Intel AMT Checker for Linux (opens in new tab)

(github.com)

227 pointslaamalif8y ago87 comments

87 comments

Why would Intel insist on being so secretive about their management engine? Is it some kind of competitive advantage for them?

Supposedly, it's useful for management tasks in enterprise environments, but if I were CIO, I think I would ban VPro chips. Who wants ring -3 processes running on their network for which they have no information about?

vectorEQ8y ago

So secretive because its so vulnerable as any of their shitty low level nonsense features. Would be nice if they just focsed on ipc and efficient throughput instead of making it swiss cheese!

pcwalton8y ago

> Why would Intel insist on being so secretive about their management engine?

It includes DRM (Protected Audio/Video Path), for one.

criddell8y ago

Documenting it shouldn't alter its effectiveness. I can tell you how AES works and that doesn't compromise anything.

4 more replies

101658y ago

Do you mean secretive about how it works or do you mean secretive about its existence?

There is a driver for it in the Linux kernel source tree.

Looks like it came in maybe around v3.9-rc1?

http://elixir.free-electrons.com/linux/v3.9-rc1/source/drive...

Did any Linux users question what this was at that time?

Is this driver part of the "default" Linux kernel configs?

What if the user compiles their kernel without this driver?

Would that change what could or could not be done by someone accessing the "ME" remotely?

wmf8y ago

The ME isn't much more secret than, say, the memory controller.

criddell8y ago

The memory controller isn't running a web server that is accessible to anybody on the LAN.

Artlav8y ago

So, if it says "Error: IOCTL_MEI_CONNECT_CLIENT receive message. err=-1", what does it mean?

Tried it on i5-6260U, should be new enough to have the thing.

knappa8y ago

The issues page has a report of the same error (as does my i5-6600) and the author says:

>Ok, I'm /inclined/ to believe that this indicates that the system doesn't implement AMT at all, but I'll try to do some more research.

rst8y ago

I got this message on a system which has a Core i7-4510 CPU; this is not on the list of systems with "vPro" technology. I've seen referenced as another name for the vulnerable component --- but given the marketing-spawned confusion around Intel CPU nomenclature, I can easily imagine someone (perhaps me!) getting confused on the point.

Search for "vPro" systems here: https://ark.intel.com/Search/FeatureFilter?productType=proce...

1 more reply

yorwba8y ago

> Requires that the mei_me driver (part of the upstream kernel) be loaded.

Maybe the driver isn't loaded?

Artlav8y ago

It is.

buovjaga8y ago

Here is an issue for it: https://github.com/mjg59/mei-amt-check/issues/1

guipsp8y ago

Upgrade your kernel, or build the kernel with the AMT module

SSLy8y ago

4.10 is fairly new, and the amt mod is loaded

chinket8y ago

Cool. thx

jaimex28y ago

God #$%@ing damn it, this is why we can't have nice things. You can do only so much to not get pwned software wise, now you need to be paranoid about the hardware too?!

Going through all Xeon servers is going to be fun tomorrow.

nom8y ago

Unfortunately, there are too few hardware developers and not enough hardware-awareness, thanks to the good abstraction nowadays. In the modern age, only few software devs cares about the underlying hardware, because it just works. The thing is, software _runs_ on hardware and any bug/backdoor etc in it undermines everything above.

Did you know that the baseband chip in your smartphone runs it's own linux? Or that every SIM card comes with java applications that can communicate with it? I guess not.

Considering how much hardware is required on a modern PC main board, it's really not that surprising that there are backdoors, bugs, or other mechanisms that can be exploited.

throwaypestban8y ago

> the baseband chip in your smartphone runs it's own ...

Microkernel

In many if not most cases this kernel would be an L4 implementation.

> OKL4 has been deployed on over 2 billion mobile phones (https://en.wikipedia.org/wiki/Open_Kernel_Labs)

1 more reply

criddell8y ago

If your servers have multiple network ports and you aren't using them all, don't use the first one. Apparently the ME interface is only exposed on the main network interface.

wmf8y ago

Xeon servers don't have AMT, but you might want to verify that your BMCs are firewalled and fully patched.

jaimex28y ago

Good to know, thanks :)

Kali9098y ago

It's comical at this stage.

digi_owl8y ago

I am tempted to go back to dialup style connectivity. Meaning i disconnect the router from the net unless i absolutely need something online.

mkl8y ago

You absolutely need security updates, or your system will be out of date and extra-vulnerable as soon as you plug it in.

