Intel AMT Checker for Linux(github.com) |
Supposedly, it's useful for management tasks in enterprise environments, but if I were CIO, I think I would ban vPro chips. Who wants ring -3 processes running on their network about which they have no information?
It includes DRM (Protected Audio/Video Path), for one.
There is a driver for it in the Linux kernel source tree.
Looks like it came in maybe around v3.9-rc1?
http://elixir.free-electrons.com/linux/v3.9-rc1/source/drive...
Did any Linux users question what this was at that time?
Is this driver part of the "default" Linux kernel configs?
What if the user compiles their kernel without this driver?
Would that change what could or could not be done by someone accessing the "ME" remotely?
Tried it on i5-6260U, should be new enough to have the thing.
>Ok, I'm /inclined/ to believe that this indicates that the system doesn't implement AMT at all, but I'll try to do some more research.
Search for "vPro" systems here: https://ark.intel.com/Search/FeatureFilter?productType=proce...
Maybe the driver isn't loaded?
Going through all Xeon servers is going to be fun tomorrow.
Did you know that the baseband chip in your smartphone runs its own Linux? Or that every SIM card comes with Java applications that can communicate with it? I guess not.
Considering how much hardware is required on a modern PC main board, it's really not that surprising that there are backdoors, bugs, or other mechanisms that can be exploited.
Microkernel
In many if not most cases this kernel would be an L4 implementation.
> OKL4 has been deployed on over 2 billion mobile phones (https://en.wikipedia.org/wiki/Open_Kernel_Labs)
Shocked not because I think it's a huge conspiracy to control your computer but because I honestly do believe AMT was made with the best intentions of providing a level of theft mitigation for devices. Just like "Find my Mac" from Apple that seems to get very little flak.
I'd be surprised if this meant that my pretty expensive Lenovo Thinkpad X-series lacks theft protection.
[0] https://support.lenovo.com/us/en/product_security/LEN-14963
dmesg shows:
[ 18.233688] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[ 18.233700] mei_me 0000:00:16.1: Device doesn't have valid ME Interface
So I'm guessing I'm not vulnerable. I suppose Supermicro replaced it with their own IPMI interface.
# git rev-parse HEAD
9aa755885093fc8ca8c822797a30ed98ffe2e166
# make
gcc mei-amt-check.c -o mei-amt-check
# modprobe mei-me
# ./mei-amt-check -v
Cannot open /dev/mei: No such file or directory
# l /dev/*mei*
/bin/ls: cannot access /dev/*mei*: No such file or directory
# dmesg |grep -i mei
#
A little confusing as the program is supposed to show "Intel AMT: DISABLED" 'If run on a system with no AMT'. Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
If you receive the same error, this system does not have AMT
(Sounds good) In this state, AMT is not vulnerable to CVE-2017-5689.
$ ls /dev/mei0 -lh
crw------- 1 root root 246, 0 May 15 21:02 /dev/mei0
Is there a way to completely remove AMT ?
Think I'd be alright even if it were provisioned as the ethernet port on this Dell Precision laptop got fried during a lightning storm last year (i.e. from reports I've read a wired connection is needed for the exploit to work). Then again, better to know AMT isn't provisioned than to rely on third party reporting.
Has anyone else checked their VMware box accordingly?
2) AMT. These Intel processors may have a service enabled called Active Management Technology (AMT). Intel says that AMT usually comes disabled by default on "consumer" hardware (but Intel is not too specific about what this means, e.g. prebuilt only or CPUs you buy at the store?). AMT is like a remote desktop feature for the CPU. It allows someone to log in remotely and control the computer or diagnose problems, no matter what the "main" processor's state (even powered off).
3) The vulnerability. Surprise, AMT turns out to have a serious security vulnerability that allows a hacker to take control of the PC.
4) Uncertainty. It is difficult, due to Intel's vagueness, to figure out whether one's CPU even has AMT capability and whether it is turned on ("provisioned") by default. This is compounded by the fact that it is turned on or off by the motherboard BIOS settings but there are tons of motherboards from tons of manufacturers and it's not clear which ones support AMT, whether AMT might be provisioned on a motherboard that does not have any menu option regarding AMT, etc. The chances of motherboard manufacturers releasing information about this, let alone patches, for all their motherboards from the past 8 years, seem slim.
4.1) Linux. In particular, Intel has released a handy "detection guide"[1] that only applies to Windows. Macs are presumably "consumer hardware" only, so that mainly leaves Linux users out to dry.
Please correct me if I missed any details above.
AMT is software so it's part of the BIOS image, not CPU. AFAIK it only works on "vPro" chipsets (Q series) thanks to Intel's market segmentation.
> Does this mean every Intel system built since 2008 can be taken over by hackers?
No. Most Intel systems don't ship with AMT. Most Intel systems with AMT don't have it turned on.
From an FAQ by MJG, the author of the tool we are discussing: https://mjg59.dreamwidth.org/48429.html
https://libreboot.org/faq.html#intel
https://libreboot.org/faq.html#amd
See https://libreboot.org/faq.html#whatcaniuse -- your best bet is older Intel / AMD.
There are some laptops https://www.crowdsupply.com/sutajio-kosagi/novena which are open.
Obviously I'm not saying that this is the case here. But it might not be the best idea to run whichever github project someone links to under root.
I tried to find some "Github" link in mjg59.dreamwidth.org pointing to github.com/mjg59, but I don't think there is any.
Definitely, you don't feel comfortable cloning and building a git repo to run it as root :P
There is one here: https://mjg59.dreamwidth.org/38136.html
As far as I know (could be wrong) it doesn't even listen on any network ports until it's provisioned
Personally, I think the right solution is to not have DRM for music, TV, and movies on PCs, purely for business reasons. What's happening today is that Intel is effectively shipping everyone who buys an x86 CPU a content decryption module, burning goodwill among free software advocates even though fewer than 1% of consumers will ever use the functionality (actually, does anyone use it?) It makes more business sense for consumers to just buy set-top boxes to consume content. It's not like anyone who buys a $450 Core i7 is going to balk at paying $35 for a Chromecast.
Does Hollywood have any leverage whatsoever on Intel? If Intel decided they were removing any and all DRM features, Hollywood would have no choice but to accept.
Hollywood holds all the cards here.
DRM is based on "physical access is not complete access", which is different.
Intel AMT is present
AMT is unprovisioned
So disabling it puts it in the same state.
If your machine's manufacturer still supports the device, check if they have any firmware updates available. Hopefully they will have recent updates that include a fix for the AMT authn issue.
If you want to disable it, Intel has provided a mitigation guide which has instructions on disabling LMS (which AMT is part of): https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20.... I've not had to follow it myself, good luck if you do :)
I'm just repeating stuff I've read from MJG, take a look at his FAQ around this issue: https://mjg59.dreamwidth.org/48429.html
I don’t run windows, though.
> Well, firstly, don't connect your machine to networks you don't trust the members of :)
I’ve already had issues with the intel card, so I’m running on a RealTek ethernet card for now anyway. But that’s no long term solution.
And I’ve had massive issues with AMT before – for some reason, on Linux, the ME would force a reset of the network connection every 90 seconds (which is why I use an ancient realtek network card currently).
Possible explanations include bad defaults in the UEFI, a store sending me a used part instead of a new part, etc. If we go into conspiracy territory, NSA TAO interception would also be on the table. Very unlikely, though.