441 points ploggingdev | 4 comments
partycoder No.15734991
QubesOS won't protect you from Intel ME though.
replies(3): >>15735169 #>>15735544 #>>15736919 #
bluepirate No.15735169
Purism laptops do.
replies(1): >>15735656 #
1. morganvachon No.15735656
I wouldn't trust that company at all; they lied and misrepresented themselves for nearly three years before finally claiming to make good on what they sold their customers. Beyond that, they didn't fix it themselves as they say; they relied on the work of other projects, then claimed they did it alone.

Considering the researchers who actually disabled IME require physical access to the machine[1], Purism's claim that they can do it to previously sold devices with only a software update[2] stinks of BS to me.

[1] https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Di...

[2] https://puri.sm/posts/purism-librem-laptops-completely-disab...

replies(1): >>15735695 #
2. floatboth No.15735695
IIRC they didn't really lie, everything was always worded like "will be free in the future".

Also the post you linked to directly gives credit to me_cleaner and Positive Technologies.

The reason the researchers required physical access:

> Although some systems do allow the full contents of the BIOS flash chip to be reprogrammed using software tools only (so called 'internal flashing'), on most PCs this facility is either completely unavailable, or can only write to the unprotected areas of the flash filesystem (excluding the ME area), or will only write vendor-signed images. Accordingly, we will describe the approach of using 'external' flashing in this guide, as that is the most reliable.

Purism being, uhhhh, the vendor, allowed full write access.

replies(1): >>15736019 #
3. morganvachon No.15736019
> "Purism being, uhhhh, the vendor, allowed full write access."

If that was the case they could have shipped IME-free machines from the start. They are selling whitebox machines for an exorbitant markup with their own spin on a Linux distro.

replies(1): >>15737727 #
4. cyphar No.15737727
That's incorrect. Allowing internal flashing just requires setting certain parameters in the flash descriptor to read-write, and doesn't require any of the flash modification necessary to disable IME.

Disabling IME can have other impacts, and Purism even has a blog post explaining what the issues were and how they resolved them -- once they figured out what IME modules were needed for their laptop to work properly they could disable IME with a software update.

I don't know if that's how they did it, but you're misunderstanding the difference between disabling IME and enabling internal flashing.
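The distinction cyphar draws (descriptor permission bits versus the ME region's contents) can be checked directly on a dumped SPI image. The following is an added example, not code from any commenter or from me_cleaner; it assumes the pre-Skylake Intel Flash Descriptor layout (FLMSTR read bits 16-20, write bits 24-28; later platforms widen these fields) and builds a constructed sample descriptor rather than reading a real vendor image.

```python
import struct

FLVALSIG = 0x0FF0A55A                     # flash descriptor signature at offset 0x10
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]

def parse_descriptor(blob):
    """Return (regions, flmstr1) from an SPI dump whose first 4 KiB is the IFD.
    Offsets follow the pre-Skylake Intel Flash Descriptor (assumption)."""
    if struct.unpack_from("<I", blob, 0x10)[0] != FLVALSIG:
        raise ValueError("no flash descriptor signature at 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", blob, 0x14)
    frba = ((flmap0 >> 16) & 0xff) << 4   # Flash Region Base Address
    fmba = (flmap1 & 0xff) << 4           # Flash Master Base Address
    regions = {}
    for i, name in enumerate(REGIONS):
        flreg = struct.unpack_from("<I", blob, frba + 4 * i)[0]
        base = (flreg & 0x1fff) << 12
        limit = (((flreg >> 16) & 0x1fff) << 12) | 0xfff
        regions[name] = None if base > limit else (base, limit)  # base > limit: unused
    flmstr1 = struct.unpack_from("<I", blob, fmba)[0]  # FLMSTR1 = host CPU / BIOS master
    return regions, flmstr1

def host_access(flmstr1):
    """Per-region read/write permission of the host CPU, one bit per region."""
    return {name: {"read": bool((flmstr1 >> (16 + i)) & 1),
                   "write": bool((flmstr1 >> (24 + i)) & 1)}
            for i, name in enumerate(REGIONS)}

def me_region_host_writable(blob):
    """True if software running on the host could rewrite the ME region (descriptor unlocked)."""
    regions, flmstr1 = parse_descriptor(blob)
    return regions["ME"] is not None and host_access(flmstr1)["ME"]["write"]

def build_descriptor(flmstr1):
    """Constructed sample IFD (not a real vendor image): 8 MiB part, FRBA=0x40, FMBA=0x60."""
    ifd = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", ifd, 0x10, FLVALSIG)
    struct.pack_into("<I", ifd, 0x14, (0x04 << 16) | 0x03)   # FLMAP0: FRBA=0x40, FCBA=0x30
    struct.pack_into("<I", ifd, 0x18, 0x06)                   # FLMAP1: FMBA=0x60
    layout = [(0x000000, 0x000fff), (0x500000, 0x7fffff), (0x001000, 0x4fffff), None, None]
    for i, r in enumerate(layout):
        flreg = 0x1fff if r is None else (r[0] >> 12) | ((r[1] >> 12) << 16)
        struct.pack_into("<I", ifd, 0x40 + 4 * i, flreg)
    struct.pack_into("<I", ifd, 0x60, flmstr1)
    return bytes(ifd)

LOCKED = 0x0a0b0000    # typical shipped state: host may write BIOS and GbE only
UNLOCKED = 0x1f1f0000  # host may read and write every region, ME included
```

Run against a real dump, a locked result means an ME-disabling update cannot be applied from software alone, while an unlocked descriptor means the host can rewrite the ME region without any external programmer.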