1 more reply

acd8y ago

I want to be able to bios disable Intel AMT and AMDs variant of it. This is another bad attack vector. Further i want a simpler boot loader UEFI is bloatware and bad for security as its easy to hide things in those huge prorietary binary blobs.

FrozenVoid8y ago

If anyone get compiling errors with 'timeval tv' being undefined add this to headers #include <sys/time.h>

mjg598y ago

Thanks, I added that.

1 more reply

neves8y ago

It looks like I’m out the news cycle. What is AMT? Why would I need to check for it? Why just in Linux?

bo10248y ago

1) Intel ME. ALL Intel x86 processors for a long time have shipped with a second, closed-source processor on the same chip. This is called the Management Engine (ME). This processor has in theory complete control over the other one as well as its own ability to communicate over the network as long as the computer is connected to power even if powered down, with no way to check or control it securely.

2) AMT. These Intel processors may have a service enabled called Active Management Technology (AMT). Intel says that AMT usually comes disabled by default on "consumer" hardware (but Intel is not too specific about what this means, e.g. prebuilt only or CPUs you buy at the store?). AMT is like a remote desktop feature for the CPU. It allows someone to log in remotely and control the computer or diagnose problems, no matter what the "main" processor's state (even powered off).

3) The vulnerability. Suprise, AMT turns out to have a serious security vulnerability that allows a hacker to take control of the PC.

4) Uncertainty. It is difficult, due to Intel's vagueness, to figure out whether one's CPU even has AMT capability and whether it is turned on ("provisioned") by default. This is compounded by the fact that it is turned on or off by the motherboard BIOS settings but there are tons of motherboards from tons of manufacturers and it's not clear which ones support AMT, whether AMT might be provisioned on a motherboard that does not have any menu option regarding AMT, etc. The chances of motherboard manufacturers relasing information about this, let alone patches, for all their motherboards from the past 8 years, seems slim.

4.1) Linux. In particular, Intel has released a handy "detection guide"[1] that only applies to Windows. Macs are presumably "consumer hardware" only, so that mainly leaves Linux users out to dry.

Please correct me if I missed any details above.

[1] https://downloadcenter.intel.com/download/26755

qb458y ago

> Uncertainty. It is difficult, due to Intel's vagueness, to figure out whether one's CPU even has AMT capability and whether it is turned on ("provisioned") by default.

AMT is software so it's part of the BIOS image, not CPU. AFAIK it only works on "vPro" chipsets (Q series) thanks to Intel's market segmentation.

dom08y ago

The ME processor is located in the PCH as far as I know. SoC systems have it all on one die, of course.

0x08y ago

It turns out all(?) Intel CPUs in the last decade has a co-CPU that is always running as long as there is electricity available - even when shut down - that is continuously executing a "management engine" bios program, which your main CPU or OS cannot prevent (in fact, if the ME fails to "check in", the main CPU will automatically shutdown in 30 minutes). And, of course, it turns out there is a remote exploit for it. (The co-CPU intercepts network packets on its own, too, apparently)

lclarkmichalek8y ago

Not all Intel CPUs have AMT. Most consumer machines won't have it enabled, it's an enterprise targeted feature.

  > Does this mean every Intel system built since 2008 can be taken over by hackers?
  
  No. Most Intel systems don't ship with AMT. Most Intel systems with AMT don't have it turned on.

From an FAQ by MJG, the author of the tool we are discussing: https://mjg59.dreamwidth.org/48429.html

1 more reply

ue_8y ago

This sounds horrible, even though I knew about it before. What are the viable options for other manufacturers or architectures which don't come with this sort of thing, either for desktops or for laptops?

1 more reply

rnhmjoj8y ago

This explains what it is and why everyone is (or should be) upset about it: http://www.intel.com/content/www/us/en/architecture-and-tech...

tumdum_8y ago

Did anyone read that code before using it? :)

mkl8y ago

I looked through it first. Not thoroughly enough to spot anything really underhanded, but it seems to be well written code that does stuff like what it claims.

uzoodoo8y ago

The author is pretty well-known

https://en.wikipedia.org/wiki/Matthew_Garrett

mkl8y ago

That alone is not enough, though it helps. Being well-known means a more desirable account to steal, and this is code that must be run as root.

1 more reply

lucb1e8y ago

I did at least.

INTPenis8y ago

I'm shocked to say that the Thinkpad x260 does not have AMT at all.

