1. 19
  2. 5

    What software actually uses Intel AMT? Like, what’s the management server software that controls corporate devices? I don’t do IT so I’ve never had a reason to know.

    Also, how do you choose to use the “consumer” version of Intel ME? That sounds like something I’d want to do. I’m aware of microcode updates but my intuition tells me those aren’t related.

    1. 3

      There are multiple ways to enable and configure AMT, but apparently you can just do it from the firmware setup screen, and then it just hosts VNC and HTTPS access. A popular/recommended management system seems to be MeshCommander.

      1. 2

        That’s the right question. Very few computers can be remotely controlled via AMT, yet the firmware is active on almost all of them.

        A notable exception that I’ve seen is the HP Z-series workstations, which are IN THEORY remotely controllable by AMT WebGUI.

        It feels like Intel is charging vendors for fully enabling AMT; I’ve got no other explanation for why it’s so uncommon.

        1. 2

          > Also, how do you choose to use the “consumer” version of Intel ME?

          With most manufacturers, all you can do as a buying customer is choose a device where the Intel CPU does not have vPro.

          vPro and AMT (Active Management Technology) mean the same thing and are the part of the Intel ME (Management Engine) that makes remote administration possible. There are many other parts to the ME that are present in every Intel CPU, regardless of it having vPro or not.

          Example: The Lenovo X1 Carbon 2017 is/was available with an i5 CPU with vPro and without vPro. This is also reflected by the CPU-type number: Intel i5-8265U means without vPro and Intel i5-8365U means with vPro.

          If you wanted to go further, there are possibilities to disable almost all of the ME’s functionalities or even remove the relevant binary code from the firmware before flashing it back into your device’s firmware storage chip. Unfortunately this procedure is no easy task, the necessary steps are highly dependent on your specific device and you could maneuver yourself into a situation where you don’t know how to recover your bricked device anymore. But it’s much more doable than a few years ago.

          Lastly, there are a handful of manufacturers that disable as much of ME’s functionalities as possible by default (basically with the same procedure as mentioned above) and replace some of the necessary functionalities with open source firmware (usually coreboot). Purism and System76 are two examples of such manufacturers.

          See my other comment about an overview talk regarding the Intel ME for further research.

        2. 2

          Intel ME (Management Engine) is a convoluted topic, especially because of the lack of transparency and the many marketing terms and abbreviations it encompasses. I found the following talk by Igor Skochinsky and Nicola Corna to be a helpful starting point: https://media.ccc.de/v/34c3-8782-intel_me_myths_and_reality

          Igor Skochinsky works at Hex-Rays, a company that makes a famous piece of binary reverse engineering software. Nicola Corna is the guy that created me_cleaner, a repository/project/software-package/manual for disabling the Intel ME.

          1. 0

            Very noble, except nobody in his right mind wants an Intel-based laptop anyway. Current AMD offerings are much better.

            For the open-everything crowd, it would be far more appealing if they made a POWER or RISC-V laptop.

            I’m not sure who their target customer is.

            1. 4

              AMD has a ME-like thing (PSP) that no one has managed to neuter. So you’re wrong, people who want an x86 laptop are better off with Intel if they want a ‘more open’ system, but Intel is still not ideal.

              Making a POWER or RISC-V laptop is a huge amount of effort, and many existing applications won’t run on it without even more work.

              1. 1

                > AMD has a ME-like thing (PSP) that no one has managed to neuter. So you’re wrong, people who want an x86 laptop are better off with Intel if they want a ‘more open’ system, but Intel is still not ideal.

                Intel still isn’t open. And it has non-ideal performance and a history of vulnerabilities.

                > Making a POWER or RISC-V laptop is a huge amount of effort

                Yes it’s effort, and yes that’s why they won’t bother. It’s easier to do almost the same thing everybody is doing, and they can sell that anyway.

                > and many existing applications won’t run on it without even more work.

                Not an issue unless you run mainly proprietary software.

                1. 4

                  > Intel still isn’t open. And it has non-ideal performance and a history of vulnerabilities.

                  Uh, no one has made anything RISC-V that performs all that well, from what I understand. And even if there was one, far, far fewer people are willing to drop a serious amount of money on it. If you really want that, there are companies selling it, so go put your money where your mouth is.

                  I never claimed Intel platforms were fully open, just that they’re more open (just barely, by neutering the ME) than your recommendation to use AMD… which has a chip running a blob that you cannot disable without bricking your system.

                  > Yes it’s effort, and yes that’s why they won’t bother. It’s easier to do almost the same thing everybody is doing, and they can sell that anyway.

                  They haven’t completely solved the problem (and, IMHO, don’t give any illusion that they have?), but I think their effort to bring a deblobbed system with neutered ME and coreboot to the masses is still helpful. Purism even makes a choice to use a wifi chip that doesn’t require blobs to run.

                  1. 2

                    AMD allows disabling the PSP in the UEFI settings.

                    I’ve no idea, unfortunately, if any research has been done as to how the setting works and how effective it is.

              2. 3

                I would certainly like a POWER9 laptop, but power consumption is not its strong suit.

                POWER10 is claimed to have lower power usage, but Raptor is reportedly unhappy with IBM, and this suggests the firmware stack has not been fully released. That’s disappointing, if true.