1) Intel ME. ALL Intel x86 processors for a long time have shipped with a second, closed-source processor on the same chip. This is called the Management Engine (ME). This processor has in theory complete control over the other one as well as its own ability to communicate over the network as long as the computer is connected to power even if powered down, with no way to check or control it securely.

2) AMT. These Intel processors may have a service enabled called Active Management Technology (AMT). Intel says that AMT usually comes disabled by default on "consumer" hardware (but Intel is not too specific about what this means, e.g. prebuilt only or CPUs you buy at the store?). AMT is like a remote desktop feature for the CPU. It allows someone to log in remotely and control the computer or diagnose problems, no matter what the "main" processor's state (even powered off).

3) The vulnerability. Surprise, AMT turns out to have a serious security vulnerability that allows a hacker to take control of the PC.

4) Uncertainty. It is difficult, due to Intel's vagueness, to figure out whether one's CPU even has AMT capability and whether it is turned on ("provisioned") by default. This is compounded by the fact that it is turned on or off by the motherboard BIOS settings but there are tons of motherboards from tons of manufacturers and it's not clear which ones support AMT, whether AMT might be provisioned on a motherboard that does not have any menu option regarding AMT, etc. The chances of motherboard manufacturers releasing information about this, let alone patches, for all their motherboards from the past 8 years, seem slim.

4.1) Linux. In particular, Intel has released a handy "detection guide"[1] that only applies to Windows. Macs are presumably "consumer hardware" only, so that mainly leaves Linux users out to dry.

Please correct me if I missed any details above.

[1] https://downloadcenter.intel.com/download/26755

AMT is software so it's part of the BIOS image, not CPU. AFAIK it only works on "vPro" chipsets (Q series) thanks to Intel's market segmentation.