CINXE.COM
Deep dive into Intel Management Engine disablement – Purism
<!doctype html><html lang="en-US" prefix="og: http://ogp.me/ns#"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="me" href="https://social.librem.one/@purism"/><link type="text/css" media="all" href="https://puri.sm/wp-content/cache/autoptimize/css/autoptimize_bbdd963aeadeeb9ef96986f45e1775fa.css" rel="stylesheet" /><title>Deep dive into Intel Management Engine disablement – Purism</title><meta name="description" content="Purism makes premium phones, laptops, mini PCs and servers running free software on PureOS. Purism products respect people's privacy and freedom while protecting their security."/><link rel="canonical" href="https://puri.sm/posts/deep-dive-into-intel-me-disablement/" /><meta property="og:locale" content="en_US" /><meta property="og:type" content="article" /><meta property="og:title" content="Deep dive into Intel Management Engine disablement – Purism" /><meta property="og:description" content="Purism makes premium phones, laptops, mini PCs and servers running free software on PureOS. Purism products respect people's privacy and freedom while protecting their security." /><meta property="og:url" content="https://puri.sm/posts/deep-dive-into-intel-me-disablement/" /><meta property="og:site_name" content="Purism" /><meta property="article:tag" content="Advanced readers" /><meta property="article:tag" content="Boot and BIOS" /><meta property="article:tag" content="Laptops" /><meta property="article:tag" content="Newsletter and status updates" /><meta property="article:tag" content="Privacy" /><meta property="article:tag" content="Security" /><meta property="article:tag" content="Software freedom" /><meta property="article:section" content="Additional Press Information" /><meta property="article:published_time" content="2017-10-19T15:38:48+00:00" /><meta property="article:modified_time" content="2018-11-28T17:28:06+00:00" /><meta property="og:updated_time" content="2018-11-28T17:28:06+00:00" /><meta property="og:image" content="https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-1024x223.png" /><meta property="og:image:secure_url" content="https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-1024x223.png" /><meta name="twitter:card" content="summary_large_image" /><meta name="twitter:description" content="Purism makes premium phones, laptops, mini PCs and servers running free software on PureOS. Purism products respect people's privacy and freedom while protecting their security." /><meta name="twitter:title" content="Deep dive into Intel Management Engine disablement – Purism" /><meta name="twitter:image" content="https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-1024x223.png" /> <script type='application/ld+json'>{"@context":"https://schema.org","@type":"Organization","url":"https://puri.sm/","sameAs":[],"@id":"https://puri.sm/#organization","name":"Purism SPC","logo":"https://puri.sm/wp-content/uploads/2020/11/purism-logo-no-text.png"}</script> <link rel="alternate" type="application/rss+xml" title="Purism » Feed" href="https://puri.sm/feed/" /><link rel="alternate" type="application/rss+xml" title="Purism » Comments Feed" href="https://puri.sm/comments/feed/" /><link rel='stylesheet' id='sccss_style-css' href='https://puri.sm/?sccss=1&ver=4.9.26' type='text/css' media='all' /> <!--[if !IE]><!--><link rel='stylesheet' id='tablepress-responsive-css' href='https://puri.sm/wp-content/plugins/tablepress-responsive-tables/tablepress-responsive.min.css?ver=1.2' type='text/css' media='all' /> <!--<![endif]--> <script type='text/javascript' src='https://puri.sm/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script> <script type='text/javascript'>var inlineFootNotesVars = {"hover":""};</script> <script type='text/javascript'>var ajaxurl = "https:\/\/puri.sm\/wp-admin\/admin-ajax.php";</script> <link rel='https://api.w.org/' href='https://puri.sm/wp-json/' /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://puri.sm/xmlrpc.php?rsd" /><link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://puri.sm/wp-includes/wlwmanifest.xml" /><meta name="generator" content="WordPress 4.9.26" /><link rel='shortlink' href='https://puri.sm/?p=31772' /><link rel="alternate" type="application/json+oembed" href="https://puri.sm/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fhttps://puri.sm%2Fposts%2Fdeep-dive-into-intel-me-disablement%2F" /><link rel="alternate" type="text/xml+oembed" href="https://puri.sm/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fhttps://puri.sm%2Fposts%2Fdeep-dive-into-intel-me-disablement%2F&format=xml" /> <script>var _mtm = window._mtm = window._mtm || []; _mtm.push({'mtm.startTime': (new Date().getTime()), 'event': 'mtm.Start'}); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.async=true; g.src='https://stats.puri.sm/js/container_LAXCS07c.js'; s.parentNode.insertBefore(g,s);</script> <script>var _paq = window._paq = window._paq || []; /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ _paq.push(["setDocumentTitle", document.domain + "/" + document.title]); _paq.push(["setCookieDomain", "*.puri.sm"]); _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="https://stats.puri.sm/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '2']); })();</script> <script src="https://stats.puri.sm/matomo.js"></script> <!--[if !IE]><!--> <!--<![endif]--> <!--[if lte IE 8]><script src="https://puri.sm/wp-content/plugins/wp-charts/js/excanvas.compiled.js"></script><![endif]--><link rel="icon" href="https://puri.sm/wp-content/uploads/2020/04/cropped-purism-logo-rectangle-1-32x32.png" sizes="32x32" /><link rel="icon" href="https://puri.sm/wp-content/uploads/2020/04/cropped-purism-logo-rectangle-1-192x192.png" sizes="192x192" /><link rel="apple-touch-icon-precomposed" href="https://puri.sm/wp-content/uploads/2020/04/cropped-purism-logo-rectangle-1-180x180.png" /><meta name="msapplication-TileImage" content="https://puri.sm/wp-content/uploads/2020/04/cropped-purism-logo-rectangle-1-270x270.png" /></head><body class="post-template-default single single-post postid-31772 single-format-standard wp-purism"><div id="page" class="app"><header id="masthead" class="navigation-top container inverted"><div class="brand"> <a href="https://puri.sm/" rel="home"> <img src="https://puri.sm/wp-content/themes/wp-purism/images/brand_alt.svg" alt="Purism" /> </a></div> <button class="navigation-toggle" aria-controls="primary-menu" aria-expanded="false"> <span class="ion-navicon-round"></span> </button><nav id="site-navigation" class="pages"><div class="menu-primary-menu-container"><ul id="primary-menu" class="menu"><li id="menu-item-68129" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-68129"><a href="http://shop.puri.sm/">Store</a></li><li id="menu-item-69249" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-69249"><a href="https://puri.sm/products/">Products</a></li><li