mjg59
commented
7 years ago I'd be pretty surprised if mei_me is missing any PCI IDs for any vulnerable hardware. What kind of clarification would be helpful here?
Open paulmenzel opened 7 years ago
mjg59
commented
7 years ago I'd be pretty surprised if mei_me is missing any PCI IDs for any vulnerable hardware. What kind of clarification would be helpful here?
mpe
commented
7 years ago The MEI driver could be disabled completely, though presumably no distros do that.
To be completely thorough it should grovel through lspci looking for any known MEI devices.
swapdisk
commented
6 years ago Interesting results for Dell servers. For example, on PowerEdge R930, the MEI device is seen in lspci...
# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #1 (rev 05)
00:16.1 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #2 (rev 05)But the mei-amt-check output in question is output...
# ./mei-amt-check
Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
If you receive the same error, this system does not have AMTDoing modprobe mei_me, we see the driver is unable to interface with the device...
# rmmod mei_me
# modprobe mei_me
# dmesg | tail
...
[74361.972046] mei_me 0000:00:16.0: Device doesn't have valid ME InterfaceAccording to my Dell rep, while AMT is technically enabled in their servers (and can't be disabled by any BIOS setting), access from host OS or network interface is not possible...
Intel ME is enabled for basic silicon enabling (ie; embedded within the server). With that said, Dell PE servers do not enable any external communication interfaces (out of band network access or in-band driver based access to ME from OS) within our designs. The vulnerability from Intel that applies to any server CPU (ie, Skylake) is limited to "physical access only" and quite remote. This is unlike the client processors whereby ME has a much broader role in OOB manageability. The Dell PowerEdge servers achieve all of the manageability functions via iDRAC and not ME. ME’s role is limited to be conduit for some basic thermal /power info and only to iDRAC.
Just posting all this for folks awareness; not expecting a solution.
disjustin
commented
1 year ago @swapdisk This issue is still current on multiple of my SuperMicro Intel systems.
[root@localhost mei-amt-check]# lspci | grep MEI
00:16.0 Communication controller: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #1 (rev 31)
00:16.1 Communication controller: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #2 (rev 31)
[root@localhost mei-amt-check]# rmmod mei_me
[root@localhost mei-amt-check]# modprobe mei_me
[root@localhost mei-amt-check]# dmesg | tail
[95796.535490] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[95796.535491] mei_me 0000:00:16.1: Device doesn't have valid ME Interface00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:16.1 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #2 (rev 04)
[15952.770601] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[15983.730694] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
umlaeute
commented
1 year ago just to chime in with my new SuperMicro X12DPi-N6 board:
root@localhost:~# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #1 (rev 0a)
00:16.1 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #2 (rev 0a)
00:16.4 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #3 (rev 0a)
root@localhost:~# dmesg | grep -i mei
[ 23.523573] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
root@localhost:~#
It’d be great to get confirmation that the idea of the check program is correct as it claims to know if the AMT is disabled. From #coreboot@irce.freenode.net.