From 201f5b1a98113ff552f4ca176cdc5d8941c0510f Mon Sep 17 00:00:00 2001
From: waal70
Date: Tue, 2 Sep 2025 16:16:59 +0200
Subject: [PATCH] Improve handling of firmware Add blacklisting of mei_me
---
 handlers/main.yml | 7 +++++++
 tasks/additional-firmware.yml | 29 ++++++++++++++++++++++++-----
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 3058174..24b1838 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -25,3 +25,10 @@
 environment:
 DEBIAN_FRONTEND: noninteractive
 changed_when: true
+
+- name: Update initramfs
+ ansible.builtin.command:
+ cmd: "update-initramfs -u"
+ environment:
+ DEBIAN_FRONTEND: noninteractive
+ changed_when: true
diff --git a/tasks/additional-firmware.yml b/tasks/additional-firmware.yml
index 9cbe8bd..884d786 100644
--- a/tasks/additional-firmware.yml
+++ b/tasks/additional-firmware.yml
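Review bot: The new `Update initramfs` handler in handlers/main.yml runs `update-initramfs -u`, which by default rebuilds only the image of the newest installed kernel. An older kernel that is still selectable at boot would keep an initramfs built before the modprobe.d change that notifies this handler. If the setting is meant to hold for every installed kernel, use `cmd: "update-initramfs -u -k all"`. The handler also sets no `become`, unlike the `depmod` task in tasks/additional-firmware.yml; presumably privilege comes from the play, but that is not visible in this patch.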
@@ -33,12 +33,31 @@
 msg: "This is an Intel system, but it is a libreboot system. Removing intel-microcode package."
 when: "'GenuineIntel' in ansible_facts['processor'] and 'installed' in ansible_local['cpu_info']['libreboot']"
-- name: Remove intel-microcode on Intel libreboot systems
- ansible.builtin.apt:
- name: intel-microcode
- state: absent
- purge: true
+- name: Block for actions that need to be done when libreboot present
 when: "'GenuineIntel' in ansible_facts['processor'] and 'installed' in ansible_local['cpu_info']['libreboot']"
+ block:
+ - name: Remove intel-microcode on Intel libreboot systems
+ ansible.builtin.apt:
+ name: intel-microcode
+ state: absent
+ purge: true
+
+ - name: Blacklist mei_me module on libreboot systems
+ ansible.builtin.copy:
+ dest: /etc/modprobe.d/blacklist-mei.conf
+ content: |
+ # Disable Intel Management Engine Interface driver for libreboot systems
+ blacklist mei_me
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Update initramfs
+
+ - name: Run depmod -ae as root
+ ansible.builtin.command: depmod -ae
+ become: true
+ changed_when: false
+# end block
 - name: Install intel-microcode on Intel non-libreboot systems
 ansible.builtin.apt:
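Review bot: The `blacklist mei_me` line written to /etc/modprobe.d/blacklist-mei.conf only suppresses alias-based autoloading; an explicit `modprobe mei_me`, or a load pulled in as a dependency of another module, still succeeds. If the intent is that the ME interface driver is never loaded on libreboot hosts, add `install mei_me /bin/false` below the blacklist line in `content`. A module that is already loaded stays loaded until reboot, so the running system is unchanged after the play. The `Run depmod -ae as root` task does not appear to be needed for this: modprobe reads modprobe.d at load time, and `-e` only reports anything when combined with `-F`, so the task could be dropped or moved to a handler.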