id="menu-item-9338" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9338"><a href="https://puri.sm/news/">News & Events</a></li><li id="menu-item-66416" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-66416"><a href="https://puri.sm/about/">About</a></li><li id="menu-item-8884" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-8884"><a>Support</a><ul class="sub-menu"><li id="menu-item-8885" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8885"><a href="https://puri.sm/contact/">Contact</a></li><li id="menu-item-63319" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-63319"><a href="http://docs.puri.sm/">Documentation</a></li><li id="menu-item-160" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-160"><a title="Frequently Asked Questions" href="https://puri.sm/faq/">FAQ</a></li><li id="menu-item-19156" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-19156"><a href="https://forums.puri.sm/">Forums</a></li><li id="menu-item-61056" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-61056"><a href="https://shop.puri.sm/my-account/">My Account</a></li></ul></li><li id="menu-item-66417" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-66417"><a href="https://pureos.net/">PureOS</a></li></ul></div></nav></header><div class="h-entry"><div class="page-header" style="padding: 70px;"></div></div><div class="h-entry"><div class="page-header" style="background-image: url()"><div class="container"><h1 class="p-name">Deep dive into Intel Management Engine disablement</h1><div class="blog-metadata"> <span class="blog-metadata__item"> <span class="ion-calendar"></span> <time class="dt-published" datetime="2017-10-19 15:38:48">October 19, 2017</time> </span> <span class="blog-metadata__item"> <span class="ion-document-text"></span> <a href="https://puri.sm/posts/category/add-info/" rel="category tag">Additional Press Information</a>, <a href="https://puri.sm/posts/category/firmware/" rel="category tag">Firmware and BIOS</a> </span> <span class="blog-metadata__item"> <span class="ion-pricetags"></span> <a href="https://puri.sm/posts/tag/advanced-readers/" rel="tag">Advanced readers</a> / <a href="https://puri.sm/posts/tag/boot-and-bios/" rel="tag">Boot and BIOS</a> / <a href="https://puri.sm/posts/tag/laptops/" rel="tag">Laptops</a> / <a href="https://puri.sm/posts/tag/newsletter-and-status-updates/" rel="tag">Newsletter and status updates</a> / <a href="https://puri.sm/posts/tag/privacy/" rel="tag">Privacy</a> / <a href="https://puri.sm/posts/tag/security/" rel="tag">Security</a> / <a href="https://puri.sm/posts/tag/software-freedom/" rel="tag">Software freedom</a> </span></div></div></div><div class="section"><div class="container"><div class="blog-entry e-content"><div class="abh_box abh_box_up abh_box_business"><ul class="abh_tabs"><li class="abh_about abh_active"><a href="#abh_about">About</a></li><li class="abh_posts"><a href="#abh_posts">Latest Posts</a></li></ul><div class="abh_tab_content"><section class="vcard abh_about_tab abh_tab" style="display:block"><div class="abh_image"><a href="https://puri.sm/posts/author/purism/" class="url" title="Purism"><img src="https://puri.sm/wp-content/uploads/gravatar/head-logo.jpg" class="photo" width="80" alt="Purism" /></a></div><div class="abh_social"></div><div class="abh_text"><h3 class="fn name" ><a href="https://puri.sm/posts/author/purism/" class="url">Purism</a></h3><div class="abh_job" ></div><div class="description note abh_description" >Beautiful, Secure, Privacy-Respecting Laptops, Tablets, PCs, and Phones</div></div></section><section class="abh_posts_tab abh_tab" ><div class="abh_image"><a href="https://puri.sm/posts/author/purism/" class="url" title="Purism"><img src="https://puri.sm/wp-content/uploads/gravatar/head-logo.jpg" class="photo" width="80" alt="Purism" /></a></div><div class="abh_social"></div><div class="abh_text"><h4 >Latest posts by Purism <span class="abh_allposts">(<a href="https://puri.sm/posts/author/purism/">see all</a>)</span></h4><div class="abh_description note" ><ul><li> <a href="https://puri.sm/posts/the-importance-of-software-bill-of-materials-sbom/">The Importance of Software Bill of Materials (SBOM)</a><span> - March 21, 2025</span></li><li> <a href="https://puri.sm/posts/pureos-crimson-development-report-february-2025/">PureOS Crimson Development Report: February 2025</a><span> - March 14, 2025</span></li><li> <a href="https://puri.sm/posts/pureos-crimson-development-report-january-2025/">PureOS Crimson Development Report: January 2025</a><span> - February 14, 2025</span></li></ul></div></div></section></div></div><p>Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the <a href="https://puri.sm/learn/intel-me/">Intel Management Engine</a> neutralized <em>and</em> disabled by default. Users who already received their orders can also update their flash to disable the ME on their machines.</p><p>In this post, I will dig deeper and explain in more details what this means exactly, and why it wasn’t done before today for the laptops that were shipping this spring and summer.</p><h1>The life and times of the ME</h1><p>Think of the ME as having 4 possible states:</p><p><img class="alignnone size-large wp-image-39684" src="https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-1024x223.png" alt="" width="960" height="209" srcset="https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-1024x223.png 1024w, https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-300x65.png 300w, https://puri.sm/wp-content/uploads/2017/10/intel-me-status-eye-768x167.png 768w" sizes="(max-width: 960px) 100vw, 960px" /></p><ol><li>Fully operational ME: the ME is running normally like it does on other manufacturers’ machines (note that this could be a consumer or corporate ME image, which vary widely in the features they ‘provide’)</li><li>Neutralized ME: the ME is neutralized/neutered by removing the most “mission-critical” components from it, such as the kernel and network stack.</li><li>Disabled ME: the ME is officially “disabled” and is known to be completely stopped and non-functional</li><li>Removed ME: the ME is completely <em>removed</em> and doesn’t execute anything at any time, at all.</li></ol><p>In <a href="https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/">my previous blog post about taming the ME</a>, we discussed how we neutralize the ME (note that this was on the first generation, Broadwell-based Purism laptops back then), but we’ve taken things one step further today by not only neutralizing the ME but also by <em>disabling</em> it. The difference between the two might not be immediately visible to some of you, so I’ll clarify below.</p><ul><li>A <em>neutralized</em> ME is a ME image which had most of its code removed.