
The Intel Management Engine (ME), also known as the Intel Manageability Engine, is in the Platform Controller Hub of modern Intel motherboards. The embedded microcontroller runs a lightweight microkernel operating system that provides a variety of features and services for Intel processor–based computer systems. This autonomous subsystem has been incorporated in nearly all of Intel’s processor chipsets beginning in 2008.
What It Does
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with the deployment of a hardware device which is able to disconnect all connections to mains power as well as all internal forms of energy storage. The Electronic Frontier Foundation and some security researchers have voiced concern that the Management Engine is a backdoor.
The benefits and utilities of the Intel Management Engine:
- Anti-Theft (AT) Protection Technology: It can detect when the laptop is lost or stolen, and secure the sensitive data by preventing the OS from loading and blocking access to encrypted data.
- Low power: Its power states are independent of the host OS power states.
- Out of band (OOB) management services: It allows the ME to respond to OOB commands from the IT management console without having to wake up the rest of the system.
- Capability Licensing Service (CLS): It enables the OS to communicate with the Intel Management Engine directly via the HECI bus.
- Protected Audio Video Path (PAVP): It can ensure a secure content protection path for high-definition video sources like Blu-ray discs. Moreover, it can control the hardware-accelerated decoding of the encrypted video streams by the integrated graphics processor.
Intel’s main competitor, AMD, has incorporated the equivalent AMD Secure Technology (formerly called Platform Security Processor) in virtually all its post-2013 CPUs.
It is normally impossible for the end-user to disable the ME and there is no officially supported method to disable it, but some undocumented methods to do so were discovered.
The ME’s security architecture is designed to prevent disabling. Intel considers disabling the ME to be a security vulnerability, since malware could abuse it to make the computer lose functionality, such as applications that depend on Digital Rights Management (DRM).
How It Does It
The subsystem basically consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep. If the chipset or SoC is supplied with power (via battery or power supply), it continues to run even when the system is turned off. Intel claims the ME is required to provide full performance.
Its exact workings are largely undocumented and its code is obfuscated using confidential Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.
The Management Engine is sometimes confused with Intel AMT (Intel Active Management Technology). AMT runs on the ME but is only available on processors with vPro. AMT gives device owners remote administration of their computer, such as powering it on or off, and reinstalling the operating system.
However, the ME itself has been built into all Intel chipsets since 2008, not only those with AMT. While AMT can be disabled by the owner, there is no official, documented way to disable the ME.
Strictly speaking, none of the known methods can disable the ME completely, since it is required for booting the main CPU. The currently known methods merely make the ME go into abnormal states soon after boot, in which it seems not to have any working functionality. The ME is still physically connected to the system and its microprocessor continues to execute code.
Issues / Vulnerabilities
- It is reportedly possible for malicious actors to use the ME to compromise a system remotely, but this is largely unverified; there are no known incidents of this ever happening.
- The Intel Management Engine is undesirable for some companies because they view it as an unofficial surveillance or monitoring mechanism for data within their systems.
Undocumented Methods of Disabling the Management Engine
Firmware neutralization
In 2016, the me_cleaner project found that the ME’s integrity verification is broken. The ME is supposed to detect that it has been tampered with and, if this is the case, shut down the PC forcibly 30 minutes after system start. This prevents a compromised system from running undetected yet allows the owner to fix the issue by flashing a valid version of the ME firmware during the grace period.
As the project found out, by making unauthorized changes to the ME firmware, it was possible to force it into an abnormal error state that prevented triggering the shutdown even if large parts of the firmware had been overwritten and thus made inoperable.
How it was able to make unauthorized changes to the ME firmware was not discussed.
“High Assurance Platform” mode
In August 2017, Positive Technologies (Dmitry Sklyarov) published a method to disable the ME via an undocumented built-in mode. Intel has confirmed that the ME contains a switch to enable government authorities such as the NSA to make the ME go into High-Assurance Platform (HAP) mode after boot. This mode is purported to disable most of the ME’s functions and was intended to be available only in machines produced for specific purchasers like the US government.
There is no explanation for why HAP would be necessary as the government and private sector can buy non-Intel processor systems that would not have ME installed.
Protocol Compatibility
Intel Software Guard Extensions (Intel SGX)
Intel Software Guard Extensions (Intel SGX) provide applications the ability to create hardware-enforced trusted execution protection for their sensitive routines and data. Intel SGX gives developers a way to partition their code and data into CPU-hardened trusted execution environments (TEEs).
This protocol is only available with ME enabled systems.
ECDSA-based Attestation
ECDSA-based attestation with Intel SGX DCAP allows providers to build and deliver their own attestation service instead of using the remote attestation service provided by Intel. This is useful for enterprise, data center, and cloud service providers who need to:
- Use the large enclave sizes that are available in the Intel Xeon Scalable processor family.
- Run large parts of their networks in environments where internet-based services cannot be reached.
- Keep attestation decisions in-house.
- Deliver applications that work in a distributed fashion (for example, peer-to-peer networks) that benefit from not relying on a single point of verification.
- Prevent platform anonymity where it is not permitted.
This attestation solution is supported on select Intel Xeon E processors and Intel Xeon Scalable processors.
While Intel SGX DCAP requires more provider-managed infrastructure than the attestation solution based on Intel EPID, Intel helps providers create this infrastructure through Intel SGX DCAP.
Trusted Execution Environments (TEEs)
A Trusted Execution Environment (TEE) is a secure area within a computer system or mobile device that ensures the confidentiality and integrity of data and processes that are executed inside it. The TEE is isolated and protected from the main operating system and other software applications, which prevents them from accessing or interfering with the data and processes within the TEE. A TEE is typically used for security-sensitive operations, such as secure storage of cryptographic keys, biometric authentication, and secure mobile payments. A TEE provides a high level of assurance that sensitive data and processes stay secure and tamper-proof even while hosted alongside the main operating system.
Intel Trust Domain Extensions (TDX)
TDX is a hardware-based trusted execution environment (TEE) that facilitates the deployment of trust domains (TDs), which are hardware-isolated virtual machines (VMs) designed to protect sensitive data and applications from unauthorized access.
A CPU-measured Intel TDX module enables Intel TDX. This software module runs in a new CPU Secure Arbitration Mode (SEAM) as a peer virtual machine manager (VMM), and supports TD entry and exit using the existing virtualization infrastructure. The module is hosted in a reserved memory space identified by the SEAM Range Register (SEAMRR).
Intel TDX uses hardware extensions for managing and encrypting memory and protects both the confidentiality and integrity of the TD CPU state from non-SEAM mode.
Intel TDX uses architectural elements such as SEAM, a shared bit in Guest Physical Address (GPA), secure Extended Page Table (EPT), physical-address-metadata table, Intel® Total Memory Encryption – Multi-Key (Intel® TME-MK), and remote attestation.
Intel TDX ensures data integrity, confidentiality, and authenticity, which empowers engineers and tech professionals to create and maintain secure systems, enhancing trust in virtualized environments.
The Future of Intel Management Engine and other Extensions
At the 2024 Intel Vision enterprise expo the company revealed partnerships with Google Cloud, Thales, and Cohesity to utilize Intel’s confidential computing capabilities within their cloud instances. This encompasses features such as Intel Trust Domain Extensions (Intel TDX), Intel Software Guard Extensions (Intel SGX), and Intel’s attestation service.