Hacker News new | past | comments | ask | show | jobs | submit login

The closest thing I found that could work for Linux is flashing the BIOS manually: https://hackaday.com/2016/11/28/neutralizing-intels-manageme...

In the case of my Thinkpad, I had to open it up and flash the chip using the Raspberry Pi hardware over SPI bus.

Then I found out that removing the Intel Management Engine breaks Hackintosh so I ended up having to put it back.

Another alternative is flashing Coreboot/Libreboot, but this also breaks Hackintosh.




You'll be happy to hear that this no longer works with newer devices thanks to Intel Boot Guard, which prevents firmware modifications altogether.


I have a Lenovo T440s. My BIOS has an "activate/deactivate/permanently deactivate" setting for AMT. I set it to "deactivate" for now.

Any idea what this buys me?

Their last BIOS update was March 14. I'm hoping their next one has the new firmware.


Deactivation merely resets the AMT settings. You can only turn it off by following these instructions.


So that means it's still exploitable over the network? (I thought it would cut it down to local-only). Lenovo is lying to me when it says "disable AMT"?

Then again, maybe it's not actually enabled, since I didn't use the software to do so.


That is a good question. Lenovo's advisory (https://pcsupport.lenovo.com/us/en/product_security/ps500104) does not explicitly states which AMT status make it vulnerable, but given that Intel ME runs no matter what, I'd go for the disable guide.


I did not know about the advisory. Thank you!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: