With security issues like the Spectre and Meltdown vulnerabilities discovered in Intel chips in early 2018, it became more important than ever to talk about the necessity of software freedom in these deeply embedded technologies. Serious though these bugs may be, we cannot let them distract us from the broader issues: Intel considers the Intel Management Engine a feature, while it’s nothing more than a threat to user freedom. Thanks to Denis GNUtoo Carikli, we have a new basis for that conversation in this article.
The Intel Management Engine is a tool that ships with Intel chipsets, purportedly to ease the job of system administrators. But in reality, it is another restriction on user freedoms, imposed by a company, and used to control your computing.
Carikli offers a moderately technical explanation of what’s happening with the Management Engine, the ways in which it restricts rather than empowers users, and how it violates the four freedoms of free software.
Carikli may be best known for his work on the Replicant project, which he co-founded with Aaron Williamson, Bradley Kuhn, and Graziano Sorbaioli. He has also worked on a number of free BIOS/UEFI projects, including coreboot and SerialICE.
The Management Engine[1] (frequently abbreviated as ME) is a separate computer within Intel computers, which denies users control by forcing them to run nonfree software that cannot be modified or replaced by anyone but Intel. This is dangerous and unjust. It is a very serious attack on the freedom, privacy, and security of computer users.
The Management Engine started to appear in Intel computers around 2007[2].
At first, it was designed to help system administrators and other employees to remotely manage computers[3], and was advertised as a computer feature for business customers. It could, for instance, be used to remotely:
Power the computers on and off.
Boot computers from remote storage located on the system administrator’s machine or on a server, and take control of the computer that way[4].
Retrieve and store various serial numbers that identify the computer hardware.
Over time, Intel imposed the Management Engine on all Intel computers, removed the ability for computer users and manufacturers to disable it, and extended its control over the computer to nearly 100%. It even has access to the main computer’s memory.
It now constitutes a separate computing environment that is designed to deny users the control of their computer. It can even run applications that implement Digital Restrictions Management (DRM)[5]. See Defective by Design to learn why DRM is bad.
The remote administration is done through applications running inside the Management Engine, such as AMT (Active Management Technology)[6]. AMT gives remote system administrators the same control they would have if sitting in front of the computer[7]. AMT can also control Intel Ethernet interfaces and WiFi cards to filter or block network traffic from going in or out of the computer[8].
Intel has gone as far as to use a free operating system and convert it to nonfree software to attack its users’ freedom: The license[9] of the operating system they use does not give users rights to the source code under a free license, nor does it ensure users’ rights to run modified versions of that code on the Management Engine.
We could correct all these problems if the users were able to run fully free software on the Management Engine, or at least, make it not run any code, effectively disabling it. The former is impossible because the Management Engine will only run code that is cryptographically signed by Intel[10]. This means that unless someone finds a flaw in the hardware that enables users to bypass the signature check, users are effectively denied the ability to install the software they wish in the Management Engine.
To prevent free operating systems from being subverted into an instrument that makes attacking users’ freedom cheaper and easier, it is important to license their components under the GNU GPLv3 or later whenever possible. This keeps the software free and prevents hardware manufacturers from denying end users the ability to run modified versions of the software. See how to choose a license for your own work to learn about the best licensing strategies to maximize users’ freedom, and in which cases licenses other than the GPLv3 might be suitable.
Despite all Intel’s efforts to make the Management Engine inescapable, software developers have had some success with preventing it from loading code. For instance, the Libreboot project disables the Management Engine by removing all the code that the Management Engine is supposed to load on some Thinkpad computers manufactured in 2008, including the R400, T400, T400s, T500, W500, X200, X200s, and X200T.
Also, many Intel computers manufactured in 2006 have the ancestor of the Management Engine which is disabled from the start, such as the Lenovo Thinkpads X60, X60s, X60 Tablet and T60, and many more.
A free software program named intelmetool[11] is capable of detecting if the Management Engine is absent or disabled. With more recent hardware, it is not yet possible to fully disable the Management Engine, as some of the hardware needs to be initialized by it. It is however possible to limit the amount of nonfree software running on the Management Engine by removing parts of the code and/or by configuring it to not run some code[12].
Independently from the Management Engine, other issues affect computer users in very similar ways:
Many computers use nonfree boot software (like BIOS or UEFI or equivalent) and/or require it to be cryptographically signed by the hardware manufacturer. This raises similar concerns for the freedom, privacy, and security of computer users because the boot software is responsible for loading the operating system, and has more control over the computer than the operating system. This issue also affects computers using other architectures such as ARM[13].
AMD[14] computers made after 2013 also have a separate computer within the computer, called PSP (Platform Security Processor), which has similar issues.
Because of Intel’s attack on users’ freedom, to avoid being denied freedom, privacy, and security, computer users wanting to use a machine with an Intel processor must use older computers with no Management Engine, or whose Management Engine is disabled.
Whenever companies follow Intel’s path, we will need to design our own hardware to keep being able to escape such attacks on freedom, by ensuring that users can run fully free software on it. This will also create the necessary building blocks that will enable users to benefit from hardware freedoms[15] in the future, when manufacturing technologies are easily available to end users.
— source fsf.org | Denis GNUtoo Carikli, Molly de Blanc | Jan 10, 2018