Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

From what I’ve read, disabling AMT through the BIOS simply passes a request to the on-CPU ME coprocessor to disable the functions.

That state flag is then stored on-CPU in a small non-volatile (flash/SRAM?) area for settings and other power-cycle-maintained values/state.

There is no published external command or other signal to tell the ME to enable the functions again and Intel claims they have not implemented such a command.


What I have learned is to read every letter of the statements, look to each comma and period. Reading Intel’s statement, the first thing I’d ask them after this would be: is such a command implementable? Who else could implement it? And so on and so on…


I’m sure if one could modify the firmware of the ME one could do it. That module is signed and/or encrypted by Intel, and Intel could do so with a future firmware update.


I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.

When I saved the change and exited the BIOS, the system rebooted 4 times before starting normally; could be a POST to make sure the system actually is able to boot.


Would be curious to see what happens if one used a programmer to restore the missing zones of firmware.


I think you are right about something in the CPU getting locked.

I can try and restore the original dump, but I’m pretty sure it doesn’t work. From what I know, the only way to restore AMT is to replace the CPU/motherboard.


I tried restoring the ROM, and it seems to also restore AMT.

The T430 is a naked motherboard, so I can’t boot an OS to confirm AMT is working, but the BIOS options are restored.

$ sudo flashrom -p ch341a_spi -c MX25L6405 -w dump1A-on.rom 
flashrom v1.2 on Linux 5.15.0-25-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x28, failed byte count from 0x00000000-0x0000ffff: 0xa422
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Erase/write done.
Verifying flash... VERIFIED.

I kept getting that write error on address 0xa422; maybe all they do is somehow write-protect a byte in the ROM, but flashrom somehow knows how to erase the byte.

I tried 3 times, it failed at the same address every time.

Right… the important bit is: does it work after the firmware restore or not? E.g. can you set up remote VNC or whatever on a DHCP Ethernet connection and watch the BIOS/boot via VNC remotely?

I don’t have a working NIC on that motherboard, so I can’t be 100% sure.

Ctrl+P at the boot screen allows me to access the IME menu and configure AMT; I’m as sure as I can be that it’s fully functional.

I tried to permanently disable it again, and I can no longer use Ctrl+P to access the IME menu.

So interesting. I wonder what would happen if one flashed the same firmware image onto the model with the non-vPro version of that CPU.


[quote="renehoj, post:21, topic:12645"]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.
[/quote]

:partying_face::tada:

@renehoj Well, that surprised me in both good and bad ways…

I honestly never would have thought that a hardware vendor would give the end user the option to “brick” parts of their hardware….

I guess I stand corrected :slightly_smiling_face:

…but I’m still concerned that vPro could potentially be exploited without the user’s knowledge or awareness…

But at least that’s one model that has been moved from the “untrusted hardware” list to the “somewhat trusted” list :grin:

Ah, ThinkPads, you never seem to let us down!

I guess that goes for anyone making a public statement :grimacing:

This is why this has surprised me. Let’s say you have a work laptop, and you permanently disable vPro on the board. Your laptop reaches end of life, and you then sell the laptop.

1. What’s stopping you from lying about it having vPro functionality, and charging more money for it?

(Obviously a ROM dump would clearly show that you were lying, but the buyer wouldn’t know until they inspected the laptop)

Also:
2. Is a ROM flash with an external programmer the only way to “restore” vPro functionality, or is there user space software?

(If there is user space software, then that means there’s potential for it to be remotely executed by an attacker…)

@brendanhoar There’s only one way to find out :sunglasses:

I’d happily buy a laptop for testing, but have you seen the price of used hardware these days?!?!! :sob:

That is normal. The Intel Firmware Descriptor (IFD) locks itself and the ME region. An external backup with a programmer would be able to dump that firmware.

Interesting that setting the ME to be permanently deactivated bypasses the IFD to be able to modify the ME region here. I would love to know what happens in those multiple reboots.

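Added example, not code from anyone in this thread: a Python script that reads the Intel Flash Descriptor from two SPI dumps like the ones renehoj took with the CH341A (AMT enabled vs. permanently disabled), lists the region layout, decodes the host/BIOS master's read/write bits from FLMSTR1 (the lock the post above refers to), and reports which byte ranges in each region were zeroed, erased or otherwise changed between the two images. Assumptions: the descriptor uses the legacy, pre-Skylake FLMSTR bit layout (one read bit per region at bits 16-20, one write bit at bits 24-28), which is what a 7-series ThinkPad such as the T430 has; the function names are mine; the image produced by build_sample_image() is constructed for the demo and is not a real dump.

```python
"""Parse an Intel Flash Descriptor (IFD) and diff two SPI dumps region by region.
Added example with hypothetical helper names; the sample image is constructed."""
import struct

IFD_SIGNATURE = b"\x5a\xa5\xf0\x0f"   # 0x0FF0A55A little-endian, within the first 4 KiB
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")


def _find_signature(image):
    sig = image.find(IFD_SIGNATURE, 0, 0x1000)
    if sig < 0:
        raise ValueError("no Intel Flash Descriptor signature in the first 4 KiB")
    return sig


def parse_ifd(image):
    """Return {region: (base, limit)}. FLMAP0 (the word after the signature) holds
    FRBA, the offset of the FLREG table; FLREGn packs base (bits 0-14) and limit
    (bits 16-30) in 4 KiB units. An unused region has base > limit and is skipped."""
    sig = _find_signature(image)
    (flmap0,) = struct.unpack_from("<I", image, sig + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:
            regions[name] = (base, limit)
    return regions


def host_access(image):
    """Decode FLMSTR1 (host CPU/BIOS master) in the legacy pre-Skylake layout:
    bits 16-20 = read, bits 24-28 = write, one bit per region in REGION_NAMES
    order. ME with read=False/write=False is the lock that stops flashrom running
    on the host from touching that region. Assumption: legacy layout only."""
    sig = _find_signature(image)
    (flmap1,) = struct.unpack_from("<I", image, sig + 8)
    fmba = (flmap1 & 0xFF) << 4
    (flmstr1,) = struct.unpack_from("<I", image, fmba)
    return {name: {"read": bool((flmstr1 >> (16 + i)) & 1),
                   "write": bool((flmstr1 >> (24 + i)) & 1)}
            for i, name in enumerate(REGION_NAMES)}


def _classify(after, start, end):
    """Label a differing run by what the later dump now holds there."""
    chunk = after[start:end + 1]
    if chunk.count(0x00) == len(chunk):
        return (start, end, "zeroed")
    if chunk.count(0xFF) == len(chunk):
        return (start, end, "erased")
    return (start, end, "changed")


def diff_regions(before, after, regions, page=0x1000):
    """Per region, list (start, end, kind) runs where the two dumps differ.
    Equal 4 KiB pages are skipped with one slice compare; only differing pages
    are walked byte by byte."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size; they must come from the same chip")
    report = {}
    for name, (base, limit) in regions.items():
        end = min(limit, len(before) - 1)
        runs, start, off = [], None, base
        while off <= end:
            nxt = min(off + page, end + 1)
            if before[off:nxt] != after[off:nxt]:
                for b in range(off, nxt):
                    if before[b] != after[b]:
                        if start is None:
                            start = b
                    elif start is not None:
                        runs.append(_classify(after, start, b - 1))
                        start = None
            elif start is not None:
                runs.append(_classify(after, start, off - 1))
                start = None
            off = nxt
        if start is not None:
            runs.append(_classify(after, start, end))
        report[name] = runs
    return report


def build_sample_image(size=0x100000):
    """Constructed 1 MiB image (not a real dump): descriptor at 0, ME 0x1000-0x7FFFF,
    BIOS 0x80000-end, GbE/PDR unused, host may read/write BIOS and GbE but not ME."""
    img = bytearray(b"\xff" * size)
    frba, fmba = 0x40, 0x60
    img[0x10:0x14] = IFD_SIGNATURE
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)   # FLMAP0: FRBA
    struct.pack_into("<I", img, 0x18, fmba >> 4)           # FLMAP1: FMBA
    flreg = lambda base, limit: (base >> 12) | ((limit >> 12) << 16)
    struct.pack_into("<I", img, frba + 0, flreg(0x0, 0xFFF))
    struct.pack_into("<I", img, frba + 4, flreg(0x80000, size - 1))
    struct.pack_into("<I", img, frba + 8, flreg(0x1000, 0x7FFFF))
    struct.pack_into("<I", img, frba + 12, 0x00001FFF)     # GbE unused (base > limit)
    struct.pack_into("<I", img, frba + 16, 0x00001FFF)     # PDR unused
    struct.pack_into("<I", img, fmba, 0x0A0B0000)          # FLMSTR1: rd bits 16,17,19; wr bits 25,27
    pattern = bytes(range(0x01, 0xFF))                     # no 0x00/0xFF so zeroing is visible
    me_len = 0x80000 - 0x1000
    img[0x1000:0x80000] = (pattern * (me_len // len(pattern) + 1))[:me_len]
    return bytes(img)


if __name__ == "__main__":
    enabled = build_sample_image()
    disabled = bytearray(enabled)
    disabled[0x20000:0x30000] = b"\x00" * 0x10000          # simulate a zeroed ME sub-range
    regions = parse_ifd(enabled)
    access = host_access(enabled)
    for name, (base, limit) in regions.items():
        print(f"{name:14s} 0x{base:08x}-0x{limit:08x} host {access[name]}")
    for name, runs in diff_regions(enabled, bytes(disabled), regions).items():
        for start, end, kind in runs:
            print(f"{name}: 0x{start:08x}-0x{end:08x} {kind}")
```

On a real pair of dumps, replace build_sample_image() with open("dump1A-on.rom", "rb").read() and the matching "off" dump. Run the diff on images taken with the external programmer, since a dump from the OS will not contain the ME bytes the IFD denies the host. Also compare host_access() across the two images: if the "off" dump grants the host write access to ME where the "on" dump did not, that would explain why the BIOS could modify the ME region during those reboots.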

[quote="renehoj, post:21, topic:12645"]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.
[/quote]

Thanks for your very helpful experiment!
Still, we don’t really have choices here, but at least we may trust that BIOS setting more… and all the laptops that offer such an option.

Hard to say, but the Wikipedia article says that AMT doesn’t make the CPU vPro; VT-d/x, TXT, and AMT are all vPro technology, including all the security features. I don’t think it’s impossible that none of the CPU features are needed for AMT, and that it can run on any version of IME as long as you have a chipset that supports AMT.

My guess would be that the chipset and not the CPU decides if you can use AMT, but I also wouldn’t be surprised if they used the CPU ID as a “license key” to make sure you couldn’t use it without paying.

Reread this and wanted to clarify that this is not factual in all cases. You can have the ME neutered/CSME disabled while still having VT-x and VT-d. TXT as well on some models. What can be disabled, though, is the fTPM if provided by the ME. And I think, unsure, that Boot Guard requires CSME (new name for ME), but I would love to read more on what happens on newer systems there.

I know as well that newer suspend mechanisms require CSME as well to keep idle on low power consumption (Alder Lake).

Nitpicking, but important distinctions. Haven’t read the Wikipedia page on that for a while, but that was not my reading, and I thought it was pretty factual. Quotes?


12th gen non-vPro CPUs have VT-d/x support (but remove AMT/ME/TXT/TME).

But since most 12th gen laptops only support TPM 2.0, does TXT even matter, since AEM requires 1.2?

And what about Total Memory Encryption (TME), which is also absent on non-vPro CPUs? Is this feature even compatible with Qubes, and is it worth it to get a vPro-capable CPU?

Buying a 12th gen CPU that isn’t vPro doesn’t mean it doesn’t have ME or AMT; they all have ME, and vPro only means it’s AMT Enterprise eligible. I have the 12900K, which has enterprise AMT support, but my motherboard is the MSI Z690, which doesn’t have the Q670 chipset needed to use the AMT functions.

TPM and TXT only matters if you want to use AEM, I don’t use it and don’t know if it’s working with 12th gen.

The version I use of coreboot doesn’t currently support memory encryption, so I don’t know if it works with Qubes.

I wildly guess this was to be your question

My idea was to search for a non-vPro, non-SGX CPU depending on the answer.
Never got an answer, though…

I tried this on the Lenovo T480. I had both the i5 and i7 motherboards, and I tried flashing the i5 firmware to the i7 motherboard.

The BIOS didn’t have the AMT options, and it complains about failing some security check, but it boots. The i5 firmware has the AMT code; you can enter the menu using Ctrl+P on the boot screen.

The motherboards are identical, but the mobile CPU has the PCH integrated, so I don’t know if it’s the CPU or the PCH that enables AMT to run.