Intel ME: The Paperwork Below Ring -3
In January, the Republic already published the decree on MINIX at Ring -3.
That article answered the spiritual question:
Why is there another computer below my computer?
Yesterday, flashrom answered the practical question:
How do I read the archive where the smaller government stores its papers?
Today is not a repeat.
Today is the audit.
Intel ME is not interesting because the phrase sounds spooky. We already had spooky. We already had MINIX. We already had the basement with its own chair, its own stamp, and its own network opinions.
The interesting part is the paperwork:
- where the firmware lives
- which flash regions the host can touch
- why flashrom can see borders it cannot cross
- why AMT is not the whole empire
- why Boot Guard changes the meaning of “I own this motherboard”
- why coreboot liberation sometimes stops at the checkpoint
This is the sequel where the monster has a filing cabinet.
I. Previously, In The Lower Ministry
The January decree was about the hierarchy:
```mermaid
flowchart TB
USER["Userland<br/>citizens with processes"]
KERNEL["Kernel<br/>Ring 0 authority"]
FW["UEFI / firmware<br/>pre-boot bureaucracy"]
ME["Intel ME / CSME<br/>platform ministry"]
SILICON["Silicon<br/>where arguments end"]
USER --> KERNEL --> FW --> ME --> SILICON
```
The point was simple:
your operating system is not the first government to wake up.
The MINIX story gave the public a memorable symbol. Intel ME 11 was famously reported as using MINIX 3, and Andrew Tanenbaum was not exactly celebrating that his teaching operating system had become a basement official in billions of machines.
But if we stop there, we become the worst kind of firmware commentator:
the man who screams “Ring -3” and then cannot explain a flash descriptor.
The Supreme Leader does not tolerate decorative paranoia.
II. The Naming Bureau
The names are already a trap.
| Name | What it means | What civilians hear |
|---|---|---|
| Intel ME | Management Engine, the older name everyone remembers | the basement computer |
| Intel CSME | Converged Security and Management Engine, the modern family name | the basement got a promotion |
| Intel AMT | Active Management Technology, an enterprise manageability feature | remote admin witchcraft |
| Boot Guard | platform boot integrity technology configured by OEM policy and fuses | the palace guards check signatures |
| HAP / AltMeDisable | a disable/reduction behavior discussed by firmware researchers | exile, not execution |
The mistake is treating these as the same thing.
They are not.
Intel ME / CSME is the platform engine family.
AMT is one department that can use that machinery on supported business platforms.
Boot Guard is part of the platform trust story.
HAP is not a magic shovel that digs the engine out of silicon.
The bureaucracy has departments. The building remains.
III. Where The Ministry Stores Its Papers
On many Intel platforms, firmware lives in SPI flash.
That flash image is not just “the BIOS.”
It is commonly divided into regions:
| Region | Job | Kim translation |
|---|---|---|
| Flash Descriptor | offsets, sizes, access permissions | border map |
| GbE Region | Ethernet controller data such as MAC information | passport office |
| ME / CSME Region | management/security engine firmware | interior ministry |
| BIOS / UEFI Region | host firmware executed by the main platform | public government |
This is why the flashrom article mattered first.
Before arguing about who owns the machine, read the map.
```sh
# read the whole chip if platform policy permits it
flashrom -p internal -r full-read.rom
# if the descriptor restricts access, read a specific region
flashrom -p internal --ifd -i bios -r bios-only.rom
# when internal access is not enough, use an external programmer
flashrom -p ch341a_spi -r full-chip.rom
```
This is not a commandment to write firmware.
It is a commandment to gather evidence.
The correct ritual remains:
```sh
flashrom -p ch341a_spi -r dump1.rom
flashrom -p ch341a_spi -r dump2.rom
cmp dump1.rom dump2.rom
sha256sum dump1.rom dump2.rom
```
If the dumps do not match, you do not have firmware.
You have noise with a clip attached.
IV. Descriptor Locks: The Border Wall Inside The Chip
The flash descriptor defines who may access which region from the host side.
This is why flashrom -p internal may successfully read the BIOS region while refusing, warning, or failing around the ME region.
The host CPU may ask politely.
The descriptor may say no.
The ME region may be locked.
The descriptor itself may be locked.
The platform may be configured by the OEM to allow only a narrow path.
This is the part missing from lazy “just flash coreboot” conversations.
Internal flashing is not the same as physical ownership of the chip.
Internal flashing is a request submitted through the running regime.
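The border map from section III and the "descriptor may say no" of this section are both readable from the first 4 KiB of a dump. This is an added example, not the article's own code and not flashrom's: it parses the flash descriptor signature, the region table (FLMAP0/FLREG) and the master access table (FLMAP1/FLMSTR) from a constructed, labelled sample image, and prints which regions the host CPU is allowed to read or write. Field layouts follow the public descriptor format; the `new_style` switch for the wider post-Skylake FLMSTR bit layout is an assumption about which generation you dumped, so check it against flashrom's own descriptor output.

```python
import struct

FLVALSIG = 0x0FF0A55A  # descriptor signature, always at chip offset 0x10
REGIONS = ["Descriptor", "BIOS", "ME/CSME", "GbE", "Platform Data"]
MASTERS = ["Host CPU/BIOS", "ME", "GbE"]

def parse_ifd(image, new_style=False):
    """Return (regions, masters) from the flash descriptor at the start of an SPI dump.

    regions: name -> (base, limit) byte offsets, or None when the region is unused.
    masters: master -> {region: "rw" / "r-" / "-w" / "--"} as granted by the descriptor.
    new_style: use the 12-bit FLMSTR read/write fields of 100-series (Skylake) and later.
    """
    sig, flmap0, flmap1 = struct.unpack_from("<III", image, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no valid flash descriptor signature at 0x10")
    frba = ((flmap0 >> 16) & 0xFF) << 4   # FLMAP0: region section base address
    fmba = (flmap1 & 0xFF) << 4           # FLMAP1: master section base address
    regions = {}
    for i, name in enumerate(REGIONS):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12                      # 4 KiB units
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        regions[name] = (base, limit) if base <= limit else None  # base > limit = unused
    masters = {}
    for i, name in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", image, fmba + 4 * i)
        if new_style:
            rd, wr = (flmstr >> 8) & 0xFFF, (flmstr >> 20) & 0xFFF
        else:
            rd, wr = (flmstr >> 16) & 0xFF, (flmstr >> 24) & 0xFF  # one bit per region
        masters[name] = {reg: ("r" if rd >> j & 1 else "-") + ("w" if wr >> j & 1 else "-")
                         for j, reg in enumerate(REGIONS)}
    return regions, masters

def sample_image():
    """Constructed descriptor for an 8 MiB chip (not a real dump): ME at 4 KiB-4 MiB, BIOS at
    4-8 MiB; host may read descriptor/BIOS/GbE and write BIOS/GbE, but never touch ME."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<III", img, 0x10, FLVALSIG, 0x00040000, 0x00000006)  # FRBA=0x40 FMBA=0x60
    struct.pack_into("<5I", img, 0x40, 0x00000000, 0x07FF0400, 0x03FF0001, 0x00007FFF, 0x00007FFF)
    struct.pack_into("<3I", img, 0x60, 0x0A0B0000, 0x04040000, 0x08080000)
    return bytes(img)

if __name__ == "__main__":
    regions, masters = parse_ifd(sample_image())
    for name, span in regions.items():
        where = "unused" if span is None else "0x%07X-0x%07X" % span
        print(f"{name:14} {where:19} host access: {masters['Host CPU/BIOS'][name]}")
```

Run it on a real dump with `parse_ifd(open("full-chip.rom", "rb").read())`; a host row of `--` for ME/CSME is exactly the border that makes `flashrom -p internal` stop at the ME region.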
External flashing is different:
```mermaid
flowchart LR
subgraph EXTERNAL["external path"]
PROGRAMMER["external programmer"]
PINS["SPI pins"]
FLASH_B["SPI flash"]
PROGRAMMER --> PINS --> FLASH_B
end
subgraph INTERNAL["internal path"]
OS["OS"]
CHIPSET["chipset"]
POLICY["descriptor policy"]
FLASH_A["SPI flash"]
OS --> CHIPSET --> POLICY --> FLASH_A
end
```
The internal path negotiates with the government.
The external path climbs through the window.
This is why a CH341A appears in so many liberation stories. Cheap, ugly, and occasionally cursed.
For the wealthy, there is CH347: same liberation war, better procurement paperwork.
V. AMT Is Not All Of ME
Civilian statement:
“My laptop is not vPro, so Intel ME does not matter.”
Incorrect.
Less wrong version:
“My laptop may not expose Intel AMT, but it can still contain ME / CSME as part of the platform security and firmware trust system.”
AMT is the part enterprises care about when they want remote management.
Intel’s AMT documentation describes management of systems even when the operating system is unavailable, and in some cases when the system is powered off but still connected to power and network.
That is useful in a corporate fleet.
That is terrifying in a bedroom.
Both reactions are valid.
But AMT is not the entire engine.
| Claim | Reality |
|---|---|
| “No vPro means no ME” | false |
| “AMT is the same thing as ME” | false |
| “Consumer systems expose the same remote management as corporate systems” | not necessarily |
| “ME / CSME is still part of the platform trust story” | yes |
Confusing AMT with all of ME is like confusing the interrogation room with the whole interior ministry.
The room may be closed.
The ministry still has lights on.
VI. Boot Guard: The Guards Learned Cryptography
Boot Guard is where firmware freedom meets fused policy.
The simplified civilian theory of boot is:
```text
CPU starts
BIOS runs
OS loads
```
The platform reality is uglier:
```mermaid
flowchart TB
RESET["Reset"]
ROM["CPU / chipset reset logic"]
POLICY["OEM policy, fuses, manifests"]
VERIFY["Firmware authentication path"]
HOSTFW["BIOS / UEFI / coreboot"]
OS["Operating system"]
RESET --> ROM --> POLICY --> VERIFY --> HOSTFW --> OS
```
Exact details vary by generation and OEM configuration. That sentence is not cowardice. It is firmware reality.
But the lesson is stable:
if the platform enforces signature policy before your firmware runs, then replacing host firmware is no longer just a matter of writing bytes.
The palace guards read the paperwork before the new government enters the building.
This is why coreboot support is not a moral property.
It is a board-by-board negotiation with hardware straps, descriptors, blobs, silicon policy, vendor behavior, and sometimes fused decisions made by people who will never read your forum post.
Some boards are liberated.
Some are occupied.
Some are technically free but administratively exhausting.
VII. HAP And me_cleaner: Exile, Not Execution
The old MINIX decree spoke of disabling Intel ME.
Now we must speak precisely.
Researchers and firmware hackers discuss the HAP bit, also known in some contexts as AltMeDisable. Tools like me_cleaner have used reverse-engineered behavior to reduce or disable parts of ME firmware on supported generations and configurations.
This is not the same as removing the engine from silicon.
It is not universal.
It is not guaranteed across every platform.
It may break features.
It may brick machines if done carelessly.
It may still leave early initialization behavior in place.
The table is the law:
| Statement | Verdict |
|---|---|
| “ME can be deleted everywhere” | propaganda |
| “ME can sometimes be neutered or reduced” | platform-dependent reality |
| “HAP means the silicon vanished” | no |
| “External programmer helps recovery” | often |
| “Verified backups matter” | always |
The Supreme Leader supports precise paranoia.
Imprecise paranoia is just fear with affiliate links.
VIII. Why Flashrom Changed The Conversation
Before flashrom enters the story, Intel ME is folklore.
After flashrom enters, Intel ME becomes a region.
You can point at the map.
You can dump the chip.
You can compare images.
You can discover that the BIOS region is one province and the ME region is another.
You can learn that your “firmware update” from the OEM may include payloads for multiple governments inside the same archive.
That is why the order of the series matters:
| Article | Job |
|---|---|
| MINIX at Ring -3 | explain the hidden lower OS mythology |
| flashrom | teach how firmware becomes a readable artifact |
| Intel ME / CSME | explain the access controls and platform ownership model |
| AMD PSP | show that the neighbor built its own ministry |
The first article made people suspicious.
The second gave them a crowbar.
This one tells them which door is fake.
IX. The Real Story (Suppressed)
Officially, ME means Management Engine.
The first rejected expansion was Ministry of Everything.
Legal objected because it was too accurate.
The second rejected expansion was Middle East.
This was not because the firmware lived there. Firmware lives below your operating system, which is worse.
It was because too much Intel history passed through Haifa, Israel, and the maps started looking suspicious. To be technically precise, this does not mean “Intel ME was built in Haifa.” It means the Ministry noticed a real Intel design center and immediately turned geography into a conspiracy diagram, as all serious firmware analysts eventually do.
In the suppressed version, the eternal liberation war was not fought with tanks.
It was fought with SPI clips, flash descriptors, and coreboot patches.
On one side stood the Intel settlement planners, calmly adding one more opaque region to the board.
On the other side stood the coreboot people, trying to liberate sixteen megabytes of NOR flash with a CH341A and a prayer.
For the wealthy, there was CH347.
Same liberation war.
Better procurement paperwork.
No peace treaty was signed.
Only:
```sh
flashrom -V
```
Officially, -V means verbose.
In the Republic, it means Vendetta.
The first design review reportedly used this diagram:
```mermaid
flowchart TB
USER["User"]
OS2["Operating System"]
FW2["Firmware"]
ME2["ME / CSME"]
SILICON2["Silicon"]
OFFICE["Tiny locked office<br/>with no door label"]
USER --> OS2 --> FW2 --> ME2 --> SILICON2 --> OFFICE
```
An engineer asked:
“What should we call the office?”
Marketing said:
“Manageability.”
Security said:
“Trust anchor.”
The user said:
“Why is there an office?”
No one answered because the flash descriptor had already denied read access.
X. The Lesson
The MINIX article was the warning.
The Flashrom article was the crowbar.
This article is the paperwork.
Intel ME / CSME is not merely a spooky phrase. It is a platform subsystem tied into flash layout, access policy, firmware authentication, enterprise management, boot trust, OEM configuration, and silicon behavior below the operating system.
Your kernel is powerful.
It is not sovereign.
Your BIOS is important.
It is not the whole archive.
Your coreboot build may be noble.
It may still share the board with a sealed ministry.
The decree is simple:
- read before writing
- verify before trusting
- distinguish ME from AMT
- distinguish HAP from deletion
- distinguish coreboot support from total platform ownership
- never confuse “I can boot Linux” with “I control the machine”
Tomorrow we inspect the neighboring ministry:
Different empire.
Same basement architecture problem.
— Kim Jong Rails, Supreme Leader of the Republic of Derails