Can NixOS Disable INTEL Mgmt Engine?

Curious as to whether this can be (is better) done…

  1. after booting into NixOS proper

  2. after booting but before entering NixOS.

  3. during firmware boot by, say CoreBoot, Heads, etc.

I don’t think this has anything to do with NixOS per se. Whatever mechanisms (if any) that exist for other distributions would in all likelihood be usable here.

2 Likes

Isn’t this done at the firmware level? On my laptop this is an option in the firmware interface, to disable the ME.

2 Likes

Some users of NixOS run coreboot, some developers of Heads are trying to work with Nixpkgs currently.
But it has nothing to do with NixOS per se, we just don’t have any NixOS module to manage your coreboot setup, etc.

2 Likes

The only method to “disable” the intel ME, that I’m aware of, is me_cleaner. Unfortunately it hasn’t been maintained for a few years and it doesn’t work on recent CPUs.

If your motherboard/CPU is supported you need to get a copy of the firmware, either the full image of the BIOS or just the intel region, run me_cleaner on it and then flash it on the motherboard. The last step you do with a software OEM tool (but that rarely works because there are signatures/checksums that will fail) or using an SPI programmer.

You can’t really disable the ME because it’s needed to boot the computer. Thankfully it’s modular and me_cleaner can strip it down to just the essential modules needed to boot. There is also another mode that just flips a bit in the firmware image and it’s supposed to achieve the same result.

Anyway, neither of those methods can be applied to a running computer: not before or after the kernel, the bootloader or even the BIOS: by that time the ME has already started and did his thing. You need to modify the firmware.

Coreboot (and distributions) have an option to automatically run me_cleaner if you build a build a full image (need to obtain the IFD and other blobs). So, if your motherboard is supported by coreboot you can try to build an image including the neutralised intel ME region.
To flash this image internally (with flashrom) you typically need to unlock the region that contains the Intel firmware, so you can do only after an external flashing (for which there are no restrictions).
If you want to try this I recommend to first build the image containing only the BIOS/coreboot payload and then attempt to run me_cleaner.

Coreboot like all big projects requires its own toolchain and it’s quite annoying to build on NixOS, but it’s possible. If you’re interested I made this thing to build coreboot images using Nix: you just need to write the configuration of your board. I haven’t used it in a while but it’s pinned to a working coreboot version.

Thanks!

Once I’m more at home with Nix I’d like to try using your example it to build a version of Coreboot for something like a Raspberry PI 4 or BeagleBone Black to get my sea legs with customizing and building boot firmware with Nix.

I’ll forward along your post to the folks at Purism who offer Coreboot but also PureBoot - a version of Coreboot extended with HEADS that disables ME and works with board-resident TPM to provide an signal to user that firmware and boot software haven’t been tampered with.

I’m hoping they’ll be intrigued with exploring how Nix might help them offer reproducible firmware build options to their customers.

a version of Coreboot for something like a Raspberry PI 4 or BeagleBone Black

The beaglebone black appears to be supported by coreboot, but untested. The older Raspberry Pis are notorious for having an insane boot sequence that starts from the videocore GPU, not the ARM core, and requires a number of closed source firmware not yet fully reverse engineered. The Raspberry Pi 4 is different but equally bad, so still no coreboot.

I recommend you try with some well supported device, like a chromebook or and old thinkpad. Building and installing coreboot for the first time is complicated enough on a supported device.