I tried restoring the rom, and it seems to also restore AMT.
The T430 is a naked motherboard, so I can't boot an OS to confirm AMT is working, but the BIOS options are restored.
```
$ sudo flashrom -p ch341a_spi -c MX25L6405 -w dump1A-on.rom
flashrom v1.2 on Linux 5.15.0-25-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x28, failed byte count from 0x00000000-0x0000ffff: 0xa422
Reading current flash chip contents... done. Looking for another erase function.
Verifying flash... VERIFIED.
```
I kept getting that write error at address 0xa422. Maybe all they do is somehow write-protect a byte in the ROM, but flashrom somehow knows how to erase the byte.
I tried 3 times, it failed at the same address every time.
Hard to say, but the Wikipedia article says that AMT doesn't make the CPU vPro; VT-d/x, TXT, and AMT are all vPro technology, including all the security features. I don't think it's impossible that none of the CPU features are needed for AMT, and that it can run on any version of the IME as long as you have a chipset that supports AMT.
My guess would be that the chipset and not the CPU decides if you can use AMT, but I also wouldn’t be surprised if they used the CPU ID as a “license key” to make sure you couldn’t use it without paying.
Reread this and wanted to clarify that this is not factual in all cases. You can have ME neutered/CSME disabled while still having VT-x and VT-d, and TXT as well on some models. What can be disabled, though, is the fTPM if provided by ME. And I think, unsure, that Boot Guard requires CSME (the new name for ME), but I would love to read more on what happens on newer systems there.
I know as well that newer suspend mechanisms require CSME as well to keep idle on low power consumption (Alder Lake).
Nitpicking, but important distinctions. Haven’t read wikipedia page on that for a while but that was not my reading and thought it was pretty factual. Quotes?
Buying a 12th gen CPU that isn't vPro doesn't mean it doesn't have ME or AMT; they all have ME, and vPro only means it's AMT Enterprise eligible. I have the 12900K, which has enterprise AMT support, but my motherboard is the MSI Z690, which doesn't have the Q670 chipset needed to use the AMT functions.
TPM and TXT only matters if you want to use AEM, I don’t use it and don’t know if it’s working with 12th gen.
The version I use of coreboot doesn’t currently support memory encryption, so I don’t know if it works with Qubes.
Black Hat May 8th 2018
Intel AMT Stealth Breakthrough
Every modern computer system based on Intel architecture has Intel Management Engine (ME) - a built-in subsystem with a wide array of powerful capabilities (such as full access to operating memory, out-of-band access to a network interface, running independently of CPU even when it is in a shutdown state, etc.). During this talk we will discuss methods of remote pwning of almost every Intel based system, manufactured since 2010 or later.
In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.
Question: To be clear, I have purchased a Lenovo T480 for use with Qubes. When I receive it, if it has a sticker for Intel vPro on the front (since I am not going to do external hardware flashing), should I send the Intel T480 with vPro back and go looking for one without vPro? I hope I can easily determine if it has any memory soldered. (By the way, the purchase price for this was $200.00, with taxes $216.00; the price has gone up overnight; from Amazon, refurbished. Also from Amazon, looking at RAM: Corsair Vengeance Performance SODIMM Memory 64GB (2x32GB) DDR4 2933MHz CL19 Unbuffered for 8th Generation or Newer Intel Core™ i7, and AMD Ryzen 4000 Series Notebooks, for $150.00.) Just in case someone was looking to buy something to try Qubes out.
Basic question; How serious a negative is having Intel vPro to using Qubes?
There is no 1vyrain equivalent for xx80 series ThinkPads yet. You should be able to flip the HAP bit. The HAP bit was uncovered by Positive Technologies. Another thing you really want to do is not use Intel Wi-Fi chips, which are designed to make the Intel ME accessible via Wi-Fi. ThinkPenguin Wi-Fi cards are what most people concerned with Intel ME/AMT aka "vPro" reach for. Some have pointed out that Intel ME/AMT can have drivers for the Atheros chips in the ThinkPenguin Wi-Fi cards. These users dedicated a small single-board computer to proxy networking.
I have read extensively on various darknet imageboards that the only thing resembling a reasonably secure system involves multiple boards (multiple computers) working together. I am sorry that we don’t have nice things.
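Since the reply above points at "flipping the HAP bit" on a T480-class board, here is an added example (not code from the original posts, from Positive Technologies, or from me_cleaner) of what that edit actually is at the byte level: parse the SPI flash descriptor of a ROM dump, find the PCH strap area, and read or set the ME-disable strap bit. The strap locations are an assumption taken from how me_cleaner does it: on ME 11 and later (Skylake onward, which includes the T480) the HAP bit is bit 16 of PCHSTRP0 at FPSBA+0; on ME 6 to 10 (the T430's Ivy Bridge generation) the equivalent AltMeDisable bit is bit 7 of PCHSTRP10 at FPSBA+0x28. The 4 KiB sample image is constructed inline so the script runs offline; it is not a real dump.

```python
"""Locate and flip the ME-disable strap bit in an Intel flash descriptor.

Added example for this thread; offsets below follow me_cleaner and are an
assumption, not Intel documentation. Verify on your own dump before flashing.
"""
import struct
import sys

# 0x0FF0A55A stored little-endian at offset 0x10 of the descriptor region
DESCRIPTOR_SIGNATURE = b"\x5a\xa5\xf0\x0f"


def parse_descriptor(image: bytes) -> dict:
    """Return FRBA, FPSBA and the ME region bounds from a descriptor image."""
    if image[0x10:0x14] != DESCRIPTOR_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = (flmap0 >> 12) & 0xff0    # FLMAP0[23:16] * 16: region table base
    fpsba = (flmap1 >> 12) & 0xff0   # FLMAP1[23:16] * 16: PCH strap base
    flreg2 = struct.unpack_from("<I", image, frba + 8)[0]  # FLREG2 = ME region
    me_base = (flreg2 & 0x1fff) << 12
    me_limit = (((flreg2 >> 16) & 0x1fff) << 12) | 0xfff
    return {
        "frba": frba,
        "fpsba": fpsba,
        "me_base": me_base,
        "me_limit": me_limit,
        "me_present": me_base <= me_limit,  # unused regions have base > limit
    }


def strap_location(me11: bool) -> tuple:
    """(offset from FPSBA, bit) of the disable strap; assumption from me_cleaner."""
    return (0x00, 16) if me11 else (0x28, 7)   # HAP (PCHSTRP0) vs AltMeDisable (PCHSTRP10)


def me_disable_bit_set(image: bytes, me11: bool = True) -> bool:
    """True if the HAP/AltMeDisable strap is already set in this image."""
    desc = parse_descriptor(image)
    off, bit = strap_location(me11)
    strap = struct.unpack_from("<I", image, desc["fpsba"] + off)[0]
    return bool((strap >> bit) & 1)


def set_me_disable_bit(image: bytes, me11: bool = True) -> bytes:
    """Return a copy of the image with the HAP/AltMeDisable strap set; nothing else changes."""
    desc = parse_descriptor(image)
    off, bit = strap_location(me11)
    buf = bytearray(image)
    strap = struct.unpack_from("<I", buf, desc["fpsba"] + off)[0]
    struct.pack_into("<I", buf, desc["fpsba"] + off, strap | (1 << bit))
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed minimal 4 KiB descriptor (not a real dump) for offline testing."""
    buf = bytearray(4096)
    buf[0x10:0x14] = DESCRIPTOR_SIGNATURE
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<II", buf, 0x14, (frba >> 4) << 16, (fpsba >> 4) << 16)
    # ME region 0x3000..0x1FFFFF, encoded as 4 KiB page numbers in FLREG2
    struct.pack_into("<I", buf, frba + 8, (0x3000 >> 12) | ((0x1fffff >> 12) << 16))
    struct.pack_into("<I", buf, fpsba + 0x00, 0x00000001)  # PCHSTRP0, HAP clear
    struct.pack_into("<I", buf, fpsba + 0x28, 0x00000000)  # PCHSTRP10, AltMeDisable clear
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python hap.py <dump.rom> [--me10]   (prints status only; no write)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    me11 = "--me10" not in sys.argv
    d = parse_descriptor(data)
    print(f"FPSBA=0x{d['fpsba']:x} ME region=0x{d['me_base']:x}-0x{d['me_limit']:x} "
          f"present={d['me_present']} disable_bit_set={me_disable_bit_set(data, me11)}")
```

Setting this strap only asks the ME to halt early in boot; it does not remove the ME firmware from the region reported above, which is what me_cleaner's full neutering additionally does. Whatever you write back, read the chip twice with `flashrom -r` and compare the two dumps before you trust the backup, and keep the untouched dump, since the thread's own flashrom log shows how a write can partially fail.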