Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

About the car: it reminds me of the show Upload (Amazon Prime) :slight_smile:

Actually @brendanhoar clarified things with his post. There may be the possibility that a non-vPro CPU in fact still has vPro capabilities.

I hope this isn’t a possible issue for the Purism laptops which I was hoping to get.

Well, yes and no….

These chips that hold and execute a BIOS or device firmware usually are incredibly simple. They contain a single binary that automatically executes as soon as the chip is powered on. When these chips are written to, it’s not like copying a file to NAND flash (I wish it was that simple sometimes…). Because of this, if you want to change even a tiny part of that binary you have to recompile that binary and flash the entire contents of the chip.

That’s why there’s usually a big “DO NOT TURN OFF YOUR COMPUTER WHILE FLASHING OR YOU COULD BRICK IT” warning when using consumer BIOS update tools…

I’m sure you’ve had a BIOS update fail. If you haven’t, then you’re lucky, and you need to tell me your secret :sweat_smile:.

Flashing BIOS and firmware chips sometimes goes wrong, and each flash does take its toll on the lifespan of the chip. That’s one of the reasons why manufacturers try to limit the number of BIOS updates they release to a couple of times a year, plus urgent security updates.

But that’s only part of why I’d be surprised that it would alter the device’s firmware and remove a feature permanently. The other part is the logistics of actually doing it that way.

If that’s what it was actually doing, it would need a binary to flash to it. Where would it get it from? The CPU? Wouldn’t that mean that a full backup of a binary without vPro functionality was stored somewhere that the CPU/NIC/BIOS had access to?

What would happen if that hardware was sold to someone else, and that someone actually wanted to use vPro? How would they get it back into the device firmware?

And if you could just “reflash” the device firmware, what would happen to the serial number most likely stored within that binary?

Intel would have an insane number of their vPro devices sent back to them because the customer bricked them….

I’m just saying, it would be so much easier to keep the code for vPro on the chips in the binary, but have it compiled with an option to not execute it. It would also avoid unnecessary writes to the chips, prolonging their lifespan.

This is why I would be surprised if that’s what was actually happening…. :slightly_smiling_face:

And microcode updates aren’t actually stored on the CPU, at least not with Linux. They’re loaded onto the CPU at boot time, along with the Linux kernel, and they are gone as soon as power is lost to the CPU, and need to be loaded on next boot.

Maybe Intel and AMD have some kind of arrangement with Microsoft, and they allow flashing of the internals of the CPU while running Windows. That’s possible. It wouldn’t be the first time (we need more BIOS updating tools released by vendors for Linux and BSD. I mean, they probably used Linux/BSD to build the damn BIOS anyway!)

——

Basically being stuck inside a “docker container” behind a paywall on someone else’s computer, and calling it “the afterlife”.

That would easily be Richard Stallman’s definition of “hell” :joy:

A good story, though…

And a very accurate depiction of what “technology” in society has become….


In HP Elitebook BIOS, there is only the option to unconfigure AMT, not remove it.

This is the menu from a ThinkPad, and the permanently disabled does something that requires multiple reboots, at least that is how I remember it.

Anti-theft and CompuTrace have similar options to permanently disable, and similarly to AMT can also be used to backdoor the device.

From this point, you must only believe that this really permanently disables something…

From what I’ve read, disabling AMT through BIOS simply passes a request to the on-CPU ME coprocessor to disable the functions.

That state flag is then stored on-CPU in a small non-volatile (flash/sram?) area for settings and other power-cycle maintained values/state.

There is no published external command or other signal to tell the ME to enable the functions again and Intel claims they have not implemented such a command.


What I have learned is to read every letter of the statements, look to each comma and period. Reading that Intel’s statement, the first I’d ask them after this would be: is such a command implementable? Who else could implement it. And so on and so on…


I’m sure if one could modify the firmware of the ME one could do it. That module is signed and/or encrypted by Intel and Intel could do so with a future firmware update.


I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.

When I saved the change and exited the bios, the system reboots 4 times before starting normally, could be a POST to make sure the system actually is able to boot.

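A defender-side tool for the comparison renehoj describes above (an added example, not code from this thread): given the "enabled" and "permanently disabled" dumps, it lists the byte ranges that changed and flags those that were blanked to 0x00/0xFF. It assumes both dumps were read from the same chip at the same size; the embedded sample images are constructed, not real firmware.

```python
"""Added example (not code from the thread): compare "before" and "after" SPI
flash dumps and report the regions that changed, flagging those whose new
contents are entirely 0x00/0xFF, i.e. what a zeroed ME/AMT area looks like."""
import sys
from dataclasses import dataclass

ERASED = {0x00, 0xFF}  # values a blanked flash region consists of

@dataclass
class DiffRegion:
    start: int     # offset of the first differing byte
    end: int       # one past the last differing byte
    blanked: bool  # True if every "after" byte in [start, end) is 0x00/0xFF

def diff_regions(before: bytes, after: bytes, gap: int = 16) -> list[DiffRegion]:
    """Return contiguous regions where the images differ. Runs of equal bytes
    no longer than `gap` are folded into the surrounding region so a zeroed
    block is reported once rather than as many small ranges."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size: wrong chip or truncated read?")
    regions, start, last = [], None, None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            start = i if start is None else start
            last = i
        elif start is not None and i - last > gap:
            regions.append(_region(after, start, last + 1))
            start = None
    if start is not None:
        regions.append(_region(after, start, last + 1))
    return regions

def _region(after: bytes, start: int, end: int) -> DiffRegion:
    return DiffRegion(start, end, all(b in ERASED for b in after[start:end]))

def sample_images() -> tuple[bytes, bytes]:
    """Constructed 4 KiB images (not real firmware): 'after' has 0x800..0xBFF
    zeroed and one unrelated byte at 0x10 rewritten to a non-blank value."""
    before = bytes((i * 7 + 3) & 0xFF for i in range(0x1000))
    after = bytearray(before)
    after[0x800:0xC00] = bytes(0x400)
    after[0x10] = 0x5A
    return before, bytes(after)

if __name__ == "__main__":  # usage: python rom_diff.py before.rom after.rom
    paths = sys.argv[1:3]
    before, after = (open(p, "rb").read() for p in paths) if len(paths) == 2 else sample_images()
    for r in diff_regions(before, after):
        print(f"0x{r.start:08x}-0x{r.end - 1:08x} {r.end - r.start:6d} bytes "
              f"{'blanked' if r.blanked else 'changed'}")
```

Run it on two flashrom reads (-r) of the same chip to see which ranges the "permanently disable" step actually blanked, before deciding whether a later write of the old image is worth attempting.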

Would be curious to see what happens if one used a programmer to restore the missing zones of firmware.


I think you are right that something in the CPU gets locked.

I can try and restore the original dump, but I’m pretty sure it doesn’t work. From what I know, the only way to restore AMT is to replace the CPU/motherboard.


I tried restoring the rom, and it seems to also restore AMT.

The T430 is a naked motherboard, so I can’t boot an OS to confirm AMT is working, but the BIOS options are restored.

$ sudo flashrom -p ch341a_spi -c MX25L6405 -w dump1A-on.rom 
flashrom v1.2 on Linux 5.15.0-25-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x28, failed byte count from 0x00000000-0x0000ffff: 0xa422
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Erase/write done.
Verifying flash... VERIFIED.

I kept getting that write error on address 0xa422, maybe all they do is somehow write protect a byte in the rom, but flashrom somehow knows how to erase the byte.

I tried 3 times, it failed at the same address every time.

Right… the important bit is: does it work after firmware restore or not? E.g. can you set up remote VNC or whatever on a DHCP Ethernet and watch the BIOS/boot via VNC remotely?

I don’t have a working NIC on that motherboard, so I can’t be 100% sure.

Ctrl+P at the boot screen allows me to access the IME menu and configure AMT, I’m as sure as I can be that it’s fully functional.

I tried to permanently disable it again, and I can no longer use Ctrl+P to access the IME menu.

So interesting. I wonder what would happen if one flashed the same firmware image onto the model with the non-vPro version of that CPU.


[quote="renehoj, post:21, topic:12645"]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.
[/quote]

:partying_face::tada:

@renehoj Well, that’s surprised me in both good and bad ways….

I honestly never would have thought that a hardware vendor would give the end user the option to “brick” parts of their hardware….

I guess I stand corrected :slightly_smiling_face:

….but still concerned that vPro could potentially be exploited without the user’s knowledge or awareness…

But there’s at least one model that has been moved from the “untrusted hardware” list to the “somewhat trusted” list :grin:

Ah, ThinkPads, you never seem to let us down!

I guess that goes for anyone making a public statement :grimacing:

This is why this has surprised me. Let’s say you have a work laptop, and you permanently disable vPro on the board. Your laptop reaches end of life, and you then sell the laptop.

1. What’s stopping you from lying about it having vPro functionality, and charging more money for it?

(Obviously a ROM dump would clearly show that you were lying, but the buyer wouldn’t know until they inspected the laptop)

Also:
2. Is a ROM flash with an external programmer the only way to “restore” vPro functionality, or is there user space software?

(If there is user space software, then that means there’s potential for it to be remotely executed by an attacker….)

@brendanhoar There’s only one way to find out :sunglasses:

I’d happily buy a laptop for testing, but have you seen the price of used hardware these days?!?!! :sob:

That is normal. Intel Firmware Descriptor (IFD) locks itself and the ME region. An external backup with a programmer would be able to dump that firmware.

Interesting that setting ME to be permanently deactivated is bypassing IFD to be able to modify ME region here. I would love to know what happens in those multiple reboots.


[quote="renehoj, post:21, topic:12645"]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.
[/quote]

Thanks for your very helpful experiment!
Still, we don’t really have choices here, but at least we may trust those BIOS settings more… and all the laptops that offer such an option.

Hard to say, but the Wikipedia article says that AMT doesn’t make the CPU vPro; VT-d/x, TXT, and AMT are all vPro technologies, including all the security features. I don’t think it’s impossible that none of the CPU features are needed for AMT, and that it can run on any version of IME as long as you have a chipset that supports AMT.

My guess would be that the chipset and not the CPU decides if you can use AMT, but I also wouldn’t be surprised if they used the CPU ID as a “license key” to make sure you couldn’t use it without paying.