├── CHANGELOG
├── COPYING
├── INTEL-SA-00075-Discovery-Tool.c
├── INTEL-SA-00075-Unprovisioning-Tool.c
├── INTEL-SA-00075.c
├── INTEL-SA-00075.h
├── Makefile
└── README.md

/CHANGELOG:
--------------------------------------------------------------------------------
Release 1.0
  INTEL-SA-00075-Discovery-Tool
  INTEL-SA-00075-Unprovisioning-Tool
    - Added code documentation and centralized common functions for the tools.
====================================

Release 0.8
  INTEL-SA-00075-Discovery-Tool
    - Tool should now support discovery on Intel(R) MEI firmware version 6.x
====================================

Release 0.5
  INTEL-SA-00075-Discovery-Tool
  INTEL-SA-00075-Unprovisioning-Tool
    - Tool not supported on systems with Intel(R) MEI firmware version 6.x
====================================

--------------------------------------------------------------------------------
/COPYING:
--------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.

We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and
modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.

    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License. (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code. (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.


    Copyright (C)

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the program
    `Gnomovision' (which makes passes at compilers) written by James Hacker.

    , 1 April 1989
    Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
340 | -------------------------------------------------------------------------------- /INTEL-SA-00075-Discovery-Tool.c: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | * Intel-SA-00075-Discovery-Tool 3 | * 4 | * This file is provided under a dual BSD/GPLv2 license. When using or 5 | * redistributing this file, you may do so under either license. 6 | * 7 | * GPL LICENSE SUMMARY 8 | * 9 | * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved. 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of version 2 of the GNU General Public License as 13 | * published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, but 16 | * WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 18 | * General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License 21 | * along with this program; if not, write to the Free Software 22 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110, 23 | * USA 24 | * 25 | * The full GNU General Public License is included in this distribution 26 | * in the file called COPYING. 27 | * 28 | * Contact Information: 29 | * Intel Corporation. 30 | * linux-mei@linux.intel.com 31 | * http://www.intel.com 32 | * 33 | * BSD LICENSE 34 | * 35 | * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved. 36 | * All rights reserved. 37 | * 38 | * Redistribution and use in source and binary forms, with or without 39 | * modification, are permitted provided that the following conditions 40 | * are met: 41 | * 42 | * * Redistributions of source code must retain the above copyright 43 | * notice, this list of conditions and the following disclaimer. 
44 | * * Redistributions in binary form must reproduce the above copyright 45 | * notice, this list of conditions and the following disclaimer in 46 | * the documentation and/or other materials provided with the 47 | * distribution. 48 | * * Neither the name Intel Corporation nor the names of its 49 | * contributors may be used to endorse or promote products derived 50 | * from this software without specific prior written permission. 51 | * 52 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 53 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 54 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 55 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 56 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 57 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 58 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 59 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 60 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 61 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 62 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
63 | * 64 | *****************************************************************************/ 65 | 66 | #include "INTEL-SA-00075.h" 67 | 68 | /*************************************************************************** 69 | * Intel(R) AMT 70 | ***************************************************************************/ 71 | #define AMT_BIOS_VERSION_LEN 65 72 | #define AMT_VERSIONS_NUMBER 50 73 | #define AMT_UNICODE_STRING_LEN 20 74 | 75 | struct amt_unicode_string { 76 | uint16_t length; 77 | char string[AMT_UNICODE_STRING_LEN]; 78 | }__attribute__((packed)); 79 | 80 | struct amt_version_type { 81 | struct amt_unicode_string description; 82 | struct amt_unicode_string version; 83 | }__attribute__((packed)); 84 | 85 | struct amt_version { 86 | uint8_t major; 87 | uint8_t minor; 88 | }__attribute__((packed)); 89 | 90 | struct amt_code_versions { 91 | uint8_t bios[AMT_BIOS_VERSION_LEN]; 92 | uint32_t count; 93 | struct amt_version_type versions[AMT_VERSIONS_NUMBER]; 94 | }__attribute__((packed)); 95 | 96 | struct amt_host_if_msg_header { 97 | struct amt_version version; 98 | uint16_t _reserved; 99 | uint32_t command; 100 | uint32_t length; 101 | }__attribute__((packed)); 102 | 103 | struct amt_host_if_resp_header { 104 | struct amt_host_if_msg_header header; 105 | uint32_t status; 106 | unsigned char data[0]; 107 | }__attribute__((packed)); 108 | 109 | #define AMT_HOST_IF_CODE_VERSIONS_REQUEST 0x0400001A 110 | #define AMT_HOST_IF_CODE_VERSIONS_RESPONSE 0x0480001A 111 | 112 | const struct amt_host_if_msg_header CODE_VERSION_REQ = { 113 | .version = { 114 | AMT_MAJOR_VERSION, 115 | AMT_MINOR_VERSION 116 | }, 117 | ._reserved = 0, 118 | .command = AMT_HOST_IF_CODE_VERSIONS_REQUEST, 119 | .length = 0 120 | }; 121 | 122 | static uint32_t amt_verify_code_versions( 123 | const struct amt_host_if_resp_header *resp) { 124 | uint32_t status = AMT_STATUS_SUCCESS; 125 | struct amt_code_versions *code_ver; 126 | size_t code_ver_len; 127 | uint32_t ver_type_cnt; 128 | uint32_t len; 
