You'd think if the ME truly wasn't nefarious that Intel would offer chips without it and capitalize on the extra features in the enterprise market. I've yet to encounter anyone who actually wants it.
It's also a convenient place to put in all the things they don't want to hard-wire, which get more numerous every day.
Need to maintain crypto keys for SGX enclave memory? Do it in the ME.
Need to do some extra stuff on suspend/resume? Do it in the ME.
Not sure if any other special handling might require updates at a later date? Do it in the ME.
...
There's no need for nefarious purposes to explain why the ME isn't optional anymore - it's just more convenient.
>Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).
It seems like there's a reasonable chance of that being the case.
Several corporations use it for Lights-Out management or on laptops to ensure data security compliance.
The things for which you actually want a backdoor in your server to control it from. Maybe even in the face of an attacker who has gained full control of both software and hardware.
I would love a potential employer/recruiter to woo me with, "Your choice of non-backdoor-ed laptop that respects your privacy." I would at least give them a phone call for that line.
What is private about a company laptop? Your own laptop shouldn't be backdoored, but I think it's irrational to expect that a laptop owned by the company won't be managed by that company.
I say it also has to do with them just not caring about what their users want. You’re still gonna buy an x86 processor and AMD has their own ME-like tool too. What are you gonna do, run your desktop on ARM or RISC-V?
Would be good to have a low-performance RISC-V motherboard with something like a PCI bus. Then, run an x86 daughter card. Early ARM systems (Acorn RISC PC) could house a 486 daughter card like this, and you could run Windows on it in a box. Have one at home.
In that case, it actually goes against your "they don't care about their users" narrative. Or maybe they partially care about their users.
Anyway, I see some value in the features that ME provides, and so I'm not as anti-ME as a lot of the commenters on here. But obviously, I want the security bugs to be fixed too.
What I was trying to say is that Intel doesn’t really have a financial incentive to have non-ME SKUs because, besides the majority of users not caring, those who do care don’t really have any other options.
Sadly, the main reason IMO this isn't possible is not just that desktop software is designed for the x86 instruction set, but that it's designed for lots of RAM and CPU usage, when it could be slimmer.