You can disable it, and maybe remove it one day completely (I’d count replacing all of the intel code as removing it)
Libreboot already disables the Intel ME by default, using me_cleaner, but the T480/T480s specifically have an additional quirk:
One of the benefits of deguard for Intel MEv11 is that it sets the ME in such a state where you can run unsigned code in there. This is how the Intel Boot Guard was disabled, because it is the ME that enforces such restrictions; more information about deguard is available on a dedicated page.
The deguard utility could also be used to enable the red-unlock hack, which would permit unsigned execution of new CPU microcode, though much more research is needed. Because of these two facts, this makes the T480/T480s the most freedom-feasible of all relatively modern x86 laptops.
With deguard, you have complete control of the flash. This is unprecedented on recent Intel systems in Libreboot, so it’s certainly a very interesting port!
Libreboot uses both me_cleaner and deguard on the T480/T480s.
Because it’s an 8th gen you can break things in favorable ways. But modern intel systems don’t have that vulnerability. And the ability to fully crush ME has yet to be realized. All we have right now is the ability to confuse it on a per-boot basis.
AMD has a similar problem thought its arguable less hostile and better executed than intel’s approach. We still want it gone though.
You can’t remove IME completely, but depending on the generation of the chip you can nerf it somewhat.
You can disable it, and maybe remove it one day completely (I’d count replacing all of the intel code as removing it)
Because it’s an 8th gen you can break things in favorable ways. But modern intel systems don’t have that vulnerability. And the ability to fully crush ME has yet to be realized. All we have right now is the ability to confuse it on a per-boot basis.
AMD has a similar problem thought its arguable less hostile and better executed than intel’s approach. We still want it gone though.