  • Posts: 4
  • Registered: ‎11-20-2017
  • Location: US
  • Views: 54
  • Message 1 of 5

to run critical Intel AMT firmware update do I have to install Windows?

2017-11-20, 8:31 AM

I'm running Linux on a ThinkPad T440p. To do the Intel AMT firmware update to address the Intel AMT vulnerability CVE-2017-5689 (or INTEL-SA-00075)

https://support.lenovo.com/ch/en/product_security/len-14963

do I have to install Windows?

The vulnerability is well described here:

https://libreboot.org/faq.html#intelme

I've already used the Linux tool Intel provided to "unprovision" AMT

https://downloadcenter.intel.com/download/26799/INTEL-SA-00075-Linux-Detection-and-Mitigation-Tools

but Intel says that merely mitigates this critical vulnerability. Does this Windows tool do more than merely mitigate?

https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool

I see a chipset firmware update:

Intel Management Engine Firmware 9.1 for Windows 10 (64-bit), 8.1 (64-bit), 8 (64-bit), 7 (32-bit, 64-bit) - ThinkPad T440p, T540p, W540, W541 / version 9.1.41.3024 / date 2017/05/17

here:

https://pcsupport.lenovo.com/ch/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t440p/20aw/downloads

So does that mean I have to install Windows to run this critical firmware update?

Thanks.

  • Message 2 of 5

Re: to run critical Intel AMT firmware update do I have to install Windows?

2017-11-23, 5:26 AM
See "Updating Intel Management Engine firmware on a Lenovo without a Windows Install" at

https://www.flamingspork.com/blog/2017/11/22/updating-windows-management-engine-firmware-on-a-lenovo-without-a-windows-install/
  • Message 3 of 5

Re: to run critical Intel AMT firmware update do I have to install Windows?

2017-11-25, 3:06 AM

It turns out to be easy enough to download Windows 10 for free.

https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install-winpc/how-to-download-official-windows-10-iso-files/35cde7ec-5b6f-481c-a02d-dadf465df326

I then burned the image to a USB stick following the instructions here (choose the most up-voted answer):

https://askubuntu.com/questions/599746/how-do-i-burn-the-windows-10-iso-to-a-usb#840797

And then I installed Windows 10 (I used the 64k version with no problem) on a spare hard drive (with which I replaced my main drive - thanks, Lenovo, for making drive switching so easy! Windows in its infinite wisdom won't let you install Windows 10 onto an external USB drive.)

Then, when I booted up, I ran the Lenovo update that covers the latest (November 2017) elaboration of this ongoing train-wreck of an Intel AMT firmware bug.

For me, I found it under "Chipset" updates here:

https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t440p/20aw/downloads

Afterwards I double-checked my machine's status using Intel's tool for Linux

https://downloadcenter.intel.com/download/26799/INTEL-SA-00075-Linux-Detection-and-Mitigation-Tools

The computer was reported as affected by the bug -- I'm assuming it's always going to be so reported. But I ran the unprovisioning tool (you want AMT to be "unprovisioned") and that tool reported, indeed, that AMT was unprovisioned. And presumably after running the Lenovo chipset update, things are as good, for now, as they are for now going to get with respect to this vulnerability.

This is a critical update so Linux / BSD users should take the trouble to fix it.

  • Message 4 of 5

Re: to run critical Intel AMT firmware update do I have to install Windows?

2017-11-25, 4:14 AM

It turns out to be easy enough to download and install Windows 10 for free. I used Windows 10 64K with no problem.

https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install-winpc/how-to-download-official-windows-10-iso-files/35cde7ec-5b6f-481c-a02d-dadf465df326

I then burned the image to a USB stick following the instructions here (choose the most up-voted answer):

https://askubuntu.com/questions/599746/how-do-i-burn-the-windows-10-iso-to-a-usb#840797

And then, after booting up into Windows with that USB stick, I installed Windows 10 on a spare hard drive (with which I replaced my main drive - thanks, Lenovo, for making drive switching so easy! Microsoft in its infinite wisdom doesn't let you install Windows 10 on an external USB drive -- the sort of maddening restriction that should push more people to Linux).

Then, when I booted up into Windows 10, I ran the Lenovo chipset update that covers the latest (November 2017) elaboration of this ongoing train-wreck of an Intel AMT firmware bug.

For my model, I found the updater here under "Chipset":

https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t440p/20aw/downloads

That updater in my experience didn't really provide any confirmation that it did anything, but it seemed to go through the motions.

I then switched hard drives, back to Linux, and ran Intel's "detection and mitigation" tool for Linux.

https://downloadcenter.intel.com/download/26799/INTEL-SA-00075-Linux-Detection-and-Mitigation-Tools

The "detection" tool confirmed that the T440p is indeed vulnerable (I'm assuming it always will show that). The "mitigation" tool showed that AMT was "unprovisioned" -- which is how you want it.

I can't tell for sure the Lenovo chipset updater worked, but at least it didn't "provision" AMT, LOL.  

This Intel bug (AMD has a similar and even less explored-for-vulnerabilities covert processor on their chipsets) should make us all go out and support Linux on ARM processors

https://www.linux.com/learn/4-fine-linux-arm-distros

http://www.arm.linux.org.uk/

and efforts like the PowerPC laptop project!

https://www.powerpc-notebook.org/en/
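
Message 4 notes that the Lenovo updater gave no confirmation that it did anything. The script below is an added example, not part of the thread and not an Intel or Lenovo tool: it reads the ME firmware version from Linux and compares it with a minimum, so the result of the update can be checked after switching drives back. It assumes a kernel whose mei driver exposes `/sys/class/mei/mei0/fw_ver`; the function names are hypothetical, and 9.1.41.3024 is the package version quoted in the first post, to be replaced with the version of the package actually installed.

```shell
# Added example. Assumption: fw_ver holds one line per firmware component in the
# form "<platform>:<major>.<minor>.<milestone>.<build>"; the first line is used.
FW_VER_PATH=${FW_VER_PATH:-/sys/class/mei/mei0/fw_ver}

# Print the dotted version from fw_ver text on stdin; return 2 if unparseable.
parse_fw_ver() {
    IFS= read -r line || [ -n "$line" ] || return 2
    ver=${line#*:}                              # drop the "<platform>:" prefix
    case $ver in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    IFS=. read -r f1 f2 f3 f4 rest <<EOF
$ver
EOF
    [ -n "$f4" ] && [ -z "$rest" ] || return 2  # exactly four numeric fields
    printf '%s\n' "$ver"
}

# compare_me_version INSTALLED MINIMUM
# 0: installed >= minimum, 1: installed is older,
# 2: different major.minor branch, where build numbers are not comparable.
compare_me_version() {
    IFS=. read -r a1 a2 a3 a4 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 b4 <<EOF
$2
EOF
    [ "$a1.$a2" = "$b1.$b2" ] || return 2
    [ "$a3" -gt "$b3" ] && return 0
    [ "$a3" -lt "$b3" ] && return 1
    [ "$a4" -ge "$b4" ] && return 0
    return 1
}

# check_me_firmware MINIMUM [PATH]; status 3 means no version could be read.
check_me_firmware() {
    min=$1; path=${2:-$FW_VER_PATH}
    [ -r "$path" ] || { echo "no readable ME version at $path"; return 3; }
    cur=$(parse_fw_ver <"$path") || { echo "unexpected format in $path"; return 3; }
    rc=0; compare_me_version "$cur" "$min" || rc=$?
    case $rc in
        0) echo "ME firmware $cur is at or above $min" ;;
        1) echo "ME firmware $cur is older than $min" ;;
        2) echo "ME firmware $cur is on a different branch than $min" ;;
    esac
    return $rc
}

# Check the live system only when the sysfs attribute is present.
[ ! -r "$FW_VER_PATH" ] || check_me_firmware 9.1.41.3024 || echo "exit status: $?"
```

A version at or above the minimum only shows that the firmware image changed; AMT provisioning state is a separate check, as the posts above describe.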



  • Posts: 4
  • Registered: ‎11-15-2017
  • Location: GB
  • Views: 135
  • Message 5 of 5

Re: to run critical Intel AMT firmware update do I have to install Windows?

2017-11-25, 13:26 PM
Turns out there is another vulnerability, on the TPM chip, which is only updateable from Windows:
https://pcsupport.lenovo.com/jp/en/products/LAPTOPS-AND-NETBOOKS/THINKPAD-X-SERIES-LAPTOPS/THINKPAD-X1-CARBON-TYPE-20HR-20HQ/downloads/DS501051

Come on Lenovo, either bundle it in the BIOS bootable CD, or create Linux versions of the updaters.