129 | uint32_t i; 130 | 131 | code_ver = (struct amt_code_versions *) resp->data; 132 | /* length - sizeof(status) */ 133 | code_ver_len = resp->header.length - sizeof(uint32_t); 134 | ver_type_cnt = code_ver_len - sizeof(code_ver->bios) 135 | - sizeof(code_ver->count); 136 | if (code_ver->count != ver_type_cnt / sizeof(struct amt_version_type)) { 137 | status = AMT_STATUS_INTERNAL_ERROR; 138 | goto out; 139 | } 140 | 141 | for (i = 0; i < code_ver->count; i++) { 142 | len = code_ver->versions[i].description.length; 143 | 144 | if (len > AMT_UNICODE_STRING_LEN) { 145 | status = AMT_STATUS_INTERNAL_ERROR; 146 | goto out; 147 | } 148 | 149 | len = code_ver->versions[i].version.length; 150 | if (code_ver->versions[i].version.string[len] != '\0' 151 | || len != strlen(code_ver->versions[i].version.string)) { 152 | status = AMT_STATUS_INTERNAL_ERROR; 153 | goto out; 154 | } 155 | } 156 | out: return status; 157 | } 158 | 159 | static uint32_t amt_verify_response_header(uint32_t command, 160 | const struct amt_host_if_msg_header *resp_hdr, uint32_t response_size) { 161 | if (response_size < sizeof(struct amt_host_if_resp_header)) { 162 | return AMT_STATUS_INTERNAL_ERROR; 163 | } else if (response_size 164 | != (resp_hdr->length + sizeof(struct amt_host_if_msg_header))) { 165 | return AMT_STATUS_INTERNAL_ERROR; 166 | } else if (resp_hdr->command != command) { 167 | return AMT_STATUS_INTERNAL_ERROR; 168 | } else if (resp_hdr->_reserved != 0) { 169 | return AMT_STATUS_INTERNAL_ERROR; 170 | } else if (resp_hdr->version.major != AMT_MAJOR_VERSION 171 | || resp_hdr->version.minor < AMT_MINOR_VERSION) { 172 | return AMT_STATUS_INTERNAL_ERROR; 173 | } 174 | return AMT_STATUS_SUCCESS; 175 | } 176 | 177 | static uint32_t amt_host_if_call(struct heci_host_if *acmd, 178 | const unsigned char *command, ssize_t command_sz, uint8_t **read_buf, 179 | uint32_t rcmd, unsigned int expected_sz) { 180 | uint32_t in_buf_sz; 181 | uint32_t out_buf_sz; 182 | ssize_t written; 183 | uint32_t 
status; 184 | struct amt_host_if_resp_header *msg_hdr; 185 | 186 | in_buf_sz = acmd->mei_cl.buf_size; 187 | *read_buf = (uint8_t *) malloc(sizeof(uint8_t) * in_buf_sz); 188 | if (*read_buf == NULL) 189 | return AMT_STATUS_SDK_RESOURCES; 190 | memset(*read_buf, 0, in_buf_sz); 191 | msg_hdr = (struct amt_host_if_resp_header *) *read_buf; 192 | 193 | written = mei_send_msg(&acmd->mei_cl, command, command_sz); 194 | if (written != command_sz) 195 | return AMT_STATUS_INTERNAL_ERROR; 196 | 197 | out_buf_sz = mei_recv_msg(&acmd->mei_cl, *read_buf, in_buf_sz); 198 | if (out_buf_sz <= 0) 199 | return AMT_STATUS_HOST_IF_EMPTY_RESPONSE; 200 | 201 | status = msg_hdr->status; 202 | if (status != AMT_STATUS_SUCCESS) 203 | return status; 204 | 205 | status = amt_verify_response_header(rcmd, &msg_hdr->header, out_buf_sz); 206 | if (status != AMT_STATUS_SUCCESS) 207 | return status; 208 | 209 | if (expected_sz && expected_sz != out_buf_sz) 210 | return AMT_STATUS_INTERNAL_ERROR; 211 | 212 | return AMT_STATUS_SUCCESS; 213 | } 214 | 215 | static uint32_t amt_get_code_versions(struct heci_host_if *cmd, 216 | struct amt_code_versions *versions) { 217 | struct amt_host_if_resp_header *response = NULL; 218 | uint32_t status; 219 | 220 | status = amt_host_if_call(cmd, (const unsigned char *) &CODE_VERSION_REQ, 221 | sizeof(CODE_VERSION_REQ), (uint8_t **) &response, 222 | AMT_HOST_IF_CODE_VERSIONS_RESPONSE, 0); 223 | 224 | if (status != AMT_STATUS_SUCCESS) 225 | goto out; 226 | 227 | status = amt_verify_code_versions(response); 228 | if (status != AMT_STATUS_SUCCESS) 229 | goto out; 230 | 231 | memcpy(versions, response->data, sizeof(struct amt_code_versions)); 232 | out: if (response != NULL) 233 | free(response); 234 | 235 | return status; 236 | } 237 | 238 | /***************************************************************************** 239 | * SKU Decode Context 240 | *****************************************************************************/ 241 | /* 242 | * Since the code is 
expected to be run exclusively on Intel Silicon, 243 | * only little endian implementation of the bitfield is done. 244 | */ 245 | typedef union { 246 | struct { 247 | unsigned reserved :1; 248 | unsigned intel_quiet_system_technology :1; 249 | unsigned asf :1; 250 | unsigned intel_amt :1; 251 | unsigned intel_standard_manageability :1; 252 | unsigned reserved_1 :1; 253 | unsigned reserved_2 :1; 254 | unsigned reserved_3 :1; 255 | unsigned intel_remote_pc_assist :1; 256 | unsigned reserved_4 :4; 257 | unsigned intel_anti_theft_technology :1; 258 | unsigned corporate_sku :1; 259 | unsigned level_3_manageability_upgrade :1; 260 | unsigned intel_small_business_technology :1; 261 | unsigned reserved_5 :15; 262 | }; 263 | uint32_t full_sku_value; 264 | } sku_decode; 265 | 266 | /* 267 | * SKU information is parsed per the bitfield definition in sku_decode 268 | * This information is used to print SKU features and also used in determining 269 | * Vulnerable skus per Intel-SA-00075 270 | */ 271 | void decode_amt_sku_information(sku_decode SKU) { 272 | printf("\n-----------------SKU Information-----------------\n"); 273 | if (SKU.intel_small_business_technology) { 274 | printf("\t\t Intel(R) Small Business Technology\n"); 275 | } 276 | if (SKU.level_3_manageability_upgrade) { 277 | printf("\t\t Level 3 Manageability Upgrade\n"); 278 | } 279 | if (SKU.corporate_sku) { 280 | printf("\t\t Corporate SKU\n"); 281 | } 282 | if (SKU.intel_anti_theft_technology) { 283 | printf("\t\t Intel(R) Anti-Theft Technology (Intel(R) AT)\n"); 284 | } 285 | if (SKU.intel_remote_pc_assist) { 286 | printf("\t\t Intel(R) Remote PC Assist Technology (Intel(R) RPAT)\n"); 287 | } 288 | if (SKU.intel_standard_manageability) { 289 | printf("\t\t Intel(R) Standard Manageability\n"); 290 | } 291 | if (SKU.intel_amt) { 292 | printf("\t\t Intel(R) Active Management Technology\n"); 293 | } 294 | if (SKU.asf) { 295 | printf("\t\t ASF\n"); 296 | } 297 | if (SKU.intel_quiet_system_technology) { 298 | 
        printf("\t\t Intel(R) Quiet System Technology \n");
    }
    printf("-------------------------------------------------\n\n");
}

