search

mjg59 / mei-amt-check

Check whether AMT is enabled and provisioned under Linux
GNU General Public License v2.0
464 stars 35 forks source link

Error: Management Engine refused connection #7

Closed laamalif closed 7 years ago

laamalif commented 7 years ago 
$ sudo ./mei-amt-check 
Error: Management Engine refused connection. This probably means you don't have AMT

lspci:

$ lspci |grep -i 16.0
00:16.0 Communication controller: Intel Corporation 9 Series Chipset Family ME Interface #1
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 60
model name  : Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
stepping    : 3
microcode   : 0x19
cpu MHz     : 3399.104
cache size  : 8192 KB
physical id : 0
siblings    : 8
core id     : 0
cpu cores   : 4
apicid      : 0
initial apicid  : 0
fpu     : yes
fpu_exception   : yes
cpuid level : 13
wp      : yes
flags       : fpu de tsc msr pae mce cx8 apic sep mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl nonstop_tsc eagerfpu pni pclmulqdq monitor est ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat xsaveopt pln pts dtherm fsgsbase bmi1 hle avx2 bmi2 erms rtm
bogomips    : 6798.20
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
mjg59 commented 7 years ago

What machine is this? Are you sure that your ME firmware includes AMT?

agnivade commented 7 years ago

I am having the same error too. I have a Lenovo L450 with Ubuntu 15.10.

Is there a way to check if my ME firmware includes AMT ? I went inside my BIOS too, but couldn't find anything related to AMT.

breznak commented 7 years ago

Same, Gigabyte u2442V (v2) notebook; CPU i7-3517u; no AMT mentioned in bios

xmikos commented 7 years ago

I have Lenovo ThinkPad 13 (20GJ003QMC) and according to Lenovo, it is vulnerable (see https://support.lenovo.com/cz/cs/product_security/len-14963#ThinkPad). But mei-amt-check outputs:

Error: Management Engine refused connection. This probably means you don't have AMT

I have mei_me module loaded:

$ sudo lsmod | grep mei
mei_me                 36864  0
mei                    86016  1 mei_me

This is lspci output:

$ sudo lspci | egrep -i 'mei|heci'
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)

And /proc/cpuinfo:

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 78
model name      : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
stepping        : 3
microcode       : 0x9e
cpu MHz         : 499.951
cache size      : 3072 KB
physical id     : 0
siblings        : 4
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 22
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
bugs            :
bogomips        : 4801.00
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
xmikos commented 7 years ago

Just few more information:

aceforeverd commented 7 years ago

Same output. It seems AMT come with core processors with vPro tech or Xeon https://www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html For other cpu, just as output said, no AMT.

xmikos commented 7 years ago

I am aware that my CPU should not have vPro, but what confuses me is that Lenovo wrote that my laptop is vulnerable. But maybe it is only meant for variants with other CPU, Lenovo page is not specific about exact model number.

mjg59 commented 7 years ago

If Lenovo only produce a single firmware image for the entire range then this is pretty much expected - some models will support AMT, some won't.