Shocked not because I think it's a huge conspiracy to control your computer but because I honestly do believe AMT was made with the best intentions of providing a level of theft mitigation for devices. Just like "Find my Mac" from Apple that seems to get very little flack.

I'd be surprised if this meant that my pretty expensive Lenovo Thinkpad X-series lacks theft protection.

ac298y ago

Lenovo lists the X260 as vulnerable to CVE-2017-5689 [0], implying it supports AMT. My X240 definitely has AMT, it would be a bit odd for them to remove it in later generations.

[0] https://support.lenovo.com/us/en/product_security/LEN-14963

eikenberry8y ago

My X230 does as well.

Angostura8y ago

When you first set up your Mac, you are asked explicitly whether you want Find My Mac turned on and the Preference to turn it off is then in plain sight in the iCloud preferences. In what way are the two comparable?

Saavedro8y ago

i don't think anyone has found a machine yet where AMT is enabled out of the box either

1 more reply

ingenium8y ago

Hmm, I ensured the mei driver was loaded (lsmod confirms it), but I get: "Cannot open /dev/mei: No such file or directory"

dmesg shows: "[ 18.233688] mei_me 0000:00:16.0: Device doesn't have valid ME Interface [ 18.233700] mei_me 0000:00:16.1: Device doesn't have valid ME Interface"

So I'm guessing I'm not vulnerable. I suppose Supermicro replaced it with their own IPMI interface.

pflanze8y ago

Similarly, on an Intel NUC with i5-6260U:

    # git rev-parse HEAD
    9aa755885093fc8ca8c822797a30ed98ffe2e166
    # make
    gcc     mei-amt-check.c   -o mei-amt-check
    # modprobe mei-me
    # ./mei-amt-check -v
    Cannot open /dev/mei: No such file or directory
    # l /dev/*mei*
    /bin/ls: cannot access /dev/*mei*: No such file or directory
    # dmesg |grep -i mei
    #

A little confusing as the program is supposed to show "Intel AMT: DISABLED" 'If run on a system with no AMT'.

pflanze8y ago

OK, with commit a4d8fca4d18e1ae896b0305a53e152b568596bc1 (still after running modprobe mei_me) it is saying:

    Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
    If you receive the same error, this system does not have AMT

(Sounds good)

HeadlessChild8y ago

Fixed in this commit: https://github.com/mjg59/mei-amt-check/pull/4/commits/4f2fef...

subway8y ago

IPMI does not replace MEI. It sits off to the side. Odds are, MEI/AMT is off in your firmware.

d338y ago

"Intel AMT: ENABLED, AMT is unprovisioned". Does that mean AMT is still potentially vulnerable to attacks from user/kernelspace?

lclarkmichalek8y ago

From the readme:

  In this state, AMT is not vulnerable to CVE-2017-5689.

d338y ago

Thanks! Missed this part. Also, do you think it's a good idea to keep it in this state as opposed to updating in case Intel's new patches lock AMT down even further? This is the pattern I saw with Sony once - groups of users not updating their consoles because via exploiting it they could get more control over it.

1 more reply

besogne8y ago

"Error: Management Engine refused connection. This probably means you don't have AMT"

$ ls /dev/mei0 -lh

crw------- 1 root root 246, 0 May 15 21:02 /dev/mei0

Is there a way to completely remove AMT ?

virtualwhys8y ago

> Intel AMT: ENABLED > AMT is unprovisioned

Think I'd be alright even if it were provisioned as the ethernet port on this Dell Precision laptop got fried during a lightning storm last year (i.e. from reports I've read a wired connection is needed for the exploit to work). Then again, better to know AMT isn't provisioned than to rely on third party reporting.

sigmar8y ago

I remember early word during this AMT debacle was that there were certain conditions in which AMT could be remotely provisioned. Were those statements false? Is Enabled/unprovisioned completely safe?

newman3148y ago

I'm running VMware on a whitebox with a H87 chipset and vPro capable processor. MEI shows up in dmesg.

Has anyone else checked their VMware box accordingly?

j / k navigate · click thread line to collapse

87 comments

criddell8y ago

Why would Intel insist on being so secretive about their management engine? Is it some kind of competitive advantage for them?

vectorEQ8y ago

So secretive because its so vulnerable as any of their shitty low level nonsense features. Would be nice if they just focsed on ipc and efficient throughput instead of making it swiss cheese!

pcwalton8y ago

> Why would Intel insist on being so secretive about their management engine?

