"On systems with MEv11, a bug exists in older versions (of MEv11) that allows for unsigned code execution, at a very early stage in the boot process, to the point that almost all of the ME firmware in flash can be fully replaced. The ME is also what implements Boot Guard, and the hack is possible before Boot Guard is enforced, allowing for it to be disabled."<p>"Libreboot’s build system automatically downloads this older version, runs me_cleaner on it, and applies the deguard hack; this includes machine-specific ME configuration, which is added per machine by extracting it from a dump of the original flash. The resulting configuration (for the MFS partition in the ME) is then inserted into the generic ME image."<p><a href="https://libreboot.org/docs/install/deguard.html" rel="nofollow">https://libreboot.org/docs/install/deguard.html</a>