<img class="alignright wp-image-39688" src="https://puri.sm/wp-content/uploads/2017/10/intel-me-cleaner-1024x579.png" alt="" width="514" height="291" srcset="https://puri.sm/wp-content/uploads/2017/10/intel-me-cleaner-1024x579.png 1024w, https://puri.sm/wp-content/uploads/2017/10/intel-me-cleaner-300x170.png 300w, https://puri.sm/wp-content/uploads/2017/10/intel-me-cleaner-768x434.png 768w" sizes="(max-width: 514px) 100vw, 514px" /><ul><li>The way the ME firmware is packaged on the flash, is in the form of multiple <strong>modules</strong>, and each module has a specific task, such as : Hardware initialization, Firmware updates, Kernel, Network stack, Audio/Video processing, HECI communication over PCI, Java virtual machine, etc. When the ME is neutralized using the <a href="https://github.com/corna/me_cleaner">me_cleaner</a> tool, most of the modules will be removed. As we’ve seen on Broadwell, that meant almost 93% of the code is removed and only 7% remains (that proportion is different on Skylake, see further below).</li><li>A neutralized ME means that the ME firmware will encounter an error during its regular boot cycle; It will not find some of its critical modules and it will throw an error and somehow fail to proceed. However, the ME remains operational, it just can’t do anything “valuable”. While it’s unable to communicate with the main CPU through the HECI commands, the PCI interface to the ME processor is still active and lets us poke at the status of the ME for example, which lets us see which error caused it to stop functioning.</li></ul></li><li>When the ME is <em>disabled</em> using the “HAP” method (thanks to the <a href="http://blog.ptsecurity.com/2017/08/disabling-intel-me.html" class="broken_link"><em>Positive Technologies</em></a> for discovering this trick), however, it doesn’t throw an error “because it can’t load a module”: it actually stops itself in a graceful manner, by design.</li></ul><p>The two approaches are similar in that they both stop the execution of the ME during the hardware initialization (BUP) phase, but with the ME disabled through the HAP method, the ME stops on its own, without putting up a fight, potentially disabling things that the forceful “me_cleaner” approach, with the “unexpected error” state, wouldn’t have disabled. The PCI interface for example, is entirely unable to communicate with the ME processor, and the status of the ME is not even retrievable.</p><p>So the big, visible difference for us, between a neutralized and a disabled ME, is that the neutralized ME might appear “normal” when coreboot accesses its status, or it might show that it has terminated due to an error, while a disabled ME simply doesn’t give us a status at all—so coreboot will even think that the ME partition is corrupted. Another advantage, is that, from my understanding of the <em>Positive Technologies’s </em>research, a disabled ME stops its execution <em>before</em> a neutralized ME does, so there is at least a little bit of extra code that doesn’t get executed when the ME is disabled, compared to a neutralized ME.</p><h1>Kill it with fire! Then dump it into a volcano.</h1><p>In our case, we went with an ME that is both neutered <em>and</em> disabled. By doing so, we provide maximum security; even if the disablement of the ME isn’t functioning properly, the ME would still fail to load its mission-critical modules and will therefore be safe from any potential exploits or backdoors (unless one is found in the very early boot process of the ME).</p><p>I want to talk about the neutralizing of the Skylake ME then follow up on how the ME was disabled. However, I first want you to understand the differences between the ME on <em>Broadwell</em> systems (ME version 10.x) and the ME on <em>Skylake</em> systems (ME version 11.0.x).</p><ul><li>The Intel Management Engine can be seen as two things; first, the isolated processor core that run the Management Engine is considered “The ME”, and second, the firmware that runs on the ME Core is also considered as being “the ME”. I often used the two terms interchangeably, but to avoid confusion, I will from now on (try to) refer to them, respectively, as the<strong><em> ME Core</em></strong> and the <strong><em>ME Firmware</em></strong>, but note that if I simply say <em>the ME</em>, then I am probably referring to the ME Firmware.</li><li>The ME Firmware 10.x was used on Broadwell systems which had an <a href="https://en.wikipedia.org/wiki/ARC_(processor)">ARC core</a>, while the ME Firmware 11.0.x used on Skylake systems uses an <a href="https://en.wikipedia.org/wiki/X86">x86 core</a>. What this means is that the <em>architecture</em> used by the ME core is completely different (kind of like how PowerPC and Intel macs used a different architecture, or how most mobile devices use an ARM architecture, the Broadwell ME Core used an ARC architecture). This means that the difference between the 10.x and 11.0.x ME firmwares is major, and the cores themselves are also very different. It’s a bit like comparing arabic to korean!<br /> <a href="https://puri.sm/wp-content/uploads/2017/10/arab-vs-kor.png"><img class="size-large wp-image-39685 alignnone" src="https://puri.sm/wp-content/uploads/2017/10/arab-vs-kor-1024x400.png" alt="" width="960" height="375" srcset="https://puri.sm/wp-content/uploads/2017/10/arab-vs-kor-1024x400.png 1024w, https://puri.sm/wp-content/uploads/2017/10/arab-vs-kor-300x117.png 300w, https://puri.sm/wp-content/uploads/2017/10/arab-vs-kor-768x300.png 768w" sizes="(max-width: 960px) 100vw, 960px" /></a></li><li>As the format of the ME firmware changed significantly, it took a while to figure out how to decompress the modules and understand how to remove the modules without breaking anything else. Nicola Corna, the author of the me_cleaner tool, recently was able to add support for Skylake machines by removing all the non essential modules.</li></ul><p>In my <a href="https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/">last ME-related post</a>, I gave everyone a rundown of the modules that were in the ME 10.x firmware and which ones were remaining after it was neutered, so, for Skylake, here is the list of modules in a regular ME 11.0.x firmware:</p><pre>-rw-r--r-- 1 kakaroto kakaroto 184320 Aug 29 16:33 bup.mod -rw-r--r-- 1 kakaroto kakaroto 36864 Aug 29 16:33 busdrv.mod -rw-r--r-- 1 kakaroto kakaroto 32768 Aug 29 16:33 cls.mod -rw-r--r-- 1 kakaroto kakaroto 163840 Aug 29 16:33 crypto.mod -rw-r--r-- 1 kakaroto kakaroto 389120 Aug 29 16:33 dal_ivm.mod -rw-r--r-- 1 kakaroto kakaroto 24576 Aug 29 16:33 dal_lnch.mod -rw-r--r-- 1 kakaroto kakaroto 49152 Aug 29 16:33 dal_sdm.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 evtdisp.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 fpf.mod -rw-r--r-- 1 kakaroto kakaroto 45056 Aug 29 16:33 fwupdate.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 gpio.mod -rw-r--r-- 1 kakaroto kakaroto 8192 Aug 29 16:33 hci.mod -rw-r--r-- 1 kakaroto kakaroto 36864 Aug 29 16:33 heci.mod -rw-r--r-- 1 kakaroto kakaroto 28672 Aug 29 16:33 hotham.mod -rw-r--r-- 1 kakaroto kakaroto 28672 Aug 29 16:33 icc.