Why would Intel insist on being so secretive about their management engine? Is it some kind of competitive advantage for them?<p>Supposedly, it's useful for management tasks in enterprise environments, but if I were CIO, I think I would ban vPro chips. Who wants ring -3 processes running on their network about which they have no information?
So, if it says "Error: IOCTL_MEI_CONNECT_CLIENT receive message. err=-1", what does it mean?<p>Tried it on i5-6260U, should be new enough to have the thing.
God #$%@ing damn it, this is why we can't have nice things. You can do only so much to not get pwned software-wise, now you need to be paranoid about the hardware too?!<p>Going through all Xeon servers is going to be fun tomorrow.
I want to be able to disable Intel AMT and AMD's variant of it in the BIOS. This is another bad attack vector. Further, I want a simpler boot loader; UEFI is bloatware and bad for security, as it's easy to hide things in those huge proprietary binary blobs.
I'm shocked to say that the ThinkPad X260 does not have AMT at all.<p>Shocked not because I think it's a huge conspiracy to control your computer but because I honestly do believe AMT was made with the best intentions of providing a level of theft mitigation for devices. Just like "Find my Mac" from Apple that seems to get very little flak.<p>I'd be surprised if this meant that my pretty expensive Lenovo ThinkPad X-series lacks theft protection.
Hmm, I ensured the mei driver was loaded (lsmod confirms it), but I get:
"Cannot open /dev/mei: No such file or directory"<p>dmesg shows:
"[ 18.233688] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[ 18.233700] mei_me 0000:00:16.1: Device doesn't have valid ME Interface"<p>So I'm guessing I'm not vulnerable. I suppose Supermicro replaced it with their own IPMI interface.
"Error: Management Engine refused connection. This probably means you don't have AMT"<p>$ ls /dev/mei0 -lh<p>crw------- 1 root root 246, 0 May 15 21:02 /dev/mei0<p>Is there a way to completely remove AMT?
> Intel AMT: ENABLED
> AMT is unprovisioned<p>Think I'd be alright even if it were provisioned, as the ethernet port on this Dell Precision laptop got fried during a lightning storm last year (i.e. from reports I've read, a wired connection is needed for the exploit to work). Then again, better to know AMT isn't provisioned than to rely on third-party reporting.
I remember early word during this AMT debacle was that there were certain conditions in which AMT could be remotely provisioned. Were those statements false? Is Enabled/unprovisioned completely safe?
I'm running VMware on a whitebox with an H87 chipset and vPro-capable processor. MEI shows up in dmesg.<p>Has anyone else checked their VMware box accordingly?