-
Notifications
You must be signed in to change notification settings - Fork 280
HAP AltMeDisable bit
me_cleaner supports two ways to disable Intel ME:
- by removing the non-fundamental partitions and modules from the Intel ME firmware
- by setting the HAP (Intel ME >= 11) or the AltMeDisable (Intel ME < 11) bit in the flash descriptor
The former is on by default and it is the older one; it has been tested on many platforms and it seems to work quite well. However it is not a "clean" solution, as it forces Intel ME to hang after the minimal necessary hardware initialization (and wasn't probably planned by Intel).
A new way to disable Intel ME has been discovered by Positive Technologies (as explained in this blog post): they found out that Intel ME (>= 11, Skylake or newer) has a "HAP" bit which acts like a kill-switch, telling Intel ME to hang after the initialization. Igor Skochinsky discovered a similar bit, the AltMeDisable bit, which does the same on Intel ME < 11. Essentially, they achieves exactly the same result as the "old" mode (as both modes stops the execution of Intel ME after the hardware initialization), however they have the advantage of:
- being something introduced by Intel, which report a nice
Alt Disable Mode
status to the BIOS (that should be handled better than the oldNormal
status but with anImage Failure
) - setting an alternate mode of Intel Boot Guard (however the outcome of this is currently unknown)
me_cleaner sets this HAP/AltMeDisable bit when the -s
(enable only the kill-switch, but don't remove the extra code from the firmware) or the -S
(enable the kill-switch and remove the extra code from the firmware) are passed.
Now the question is: which mode should I use? It depends... Some BIOS seem to work better with the code removal mode, some others with the kill-switch, it's up to you to test which one works better on your platform. Usually, if one mode works, the other follows (but may introduce delays in the boot).
You should try first with -S
(code removal + HAP/AltMeDisable bit) and, if it doesn't work, fallback to no arguments (code removal only) and, as last chance, -s
(HAP/AltMeDisable bit only).