
What is the motivation behind Management Engine?

From the perspective of an everyday user these things came out of nowhere to evolve into this para-computer running alongside me that I cannot see and have no control of. It is on literally ALL hardware.

Why is it that any attempts to disable it knock your whole computer out?

And this is the world of technology that we want? I'm so sick of technology companies appearing to work for their customers but secretly working against them.




The functionality ME attempts to provide is lights out a.k.a. out-of-band management (like IPMI) to the desktop.

If, for example, an admin needed to add a dual-boot-to-Ubuntu option to every PC on a floor, he could, through ME, remotely reboot (force power reset if necessary) or power on every machine, have the machines boot to a (remote) OS install disk, run the install, and reboot.

ME allows one to do almost anything remotely to a PC, regardless of what the main processor is doing. That is both useful and frightening.


Fine, but putting it on all hardware?

How many corporate IT environments buy off-the-shelf motherboards and CPUs from the same channels as consumers? OEMs get an entirely different set of parts and enterprise sales works in completely different channels. If there is such a clean separation between corporate and consumer markets then why is this hardware on everything, and why does it need to pull power on the machine if it's disabled?


It isn't on all hardware. Intel has two ME firmwares, a small one for consumer systems, and a big one for corporate/enterprise systems. The small one does not (or at least, should not; is not supposed to) include the remote management features.

In other words, the separation that you describe exists.

Systems with the full firmware sport things such as the vPro branding, and only certain combinations of CPU and chipset support it.


AFAIK the consumer version still kills the system if it's disabled?


I'd be careful with assumptions on what "consumer hardware" means. There are desktops, NUC units, etc, that shipped with i5 and i7 chips that had vPro.


Even with the CPU, you also need the right chipset and the right firmware to actually light this stuff up. While especially in the laptop sector there are consumer devices that include this, it's far from universal.


Can't all that be done from the main OS? Repartition, modify the boot stuff, reboot from an image in a new partition, etc... Why did they need to add another processor with closed source and all the potential security issues?


You can't change the boot media or turn on a turned-off machine via the OS. The whole point is to get underneath it, so you can even do initial OS install with it.


It might not be trivial, but you can do this w/o the ME. My understanding is that most ethernet cards support a "Wake-on-LAN" feature to turn turned-off machines on, and from there you can trigger the machine to reboot and then netboot (by writing to its boot config to instruct whatever boots it that it should take that action).

Even if you assert that the ME is absolutely necessary for such a use-case, I don't have that use case, it isn't worth the risk for me, and I should be able to disable the ME because I, as the owner of the machine, want to. (Or really, otherwise interact with it and use it for creative use-cases.)
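The Wake-on-LAN step mentioned in the comment above, as an added example that is not part of the thread: the standard magic packet is 6 bytes of 0xFF followed by the target NIC's MAC repeated 16 times, broadcast over UDP (port 9 by convention). The MAC and broadcast address below are constructed placeholders; the parser/recognizer is included so the same packet can be spotted in captured traffic.

```python
import re
import socket
from typing import Optional

WOL_PORT = 9  # conventional port for WoL broadcasts; 7 is also common


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet: 6 x 0xFF synchronisation bytes, then the MAC 16 times (102 bytes)."""
    hw = parse_mac(mac)
    return b"\xff" * 6 + hw * 16


def is_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a well-formed magic packet, else None.

    Handy on the monitoring side: WoL frames in a capture show who is waking what.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    hw = payload[6:12]
    if payload[6:102] != hw * 16:
        return None
    return hw.hex(":")


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = WOL_PORT) -> int:
    """Broadcast the magic packet on the local segment; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed placeholder MAC; replace with the NIC's real address.
    print(send_magic_packet("00:11:22:33:44:55"))
```

The NIC must have WoL enabled in firmware/driver settings for the packet to have any effect; the machine cannot be told what to boot by this packet alone, which is why the comment pairs it with a netboot configuration.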


Just get a computer that doesn't have vPro.


That disqualifies a lot of otherwise really good hardware. My current Thinkpad, for example, and all current MBPs, I believe. Some manufacturers also aren't very clear about the exact hardware in their machines, either. (For example, Apple doesn't list the exact CPU on their tech specs page, only the somewhat vague "2.4GHz dual-core Intel Core i7, Turbo Boost up to 3.4GHz, with 4MB shared L3 cache". That might be unambiguous enough to map back to an actual piece of hardware, but it's still a considerable amount of work to do so.)


I was curious how much work it would be, so headed to ark.intel.com.

The filter for "Max Turbo Frequency" seems to be broken, BUT searching for "Cache: '4MB L3 SmartCache'" (which I assume means shared!) finds quite a number of results: http://ark.intel.com/Search/FeatureFilter?productType=proces...

The list is column-sortable by Max Turbo Frequency, and there are just 4 results in the 3.40GHz range:

- http://ark.intel.com/products/91169/Intel-Core-i7-6660U-Proc... - the only result with a Processor Base Frequency of 2.4GHz

- http://ark.intel.com/products/91497/Intel-Core-i7-6650U-Proc...

- http://ark.intel.com/products/88192/Intel-Core-i7-6600U-Proc...

- http://ark.intel.com/products/52231/Intel-Core-i7-2620M-Proc...


I think the problem is not that this technology exists but rather that the operation of this engine is not transparent, the user cannot examine or disable the software in this engine, cannot write his own software.


IME should exist on an external TPM chip so it's only for those that want it, like enterprises.

I really don't understand why they would just shove it into every chipset out there. I understand it needs to get its claws all over the system, but the core should be external and optional.


Because a separate chip costs more.


"There isn't anything to worry about if you have nothing to hide" /s

