mjg59 / mei-amt-check

Check whether AMT is enabled and provisioned under Linux
GNU General Public License v2.0

Dependence on presence of MEI device #8

Open paulmenzel opened 7 years ago

paulmenzel commented 7 years ago

It’d be great to get confirmation that the idea of the check program is correct as it claims to know if the AMT is disabled. From #coreboot@irce.freenode.net.

09:47 < nico_h> but generally, pretending that there is no issue if the MEI is missing, seems a bad idea
09:48 < nico_h> somebody should tell him
09:48 * nico_h doesn't have a github account
09:50 < PaulePanter> nico_h: Does https://github.com/mjg59/mei-amt-check/blob/master/mei-amt-check.c only check for the MEI presence?
09:51 < nico_h> no, but there's a message in the code "Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.\nIf you receive the same error, this system does not have AMT\n"
09:53 < nico_h> I don't know for sure if the idea is wrong. but I would be careful with such statements. also the mei_me module could just miss a PCI ID...

mjg59 commented 7 years ago

I'd be pretty surprised if mei_me is missing any PCI IDs for any vulnerable hardware. What kind of clarification would be helpful here?

mpe commented 7 years ago

The MEI driver could be disabled completely, though presumably no distros do that.

To be completely thorough it should grovel through lspci looking for any known MEI devices.

swapdisk commented 6 years ago

Interesting results for Dell servers. For example, on PowerEdge R930, the MEI device is seen in lspci...

# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #1 (rev 05)
00:16.1 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #2 (rev 05)

But the mei-amt-check output in question is output...

# ./mei-amt-check
Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
If you receive the same error, this system does not have AMT

Doing modprobe mei_me, we see the driver is unable to interface with the device...

# rmmod mei_me
# modprobe mei_me
# dmesg | tail
...
[74361.972046] mei_me 0000:00:16.0: Device doesn't have valid ME Interface

According to my Dell rep, while AMT is technically enabled in their servers (and can't be disabled by any BIOS setting), access from host OS or network interface is not possible...

Intel ME is enabled for basic silicon enabling (ie; embedded within the server). With that said, Dell PE servers do not enable any external communication interfaces (out of band network access or in-band driver based access to ME from OS) within our designs. The vulnerability from Intel that applies to any server CPU (ie, Skylake) is limited to "physical access only" and quite remote. This is unlike the client processors whereby ME has a much broader role in OOB manageability. The Dell PowerEdge servers achieve all of the manageability functions via iDRAC and not ME. ME’s role is limited to be conduit for some basic thermal /power info and only to iDRAC.

Just posting all this for folks' awareness; not expecting a solution.

disjustin commented 1 year ago

@swapdisk This issue is still current on multiple of my SuperMicro Intel systems.

[root@localhost mei-amt-check]# lspci | grep MEI
00:16.0 Communication controller: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #1 (rev 31)
00:16.1 Communication controller: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #2 (rev 31)
[root@localhost mei-amt-check]# rmmod mei_me
[root@localhost mei-amt-check]# modprobe mei_me
[root@localhost mei-amt-check]# dmesg | tail
[95796.535490] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[95796.535491] mei_me 0000:00:16.1: Device doesn't have valid ME Interface
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:16.1 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #2 (rev 04)
[15952.770601] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[15983.730694] mei_me 0000:00:16.0: Device doesn't have valid ME Interface

umlaeute commented 1 year ago

just to chime in with my new SuperMicro X12DPi-N6 board:

root@localhost:~# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #1 (rev 0a)
00:16.1 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #2 (rev 0a)
00:16.4 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #3 (rev 0a)
root@localhost:~# dmesg | grep -i mei
[   23.523573] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
root@localhost:~#