
Intel AMT Checker for Linux - laamalif
https://github.com/mjg59/mei-amt-check
======
criddell
Why would Intel insist on being so secretive about their management engine? Is
it some kind of competitive advantage for them?

Supposedly, it's useful for management tasks in enterprise environments, but
if I were CIO, I think I would ban vPro chips. Who wants ring -3 processes
running on their network about which they have no information?

~~~
pcwalton
> Why would Intel insist on being so secretive about their management engine?

It includes DRM (Protected Audio/Video Path), for one.

~~~
criddell
Documenting it shouldn't alter its effectiveness. I can tell you how AES works
and that doesn't compromise anything.

~~~
pcwalton
I agree with you. But Intel would have to convince skeptical Hollywood
executives of that, who are more inclined to just not let PCs have new content
at all, since relatively few people consume TV and movies on PCs to begin
with.

Personally, I think the right solution is to not have DRM for music, TV, and
movies on PCs, purely for _business_ reasons. What's happening today is that
Intel is effectively shipping everyone who buys an x86 CPU a content
decryption module, burning goodwill among free software advocates even though
fewer than 1% of consumers will ever use the functionality (actually, does
_anyone_ use it?) It makes more business sense for consumers to just buy set-
top boxes to consume content. It's not like anyone who buys a $450 Core i7 is
going to balk at paying $35 for a Chromecast.

~~~
flukus
> But Intel would have to convince skeptical Hollywood executives of that

Does Hollywood have any leverage whatsoever on Intel? If Intel decided they
were removing any and all DRM features, Hollywood would have no choice but to
accept.

~~~
pcwalton
No, Hollywood would just not let Intel-based PCs have access to their content.
This would lose them zero revenue. As I said, anyone who can afford a $450
Intel CPU can afford a $35 Chromecast.

Hollywood holds _all_ the cards here.

------
Artlav
So, if it says "Error: IOCTL_MEI_CONNECT_CLIENT receive message. err=-1", what
does it mean?

Tried it on i5-6260U, should be new enough to have the thing.

~~~
guipsp
Upgrade your kernel, or build the kernel with the AMT module

~~~
SSLy
4.10 is fairly new, and the amt mod is loaded

------
jaimex2
God #$%@ing damn it, this is why we can't have nice things. You can do only so
much to not get pwned software wise, now you need to be paranoid about the
hardware too?!

Going through all Xeon servers is going to be fun tomorrow.

~~~
nom
Unfortunately, there are too few hardware developers and not enough hardware
awareness, thanks to the good abstraction nowadays. In the modern age, only a
few software devs care about the underlying hardware, because it just works.
The thing is, software _runs_ on hardware and any bug/backdoor etc. in it
undermines everything above.

Did you know that the baseband chip in your smartphone runs its own Linux? Or
that every SIM card comes with Java applications that can communicate with it?
I guess not.

Considering how much hardware is required on a modern PC main board, it's
really not that surprising that there are backdoors, bugs, or other mechanisms
that can be exploited.

~~~
throwaypestban
> the baseband chip in your smartphone runs its own ...

 _Microkernel_

In many if not most cases this kernel would be an L4 implementation.

> OKL4 has been deployed on over 2 billion mobile phones
> ([https://en.wikipedia.org/wiki/Open_Kernel_Labs](https://en.wikipedia.org/wiki/Open_Kernel_Labs))

~~~
monocasa
Modern Hexagons run a full Linux under L4 also. It seems like the microkernel
separation isn't really architected towards security AFAICT, but for running
hard real time tasks on the same cores as the rest of the system.

------
acd
I want to be able to disable Intel AMT and AMD's variant of it in the BIOS.
This is another bad attack vector. Further, I want a simpler boot loader; UEFI
is bloatware and bad for security as it's easy to hide things in those huge
proprietary binary blobs.

------
FrozenVoid
If anyone gets compile errors with 'timeval tv' being undefined, add this to
the headers: #include <sys/time.h>

~~~
mjg59
Thanks, I added that.

------
neves
It looks like I'm out of the news cycle. What is AMT? Why would I need to
check for it? Why just in Linux?

~~~
bo1024
1) Intel ME. ALL Intel x86 processors for a long time have shipped with a
second, closed-source processor on the same chip. This is called the
Management Engine (ME). This processor has in theory complete control over the
other one as well as its own ability to communicate over the network as long
as the computer is connected to power even if powered down, with no way to
check or control it securely.

2) AMT. These Intel processors may have a service enabled called Active
Management Technology (AMT). Intel says that AMT usually comes disabled by
default on "consumer" hardware (but Intel is not too specific about what this
means, e.g. prebuilt only or CPUs you buy at the store?). AMT is like a remote
desktop feature for the CPU. It allows someone to log in remotely and control
the computer or diagnose problems, no matter what the "main" processor's state
(even powered off).

3) The vulnerability. Surprise, AMT turns out to have a serious security
vulnerability that allows a hacker to take control of the PC.

4) Uncertainty. It is difficult, due to Intel's vagueness, to figure out
whether one's CPU even has AMT capability and whether it is turned on
("provisioned") by default. This is compounded by the fact that it is turned
on or off by the motherboard BIOS settings but there are tons of motherboards
from tons of manufacturers and it's not clear which ones support AMT, whether
AMT might be provisioned on a motherboard that does not have any menu option
regarding AMT, etc. The chances of motherboard manufacturers releasing
information about this, let alone patches, for all their motherboards from the
past 8 years, seem slim.

4.1) Linux. In particular, Intel has released a handy "detection guide"[1]
that only applies to Windows. Macs are presumably "consumer hardware" only, so
that mainly leaves Linux users out to dry.

Please correct me if I missed any details above.

[1]
[https://downloadcenter.intel.com/download/26755](https://downloadcenter.intel.com/download/26755)

~~~
qb45
> Uncertainty. It is difficult, due to Intel's vagueness, to figure out
> whether one's CPU even has AMT capability and whether it is turned on
> ("provisioned") by default.

AMT is software so it's part of the BIOS image, not CPU. AFAIK it only works
on "vPro" chipsets (Q series) thanks to Intel's market segmentation.

------
tumdum_
Did anyone read that code before using it? :)

~~~
uzoodoo
The author is pretty well-known

[https://en.wikipedia.org/wiki/Matthew_Garrett](https://en.wikipedia.org/wiki/Matthew_Garrett)

~~~
mkl
That alone is not enough, though it helps. Being well-known means a more
desirable account to steal, and this is code that must be run as root.

~~~
tumdum_
Moreover there is no _trivial_ way to verify that
[https://github.com/mjg59](https://github.com/mjg59) is the GitHub account of
Matthew Garrett. So all one needs to do is create an account that looks good,
and most people assume that it's safe.

Obviously I'm not saying that this is the case here. But it might not be the
best idea to run whichever github project someone links to under root.

~~~
filomeno
Yep, that's what I thought, too :-D

I tried to find some "Github" link in mjg59.dreamwidth.org pointing to
github.com/mjg59, but I don't think there is any.

Definitely, you don't feel comfortable cloning and building a git repo to run
it as root :P

~~~
dbdr
> I tried to find some "Github" link in mjg59.dreamwidth.org pointing to
> github.com/mjg59, but I don't think there is any.

There is one here:
[https://mjg59.dreamwidth.org/38136.html](https://mjg59.dreamwidth.org/38136.html)

------
INTPenis
I'm shocked to say that the ThinkPad X260 does not have AMT at all.

Shocked not because I think it's a huge conspiracy to control your computer
but because I honestly do believe AMT was made with the best intentions of
providing a level of theft mitigation for devices. Just like "Find my Mac"
from Apple that seems to get very little flak.

I'd be surprised if this meant that my pretty expensive Lenovo Thinkpad
X-series lacks theft protection.

~~~
ac29
Lenovo lists the X260 as vulnerable to CVE-2017-5689 [0], implying it supports
AMT. My X240 definitely has AMT, it would be a bit odd for them to remove it
in later generations.

[0]
[https://support.lenovo.com/us/en/product_security/LEN-14963](https://support.lenovo.com/us/en/product_security/LEN-14963)

~~~
eikenberry
My X230 does as well.

------
ingenium
Hmm, I ensured the mei driver was loaded (lsmod confirms it), but I get:
"Cannot open /dev/mei: No such file or directory"

dmesg shows:

    [ 18.233688] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
    [ 18.233700] mei_me 0000:00:16.1: Device doesn't have valid ME Interface

So I'm guessing I'm not vulnerable. I suppose Supermicro replaced it with
their own IPMI interface.

~~~
pflanze
Similarly, on an Intel NUC with i5-6260U:

    # git rev-parse HEAD
    9aa755885093fc8ca8c822797a30ed98ffe2e166
    # make
    gcc     mei-amt-check.c   -o mei-amt-check
    # modprobe mei-me
    # ./mei-amt-check -v
    Cannot open /dev/mei: No such file or directory
    # l /dev/*mei*
    /bin/ls: cannot access /dev/*mei*: No such file or directory
    # dmesg |grep -i mei
    #

A little confusing as the program is supposed to show "Intel AMT: DISABLED"
'If run on a system with no AMT'.

~~~
pflanze
OK, with commit a4d8fca4d18e1ae896b0305a53e152b568596bc1 (still after running
modprobe mei_me) it is saying:

    Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
    If you receive the same error, this system does not have AMT

(Sounds good)

------
d33
"Intel AMT: ENABLED, AMT is unprovisioned". Does that mean AMT is still
potentially vulnerable to attacks from user/kernelspace?

~~~
lclarkmichalek
From the readme:

    In this state, AMT is not vulnerable to CVE-2017-5689.

~~~
d33
Thanks! Missed this part. Also, do you think it's a good idea to keep it in
this state as opposed to updating in case Intel's new patches lock AMT down
even further? This is the pattern I saw with Sony once - groups of users not
updating their consoles because via exploiting it they could get more control
over it.

~~~
lclarkmichalek
You should be able to disable it in the BIOS. If you're not going to use it,
I'd suggest disabling it. You could always reenable it later, should you find
a need for it.

~~~
hsivonen
Is disabling always possible? I don't find a UI to disable it in recent Lenovo
ThinkStation BIOS even though I've seen such an option previously in ThinkPad
BIOS.

~~~
lclarkmichalek
Intel has provided a mitigation guide that goes through how to disable LMS
(local manageability services), which AMT is a part of. Take a look:
[https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20...](https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20Mitigation%20Guide-Rev%201.2.pdf)

~~~
hsivonen
I meant disabling the ME-side stuff from BIOS. That’s for disabling the
Windows-side component.

------
besogne
"Error: Management Engine refused connection. This probably means you don't
have AMT"

    $ ls /dev/mei0 -lh
    crw------- 1 root root 246, 0 May 15 21:02 /dev/mei0

Is there a way to completely remove AMT?
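The three outcomes quoted in this thread ("Cannot open /dev/mei", "Management Engine refused connection", and a successful connect) come from two syscalls against the MEI device. Below is an added C probe, not the page's or mjg59's code, that performs them and turns the errno values into a verdict; the ENOENT/ENOTTY mapping and the AMTHI client UUID byte layout are assumptions taken from the kernel's MEI interface, not from the page.

```c
/* Added example, not the mei-amt-check source: probe the Linux MEI device and map
 * the failures quoted in this thread to a verdict. The ioctl number and structs
 * mirror the kernel UAPI header linux/mei.h (copied so the file builds without it). */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
struct mei_client { uint32_t max_msg_length; uint8_t protocol_version; uint8_t reserved[3]; };
struct mei_connect_client_data {
    union { uint8_t in_client_uuid[16]; struct mei_client out_client_properties; };
};
#define IOCTL_MEI_CONNECT_CLIENT _IOWR('H', 0x01, struct mei_connect_client_data)
/* AMT host interface (AMTHI) client UUID 12f80028-b4b7-4b2d-aca8-46e0ff65814c,
 * in the little-endian byte layout the driver compares against. */
static const uint8_t AMTHI_UUID[16] = { 0x28, 0x00, 0xf8, 0x12, 0xb7, 0xb4, 0x2d, 0x4b,
                                        0xac, 0xa8, 0x46, 0xe0, 0xff, 0x65, 0x81, 0x4c };
enum amt_state { AMT_NO_ME_INTERFACE, AMT_CLIENT_ABSENT, AMT_CLIENT_PRESENT, AMT_PROBE_ERROR };

/* Pure errno-to-verdict mapping (assumed; it matches the messages in the thread), kept
 * hardware-free so it can be tested:  open() ENOENT -> no /dev/mei* node (mei_me not
 * loaded, or no ME interface);  ioctl() ENOTTY -> ME answered but has no AMTHI client
 * ("refused connection");  ioctl() ok -> AMTHI present, provisioning still unknown. */
enum amt_state amt_classify(int open_errno, int ioctl_errno) {
    if (open_errno == ENOENT)  return AMT_NO_ME_INTERFACE;
    if (open_errno != 0)       return AMT_PROBE_ERROR;   /* e.g. EACCES when not root */
    if (ioctl_errno == ENOTTY) return AMT_CLIENT_ABSENT;
    if (ioctl_errno != 0)      return AMT_PROBE_ERROR;
    return AMT_CLIENT_PRESENT;
}

/* Real probe: needs root and the mei_me driver. Leaves the errno it hit in *err. */
enum amt_state amt_probe(const char *devnode, int *err) {
    struct mei_connect_client_data data = { 0 };
    int fd = open(devnode, O_RDWR);
    if (fd < 0) { *err = errno; return amt_classify(*err, 0); }
    memcpy(data.in_client_uuid, AMTHI_UUID, sizeof AMTHI_UUID);
    *err = ioctl(fd, IOCTL_MEI_CONNECT_CLIENT, &data) < 0 ? errno : 0;
    close(fd);
    return amt_classify(0, *err);
}
int main(void) {
    static const char *verdict[] = { "no ME interface: run modprobe mei_me; if unchanged, no AMT",
        "ME present but no AMT client", "AMT client present", "probe error" };
    int err = 0, s = amt_probe("/dev/mei0", &err);
    printf("%s (%s)\n", verdict[s], err ? strerror(err) : "ok");
    return s == AMT_PROBE_ERROR;
}
```

A successful connect only shows that the AMT client exists; whether it is provisioned (the "unprovisioned" verdict discussed above) needs a further query over that client.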

------
virtualwhys
> Intel AMT: ENABLED
> AMT is unprovisioned

Think I'd be alright even if it were provisioned as the ethernet port on this
Dell Precision laptop got fried during a lightning storm last year (i.e. from
reports I've read a wired connection is needed for the exploit to work). Then
again, better to know AMT isn't provisioned than to rely on third party
reporting.

------
sigmar
I remember early word during this AMT debacle was that there were certain
conditions in which AMT could be remotely provisioned. Were those statements
false? Is Enabled/unprovisioned completely safe?

------
newman314
I'm running VMware on a whitebox with an H87 chipset and vPro capable
processor. MEI shows up in dmesg.

Has anyone else checked their VMware box accordingly?

