Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

I tried to permanently disable it again, and I can no longer use Ctrl+P to access the IME menu.

So interesting. I wonder what would happen if one flashed the same firmware image onto the model with the non-vPro version of that CPU.

B

1 Like

[quote="renehoj, post:21, topic:12645"]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.
[/quote]

:partying_face::tada:

@renehoj Well, that’s surprised me in both good and bad ways…

I honestly never would have thought that a hardware vendor would give the end user the option to “brick” parts of their hardware….

I guess I stand corrected :slightly_smiling_face:

….but still concerned that vPro could potentially be exploited without the user’s knowledge or awareness…

But at least that’s one model that has been moved from the “untrusted hardware” list to the “somewhat trusted” list :grin:

Ah, ThinkPads, you never seem to let us down!

I guess that goes for anyone making a public statement :grimacing:

This is why this has surprised me. Let’s say you have a work laptop, and you permanently disable vPro on the board. Your laptop reaches end of life, and you then sell the laptop.

  1. What’s stopping you from lying about it having vPro functionality, and charging more money for it?

(Obviously a ROM dump would clearly show that you were lying, but the buyer wouldn’t know until they inspected the laptop)

Also:
2. Is a ROM flash with an external programmer the only way to “restore” vPro functionality, or is there user space software?

(If there is user space software, then that means there’s potential for it to be remotely executed by an attacker….)

@brendanhoar There’s only one way to find out :sunglasses:

I’d happily buy a laptop for testing, but have you seen the price of used hardware these days?!?!! :sob:

That is normal. The Intel Firmware Descriptor (IFD) locks itself and the ME region. An external backup with a programmer would be able to dump that firmware.

Interesting that setting ME to be permanently deactivated bypasses the IFD lock to modify the ME region here. I would love to know what happens in those multiple reboots.

1 Like

I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

Thanks for your very helpful experiment!
Still, we don’t really have choices here, but at least we may trust those BIOS settings more… and all the laptops that offer such an option.
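To make the dump comparison in renehoj’s experiment repeatable, here is an added example (my own code, not anything posted in this thread or shipped by Intel or Lenovo) that reads the region table from the Intel Flash Descriptor at the start of a full SPI dump and reports which 4 KiB pages went from holding data to all-zero between the “AMT enabled” and “AMT permanently disabled” dumps, labelled with the IFD region they fall in. The descriptor offsets (signature at 0x10, FLMAP0 at 0x14, FRBA region entries) follow the public IFD format; the 1 MiB image is constructed inline and is not a real T430 dump.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A            # descriptor marker at offset 0x10 of a full SPI dump
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
PAGE = 0x1000                         # SPI flash erase granularity used for the comparison

def parse_ifd_regions(img):
    """Read the flash region table (via FRBA) from an Intel Flash Descriptor."""
    if struct.unpack_from("<I", img, 0x10)[0] != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at 0x10")
    flmap0 = struct.unpack_from("<I", img, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4           # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", img, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                         # base > limit marks an unused region
            regions[name] = (base, limit)
    return regions

def zeroed_pages(before, after):
    """Page-aligned ranges that held data in `before` but read all 0x00 in `after`."""
    runs, start = [], None
    for off in range(0, min(len(before), len(after)), PAGE):
        b, a = before[off:off + PAGE], after[off:off + PAGE]
        wiped = a.count(0) == len(a) and b.count(0) != len(b)
        if wiped and start is None:
            start = off
        elif not wiped and start is not None:
            runs.append((start, off - 1))
            start = None
    if start is not None:
        runs.append((start, min(len(before), len(after)) - 1))
    return runs

def label_runs(runs, regions):
    """Attach the IFD region name(s) that each wiped run overlaps."""
    return [(s, e, sorted(n for n, (b, l) in regions.items() if s <= l and e >= b))
            for s, e in runs]

def build_sample_image(size=0x100000):
    """Constructed 1 MiB stand-in for a dump: descriptor, ME and BIOS regions only."""
    img = bytearray(b"\xFF" * size)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)  # FLMAP0 with only FRBA set
    layout = {"Descriptor": (0, 0xFFF), "ME": (0x1000, 0x7FFFF), "BIOS": (0x80000, size - 1)}
    for i, name in enumerate(REGION_NAMES):
        base, limit = layout.get(name, (0x7FFF000, 0xFFF))    # unused: base > limit
        struct.pack_into("<I", img, frba + 4 * i, (base >> 12) | ((limit >> 12) << 16))
    img[0x1000:] = bytes(range(256)) * ((size - 0x1000) // 256)   # non-zero payload
    return bytes(img)

def demo():
    enabled = build_sample_image()
    disabled = bytearray(enabled)
    disabled[0x3000:0x6000] = b"\x00" * 0x3000     # mimic a wiped section of the ME region
    return label_runs(zeroed_pages(enabled, bytes(disabled)), parse_ifd_regions(enabled))
```

On real dumps, read both files with `open(path, "rb").read()` and pass them to `zeroed_pages` and `parse_ifd_regions` the same way `demo()` does.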

Hard to say, but the Wikipedia article says that AMT doesn’t make the CPU vPro; VT-d/x, TXT, and AMT are all vPro technologies, including all the security features. I don’t think it’s impossible that none of the CPU features are needed for AMT, and that it can run on any version of IME as long as you have a chipset that supports AMT.

My guess would be that the chipset and not the CPU decides if you can use AMT, but I also wouldn’t be surprised if they used the CPU ID as a “license key” to make sure you couldn’t use it without paying.

Reread this and wanted to clarify that this is not factual in all cases. You can have ME neutered/CSME disabled while still having VT-x and VT-d. TXT as well on some models. What can be disabled, though, is the fTPM if provided by ME. And I think, unsure, that Boot Guard requires CSME (new name for ME), but I would love to read more on what happens on newer systems there.

I know as well that newer suspend mechanisms require CSME as well to keep idle on low power consumption (Alder Lake).

Nitpicking, but important distinctions. Haven’t read the Wikipedia page on that for a while, but that was not my reading and I thought it was pretty factual. Quotes?

2 Likes

12th gen non-vPro CPUs have VT-d/x support (but remove AMT/ME/TXT/TME).

But since most 12th gen laptops only support TPM 2.0, does TXT even matter, since AEM requires 1.2?

And what about Total Memory Encryption (TME), which is also absent on non-vPro CPUs? Is this feature even compatible with Qubes, and is it worth it to get a vPro-capable CPU?

Buying a 12th gen CPU that isn’t vPro doesn’t mean it doesn’t have ME or AMT; they all have ME, vPro only means it’s AMT Enterprise eligible. I have the 12900K, which has enterprise AMT support, but my motherboard is the MSI Z690, which doesn’t have the Q670 chipset needed to use the AMT functions.

TPM and TXT only matter if you want to use AEM. I don’t use it and don’t know if it’s working with 12th gen.

The version I use of coreboot doesn’t currently support memory encryption, so I don’t know if it works with Qubes.

I wildly guess this was to be your question

My idea was to search for non-vPro-non-SGX CPU depending on the answer
Never got an answer though…

I tried this on the Lenovo T480. I had both the i5 and i7 motherboard, and I tried flashing the i5 firmware to the i7 motherboard.

The BIOS didn’t have the AMT options, and it complains about failing some security check, but it boots. The i5 firmware has the AMT code; you can enter the menu using Ctrl+P on the boot screen.

The motherboards are identical, but the mobile CPU has the PCH integrated, so I don’t know if it’s the CPU or the PCH that enables AMT to run.

Black Hat May 8th 2018
Intel AMT Stealth Breakthrough

video description:
Every modern computer system based on Intel architecture has Intel Management Engine (ME) - a built-in subsystem with a wide array of powerful capabilities (such as full access to operating memory, out-of-band access to a network interface, running independently of CPU even when it is in a shutdown state, etc.). During this talk we will discuss methods of remote pwning of almost every Intel based system, manufactured since 2010 or later.

In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.

1 Like

Question: To be clear, I have purchased a Lenovo T480 for use with Qubes. When I receive it, if it has a sticker for Intel vPro on the front (since I am not going to do external hardware flashing), should I send the T480 with vPro back and go looking for one without vPro? I hope I can easily determine if it has any memory soldered. (By the way, the purchase price for this was $200.00, with taxes $216.00 - price has gone up overnight - from Amazon, refurbished… Also from Amazon, looking at RAM: Corsair Vengeance Performance SODIMM Memory 64GB (2x32GB) DDR4 2933MHz CL19 Unbuffered for 8th Generation or Newer Intel Core™ i7, and AMD Ryzen 4000 Series Notebooks for $150.00.) Just in case someone was looking to buy something to try Qubes out.

Basic question: how serious a negative is having Intel vPro for using Qubes?

see Disabling ME on the T480 (and other laptops)

There is no 1vyrain equivalent for xx80 series ThinkPads yet. You should be able to flip the HAP bit. The HAP bit was uncovered by Positive Technologies. Another thing you really want to do is not use Intel wifi chips, which are designed to make the Intel ME accessible via wifi. ThinkPenguin wifi cards are what most people concerned with Intel ME/AMT aka “vPro” reach for. Some have pointed out that Intel ME/AMT can have drivers for the Atheros chips in the ThinkPenguin wifi cards. These users dedicated a small single-board computer to proxy networking.

I have read extensively on various darknet imageboards that the only thing resembling a reasonably secure system involves multiple boards (multiple computers) working together. I am sorry that we don’t have nice things.

Panic level 9000+ bad.

1 Like

"For IT departments, vPro is an efficient way to monitor, update, and troubleshoot multiple PCs without needing to physically deal with hardware. This has become ever-more important as we move into a mobile reality where “the office” doesn’t necessarily mean four walls and a desk."

The company does the remote re-programming, not a nation state actor, or the CIA, NSA, GCHQ or Chinese/Russian equivalent. An angry girlfriend may be more dangerous.

I thought Intel vPro related to a company being able to forcibly install software on their own corporate computers. Like upgrades.

If I was a Corporate IT, I would want the capability to remotely disable, or find, a lost computer that belonged to my company.

Hard to guess if the encryption to do those things, for a group of ex-corporate hardware, might have been dumped onto the darknet for the entertainment of…

On the Lenovo X-230, if one has not run 1vyrain or done a hardware flash of coreboot or such, the laptop will not boot unless it has the original WiFi chip inside, and also a real IBM-certified battery. I think the keyboard too. Still, if one is going to progress to using Heads with an external hardware flash, there are reputed to be some complications from having already used 1vyrain. Oh, for those who have not read about it: 1vyrain is a software flash of firmware to disable some parts of a few computers to allow some new parts to be used, and some other neato-keen things. Effectively, as the other poster mentions, changing the internal WiFi adapter prevents the remote re-programming of part of the Intel CPU chip by way of the Management Engine (ME).

I am pretty sure one can now purchase a WiFi adapter for the X-230 that works better than the original, with the replacement WiFi adapter having a FOSS driver (module, I think, is the correct term for Linux). It sees possible connections better and faster, and cannot be used by the software in the Intel ME, if it was still there.

I have not heard of any use of the Intel ME, in the wild, in actual use. Given the value of holding the potential of re-programming a computer, it would only be used by a nation state actor, on the level of an act of war. Take down all the computers of another country. Not watch me. Use by a nation state is like using ICBMs. Use it, and another country uses it in reprisal. In my opinion, it is just dumb for Intel to keep adding it to current processors. But a lot of noise, when Intel ME is not likely to be ever used. Less likely to be used specifically against me. Qubes developers deal with more relevant security issues every day than the negative features of Intel ME.

Also guessing an adversary only gets to use it once, then the servers around the world will be modified to block it.

However, just the inconvenience of not being able to upgrade a WiFi chip, that is important.

And I still would want to get rid of security holes I know of.

Qubes is really like having several different computers on one laptop. In a similar vein, if I was using an at home connection: NitroWall NW678 | shop.nitrokey.com

drool. Hardware Firewall, good idea.

I would like an External USB Hub to block, handle certain risk factors. But who you gonna trust to design and build it??

I have worked with dozens of IT teams, some in the Fortune 500, and I have never seen organic use of Intel ME. Someone told me they were browsing LinkedIn and came across a profile of some woman who worked at Intel. On her LinkedIn page she described in one of her roles that she would “formulate strategies” to “increase demand for Intel AMT”, or something like that. The takeaway this person told me they had was that her role was to astroturf demand (so, plausible deniability) for AMT.

Intel ME/AMT is a total scam. Most government and corporate workers (even the IT departments) in USA have no idea that Intel ME/AMT is even a thing.

edit: Intel is headquartered in State of California

1 Like

This means that for many years when these X230s were in production use by various government workers and businesses, their machines were vulnerable to anyone who was tipped off with advance knowledge of Intel wifi and Intel ME.

Intel ME has access to PCI lanes and USB ports. A smart user could choose to use a wifi chip other than an Intel wifi chip, but Intel could work with OEMs to smuggle additional wifi drivers into firmware updates for Intel ME to use these other wifi chips.

Intel ME can also run when the system appears to be “off” if there is a power source. Intel wifi chips seem to use “extra” teeth on the PCI connector. At the very least, Intel ME can potentially leverage non-Intel wifi while a system is on.

There are some out there who are convinced that the only way to safely use an Intel machine is behind one or more less problematic systems.

This subject is well known, and there have been provisions for the security hazard created with Intel ME. Or just part of Intel ME.

Intel ME is needed as part of the boot-up of any computer with an Intel processor. What we are interested in is the part of Intel ME that has the code to surreptitiously, covertly re-program the Intel ME processor to do whatever the change is.

A great deal has been done to mitigate the problem part of Intel ME.

Is one example. If you want to say that you would prefer to use AMD processors because of this: AMD processors also have security issues, although I am not sure how much is known about those, or how to mitigate them.

When I changed my Lenovo X-230 to fix the Intel ME problem, I installed an internal Atheros-chip-based wireless adapter, although I was apprehensive, as that Atheros wireless processor came on a slow boat from China. I would be pretty sure the firmware that Qubes used on that Atheros chip was FOSS, as the same Atheros chip is used by folks who know a great deal more about reading through the code used in the chip, and networking, than I do. That’s because this is what Insurgo used on the Lenovo X-230 he sold for use with Qubes. If you read through the forums, you would notice Insurgo works on improving Heads and providing free advice for folks.

The reason the Qubes HCL tends to favor older computers is that a great deal is known about them, whereas the latest processor, with a bunch of newish other hardware, is unknown in what might be hidden in it. Perhaps it has security problems unknown to the manufacturer, as well.

Intel vPro is an alternate means to re-program my computer that might likely be beyond my control.

Perhaps the other posters were unaware that there was an age when nearly every update from M$ (shorthand for Microsoft) crashed the hardware and required part of the software to be rolled back to a previous version of Windows. So a lot of people turned off M$ updates. We also had malware which infected computers, then spewed more copies of itself onto the internet. The effect was that everything was slowed down. I can understand why a company that had a lot of computers, perhaps hundreds of laptops, wanted a way to force trusted updates onto the computers which they purchased.

From what I read, Intel vPro was a means to do that. Someone said that of all the IT groups he knew of, none used Intel vPro. Well, after I fix the Intel ME in the next computer I purchase, I hoped to find an absolute means to also fix Intel vPro. Then again, when the company bought a group of laptops, I would guess they were given an encryption key to forcibly do updates on the computers the company purchased for their employees to use. I need to read a good bit and see if someone has a way to be sure I can turn Intel vPro off. That I can trust. Not so sure I trust a hack written by someone I do not know.

BTW, Intel provides a bit of a program to test and see if the obnoxious part of Intel ME is functional.

If all you do with a Lenovo X-230 is replace the WiFi adapter with, say, the Atheros one, you will find the computer will not boot.

This is a lot of talking of someone invoking the power of the Intel ME to alter a particular computer. Not likely. It is like using an atomic bomb to rid your cat of fleas.

I am perplexed that Intel still trusts the loyalty of its engineers to keep the secret, and keeps installing the irritating feature within Intel ME.

I will guess this silliness ends when an Intel engineer goes to work someday and says, "Hey boss, never gonna believe what happened. Someone offered me five hundred million dollars to tell him about how we might be able to use Intel ME. Not that it would work from just any internet address, but what is done to test the functionality of the Intel ME feature that re-programs my computer."

Insofar as another processor, like RISC-V coming along to prevent all the same. Well there are other ways to use a modification on the Mobo to accomplish the same thing.

Again, this is why Qubes recommendations are usually for computers which are at least two years old. A lot has been discovered about them. Those newest computers which are Qubes trusted were specifically engineered to not have the Intel ME problem.

Notice the computers which were built by a (then Chinese-owned) Lenovo for the US Air Force, which had an extra chip added so that after the initial testing period, they could spew all kinds of data to China about the US Air Force. Although I cannot find a trusted version of the news story now. Which means, if you see something interesting regarding security, save the web page, not just the link. Because now, without proof of the hacked US Air Force computers, I look a little paranoid.

If you know something provable, and can provide a link to a well trusted security site. Please tell me.

Hi @catacombs, I am curious how you came to this conclusion. The reasons I am aware of include upstream projects like Xen supporting new CPU as well as the general state of hardware support in the version of Fedora that is shipped in dom0.

Where did you get the notion that … “latest processor, with a bunch of newish other hardware, is unknown in what might be hidden in it. Perhaps it has security problems unknown to the manufacturer, as well” …is something that is considered by Qubes OS in terms of supporting hardware?

1 Like