mjg59 / mei-amt-check

Check whether AMT is enabled and provisioned under Linux
GNU General Public License v2.0

On Thinkpad x260 the program says AMT is not available but Lenovo says it's vulnerable #6

Closed stemid closed 7 years ago

stemid commented 7 years ago

I get this message.

Error: Management Engine refused connection. This probably means you don't have AMT

On a ThinkPad X260.

But according to Lenovo it's vulnerable to CVE-2017-5689.

I've tried with SELinux in permissive but I can't see that it would be blocking the program in any way.

I make and I run sudo ./mei-amt-check.

I've also verified that mei_me is loaded in lsmod and /dev/mei0 exists.

norpol commented 7 years ago

I don't know what is going on, but providing more info will definitely help with debugging, or help other people figure out whether they are dealing with the same situation. Some 'low hanging fruits' are probably sharing:

  1. strace output with us. Make sure that any output you are sharing with us is not leaking any unique details (MAC address, hostname, ...):
$ strace -o "./mei-amt-check.strace" -s 256 -f ./mei-amt-check
---
$ man strace # in case you are curious about the strace flags.
# [...]
-o filename Write the trace output to the file filename rather than  to  stderr.   Use
            filename.pid  if -ff is used.  If the argument begins with '|' or with '!'
            then the rest of the argument is treated as a command and  all  output  is
            piped to it.  This is convenient for piping the debugging output to a pro‐
            gram without affecting the redirections of executed programs.
# [...]
-s strsize  Specify  the  maximum string size to print (the default is 32).  Note that
            filenames are not considered strings and are always printed in full.
# [...]
-f          Trace child processes as they are created by currently traced processes as
            a result of the fork(2), vfork(2) and clone(2) system calls.  Note that -p
            PID -f will attach all threads of process PID if it is multi-threaded, not
            only thread with thread_id = PID.
  2. ?full? output of lspci -v, lsmod and cat /proc/cpuinfo
  3. git rev-parse HEAD you've compiled mei-amt-check with
  4. I've also quickly skimmed through the me_cleaner documentation where they mention checking the management engine status via ./intelmetool -s, this might be useful for you too.

I hope this helps a tiny little bit, thanks for this tool!

stemid commented 7 years ago

It's actually the same error as in #1.


execve("./mei-amt-check", ["./mei-amt-check"], [/* 20 vars */]) = 0
brk(NULL)                               = 0x1125000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9972293000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=129381, ...}) = 0
mmap(NULL, 129381, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9972273000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \5\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2115824, ...}) = 0
mmap(NULL, 3955040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9971caa000
mprotect(0x7f9971e67000, 2093056, PROT_NONE) = 0
mmap(0x7f9972066000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bc000) = 0x7f9972066000
mmap(0x7f997206c000, 14688, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f997206c000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9972271000
arch_prctl(ARCH_SET_FS, 0x7f9972271700) = 0
mprotect(0x7f9972066000, 16384, PROT_READ) = 0
mprotect(0x602000, 4096, PROT_READ)     = 0
mprotect(0x7f9972295000, 4096, PROT_READ) = 0
munmap(0x7f9972273000, 129381)          = 0
open("/dev/mei0", O_RDWR)               = 3
ioctl(3, IOCTL_MEI_CONNECT_CLIENT, 0x7ffd168768b0) = -1 ENOTTY (Inappropriate ioctl for device)
write(2, "Error: Management Engine refused"..., 84Error: Management Engine refused connection. This probably means you don't have AMT
) = 84
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++
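
A triage helper for traces like the one above, as an added example that is not part of the thread or of mei-amt-check: it follows `/dev/mei*` descriptors through strace output and explains a failed `IOCTL_MEI_CONNECT_CLIENT` using the error list in the Linux kernel's MEI driver documentation. The names `triage`, `CONNECT_ERRORS` and `SAMPLE` are choices made for this example; the sample lines are copied from the trace posted above.

```python
import re

# Error meanings for IOCTL_MEI_CONNECT_CLIENT, as listed in the Linux kernel's
# MEI driver documentation (not taken from this thread).
CONNECT_ERRORS = {
    "ENOTTY": "no such ME client (wrong GUID) or connection not allowed",
    "EINVAL": "wrong ioctl number",
    "ENODEV": "device or connection not initialized or ready",
    "ENOMEM": "unable to allocate memory for client data",
    "EFAULT": "fatal error (e.g. unable to access user input data)",
    "EBUSY": "connection already open",
}
PID = r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"  # optional prefix added by strace -f
RET = r"\)\s+= (-?\d+)(?: (E[A-Z]+))?"
OPEN_RE = re.compile(PID + r'open(?:at)?\((?:AT_FDCWD, )?"(/dev/mei\d*)".*' + RET)
IOCTL_RE = re.compile(PID + r"ioctl\((\d+), (\w+),.*" + RET)
CLOSE_RE = re.compile(PID + r"close\((\d+)\)")

def triage(trace):
    """Return (device, call, errno, meaning) for each failed call on /dev/mei*."""
    mei_fds, findings = {}, []
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            path, ret, err = m.group(1), int(m.group(2)), m.group(3)
            if ret >= 0:
                mei_fds[ret] = path  # remember which fd is the MEI device
            else:
                findings.append((path, "open", err, "cannot open device node"))
        elif m := IOCTL_RE.match(line):
            fd, req, ret, err = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
            if fd in mei_fds and ret < 0:
                if req == "IOCTL_MEI_CONNECT_CLIENT":
                    why = CONNECT_ERRORS.get(err, "not in the documented list")
                else:
                    why = "see the MEI driver documentation"
                findings.append((mei_fds[fd], req, err, why))
        elif m := CLOSE_RE.match(line):
            mei_fds.pop(int(m.group(1)), None)  # fd numbers get reused
    return findings

# Excerpt copied from the trace posted in this thread.
SAMPLE = '''open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
close(3)                                = 0
open("/dev/mei0", O_RDWR)               = 3
ioctl(3, IOCTL_MEI_CONNECT_CLIENT, 0x7ffd168768b0) = -1 ENOTTY (Inappropriate ioctl for device)
close(3)                                = 0
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Run against a full trace file with `triage(open("mei-amt-check.strace").read())`; an empty list means no call on the MEI device failed.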