11-20-2017 12:31 AM - edited 11-20-2017 12:50 AM
I'm running Linux on a Thinkpad T440p. To do Intel AMT firmware update to address Intel AMT vulnerability CVE-2017-5689 (or INTEL-SA-00075)
do I have to install Windows?
The vulnerability is well described here:
I've already used the Linux tool Intel provided to "unprovision" AMT
but Intel says that merely mitigates this critical vulnerability. Does this Windows tool do more than merely mitigate?
I see a chipset firmware update:
Intel Management Engine Firmware 9.1 for Windows 10 (64-bit), 8.1 (64-bit), 8 (64-bit), 7 (32-bit, 64-bit) - ThinkPad T440p, T540p, W540, W541 / version 22.214.171.12424 / date 2017/05/17
So does that mean I have to install Windows to run this critical firmware update?
11-22-2017 09:26 PM
11-24-2017 08:14 PM - edited 11-24-2017 08:41 PM
It turns out to be easy enough to download and install Windows 10 for free. I used Windows 10 64K with no problem.
I then burned the image to a USB stick following the instructions here (choose the most up-voted answer):
And then, after booting up into Windows with that USB stick, I installed Windows 10 on a spare hard drive (with which I replaced my main drive - thanks, Lenovo, for making drive switching so easy! Microsoft in its infinite wisdom doesn't let you install Windows 10 on an external USB drive -- the sort of maddening restriction that should push more people to Linux).
Then, when I booted up into Windows 10, I ran the Lenovo chipset update that covers the lastest (November 2017) elaboration of this ongoing train-wreck of an Intel AMT firmware bug.
For my model, I found the updater here under "Chipset":
That updater in my experience didn't really provide any confirmation that it did anything, but it seemed to go through the motions.
I then switched hard drives, back to Linux, and ran Intel's "detection and mitigation" tool for Linux.
The "detection" tool confirmed that the T440p is indeed vulnerable (I'm assuming it always will show that). The "mitigation" tool showed that AMT was "unprovisioned" -- which is how you want it.
I can't tell for sure the Lenovo chipset updater worked, but at least it didn't "provision" AMT, LOL.
This Intel bug (AMD has a similar and even less explored-for-vulnerabilities covert processor on their chipsets) should make us all go out and support Linux on ARM processors
and efforts like the PowerPC laptop project!
11-25-2017 05:26 AM