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 ipc_drv.mod -rw-r--r-- 1 kakaroto kakaroto 11832 Aug 29 16:33 ish_bup.mod -rw-r--r-- 1 kakaroto kakaroto 24576 Aug 29 16:33 ish_srv.mod -rw-r--r-- 1 kakaroto kakaroto 73728 Aug 29 16:33 kernel.mod -rw-r--r-- 1 kakaroto kakaroto 28672 Aug 29 16:33 loadmgr.mod -rw-r--r-- 1 kakaroto kakaroto 28672 Aug 29 16:33 maestro.mod -rw-r--r-- 1 kakaroto kakaroto 28672 Aug 29 16:33 mca_boot.mod -rw-r--r-- 1 kakaroto kakaroto 24576 Aug 29 16:33 mca_srv.mod -rw-r--r-- 1 kakaroto kakaroto 36864 Aug 29 16:33 mctp.mod -rw-r--r-- 1 kakaroto kakaroto 32768 Aug 29 16:33 nfc.mod -rw-r--r-- 1 kakaroto kakaroto 409600 Aug 29 16:33 pavp.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 pmdrv.mod -rw-r--r-- 1 kakaroto kakaroto 24576 Aug 29 16:33 pm.mod -rw-r--r-- 1 kakaroto kakaroto 61440 Aug 29 16:33 policy.mod -rw-r--r-- 1 kakaroto kakaroto 12288 Aug 29 16:33 prtc.mod -rw-r--r-- 1 kakaroto kakaroto 167936 Aug 29 16:33 ptt.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 rbe.mod -rw-r--r-- 1 kakaroto kakaroto 12288 Aug 29 16:33 rosm.mod -rw-r--r-- 1 kakaroto kakaroto 49152 Aug 29 16:33 sensor.mod -rw-r--r-- 1 kakaroto kakaroto 110592 Aug 29 16:33 sigma.mod -rw-r--r-- 1 kakaroto kakaroto 20480 Aug 29 16:33 smbus.mod -rw-r--r-- 1 kakaroto kakaroto 36864 Aug 29 16:33 storage.mod -rw-r--r-- 1 kakaroto kakaroto 8192 Aug 29 16:33 syncman.mod -rw-r--r-- 1 kakaroto kakaroto 94208 Aug 29 16:33 syslib.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Aug 29 16:33 tcb.mod -rw-r--r-- 1 kakaroto kakaroto 28672 Aug 29 16:33 touch_fw.mod -rw-r--r-- 1 kakaroto kakaroto 12288 Aug 29 16:33 vdm.mod -rw-r--r-- 1 kakaroto kakaroto 98304 Aug 29 16:33 vfs.mod </pre><p>And here is the list of modules in a neutered ME :</p><pre>-rw-r--r-- 1 kakaroto kakaroto 184320 Oct 4 16:21 bup.mod -rw-r--r-- 1 kakaroto kakaroto 73728 Oct 4 16:21 kernel.mod -rw-r--r-- 1 kakaroto kakaroto 16384 Oct 4 16:21 rbe.mod -rw-r--r-- 1 kakaroto kakaroto 94208 Oct 4 16:21 syslib.mod</pre><p>The total ME size dropped from 2.5MB to 360KB, which means that 14.42% of the code remains, while 85.58% of the code was neutralized with me_cleaner.</p><p>The reason the neutering on Skylake-based systems removed less code than on Broadwell-based systems is because of the code in <strong>the ME’s read-only memory</strong> (ROM). What this “ROM” means is that a small part of the ME firmware is actually burned in the silicon of the ME Core. The ROM content is the first code executed, loaded internally from the ROM, by the ME core, and it has the simple task of reading the ME firmware from the flash, verifying its signature, making sure it hasn’t been tampered with, loading it in the ME Core’s memory and executing it.</p><ul><li>On Broadwell, there is about 128KB of code burned in the ME Core’s ROM. That 128KB of code contains the bootloader as well as some system APIs that the other modules can use.</li><li>On Skylake, the ROM code was decreased to 17KB, leaving only the basic bootloader, and moving the system APIs to a module of their own inside the ME firmware.</li><li>This means that the total amount of code remaining, including the ROM is 360+17KB out of 2524+17KB = 377/2541 = 14.84% for Skylake, while on Broadwell, it’s 120 + 128KB out of 1624+128KB = 248/1752 = 14.15% of code remaining. The difference is much smaller now when we account for the code hidden in the ROM of the processor.</li></ul><p>The problem with the code in the ROM is that it cannot be removed because it’s inside of the processor itself and, well, it’s <em>Read-Only</em> Memory—it cannot be overwritten in any way, by definition. On the bright side, it is nice to see that most of the code that was previously in the ROM has now been moved to the flash in Skylake systems.</p><p>The ME firmware itself has multiple “partitions”, each containing something that the ME firmware needs. Some of those partitions will contain code modules, some will contain configuration files, and some will contain “other data” (I don’t really know what). Either way, the ME firmware contains about a dozen different partitions, each for a specific purpose, and two of those partitions contain the majority of the code modules.</p><h1>Schrödinger’s Wi-Fi</h1><p>I’ll now explain what has been done to get to this point in the project. When I was done with the coreboot port to the new Skylake machines, I tried to neutralize the ME, thinking it would be a breeze, since me_cleaner claimed support for Skylake. Unfortunately, it wasn’t working as it should and I spent the entire hacking day at the coreboot conference trying to fix it.</p><p><img class="wp-image-39687 alignright" src="https://puri.sm/wp-content/uploads/2017/10/purism-coreboot-schrodinger-wifi-1024x589.png" alt="" width="576" height="331" srcset="https://puri.sm/wp-content/uploads/2017/10/purism-coreboot-schrodinger-wifi-1024x589.png 1024w, https://puri.sm/wp-content/uploads/2017/10/purism-coreboot-schrodinger-wifi-300x173.png 300w, https://puri.sm/wp-content/uploads/2017/10/purism-coreboot-schrodinger-wifi-768x442.png 768w" sizes="(max-width: 576px) 100vw, 576px" /></p><p>The problem is that once the ME was neutralized with me_cleaner, the Wi-Fi module on the Librem was unpredictable: it sometimes would work and sometimes wouldn’t, which was confusing. I eventually realized that if I reboot after replacing the ME, the wifi would keep the same state as it was in before:</p><ul><li>if I neutralized the ME and reboot, it would still work, but after powering off the machine and turning it on, the wifi would stop working;</li><li>if I restored a full ME (instead of a neutralized one) and rebooted, the wifi would remain dead;</li><li>…but if I power off the machine and turn it back on, the wifi would finally be restored.</li></ul><p>I figured that it has something to do with how the PCI-Express card is initialized, and I spent quite some time trying to “enable it” from coreboot with a neutralized ME. I’ll spare you the details but I eventually realized that I couldn’t get it to work because the PCIe device completely ignored all my commands and would simply <em>refuse</em> to power up. It turns out that <strong>the ME controls the ICC</strong> (Integrated Clock Controller) so without it, it would simply not enable the clock for the PCIe device, so the wifi card wouldn’t work and there is <em>nothing</em> you can do about it because only the ME has control over the ICC registers. I tried to test a handful of different ME firmware versions, but surprisingly, the wifi module never worked on any of those images, even when the ME was not neutralized. Obviously, it meant that the ME firmware was not properly configured, so I used the Intel FIT tool (which is used to configure ME images, allowing us to set things like PCIe lanes, and which clocks to enable, and all of that). Unfortunately, even when an image was configured the exact same way as the original ME image we had, the wifi would still not work, and I couldn’t figure out why.