In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:
Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.
Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.
Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.
Looks like I may not have to go ARM on my next desktop build after all.
(Score: 3, Informative) by Anonymous Coward on Sunday January 15 2017, @01:40AM
It's baked into desktop processors. Some have it disabled, like the low-end i3s and the Pentiums. So companies have to shell out more for the i5s. But to my knowledge it is in every i7 and activated.
Depending on the motherboard you may not even be able to shut it off to the limited degree that UEFI allows.
As of right now it's a storm in a teacup. Theoretically it is possible to use it to put on rootkits that the host OS can't even see at all. But according to all I can find this is all theoretical, and requires physical root access, at which point your system is hosed anyway.
Be warned if you look through the GitHub page and the support page. Using this can and WILL break other things. There are reports of no longer being able to see GPUs (in Optimus-equipped laptops), LAN and wireless cards going poof. And a few cases where the monitor would just up and shut off unless someone had, say, a fast-refreshing game or video running.