This does not and cannot "fully disable" the ME subsystem on modern CPUs.
A small remnant is left operational - without it, a PC shuts down after 30 minutes (this is well-known).
The Core 2 Duo/Quad architecture was the last iteration where the ME subsystem could be entirely removed.
I posted two BIOS images on this link for old HP machines. They can easily be flashed from within the booted bios without much hassle. Looking for the link...
Sadly I just learned that even the remnants seem to cause known harm
Neither of the two methods to disable the ME discovered so far turned out to be an effective countermeasure against the SA-00086 vulnerability. This is because the vulnerability is in an early-loaded ME module that is essential to boot the main CPU.
"Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine (TXE), and Server Platform Services (SPS) firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on 20 November 2017 (SA-00086).[39] Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was ‘disabled’ by any of the known unofficial methods.[40] In July 2018 another set of vulnerabilitites were disclosed (SA-00112).[41] In September 2018, yet another vulnerability was published (SA-00125).[42]"
The citation indexed [40] (that is, the relevant portion) in your quote points to the Register article you also linked, just as the Wikipedia entry does in support of the statement:
"Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was "disabled" by any of the known unofficial methods."
That being the case I would expect the Register article to contain something that bolsters the quote above but if it does, it is so subtle as to escape my repeated rereading.
> The Core 2 Duo/Quad architecture was the last iteration where the ME subsystem could be entirely removed.
Yeah, but unfortunately intel also didn't bother providing microcode patches for meltdown on those chipsets "because to old" by some arbitrary definition of "old".
These are vulnerable to Meltdown, and the page table isolation patches are required to secure kernel memory. These do involve a performance hit, so I'd recommend Core-2 Quad 9550s as an upgrade for a minimally-usable machine.
However, these are not SMT/hyperthreaded, so many of the Specter vulnerabilities do not apply.
OpenBSD runs well enough on them, and these machines are likely what I trust most with this OS.
Most Linux runs on these machines (RedHat 9 doesn't - requires an i3), but will pause on the mei_me module and look for a response from the ME that you have lobotomized; blacklist the related modules if you want to boot faster.
A small remnant is left operational - without it, a PC shuts down after 30 minutes (this is well-known).
The Core 2 Duo/Quad architecture was the last iteration where the ME subsystem could be entirely removed.
I posted two BIOS images on this link for old HP machines. They can easily be flashed from within the booted bios without much hassle. Looking for the link...
Found it on Bing of all places!
https://github.com/corna/me_cleaner/issues/233