</p><p>I shelved the problem to concentrate on the release of coreboot and eventually on the <a href="https://puri.sm/posts/coreboot-on-the-skylake-librems-part-2/">SATA issues</a> we were experiencing. The decision was made to release the Librem 13 v2 and Librem 15 v3 with a regular ME until more work was done on that front, because we couldn’t hold back shipments any longer (and because we can provide updates after shipment). Also note that at that time, the support for Skylake in me_cleaner was very rough—it was removing only half of the ME code because the format of the new ME 11.x firmware wasn’t fully known yet.</p><p>A few weeks later, I saw the release of <a href="https://github.com/ptresearch/unME11">unME11</a> from <em>Positive Technologies</em> and a week later, Nicola Corna pushed more complete support for Skylake in a testing branch of me_cleaner. I immediatly jumped on it and tested it on our machines. Unfortunately, <strong>the wifi issue was still there.</strong> I decided to debug the cause by figuring out what me_cleaner does that could be affecting the ME firmware that way.</p><p>As I mentioned earlier in this post, the ME firmware is made up of a dozen of <em>partitions,</em> some of those containing code modules, and me_cleaner will remove all the partitions except one, in which it will remove most of the modules and leave only the critical modules needed for the startup of the system. Therefore, I started progressively whitelisting more modules so me_cleaner wouldn’t remove them, and testing if it affected the wifi module. This was annoying to test because I’d have to change me_cleaner, neutralize the ME firmware, then copy the image from my main PC to the Librem then flash the new image, poweroff, then restart the machine, and if the Wifi wasn’t working, which was 99% of the time, I had to copy the files through a USB drive. I eventually restored all of the modules and it was <em>still</em> not working, which made me suspect the cause might be in one of the other partitions, so I gradually added one partition at a time, until the Wifi suddenly worked. I had just added the “MFS” partition, so I started removing the other partitions again one at a time, but keeping the “MFS” partition, and the Wifi was still working. I eventually removed all of the code modules (apart from the critical ones) but keeping the MFS partition, and the wifi was still working. So <strong>I had found my fix: I just need to keep the “MFS” partition in the image and the wifi would work.</strong></p><h1>So many firmwares, so little time</h1><p>So, what is this mysterious “MFS” partition? There’s not a lot of information about it anywhere online, other than one forum or mailing list user mentioning the MFS partition as “ME File System”. I decided to use a comparative approach.</p><p>The fun thing when comparing ME firmware images: not only are there multiple <em>versions</em> (ex: 10.x vs 11.x), for each single ME version there are multiple “flavors” of it, such as “Consumer” or “Corporate”, and there are <em>also</em> multiple flavors for “mobile” and “desktop”.</p><ul><li>When I extracted and compared all the partitions of all the variants and flavors, the only difference between a mobile and a desktop image is in the MFS partition, as every other partition shares the same hash between two flavors of the same version.</li><li>I then compared the various partitions between a configured and a non configured ME firmware, and noticed that what the Intel FIT tool does when you change the system’s configuration is to simply write that configuration inside of the MFS partition.</li><li>This means that the MFS partition, which doesn’t contain any code modules, is used for storage of configuration files used by the ME firmware. This is somewhat confirmed by the fact that the MFS partition is marked as containing data.</li></ul><p><a href="https://puri.sm/wp-content/uploads/2017/10/intel-me-versions.png"><img class="alignnone size-large wp-image-39686" src="https://puri.sm/wp-content/uploads/2017/10/intel-me-versions-1024x446.png" alt="" width="960" height="418" srcset="https://puri.sm/wp-content/uploads/2017/10/intel-me-versions-1024x446.png 1024w, https://puri.sm/wp-content/uploads/2017/10/intel-me-versions-300x131.png 300w, https://puri.sm/wp-content/uploads/2017/10/intel-me-versions-768x335.png 768w" sizes="(max-width: 960px) 100vw, 960px" /></a></p><p>After modifying me_cleaner to add support for the Librem, which allows us to neutralize the ME while keeping the Wifi module working, I discussed with Nicola Corna how to best integrate the feature into me_cleaner. We came to the conclusion that having a new option to allow users to select which partitions to keep would be a better method, so I sent a <a href="https://github.com/corna/me_cleaner/pull/70">pull request</a> that adds such a feature.</p><p>Unfortunately, while the wifi module was working with this change, I also had an adverse side-effect when adding the MFS partition back into the ME firmware: my machine would refuse to power off, for example, and would have trouble rebooting.</p><ul><li>The exact behavior is that if I power off the machine, Linux would do the entire power off sequence then stop, and I would have to manually force shutdown the Librem by holding the power button for 5 seconds. As for the rebooting issue, instead of actually rebooting when Linux finishes its poweroff sequence, the system will be frozen for a few seconds before suddenly shutting itself down forcibly, then turning itself back on 5 seconds later, on its own. This isn’t the most critical of issues, but it would be very annoying to users, and unfortunately, I couldn’t find the cause of this strange behavior. All I knew was that if I remove the MFS partition, coreboot says the ME partition is corrupted, and the wifi module doesn’t work, and if I keep the MFS partition, coreboot says the ME partition is valid, the wifi module works, but the poweroff/reboot issues automatically appear.</li><li>The solution for these issues turned out to be unexpectedly simple. After another of our developers said he was ready to live with the poweroff/reboot issues, and I sent him a neutralized ME for his system, I was told that his machine was working fine with no side-effects at all. I didn’t know what the difference between his machine and mine was, other than the fact that my machine is a prototype and his was a “production” machine. I then tested my neutralized ME on the “production” Librem 13 unit I had on hand, and I didn’t have any side effects of the neutralizing of the ME firmware. I then updated my coreboot build script to add the neutralization option and <a href="https://forums.puri.sm/t/building-coreboot-from-source-official-script/1264/21">asked users on our forums</a> to test it, and every one who tested the neutralized ME reported back success with no side-effects. I then realized the problem is probably only caused by the prototype machine that I was using. Well, <em>I can live with that.