Most computers that ship with recent Intel processors include something called Intel Management Engine, which enables hardware-based security, power management, and remote configuration features that are not tied to the operating system running on your PC.
For free software proponents, this has been a pain in the behind, because it’s a closed-source, proprietary feature designed to provide remote access to a computer even when it’s turned off. While it’s designed to provide security, it also poses a potential security and privacy threat, since it’s a proprietary system that can only be patched by Intel
and that you couldn’t easily disable… until recently.
It’s still impossible to completely remove Intel Management Engine. But last year researchers figured out how to neutralize it by removing much of the code. More recently the folks at PT Security figured out how to disable it, so that it won’t even try to load that code.
Now Linux laptop maker Purism has announced that it will begin shipping all of its devices with Intel Management Engine both disabled and neutralized.
Using both methods means that even if one doesn’t work, there’s a chance the other will.
Right now this applies to the Purism Librem 13 and Librem 15 laptops. If you buy one today, it’ll ship with Intel’s Management Engine crippled. But Purism will also release a downloadable update that existing customers can use to flash the latest version of the coreboot bootloader in order to shut off the Management Engine.
Purism’s current line of laptops feature 6th-gen Intel Core “Skylake” chips. There’s no word on whether the same method will work with 7th or 8th-gen processors.