Intel Management Engine


From Wikipedia, the free encyclopedia

Autonomous computer subsystem

Privilege rings for the x86 architecture. The ME is colloquially categorized as ring −3, below System Management Mode (ring −2) and the hypervisor (ring −1), all running at a higher privilege level than the kernel (ring 0).

This section needs to be updated. The reason given is: The Intel Management Engine has been renamed as of ~9 years ago to Intel CSME. I cite my sources in the "It was renamed 2017 to Intel CSME" discussion post. Please help update this article to reflect recent events or newly available information. (March 2026)

The Intel Management Engine (ME), also known as the Intel Manageability Engine,[1][2] is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008.[1][3][4] It is located in the Platform Controller Hub of modern Intel motherboards.

The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with the deployment of a hardware device which is able to disconnect all connections to mains power as well as all internal forms of energy storage. The Electronic Frontier Foundation and some security researchers have voiced concern that the Management Engine is a backdoor.

Intel's main competitor, AMD, has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.

Difference from Intel AMT

The Management Engine is often confused with Intel AMT (Intel Active Management Technology). AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer,[5] such as powering it on or off, and reinstalling the operating system.

However, the ME itself has been built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.

Design

The subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep.[6] As long as the chipset or SoC is supplied with power (via battery or power supply), it continues to run even when the system is turned off.[7] Intel claims the ME is required to provide full performance.[8] Its exact workings[9] are largely undocumented[10] and its code is obfuscated using confidential Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.[11]

Hardware

Starting with ME 11 (introduced in Skylake CPUs), it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system.[12] The ME firmware is stored in a partition of the SPI BIOS Flash, using the Embedded Flash File System (EFFS).[13] Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS. Versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.

The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system. Support for this exists in various Ethernet controllers and is exported and made configurable via the Management Component Transport Protocol (MCTP).[14][15] The ME also communicates with the host via a PCI interface.[13] Under Linux, communication between the host and the ME is done via /dev/mei or /dev/mei0.[16][17]
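As an added example (not part of the original article), the following shell function inventories the host-visible ME interface described above, which is useful when auditing which machines expose it to the operating system. The /dev/mei and /dev/mei0 paths come from the article; the mei_me driver name and the fw_ver sysfs attribute are taken from the Linux kernel's MEI driver rather than from this page, and the MEI_ROOT variable is a hypothetical knob for pointing the check at a mounted or copied filesystem tree.

```shell
#!/bin/sh
# Added example: report what the Linux host can see of the ME interface.
# Prints one line per finding; returns 0 if anything was found, 1 otherwise.
# $1 is an optional root prefix (empty means the live system).
mei_inventory() {
    root="${1:-}"
    found=1

    # Character devices named in the article: /dev/mei, /dev/mei0 (and meiN).
    for node in "$root"/dev/mei "$root"/dev/mei[0-9]*; do
        [ -e "$node" ] || continue
        echo "device ${node#"$root"}"
        found=0
    done

    # PCI functions bound to the kernel's mei_me driver (assumption: driver
    # name as used by mainline Linux, not stated on the page).
    for dev in "$root"/sys/bus/pci/devices/*; do
        [ -L "$dev/driver" ] || continue
        drv=$(basename "$(readlink "$dev/driver")")
        [ "$drv" = "mei_me" ] || continue
        echo "pci $(basename "$dev") driver=$drv"
        found=0
    done

    # Firmware version exported by the mei device class, when the kernel
    # provides it. The file may hold several lines; report the first.
    for f in "$root"/sys/class/mei/mei*/fw_ver; do
        [ -r "$f" ] || continue
        echo "fw_ver $(basename "$(dirname "$f")") $(head -n 1 "$f")"
        found=0
    done

    return "$found"
}

# Stand-alone run: check the live system, or the tree named by MEI_ROOT.
mei_inventory "${MEI_ROOT:-}" || echo "no ME host interface visible"
```

An empty result only means the host driver is not loaded or the interface is hidden from the OS; it does not indicate that the ME itself is absent or inactive.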

Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[18] With the newer Intel architectures (Intel 5 Series onwards), the ME is integrated into the Platform Controller Hub (PCH).[19][20]

Firmware

By Intel's current terminology as of 2017, ME is one of several firmware sets for the Converged Security and Manageability Engine (CSME). Prior to AMT version 11, CSME was called Intel Management Engine BIOS Extension (Intel MEBx).[1]

Management Engine (ME) – mainstream chipsets[21]

Server Platform Services (SPS) – server chipsets and SoCs[21][22][23]

Trusted Execution Engine (TXE) – tablet/embedded/low power[24][25]

It was also found that the ME firmware version 11 runs MINIX 3.[12][26] Management of the ME modules for provisioning inside the UEFI is done...