</em></li></ul><h1>Disabling the ME</h1><p>The next step for me was to start reverse-engineering the ME firmware, like I had <a href="https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/">done before</a>. This is of course a very long and arduous process that took a while and for which I don’t really have much progress to show. One thing I wanted to reverse-engineer was the MFS file system format so I could see which configuration files are within it and to start eliminating as much from it as possible. I started from the beginning however, by reverse engineering the entry point in the ROM. I will spare you much of the detail and the troubles in trying to understand some of the instructions, and mostly some of the memory accesses. The important thing to know is that before I got too far along, <em>Positive Technologies</em> announced the discovery of a way to <a href="http://blog.ptsecurity.com/2017/08/disabling-intel-me.html" class="broken_link">disable the Intel ME</a>, and I needed to test it.</p><p>Unfortunately, enabling the HAP bit which disables the ME Core, didn’t work on the Librem: it was causing the power LED to blink very slowly, and nothing I could do would stop it until I removed the battery. I first thought the machine was stuck in a boot loop, but it was just blinking really slowly. I figured out eventually that the reason was that the “HAP” bit was not added in version 11.0.0, but rather in version 11.0.x (where x > 0). I decided to try a newer ME firmware version and the HAP bit did work on that, which confirmed that the ME disablement was a feature added to the ME <em>after</em> the version the Librem came with (11.0.0.1180). So now I have a newer ME (version 11.0.18.1002) that is disabled thanks to the HAP bit, but… no Wi-Fi again.</p><p>I decided to retry using the FIT tool to configure the ME with the exact same settings as the old ME firmware. I went through every setting available to make sure it matches, and when I tried booting it again, the ME Core was disabled and the Wifi module was working. <em>Great Success!</em></p><p><img class="wp-image-39683 size-medium alignnone" src="https://puri.sm/wp-content/uploads/2017/10/intel-me-neutdis-300x200.png" alt="" width="300" height="200" srcset="https://puri.sm/wp-content/uploads/2017/10/intel-me-neutdis-300x200.png 300w, https://puri.sm/wp-content/uploads/2017/10/intel-me-neutdis-768x512.png 768w, https://puri.sm/wp-content/uploads/2017/10/intel-me-neutdis-1024x683.png 1024w, https://puri.sm/wp-content/uploads/2017/10/intel-me-neutdis.png 1293w" sizes="(max-width: 300px) 100vw, 300px" /></p><p>Obviously, I then needed to do plenty of testing, make sure it’s all working as it should, confirm that the ME Core was disabled, test the behavior of the system with a ME firmware both disabled <em>and</em> neutralized, and that it has no side effects other than what we wanted.</p><p>My previous coreboot <a href="https://source.puri.sm/kakaroto/coreboot-files/src/master/build_coreboot.sh">build script</a> was using the ME image from the local machine, but unfortunately, I can’t do that now for disabling the ME since it’s not supported on the ME image that most people have on their machines. So I updated my coreboot build script to make it download the new ME version from a public link (found <a href="http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html" class="broken_link">here</a>), and I used <a href="http://www.daemonology.net/bsdiff/">bsdiff</a> to patch the ME image with the proper configuration for the WiFi to work. I made sure to check that the only changes to the ME image is in the MFS partition and is configuration data, so the binary patch does not contain any binary code and we can safely distribute it.</p><h1>Moving towards the FSP</h1><p>The next step will be to continue the reverse-engineering efforts, but for now, I’ve put that on hold because <em>Positive Technologies</em> have announced that they found an exploit in the ME Firmware allowing the executing of unsigned code. This exploit will be announced at the <a href="https://www.blackhat.com/eu-17/briefings/schedule/index.html#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668">BlackHat Europe 2017</a> conference in December, so we’ll have to wait and see how their exploit works and what we can achieve with it before going further. Also, once <em>Positive Technologies </em>release their information, it might be possible for us to work together and share our knowledge. I am hoping that I can get some information from them on code that they already reverse engineered, so I don’t have to duplicate all of their efforts. I’d also like to mention that, just as last time, Igor Skochinsky has generously shared his research with us, but also getting data from <em>Positive Technologies</em> would be a tremendous help, considering how much work they have already invested on this.</p><p>Right now, I have decided to move my focus to investigating the FSP, which is another important binary that needs to be reverse-engineered and removed from coreboot. I don’t think that anyone is currently actively working on it, so hopefully, I can achieve something without duplicating someone else’s work, and we can advance the cause much faster this way. I think I will concentrate first on the PCH initialization code, then move to the memory initialization.</p></div></div></div><div class="blog-entry blog-entry-links"><div><h2 class="">Recent Posts</h2><ul><li> <a href="https://puri.sm/posts/the-importance-of-software-bill-of-materials-sbom/">The Importance of Software Bill of Materials (SBOM)</a></li><li> <a href="https://puri.sm/posts/pureos-crimson-development-report-february-2025/">PureOS Crimson Development Report: February 2025</a></li><li> <a href="https://puri.sm/posts/pureos-crimson-development-report-january-2025/">PureOS Crimson Development Report: January 2025</a></li><li> <a href="https://puri.sm/posts/why-the-salt-typhoon-hacks-make-our-public-networks-vulnerable/">Why the Salt Typhoon Hacks Make Our Public Networks Vulnerable</a></li><li> <a href="https://puri.sm/posts/pureos-crimson-development-report-december-2024/">PureOS Crimson Development Report: December 2024</a></li></ul></div><div><h2 class="">Related Content</h2><ul class="lcp_catlist" id="lcp_instance_listcategorypostswidget-3"><li ><a href="https://puri.sm/posts/abside-and-purism-partner-to-deliver-secure-mobile-solution-for-u-s-government-and-nato-countries/" title="Abside and Purism Partner to Deliver Secure Mobile Solution for U.S. Government and NATO Countries">Abside and Purism Partner to Deliver Secure Mobile Solution for U.S. Government and NATO Countries</a></li><li ><a href="https://puri.sm/posts/purism-crosses-100000-00-in-fewer-than-48-hours/" title="Purism Crosses $100,000.00 in fewer than 48 