It includes DRM (Protected Audio/Video Path), for one.

criddell8y ago

Documenting it shouldn't alter its effectiveness. I can tell you how AES works and that doesn't compromise anything.

4 more replies

101658y ago

Do you mean secretive about how it works or do you mean secretive about its existence?

There is a driver for it in the Linux kernel source tree.

Looks like it came in maybe around v3.9-rc1?

http://elixir.free-electrons.com/linux/v3.9-rc1/source/drive...

Did any Linux users question what this was at that time?

Is this driver part of the "default" Linux kernel configs?

What if the user compiles their kernel without this driver?

Would that change what could or could not be done by someone accessing the "ME" remotely?

wmf8y ago

The ME isn't much more secret than, say, the memory controller.

criddell8y ago

The memory controller isn't running a web server that is accessible to anybody on the LAN.

Artlav8y ago

So, if it says "Error: IOCTL_MEI_CONNECT_CLIENT receive message. err=-1", what does it mean?

Tried it on i5-6260U, should be new enough to have the thing.

knappa8y ago

The issues page has a report of the same error (as does my i5-6600) and the author says:

>Ok, I'm /inclined/ to believe that this indicates that the system doesn't implement AMT at all, but I'll try to do some more research.

rst8y ago

Search for "vPro" systems here: https://ark.intel.com/Search/FeatureFilter?productType=proce...

1 more reply

yorwba8y ago

> Requires that the mei_me driver (part of the upstream kernel) be loaded.

Maybe the driver isn't loaded?

Artlav8y ago

It is.

buovjaga8y ago

Here is an issue for it: https://github.com/mjg59/mei-amt-check/issues/1

guipsp8y ago

Upgrade your kernel, or build the kernel with the AMT module

SSLy8y ago

4.10 is fairly new, and the amt mod is loaded

chinket8y ago

Cool. thx

jaimex28y ago

God #$%@ing damn it, this is why we can't have nice things. You can do only so much to not get pwned software wise, now you need to be paranoid about the hardware too?!

Going through all Xeon servers is going to be fun tomorrow.

nom8y ago

Did you know that the baseband chip in your smartphone runs it's own linux? Or that every SIM card comes with java applications that can communicate with it? I guess not.

Considering how much hardware is required on a modern PC main board, it's really not that surprising that there are backdoors, bugs, or other mechanisms that can be exploited.

throwaypestban8y ago

> the baseband chip in your smartphone runs it's own ...

Microkernel

In many if not most cases this kernel would be an L4 implementation.

> OKL4 has been deployed on over 2 billion mobile phones (https://en.wikipedia.org/wiki/Open_Kernel_Labs)

1 more reply

criddell8y ago

If your servers have multiple network ports and you aren't using them all, don't use the first one. Apparently the ME interface is only exposed on the main network interface.

wmf8y ago

Xeon servers don't have AMT, but you might want to verify that your BMCs are firewalled and fully patched.

jaimex28y ago

Good to know, thanks :)

Kali9098y ago

It's comical at this stage.

digi_owl8y ago

I am tempted to go back to dialup style connectivity. Meaning i disconnect the router from the net unless i absolutely need something online.

mkl8y ago

You absolutely need security updates, or your system will be out of date and extra-vulnerable as soon as you plug it in.

1 more reply

acd8y ago

FrozenVoid8y ago

If anyone get compiling errors with 'timeval tv' being undefined add this to headers #include <sys/time.h>

mjg598y ago

Thanks, I added that.

1 more reply

neves8y ago

It looks like I’m out the news cycle. What is AMT? Why would I need to check for it? Why just in Linux?

bo10248y ago

3) The vulnerability. Suprise, AMT turns out to have a serious security vulnerability that allows a hacker to take control of the PC.

4.1) Linux. In particular, Intel has released a handy "detection guide"[1] that only applies to Windows. Macs are presumably "consumer hardware" only, so that mainly leaves Linux users out to dry.

Please correct me if I missed any details above.

[1] https://downloadcenter.intel.com/download/26755

qb458y ago

> Uncertainty. It is difficult, due to Intel's vagueness, to figure out whether one's CPU even has AMT capability and whether it is turned on ("provisioned") by default.

AMT is software so it's part of the BIOS image, not CPU. AFAIK it only works on "vPro" chipsets (Q series) thanks to Intel's market segmentation.

dom08y ago

The ME processor is located in the PCH as far as I know. SoC systems have it all on one die, of course.

