Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.

When I saved the change and exited the BIOS, the system rebooted 4 times before starting normally; it could be a POST to make sure the system is actually able to boot.


Would be curious to see what happens if one used a programmer to restore the missing zones of firmware.

B

I think you are right that something in the CPU gets locked.

I can try and restore the original dump, but I’m pretty sure it doesn’t work. From what I know, the only way to restore ATM is to replace the CPU/motherboard.


I tried restoring the ROM, and it seems to also restore AMT.

The T430 is a naked motherboard, so I can’t boot an OS to confirm AMT is working, but the BIOS options are restored.

$ sudo flashrom -p ch341a_spi -c MX25L6405 -w dump1A-on.rom 
flashrom v1.2 on Linux 5.15.0-25-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x28, failed byte count from 0x00000000-0x0000ffff: 0xa422
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Erase/write done.
Verifying flash... VERIFIED.

I kept getting that write error on address 0xa422; maybe all they do is somehow write-protect a byte in the ROM, but flashrom somehow knows how to erase the byte.

I tried 3 times, it failed at the same address every time.

Right… the important bit is: does it work after the firmware restore or not? E.g. can you set up remote VNC or whatever on a DHCP Ethernet connection and watch the BIOS/boot via VNC remotely?

I don’t have a working NIC on that motherboard, so I can’t be 100% sure.

Ctrl+P at the boot screen lets me access the IME menu and configure AMT; I’m as sure as I can be that it’s fully functional.

I tried to permanently disable it again, and I can no longer use Ctrl+P to access the IME menu.

So interesting. I wonder what would happen if one flashed the same firmware image onto the model with the non-vPro version of that CPU.

B


[quote=“renehoj, post:21, topic:12645”]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.
[/quote]

:partying_face::tada:

@renehoj Well, that’s surprised me in both good and bad ways….

I honestly never would have thought that a hardware vendor would give the end user the option to “brick” parts of their hardware….

I guess I stand corrected :slightly_smiling_face:

….but still concerned that vPro could potentially be exploited without the user’s knowledge or awareness…

But at least there’s one model that has been moved from the “untrusted hardware” list to the “somewhat trusted” list :grin:

Ah, ThinkPads, you never seem to let us down!

I guess that goes for anyone making a public statement :grimacing:

This is why this has surprised me. Let’s say you have a work laptop, and you permanently disable vPro on the board. Your laptop reaches end of life, and you then sell the laptop.

1. What’s stopping you from lying about it having vPro functionality, and charging more money for it?

(Obviously a ROM dump would clearly show that you were lying, but the buyer wouldn’t know until they inspected the laptop)

Also:
2. Is a ROM flash with an external programmer the only way to “restore” vPro functionality, or is there user space software?

(If there is user space software, then that means there’s potential for it to be remotely executed by an attacker….)

@brendanhoar There’s only one way to find out :sunglasses:

I’d happily buy a laptop for testing, but have you seen the price of used hardware these days?!?!! :sob:

That is normal. Intel Firmware Descriptor (IFD) locks itself and the ME region. An external backup with a programmer would be able to dump that firmware.

Interesting that setting ME to be permanently deactivated is bypassing IFD to be able to modify ME region here. I would love to know what happens in those multiple reboots.

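To make the two observations above concrete (the post reporting that parts of the dump are zeroed after permanently disabling AMT, and the reply that the Intel Flash Descriptor normally locks the ME region), here is an added example that is not code from the thread or from any poster. It parses the Flash Descriptor at the start of a SPI dump, reports which regions the host CPU is allowed to write (FLMSTR1), maps zero-filled 4 KiB sectors in a "disabled" dump back to the region they fall in, and reads the two ME-disable straps. Assumptions, labelled in the code: the five-region pre-ME11 descriptor layout used on Ivy Bridge boards like the T430 (newer ME 11+ descriptors have more regions and a different FLMSTR1 layout, so the T480 would need the newer layout), and the strap bit positions (PCHSTRP0 bit 16 = HAP, PCHSTRP10 bit 7 = AltMeDisable) as published by me_cleaner; the 8 MiB image is constructed inline, not a real dump. Nothing here writes to a chip.

```python
# Added example (not from the thread): parse a pre-ME11 Intel Flash Descriptor,
# classify zeroed sectors by region, read the ME-disable straps.
# ASSUMPTIONS: 5-region (Ivy Bridge era) descriptor layout; strap bit positions
# as documented by me_cleaner. Verify both against your platform before relying on them.
import struct

IFD_SIGNATURE = 0x0FF0A55A          # "Flash Valid Signature", lives at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]


def parse_ifd(image: bytes) -> dict:
    """Regions (base, limit), host master access bits and PCH strap base (FPSBA)."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # region base address
    fmba = (flmap1 & 0xFF) << 4              # master base address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4     # PCH strap base address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = ((flreg >> 16) & 0x7FFF) << 12 | 0xFFF
        if limit >= base:                    # base > limit marks an unused region
            regions[name] = (base, limit)
    # FLMSTR1 = host CPU/BIOS master: read bits 23:16, write bits 31:24 (one per region)
    (flmstr1,) = struct.unpack_from("<I", image, fmba)
    return {"regions": regions, "host_read": (flmstr1 >> 16) & 0x1F,
            "host_write": (flmstr1 >> 24) & 0x1F, "fpsba": fpsba}


def host_can_write(ifd: dict, region: str) -> bool:
    """True if the descriptor lets the host (i.e. software, not a programmer) write `region`."""
    return bool(ifd["host_write"] >> REGION_NAMES.index(region) & 1)


def me_disable_straps(image: bytes, fpsba: int) -> dict:
    """Strap bits as me_cleaner sets them (ASSUMPTION): HAP = PCHSTRP0 bit 16 (ME 11+),
    AltMeDisable = PCHSTRP10 bit 7 (ME 6..10)."""
    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    (pchstrp10,) = struct.unpack_from("<I", image, fpsba + 0x28)
    return {"hap": bool(pchstrp0 >> 16 & 1), "altmedisable": bool(pchstrp10 >> 7 & 1)}


def zeroed_sectors(before: bytes, after: bytes, sector: int = 0x1000) -> list:
    """Merged (start, end) ranges of sectors that are all-zero in `after` but were not in `before`."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size")
    out, start = [], None
    for off in range(0, len(after), sector):
        wiped = not any(after[off:off + sector]) and any(before[off:off + sector])
        if wiped and start is None:
            start = off
        elif not wiped and start is not None:
            out.append((start, off - 1))
            start = None
    if start is not None:
        out.append((start, len(after) - 1))
    return out


def classify(ranges: list, regions: dict) -> list:
    """Attach the descriptor region name(s) each zeroed range overlaps."""
    return [(s, e, [n for n, (b, l) in regions.items() if s <= l and e >= b] or ["unmapped"])
            for s, e in ranges]


def build_test_image(size: int = 8 * 1024 * 1024) -> bytes:
    """CONSTRUCTED 8 MiB image with a T430-like layout (assumed, not measured)."""
    img = bytearray(b"\xFF" * size)
    frba, fmba, fpsba = 0x40, 0x60, 0x100
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<II", img, 0x14, (frba >> 4) << 16, (fmba >> 4) | ((fpsba >> 4) << 16))
    layout = {"Descriptor": (0x0, 0xFFF), "GbE": (0x1000, 0x2FFF),
              "ME": (0x3000, 0x4FFFFF), "BIOS": (0x500000, 0x7FFFFF)}
    for i, name in enumerate(REGION_NAMES):
        base, limit = layout.get(name, (0xFFF000, 0xFFF))          # unused: base > limit
        struct.pack_into("<I", img, frba + 4 * i, (base >> 12) | ((limit >> 12) << 16))
    struct.pack_into("<I", img, fmba, (0x1F << 16) | (0x02 << 24))  # host: read all, write BIOS only
    struct.pack_into("<I", img, fpsba, 0)                            # PCHSTRP0, HAP clear
    struct.pack_into("<I", img, fpsba + 0x28, 0)                     # PCHSTRP10, AltMeDisable clear
    img[0x3000:0x500000] = bytes(range(256)) * ((0x500000 - 0x3000) // 256)  # fake ME payload
    return bytes(img)


def demo() -> tuple:
    """Simulate an 'AMT enabled' dump and a 'permanently disabled' dump and compare them."""
    on = build_test_image()
    off = bytearray(on)
    off[0x3000:0x80000] = b"\x00" * (0x80000 - 0x3000)   # constructed: part of ME zeroed
    struct.pack_into("<I", off, 0x100 + 0x28, 1 << 7)    # constructed: AltMeDisable set
    ifd = parse_ifd(on)
    wiped = classify(zeroed_sectors(on, bytes(off)), ifd["regions"])
    return ifd, wiped, me_disable_straps(bytes(off), ifd["fpsba"])


if __name__ == "__main__":
    ifd, wiped, straps = demo()
    for name, (b, l) in ifd["regions"].items():
        print(f"{name:14s} {b:#09x}-{l:#09x} host-writable={host_can_write(ifd, name)}")
    print("zeroed:", [(f"{s:#x}", f"{e:#x}", n) for s, e, n in wiped], "straps:", straps)
```

On a real pair of dumps, replace `build_test_image()` with `open("dump1A-on.rom", "rb").read()` and the disabled dump, and the zeroed ranges will be reported against the descriptor's own region map; if the host master has no write access to the ME region, that is the descriptor lock the reply refers to, and it explains why an external programmer (which ignores FLMSTR1) is needed to put the bytes back.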

I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

Thanks for your very helpful experiment!
Still, we don’t really have choices here, but at least we may trust those BIOS settings a bit more… and all the laptops that offer such an option.

Hard to say, but the Wikipedia article says that AMT doesn’t make the CPU vPro; VT-d/x, TXT, and AMT are all vPro technology, including all the security features. I don’t think it’s impossible that none of the CPU features are needed for AMT, and that it can run on any version of IME as long as you have a chipset that supports AMT.

My guess would be that the chipset and not the CPU decides if you can use AMT, but I also wouldn’t be surprised if they used the CPU ID as a “license key” to make sure you couldn’t use it without paying.

Reread this and wanted to clarify that this is not factual in all cases. You can have ME neutered/CSME disabled while still having VT-x and VT-d. TXT as well on some models. What can be disabled, though, is the fTPM if provided by ME. And I think, unsure, that Boot Guard requires CSME (the new name for ME), but I would love to read more on what happens on newer systems there.

I know as well that newer suspend mechanisms require CSME as well to keep idle on low power consumption (Alder Lake).

Nitpicking, but important distinctions. Haven’t read wikipedia page on that for a while but that was not my reading and thought it was pretty factual. Quotes?


12th gen non-vPro CPUs have VT-d/x support (but remove AMT/ME/TXT/TME).

But since most 12th gen laptops only support TPM 2.0, does TXT even matter, since AEM requires 1.2?

And what about Total Memory Encryption (TME), which is also absent on non-vPro CPUs? Is this feature even compatible with Qubes, and is it worth it to get a vPro-capable CPU?

Buying a 12th gen CPU that isn’t vPro doesn’t mean it doesn’t have ME or AMT; they all have ME, vPro only means it’s AMT Enterprise eligible. I have the 12900K, which has enterprise AMT support, but my motherboard is the MSI Z690, which doesn’t have the Q670 chipset needed to use the AMT functions.

TPM and TXT only matter if you want to use AEM; I don’t use it and don’t know if it works with 12th gen.

The version I use of coreboot doesn’t currently support memory encryption, so I don’t know if it works with Qubes.

I wildly guess this was to be your question

My idea was to search for non-vPro-non-SGX CPU depending on the answer
Never got an answer though…

I tried this on the Lenovo T480: I had both the i5 and i7 motherboards, and I tried flashing the i5 firmware to the i7 motherboard.

The BIOS didn’t have the AMT options, and it complains about failing some security check, but it boots. The i5 firmware has the AMT code; you can enter the menu using Ctrl+P on the boot screen.

The motherboards are identical, but the mobile CPU has the PCH integrated, I don’t know if it’s the CPU or PCH that enables AMT to run.

Black Hat May 8th 2018
Intel AMT Stealth Breakthrough

video description:
Every modern computer system based on Intel architecture has Intel Management Engine (ME) - a built-in subsystem with a wide array of powerful capabilities (such as full access to operating memory, out-of-band access to a network interface, running independently of CPU even when it is in a shutdown state, etc.). During this talk we will discuss methods of remote pwning of almost every Intel based system, manufactured since 2010 or later.

In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.


Question: To be clear. I have purchased a Lenovo T480 for use with Qubes. When I receive it, if it has a sticker for Intel vPro on the front (since I am not going to do external hardware flashing), should I send the T480 with vPro back and go looking for one without vPro? I hope I can easily determine if it has any memory soldered. (By the way, the purchase price for this was $200.00, with taxes $216.00; the price has gone up overnight; from Amazon, refurbished… Also from Amazon, looking at RAM: Corsair Vengeance Performance SODIMM Memory 64GB (2x32GB) DDR4 2933MHz CL19 Unbuffered for 8th Generation or Newer Intel Core™ i7, and AMD Ryzen 4000 Series Notebooks for $150.00. Just in case someone was looking to buy something to try Qubes out.)

Basic question: how serious a negative is having Intel vPro to using Qubes?

see Disabling ME on the T480 (and other laptops)

There is not a 1vyrain equivalent for xx80 series ThinkPads yet. You should be able to flip the HAP bit. The HAP bit was uncovered by Positive Technologies. Another thing you really want to do is not use Intel wifi chips, which are designed to make the Intel ME accessible via wifi. ThinkPenguin wifi cards are what most people concerned with Intel ME/AMT aka “vPro” reach for. Some have pointed out that Intel ME/AMT can have drivers for the Atheros chips in the ThinkPenguin wifi cards. These users dedicated a small single-board computer to proxy networking.

I have read extensively on various darknet imageboards that the only thing resembling a reasonably secure system involves multiple boards (multiple computers) working together. I am sorry that we don’t have nice things.