Hours">Purism Crosses $100,000.00 in fewer than 48 Hours</a></li><li ><a href="https://puri.sm/posts/purism-announces-first-public-offering-on-startengine/" title="Purism Announces First Public Offering on StartEngine">Purism Announces First Public Offering on StartEngine</a></li><li ><a href="https://puri.sm/posts/pureboot-not-vulnerable-to-uefi-exploits-again/" title="PureBoot Not Vulnerable to UEFI Exploits (Again)">PureBoot Not Vulnerable to UEFI Exploits (Again)</a></li><li ><a href="https://puri.sm/posts/intel-ax200-wi-fi-bluetooth-shipping-for-new-orders/" title="Intel AX200 Wi-Fi/Bluetooth Shipping for New Orders">Intel AX200 Wi-Fi/Bluetooth Shipping for New Orders</a></li></ul><a href="https://puri.sm/posts/category/add-info/" > </a></div><div><h2 class="">Tags</h2><div class="tagcloud"><a href="https://puri.sm/posts/tag/advanced-readers/" class="tag-cloud-link tag-link-246 tag-link-position-1" style="font-size: 17.663716814159pt;" aria-label="Advanced readers (72 items)">Advanced readers</a> <a href="https://puri.sm/posts/tag/awesim/" class="tag-cloud-link tag-link-406 tag-link-position-2" style="font-size: 10.973451327434pt;" aria-label="AweSIM (20 items)">AweSIM</a> <a href="https://puri.sm/posts/tag/battery-life/" class="tag-cloud-link tag-link-257 tag-link-position-3" style="font-size: 8.8672566371681pt;" aria-label="Battery life (13 items)">Battery life</a> <a href="https://puri.sm/posts/tag/boot-and-bios/" class="tag-cloud-link tag-link-260 tag-link-position-4" style="font-size: 16.796460176991pt;" aria-label="Boot and BIOS (60 items)">Boot and BIOS</a> <a href="https://puri.sm/posts/tag/chipsets-and-components/" class="tag-cloud-link tag-link-238 tag-link-position-5" style="font-size: 14.442477876106pt;" aria-label="Chipsets and components (39 items)">Chipsets and components</a> <a href="https://puri.sm/posts/tag/ciso/" class="tag-cloud-link tag-link-433 tag-link-position-6" style="font-size: 10.477876106195pt;" aria-label="CISO (18 items)">CISO</a> <a href="https://puri.sm/posts/tag/communications-infrastructure/" class="tag-cloud-link tag-link-254 tag-link-position-7" style="font-size: 9.858407079646pt;" aria-label="Communications infrastructure (16 items)">Communications infrastructure</a> <a href="https://puri.sm/posts/tag/consumer-privacy/" class="tag-cloud-link tag-link-441 tag-link-position-8" style="font-size: 8.3716814159292pt;" aria-label="Consumer Privacy (12 items)">Consumer Privacy</a> <a href="https://puri.sm/posts/tag/crowdfunding/" class="tag-cloud-link tag-link-245 tag-link-position-9" style="font-size: 12.088495575221pt;" aria-label="Crowdfunding (25 items)">Crowdfunding</a> <a href="https://puri.sm/posts/tag/feedback/" class="tag-cloud-link tag-link-247 tag-link-position-10" style="font-size: 10.725663716814pt;" aria-label="Customer Feedback (19 items)">Customer Feedback</a> <a href="https://puri.sm/posts/tag/cybersecurity/" class="tag-cloud-link tag-link-432 tag-link-position-11" style="font-size: 12.58407079646pt;" aria-label="cybersecurity (27 items)">cybersecurity</a> <a href="https://puri.sm/posts/tag/enterprise/" class="tag-cloud-link tag-link-388 tag-link-position-12" style="font-size: 8pt;" aria-label="Enterprise (11 items)">Enterprise</a> <a href="https://puri.sm/posts/tag/floss-apps/" class="tag-cloud-link tag-link-240 tag-link-position-13" style="font-size: 17.16814159292pt;" aria-label="FLOSS applications (65 items)">FLOSS applications</a> <a href="https://puri.sm/posts/tag/giving-back/" class="tag-cloud-link tag-link-250 tag-link-position-14" style="font-size: 15.309734513274pt;" aria-label="Giving and contributing back (46 items)">Giving and contributing back</a> <a href="https://puri.sm/posts/tag/graphics/" class="tag-cloud-link tag-link-41 tag-link-position-15" style="font-size: 11.716814159292pt;" aria-label="Graphics (23 items)">Graphics</a> <a href="https://puri.sm/posts/tag/infosec/" class="tag-cloud-link tag-link-431 tag-link-position-16" style="font-size: 11.716814159292pt;" aria-label="infosec (23 items)">infosec</a> <a href="https://puri.sm/posts/tag/laptops/" class="tag-cloud-link tag-link-234 tag-link-position-17" style="font-size: 21.87610619469pt;" aria-label="Laptops (158 items)">Laptops</a> <a href="https://puri.sm/posts/tag/liberty-phone/" class="tag-cloud-link tag-link-446 tag-link-position-18" style="font-size: 11.221238938053pt;" aria-label="Liberty Phone (21 items)">Liberty Phone</a> <a href="https://puri.sm/posts/tag/librem-5/" class="tag-cloud-link tag-link-396 tag-link-position-19" style="font-size: 18.159292035398pt;" aria-label="librem 5 (78 items)">librem 5</a> <a href="https://puri.sm/posts/tag/librem-5-usa/" class="tag-cloud-link tag-link-400 tag-link-position-20" style="font-size: 14.814159292035pt;" aria-label="Librem 5 USA (42 items)">Librem 5 USA</a> <a href="https://puri.sm/posts/tag/librem-14/" class="tag-cloud-link tag-link-407 tag-link-position-21" style="font-size: 11.964601769912pt;" aria-label="Librem 14 (24 items)">Librem 14</a> <a href="https://puri.sm/posts/tag/linux-kernel/" class="tag-cloud-link tag-link-259 tag-link-position-22" style="font-size: 13.327433628319pt;" aria-label="Linux kernel (31 items)">Linux kernel</a> <a href="https://puri.sm/posts/tag/made-in-usa-electronics/" class="tag-cloud-link tag-link-401 tag-link-position-23" style="font-size: 12.58407079646pt;" aria-label="Made in USA Electronics (27 items)">Made in USA Electronics</a> <a href="https://puri.sm/posts/tag/most-secure-computer/" class="tag-cloud-link tag-link-390 tag-link-position-24" style="font-size: 11.469026548673pt;" aria-label="most secure computer (22 items)">most secure computer</a> <a href="https://puri.sm/posts/tag/most-secure-laptop/" class="tag-cloud-link tag-link-391 tag-link-position-25" style="font-size: 14.814159292035pt;" aria-label="most secure laptop (42 items)">most secure laptop</a> <a href="https://puri.sm/posts/tag/most-secure-pc/" class="tag-cloud-link tag-link-392 tag-link-position-26" style="font-size: 10.725663716814pt;" aria-label="most secure pc (19 items)">most secure pc</a> <a href="https://puri.sm/posts/tag/most-secure-phone/" class="tag-cloud-link tag-link-393 tag-link-position-27" style="font-size: 16.672566371681pt;" aria-label="most secure phone (59 items)">most secure phone</a> <a href="https://puri.sm/posts/tag/newsletter-and-status-updates/" class="tag-cloud-link tag-link-236 tag-link-position-28" style="font-size: 22pt;" aria-label="Newsletter and status updates (161 items)">Newsletter and status updates</a> <a href="https://puri.sm/posts/tag/phones/" class="tag-cloud-link tag-link-249 tag-link-position-29" style="font-size: 21.628318584071pt;" aria-label="Phones (149 items)">Phones</a> <a href="https://puri.sm/posts/tag/press/" class="tag-cloud-link tag-link-381 tag-link-position-30" style="font-size: 10.230088495575pt;" aria-label="Press (17 items)">Press</a> <a href="https://puri.sm/posts/tag/privacy/" class="tag-cloud-link