0x08y ago

lclarkmichalek8y ago

Not all Intel CPUs have AMT. Most consumer machines won't have it enabled, it's an enterprise targeted feature.

  > Does this mean every Intel system built since 2008 can be taken over by hackers?
  
  No. Most Intel systems don't ship with AMT. Most Intel systems with AMT don't have it turned on.

From an FAQ by MJG, the author of the tool we are discussing: https://mjg59.dreamwidth.org/48429.html

1 more reply

ue_8y ago

1 more reply

rnhmjoj8y ago

This explains what it is and why everyone is (or should be) upset about it: http://www.intel.com/content/www/us/en/architecture-and-tech...

tumdum_8y ago

Did anyone read that code before using it? :)

mkl8y ago

I looked through it first. Not thoroughly enough to spot anything really underhanded, but it seems to be well written code that does stuff like what it claims.

uzoodoo8y ago

The author is pretty well-known

https://en.wikipedia.org/wiki/Matthew_Garrett

mkl8y ago

That alone is not enough, though it helps. Being well-known means a more desirable account to steal, and this is code that must be run as root.

1 more reply

lucb1e8y ago

I did at least.

INTPenis8y ago

I'm shocked to say that the Thinkpad x260 does not have AMT at all.

I'd be surprised if this meant that my pretty expensive Lenovo Thinkpad X-series lacks theft protection.

ac298y ago

Lenovo lists the X260 as vulnerable to CVE-2017-5689 [0], implying it supports AMT. My X240 definitely has AMT, it would be a bit odd for them to remove it in later generations.

[0] https://support.lenovo.com/us/en/product_security/LEN-14963

eikenberry8y ago

My X230 does as well.

Angostura8y ago

Saavedro8y ago

i don't think anyone has found a machine yet where AMT is enabled out of the box either

1 more reply

ingenium8y ago

Hmm, I ensured the mei driver was loaded (lsmod confirms it), but I get: "Cannot open /dev/mei: No such file or directory"

dmesg shows: "[ 18.233688] mei_me 0000:00:16.0: Device doesn't have valid ME Interface [ 18.233700] mei_me 0000:00:16.1: Device doesn't have valid ME Interface"

So I'm guessing I'm not vulnerable. I suppose Supermicro replaced it with their own IPMI interface.

pflanze8y ago

Similarly, on an Intel NUC with i5-6260U:

    # git rev-parse HEAD
    9aa755885093fc8ca8c822797a30ed98ffe2e166
    # make
    gcc     mei-amt-check.c   -o mei-amt-check
    # modprobe mei-me
    # ./mei-amt-check -v
    Cannot open /dev/mei: No such file or directory
    # l /dev/*mei*
    /bin/ls: cannot access /dev/*mei*: No such file or directory
    # dmesg |grep -i mei
    #

A little confusing as the program is supposed to show "Intel AMT: DISABLED" 'If run on a system with no AMT'.

pflanze8y ago

OK, with commit a4d8fca4d18e1ae896b0305a53e152b568596bc1 (still after running modprobe mei_me) it is saying:

    Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
    If you receive the same error, this system does not have AMT

(Sounds good)

HeadlessChild8y ago

Fixed in this commit: https://github.com/mjg59/mei-amt-check/pull/4/commits/4f2fef...

subway8y ago

IPMI does not replace MEI. It sits off to the side. Odds are, MEI/AMT is off in your firmware.

d338y ago

"Intel AMT: ENABLED, AMT is unprovisioned". Does that mean AMT is still potentially vulnerable to attacks from user/kernelspace?

lclarkmichalek8y ago

From the readme:

  In this state, AMT is not vulnerable to CVE-2017-5689.

d338y ago

1 more reply

besogne8y ago

"Error: Management Engine refused connection. This probably means you don't have AMT"

$ ls /dev/mei0 -lh

crw------- 1 root root 246, 0 May 15 21:02 /dev/mei0

Is there a way to completely remove AMT ?

virtualwhys8y ago

> Intel AMT: ENABLED > AMT is unprovisioned

sigmar8y ago

I remember early word during this AMT debacle was that there were certain conditions in which AMT could be remotely provisioned. Were those statements false? Is Enabled/unprovisioned completely safe?

newman3148y ago

I'm running VMware on a whitebox with a H87 chipset and vPro capable processor. MEI shows up in dmesg.

Has anyone else checked their VMware box accordingly?

j / k navigate · click thread line to collapse