It's a well-known fact that the Intel Management Engine cannot be completely disabled. Its functionality can be greatly reduced using `me_cleaner`, which utilizes various techniques, including switching the ME "kill switch".

However, the Supermicro X9DRi-F BIOS contains an ENABLE/DISABLE option for the ME subsystem.

The motherboard manual says the following:

ME Subsystem
Select Enabled to support Intel Management Engine (ME) Subsystem, a small power
computer subsystem that performs various tasks in the background. The options
are Enabled and Disabled.
When ME Subsystem is enabled, the following items will display.
•   ME BIOS Interface
•   ME Version

When I compare the output of `intelmetool -m` when the `ME Subsystem` option in UEFI is Disabled and when the same option is Enabled, the difference can be seen below:

```
$ diff -y --suppress-common-lines ~/ME_in_UEFI_disabled ~/ME_in_UEFI_enabled
ME Status 2 : 0x39006301                                      | ME Status 2 : 0xb9000301
ME: Progress Phase          : Policy Module                   | ME: Progress Phase          : Global reset after an error
ME: Progress Phase State    : Entery into Policy Module       | ME: Progress Phase State    : Unknown 0x00
$
```

`Firmware Init Complete` is `YES` and `Current Working State` is `Normal` even when the `ME Subsystem` option is set to Disabled, so based on this it looks like the ME is not disabled.

What does the enable/disable ME subsystem option in the Supermicro X9DRi-F motherboard BIOS do?

Martin

1 Answer


"It's well known fact that the Intel Management Engine can not be completely disabled" - as far as I know, it can be disabled by manufacturers at least. See this link about Dell's purchase option: systems with ME disabled could be bought from them: https://www.extremetech.com/computing/260219-dell-sells-pcs-without-intel-management-engine-tradeoffs

So what does this BIOS option do? It disables ME. There are obviously systems on the market that allow it. Try it out, disable it and see if ME vanishes from Device Manager.

Hans Hase
  • I ran `intelmetool -m` when the `ME Subsystem` option in UEFI was disabled and based on the output of `intelmetool` the [HAP](https://en.wikipedia.org/wiki/Intel_Management_Engine#%22High_Assurance_Platform%22_mode) bit was not set and Intel ME was completely initialized. – Martin Dec 08 '19 at 14:07
  • Before running that tool, did you reboot Windows? You know there's a difference between these two: "shutdown - modify BIOS - turn on" and "modify BIOS - restart". The latter produces different results since modern Windows uses kernel hibernation and keeps services and other things loaded until you restart. – Hans Hase Dec 10 '19 at 07:29
  • I'm not using Windows, but I did power off the server in the meantime. This didn't change the results of `intelmetool`. – Martin Dec 10 '19 at 17:02
  • Sorry for not following up - I was on vacation and did not have the login info with me. Your test result is surprising, then. I would ask Supermicro support. – Hans Hase Jan 03 '20 at 14:31
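
The two `ME Status 2` words from the diff in the question can be compared field by field to see exactly which bits the BIOS option changed. This is an added example, not part of the original posts and not `intelmetool` code; the bit layout in `FIELDS` is an assumption based on the client ME layout that coreboot's tooling decodes, and server (SPS) firmware may assign these bits differently.

```python
# Added example: field-level comparison of the two "ME Status 2" words
# quoted in the question.
# ASSUMPTION: FIELDS follows the client ME layout decoded by coreboot's
# tooling; server (SPS) firmware may define these bits differently.
FIELDS = {
    "progress_phase": (28, 4),   # shown by the tool as "Progress Phase"
    "pm_event": (24, 4),         # power management event
    "phase_state": (16, 8),      # shown as "Progress Phase State"
    "low_bits_15_0": (0, 16),    # treated here as one opaque field
}

# Values copied from the diff in the question.
ME_DISABLED_IN_UEFI = 0x39006301
ME_ENABLED_IN_UEFI = 0xB9000301


def decode(word):
    """Split a 32-bit status word into the fields listed in FIELDS."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("status word must fit in 32 bits")
    return {name: (word >> shift) & ((1 << width) - 1)
            for name, (shift, width) in FIELDS.items()}


def changed_fields(a, b):
    """Return {field: (value_in_a, value_in_b)} for fields that differ."""
    da, db = decode(a), decode(b)
    return {name: (da[name], db[name])
            for name in FIELDS if da[name] != db[name]}


def changed_bits(a, b):
    """Return the differing bit positions, most significant first."""
    delta = a ^ b
    return [bit for bit in range(31, -1, -1) if (delta >> bit) & 1]


if __name__ == "__main__":
    for label, word in (("disabled", ME_DISABLED_IN_UEFI),
                        ("enabled", ME_ENABLED_IN_UEFI)):
        print(f"{label:8} 0x{word:08x} {decode(word)}")
    print("changed fields:", changed_fields(ME_DISABLED_IN_UEFI,
                                            ME_ENABLED_IN_UEFI))
    print("changed bits:  ", changed_bits(ME_DISABLED_IN_UEFI,
                                          ME_ENABLED_IN_UEFI))
```

Under the assumed layout, the power management event and phase state fields are identical in both captures; only the top bit of the progress phase nibble and two bits in the low half-word differ.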