k71
Blue Screen Again
Posts: 4
Location: US
Views: 1,423
Message 1 of 4

to run critical Intel AMT firmware update do I have to install Windows?

I'm running Linux on a Thinkpad T440p. To do Intel AMT firmware update to address Intel AMT vulnerability CVE-2017-5689 (or INTEL-SA-00075)

 

https://support.lenovo.com/ch/en/product_security/len-14963

 

do I have to install Windows?

 

The vulnerability is well described here:

 

https://libreboot.org/faq.html#intelme

 

I've already used the Linux tool Intel provided to "unprovision" AMT

 

https://downloadcenter.intel.com/download/26799/INTEL-SA-00075-Linux-Detection-and-Mitigation-Tools

 

but Intel says that merely mitigates this critical vulnerability. Does this Windows tool do more than merely mitigate?

 

https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool

 

I see a chipset firmware update:

 

Intel Management Engine Firmware 9.1 for Windows 10 (64-bit), 8.1 (64-bit), 8 (64-bit), 7 (32-bit, 64-bit) - ThinkPad T440p, T540p, W540, W541 / version 9.1.41.3024 / date 2017/05/17

 

here:

 

https://pcsupport.lenovo.com/ch/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-...

 

So does that mean I have to install Windows to run this critical firmware update?

 

Thanks.

k71
Blue Screen Again
Posts: 4
Location: US
Views: 1,330
Message 2 of 4

Re: to run critical Intel AMT firmware update do I have to install Windows?

see

Updating Intel Management Engine firmware on a Lenovo without a Windows Install

at

https://www.flamingspork.com/blog/2017/11/22/updating-windows-management-engine-firmware-on-a-lenovo...
k71
Blue Screen Again
Posts: 4
Location: US
Views: 1,224
Message 3 of 4

Re: to run critical Intel AMT firmware update do I have to install Windows?

It turns out to be easy enough to download and install Windows 10 for free. I used Windows 10 64K with no problem.

https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install-winpc/how-to-download-o...

I then burned the image to a USB stick following the instructions here (choose the most up-voted answer):

https://askubuntu.com/questions/599746/how-do-i-burn-the-windows-10-iso-to-a-usb#840797

And then, after booting up into Windows with that USB stick, I installed Windows 10 on a spare hard drive (with which I replaced my main drive - thanks, Lenovo, for making drive switching so easy! Microsoft in its infinite wisdom doesn't let you install Windows 10 on an external USB drive -- the sort of maddening restriction that should push more people to Linux).

Then, when I booted up into Windows 10, I ran the Lenovo chipset update that covers the latest (November 2017) elaboration of this ongoing train-wreck of an Intel AMT firmware bug.

For my model, I found the updater here under "Chipset":

https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-...

That updater in my experience didn't really provide any confirmation that it did anything, but it seemed to go through the motions.

I then switched hard drives, back to Linux, and ran Intel's "detection and mitigation" tool for Linux.

https://downloadcenter.intel.com/download/26799/INTEL-SA-00075-Linux-Detection-and-Mitigation-Tools

The "detection" tool confirmed that the T440p is indeed vulnerable (I'm assuming it always will show that). The "mitigation" tool showed that AMT was "unprovisioned" -- which is how you want it.

I can't tell for sure the Lenovo chipset updater worked, but at least it didn't "provision" AMT, LOL.  

This Intel bug (AMD has a similar and even less explored-for-vulnerabilities covert processor on their chipsets) should make us all go out and support Linux on ARM processors

https://www.linux.com/learn/4-fine-linux-arm-distros

http://www.arm.linux.org.uk/

and efforts like the PowerPC laptop project!

https://www.powerpc-notebook.org/en/
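
Message 3 notes that the updater gave no confirmation that it did anything. One way to read back the Management Engine firmware version from Linux afterwards, as an added example that is not from the thread or from Lenovo/Intel: it assumes a kernel whose mei driver exposes `/sys/class/mei/mei0/fw_ver`, and it treats the 9.1.41.3024 version quoted in the first post as the minimum (an assumption; substitute the version from the readme of the updater you actually ran).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the kernel's mei driver exposes
# fw_ver with lines of the form <platform>:<major>.<minor>.<milestone>.<build>.
FW_VER_FILE=/sys/class/mei/mei0/fw_ver
# Version quoted in the first post; assumed here to be the minimum fixed one.
FIXED_VERSION=9.1.41.3024
# Constructed sample of fw_ver content, used when the sysfs file is unavailable.
SAMPLE_FW_VER='0:9.1.32.1002'

# Print the version on the first fw_ver line, without the "<platform>:" prefix.
me_version() {
    printf '%s\n' "$1" | sed -n '1s/^[0-9]*://p'
}

# Exit 0 if $1 >= $2, 1 if older, 2 if either is not four numeric fields.
version_ge() {
    for v in "$1" "$2"; do
        case $v in *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 2 ;; *.*.*.*) ;; *) return 2 ;; esac
    done
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # split into eight fields: a1..a4 b1..b4
    IFS=$old_ifs
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%:*}; b=${pair#*:}
        [ "$a" -gt "$b" ] && return 0   # numeric compare, so 100 > 41
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Classify fw_ver content ($1) against a minimum version ($2).
check_me_fw() {
    ver=$(me_version "$1")
    if version_ge "$ver" "$2"; then
        echo "ok $ver"
    else
        case $? in
            1) echo "outdated $ver" ;;
            *) echo "unparsed" ;;
        esac
    fi
}

if [ -r "$FW_VER_FILE" ]; then
    check_me_fw "$(cat "$FW_VER_FILE")" "$FIXED_VERSION"
else
    check_me_fw "$SAMPLE_FW_VER" "$FIXED_VERSION"   # offline: constructed sample
fi
```

This only reports which firmware version the ME is running; whether AMT is provisioned is still what the mitigation tool mentioned in the thread reports.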



careta2000
Fanfold Paper
Posts: 4
Location: GB
Views: 1,198
Message 4 of 4

Re: to run critical Intel AMT firmware update do I have to install Windows?

Turns out there is another vulnerability, on the TPM chip, which is only updateable from Windows:
https://pcsupport.lenovo.com/jp/en/products/LAPTOPS-AND-NETBOOKS/THINKPAD-X-SERIES-LAPTOPS/THINKPAD-...

Come on Lenovo, either bundle it in the BIOS bootable CD, or create Linux versions of the updaters.