tag-link-51 tag-link-position-31" style="font-size: 20.389380530973pt;" aria-label="Privacy (120 items)">Privacy</a> <a href="https://puri.sm/posts/tag/launch/" class="tag-cloud-link tag-link-261 tag-link-position-32" style="font-size: 13.946902654867pt;" aria-label="Product or service launch (35 items)">Product or service launch</a> <a href="https://puri.sm/posts/tag/pureos/" class="tag-cloud-link tag-link-14 tag-link-position-33" style="font-size: 20.637168141593pt;" aria-label="PureOS (124 items)">PureOS</a> <a href="https://puri.sm/posts/tag/secure-computing/" class="tag-cloud-link tag-link-398 tag-link-position-34" style="font-size: 10.477876106195pt;" aria-label="secure computing (18 items)">secure computing</a> <a href="https://puri.sm/posts/tag/secure-supply-chain/" class="tag-cloud-link tag-link-452 tag-link-position-35" style="font-size: 9.2389380530973pt;" aria-label="Secure Supply Chain (14 items)">Secure Supply Chain</a> <a href="https://puri.sm/posts/tag/security/" class="tag-cloud-link tag-link-116 tag-link-position-36" style="font-size: 21.504424778761pt;" aria-label="Security (147 items)">Security</a> <a href="https://puri.sm/posts/tag/software-freedom/" class="tag-cloud-link tag-link-244 tag-link-position-37" style="font-size: 19.893805309735pt;" aria-label="Software freedom (108 items)">Software freedom</a> <a href="https://puri.sm/posts/tag/supply-chain/" class="tag-cloud-link tag-link-205 tag-link-position-38" style="font-size: 16.548672566372pt;" aria-label="Supply chain (58 items)">Supply chain</a> <a href="https://puri.sm/posts/tag/testimonials-and-user-stories/" class="tag-cloud-link tag-link-243 tag-link-position-39" style="font-size: 8pt;" aria-label="Testimonials and user stories (11 items)">Testimonials and user stories</a> <a href="https://puri.sm/posts/tag/tips-and-tricks/" class="tag-cloud-link tag-link-242 tag-link-position-40" style="font-size: 13.575221238938pt;" aria-label="Tips and tricks (33 items)">Tips and tricks</a> <a href="https://puri.sm/posts/tag/user-empowerment/" class="tag-cloud-link tag-link-383 tag-link-position-41" style="font-size: 16.548672566372pt;" aria-label="User empowerment (58 items)">User empowerment</a> <a href="https://puri.sm/posts/tag/uxd/" class="tag-cloud-link tag-link-252 tag-link-position-42" style="font-size: 12.955752212389pt;" aria-label="User experience design (29 items)">User experience design</a> <a href="https://puri.sm/posts/tag/ixd/" class="tag-cloud-link tag-link-251 tag-link-position-43" style="font-size: 10.725663716814pt;" aria-label="User interaction design (19 items)">User interaction design</a> <a href="https://puri.sm/posts/tag/videos/" class="tag-cloud-link tag-link-235 tag-link-position-44" style="font-size: 12.70796460177pt;" aria-label="Videos (28 items)">Videos</a> <a href="https://puri.sm/posts/tag/website/" class="tag-cloud-link tag-link-253 tag-link-position-45" style="font-size: 8.3716814159292pt;" aria-label="Website (12 items)">Website</a></div></div></div></div></div><div class="container"><div class="adv"><a href="https://librem.one/"><img src="https://puri.sm/wp-content/uploads/2019/05/banner-2.jpg" alt=""></a></div></div><hr /><footer id="colophon" class="footer"><div class="container"><div class="row grid"><div class="column-4"><h5>Resources</h5><div class="menu-footer-1-container"><ul id="resources-menu" class="menu"><li id="menu-item-61372" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-61372"><a href="https://puri.sm/pr/">Press Room</a></li><li id="menu-item-61371" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-61371"><a href="https://puri.sm/enterprise/">Enterprise</a></li><li id="menu-item-61165" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-61165"><a href="https://developer.puri.sm/">Developers</a></li><li id="menu-item-69871" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-69871"><a href="https://puri.sm/purism-librem-affiliate-program/">Affiliates</a></li><li id="menu-item-70189" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-70189"><a href="https://puri.sm/pages/">Pages</a></li><li id="menu-item-80268" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-80268"><a href="https://puri.sm/videos/">Videos</a></li></ul></div></div><div class="column-4"><h5>About Purism</h5><div class="menu-footer-2-container"><ul id="about-menu" class="menu"><li id="menu-item-70774" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-70774"><a href="https://puri.sm/security/">Security</a></li><li id="menu-item-61035" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-61035"><a href="https://puri.sm/jobs/">Jobs</a></li><li id="menu-item-66415" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-66415"><a href="https://puri.sm/policies/">Policies</a></li><li id="menu-item-66413" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-66413"><a href="https://puri.sm/contributing/">Get involved</a></li><li id="menu-item-61038" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-61038"><a href="https://puri.sm/warrant-canary/">Warrant Canary</a></li></ul></div></div><div class="column-4 brands"><form class="newsletter-form" method="POST" action="https://announce.puri.sm/subscribe/announce"><h5>Newsletter</h5><p class="hint">Want to get announcements & news digests once in a while?</p><p class="hint">To subscribe, email <a href="mailto:text@puri.sm?subject=subscribe%20newsletter">text@puri.sm</a> with the subject "subscribe newsletter".</p><hr/><p class="hint hint--subtle">You will receive an automated e-mail you will need to reply to to confirm your subscription.</p></form><div class="social-brands"> <a href="https://puri.sm/feed/"><span class="ion-social-rss"></span></a> <a rel="nofollow me" target="_blank" href="https://social.librem.one/@purism"><img src="https://puri.sm/wp-content/themes/wp-purism/images/social-symbolic.svg" alt="Safe, public social media with millions of people already active" class="social-icon-mastodon" /></a> <a rel="nofollow" target="_blank" href="https://matrix.to/#/#community-general:talk.puri.sm"><img src="https://puri.sm/wp-content/themes/wp-purism/images/messages-symbolic.svg" alt="Librem Chat - End-to-end encrypted chat, VoIP, and video calling used by millions of people" class="social-icon-mastodon" /></a></div></div></div></div></footer><hr /><div class="section legal"><div class="container"> <a href="https://puri.sm/" class="brand"> <img src="https://puri.sm/wp-content/themes/wp-purism/images/brand.svg" alt="Purism" /> </a><p>3D renders are artist renderings, for illustration purposes. Images and specifications are subject to change depending on manufacturing requirements.</p><p>Unless otherwise noted, contents created by the Purism team on this website are copyleft with a CC-by-SA 4.0 license.</p></div></div></div> <script type="text/javascript" defer src="https://puri.sm/wp-content/cache/autoptimize/js/autoptimize_83f07466d4a76eafc58f6b825742f5a5.js"></script></body></html>