I’ve recently become more interested in digital privacy in an age of ever-increasing surveillance. I switched my main PC from Windows to Linux in 2024 (after first trying it in 2013 and using it off-and-on since then), and my two main laptops are currently a ThinkPad X1 Extreme with Linux and a 2021 MacBook Pro. While using Linux means you’re on a much more secure and private system than Windows, you can always aim to make your system respect your freedom more. I recently learned about the Intel Management Engine, a device built into all Intel chipsets since 2008 which was originally designed to remotely manage machines in corporate environments. The ME’s functionality is mostly undocumented, but what we know is that it runs completely independently of your operating system, can access all of your computer’s memory as well as its entire network stack, and it is always active even when the system is “powered off.” This means that the ME is capable of sending anything in your computer’s memory over the network, wherever it wants, without your knowledge – a massive security risk to say the least!
(It’s also worth noting that recent AMD processors have an equivalent to the ME called the AMD PSP (Platform Security Processor). The PSP is similarly undocumented, but it does not have a network stack, meaning that it’s arguably less of a security risk.)
Knowing, then, about this security flaw present within all modern Intel processors, I began looking into how to disable it. While the ME cannot be fully disabled due to its role in starting up the CPU, it can be disabled right after the system powers on, blocking its ability to act maliciously. A more recent way of doing this is with the HAP bit, an undocumented killswitch in the firmware that government agencies such as the NSA enable on their Intel machines to bring them up to their security standards. As I found out, the two most practical options to disable/neuter the ME are to either buy a system from the small subset of manufacturers that sell computers with the ME disabled or to modify your computer’s firmware (either by manually zeroing out the ME regions with something like me_cleaner or by using a custom firmware such as libreboot). One of the manufacturers I regularly saw listed among those that sell computers with ME disabled was System76, who have been selling computers with Linux preinstalled since 2005, and disabling ME on them since 2017. On a whim, I decided to open up eBay and search for “system76,” and saw an active listing that was suspiciously cheap: a Galago Pro (galp5) from 2021, with an Intel Core i7-1165G7, 1TB of SSD storage, and 16GB of RAM, listed for only $200. This would have been an absolute steal in a normal economy, but with today’s global memory shortage thanks to AI, just the RAM and SSD alone would be worth almost $200. So, I bought it.
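As an added illustration (not code from the post, me_cleaner, or System76), the following read-only Python script shows what “checking the HAP bit” means at the byte level: it parses the Intel flash descriptor at the start of a SPI flash dump, locates the ME region, and reports whether the HAP strap is set. The offsets follow the public flash descriptor layout as me_cleaner reads it, and the HAP location (bit 16 of PCHSTRP0) is assumed to apply only to Skylake-era and newer chipsets; the sample image is constructed inline, not a real firmware dump.

```python
import struct

DESCRIPTOR_SIGNATURE = 0x0FF0A55A  # Intel flash descriptor signature at offset 0x10
HAP_BIT = 1 << 16                   # bit 16 of PCHSTRP0 (assumption: Skylake+/ME 11+ only)


def inspect_descriptor(image: bytes) -> dict:
    """Read-only inspection of a flash dump: find the ME region and the HAP bit."""
    if len(image) < 0x1000:
        raise ValueError("image too small to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != DESCRIPTOR_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4     # PCH Strap Base Address
    (flreg2,) = struct.unpack_from("<I", image, frba + 8)  # region 2 is the ME region
    me_base = (flreg2 & 0x7FFF) << 12                      # 4 KiB granularity
    me_limit = (((flreg2 >> 16) & 0x7FFF) << 12) | 0xFFF
    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    return {
        "me_present": me_base <= me_limit,   # base > limit means "region unused"
        "me_base": me_base,
        "me_limit": me_limit,
        "hap_set": bool(pchstrp0 & HAP_BIT),
    }


def build_sample_image(hap: bool) -> bytes:
    """Constructed 8 KiB stand-in for a dump: descriptor only, ME region declared
    at 0x3000-0x4FFF, HAP bit set or cleared. Not a real firmware image."""
    img = bytearray(0x2000)
    struct.pack_into("<I", img, 0x10, DESCRIPTOR_SIGNATURE)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<II", img, 0x14, (frba >> 4) << 16, (fpsba >> 4) << 16)
    struct.pack_into("<I", img, frba + 8, (0x4 << 16) | 0x3)  # limit page 4, base page 3
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap else 0)
    return bytes(img)


if __name__ == "__main__":
    for hap in (False, True):
        print(inspect_descriptor(build_sample_image(hap)))
```

On a real machine the same function can be pointed at a dump produced by a flash reader; it only reads the image, so it is a way to verify a vendor’s “ME disabled” claim rather than to change anything.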

The computer showed up pretty quickly, and I was pleasantly surprised to discover that it had 32GB of RAM installed instead of the 16GB listed, and the battery had only 15 cycles on it, meaning this machine hardly saw any use. But there was one issue: when I entered the firmware settings, it told me that the Intel ME was enabled. Uh-oh. After a little bit of research, I found out that the laptop was initially sold with the ME enabled because with its CPU generation, disabling it would prevent it from properly entering sleep. Thankfully, about a year and a half after release, the galp5 got a firmware update allowing you to disable ME, but per my correspondence with System76 customer support, the issue with sleep mode is a hardware problem that was engineered around on newer models but could not be properly fixed on mine. With the newest firmware loaded on my machine, I can confirm that with ME disabled it dies pretty quickly in sleep mode. Not a massive issue, but an important one to consider.
I’m really glad to have a modern laptop with this vulnerability patched, and I’m overall pretty pleased with the laptop itself. The build quality is decent enough, it has plenty of ports including HDMI, Ethernet, and an SD card slot, and it even has a function key combo (Fn+F10) that disables the webcam from being visible on the USB bus. Most System76 laptops use Clevo as an OEM, meaning it is a generic reference design to which they can make limited customizations, but I still think it’s a really nice machine and their open-source firmware and EC sweeten the deal. I probably wouldn’t have paid full retail for it, but for the price I paid I’m thrilled. I think it would be really cool if future System76 machines used Framework as an OEM, but that’s pretty wishful thinking on my part and I have no idea how tenable that would actually be.