Overview of AMT

AMT (included in Intel network chipsets, usually in high-end laptops, PCs, NOC..) provides out-of-band (OOB) management for desktops and laptops, using an agent integrated in the network adapter and in the motherboard.

LibreBoot has described the Intel Management Engine (ME), the foundation of the AMT solution, as a backdoor. Their concerns were proven to be well founded when Intel disclosed a critical security vulnerability in 2017. While Intel provided a fix for that issue, the source code has never been disclosed, so it is impossible for the community to eliminate other security faults or find out whether backdoors have been deliberately concealed within ME/AMT/vPro technology.

Mitigating the risk

LibreBoot has recommended getting rid of any modern Intel hardware as quickly as possible. They support older laptop models such as the ThinkPad X200, which does not suffer from these risks.

The me_cleaner project attempts to help remove most of the ME/AMT/vPro code from more modern systems by modifying the BIOS. Some code (between 90 and 650 kb) is still left in the BIOS and executed at boot time.

AMT versions and features

Typical features and benefits of Intel Active Management Technology:

Note on AMT versions and protocols: new devices with AMT >= 9.0 support only the WS-MAN / WS-Management protocol. That protocol was introduced in AMT >= 3 to replace SOAP (EOI) (read Intel announcement). Most tools support only one of those protocols (so either AMT v1 to v3, or v3 to v9+).

Check this wiki page about AMT versions and features

Configuring the Management-Engine

Using

Identify

Once the Management Engine is enabled (not necessarily configured), lspci -nn will show:

00:03.0 Communication controller [0780]: Intel Corporation Mobile PM965/GM965 MEI Controller [8086:2a04] (rev 0c)
00:03.2 IDE interface [0101]: Intel Corporation Mobile PM965/GM965 PT IDER Controller [8086:2a06] (rev 0c)
00:03.3 Serial controller [0700]: Intel Corporation Mobile PM965/GM965 KT Controller [8086:2a07] (rev 0c)
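
For inventory or audit purposes, the check above can be scripted. The following is an added example, not part of the original page: it classifies the MEI, IDER and KT functions in lspci -nn output by PCI class code and device name. The function names, the "HECI" alternative name and the extra SATA sample line are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page: classify ME/AMT PCI functions
# found in `lspci -nn` output. Function names here are this example's own.

# Constructed sample: the three lines quoted above plus one made-up unrelated device.
SAMPLE='00:03.0 Communication controller [0780]: Intel Corporation Mobile PM965/GM965 MEI Controller [8086:2a04] (rev 0c)
00:03.2 IDE interface [0101]: Intel Corporation Mobile PM965/GM965 PT IDER Controller [8086:2a06] (rev 0c)
00:03.3 Serial controller [0700]: Intel Corporation Mobile PM965/GM965 KT Controller [8086:2a07] (rev 0c)
00:1f.2 SATA controller [0106]: Intel Corporation Example SATA Controller [8086:0000] (rev 00)'

# Reads `lspci -nn` text on stdin, prints "<slot> <vendor:device> <role>" per match.
# Matching uses PCI class code plus device name, as in the output shown above.
# Assumption: other chipset generations may name the host interface "HECI".
me_amt_functions() {
    awk '
    # Consider only Intel functions (PCI vendor ID 8086).
    match($0, /\[8086:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\]/) {
        id = substr($0, RSTART + 1, RLENGTH - 2)
        role = ""
        if      ($0 ~ /\[0780\]/ && $0 ~ /MEI|HECI/)       role = "mei"
        else if ($0 ~ /\[0101\]/ && $0 ~ /IDER/)           role = "ider"
        else if ($0 ~ /\[0700\]/ && $0 ~ /KT Controller/)  role = "kt"
        if (role != "") print $1, id, role
    }'
}

# Prints the matches; returns 1 when no ME/AMT function is visible on the bus.
me_amt_summary() {
    found=$(me_amt_functions)
    if [ -z "$found" ]; then
        echo "no ME/AMT PCI functions visible"
        return 1
    fi
    echo "$found"
    case "$found" in
        *ider*|*kt*) echo "note: IDER and/or KT controller exposed to the host" ;;
    esac
}

# Demo on the embedded sample (runs offline).
printf '%s\n' "$SAMPLE" | me_amt_summary
```

On a live host, pipe lspci -nn into me_amt_summary instead of the sample; an empty result only means these functions are not visible on the PCI bus.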

Linux Tools

(other tools / possibilities: https://github.com/sdague/amt , or a WS-MAN compatible tool?)

See Also