rest of the computer as a privacy defense.

Purism not only turned the Management Engine off using the HAP mechanism, it also removed the bulk of the ME firmware using the me_cleaner tool. It's a bit like burning a vampire after putting the stake through its heart, because you really don't want it coming back.

In a phone interview with The Register, Weaver supported Intel's insistence that it would never deliberately compromise the security of its customers. "It's not a purposeful backdoor," he said. "Intel isn't doing anything malicious."

The Management Engine, he said, was originally created because businesses wanted lower-level access to PCs to simplify administration. If a machine can't boot its OS, you need something running under the operating system, at the chipset firmware level, to recover the box. "It's a compelling offering, if you're a sysadmin, if someone borked the OS, you can go in and reinstall it," he said. "It had good intentions but negative security implications."

Exposed

The Management Engine executes mystery code that runs below the BIOS level, Weaver explained, and thus has the potential to access everything above it. "The theoretical problems that can expose you to are too numerous to list," said Weaver.

Weaver said Purism has corresponded with security researcher Igor Skochinsky, who published details about the Intel Management Engine in 2014, and with the researchers at Positive Technologies, to refine its ME exorcism ritual.

Purism is also about to wrap up a successful crowdfunding effort to create mobile phone powered by free, open source software, something that has been tried without much success by Mozilla and Ubuntu, among others. "The bigger picture of Purism is really about digital rights for users," said Weaver.

Weaver said that despite the availability of Android and iOS phones, there's no ethical computing device option. "We're not going to be attached to the Google surveillance machine or the Apple walled garden," he said. He contends Purism's Librem 5 phone can succeed where others have failed because concerns about privacy and security have become more acute over the past five years.

By focusing on making Purism products easy to use and convenient, he believes the company can attract customers beyond developers and those already sold on the merits of Linux. "Purism taking a business model similar to Apple, except we're ethical," he said. ®