/*****************************************************************************
 * FW Decode Major.Minor.Hotfix.Build
 *****************************************************************************/

typedef struct {
    uint8_t me_major_num;
    uint8_t me_minor_num;
    uint8_t me_hotfix_num;
} fw_decode;

/*
 * Parses firmware version string sent by the Intel(R) MEI AMT client
 */
#define MAX_FW_STRING 20
void decode_me_fw_information(char *fw_string, fw_decode *FW) {
    if (fw_string != NULL) fw_string[MAX_FW_STRING - 1] = 0;
    char *token_start = fw_string;
    char *token_end = fw_string;
    if (token_start != NULL) {
        strsep(&token_end, ".");
        FW->me_major_num = strtoul(token_start, NULL, 0);
        token_start = token_end;
    }
    if (token_start != NULL) {
        strsep(&token_end, ".");
        FW->me_minor_num = strtoul(token_start, NULL, 0);
        token_start = token_end;
    }
    if (token_start != NULL) {
        strsep(&token_end, ".");
        FW->me_hotfix_num = strtoul(token_start, NULL, 0);
        token_start = token_end;
    }
}

/*****************************************************************************
 * Discover Vulnerability
 *****************************************************************************/
/*
 * Function to determine vulnerable sku ranges based on
 * FW Version: Major#.Minor#.Hotfix# and Build#
 */
bool discover_vulnerability(sku_decode SKU, fw_decode FW, uint32_t me_build_num) {
    //sku
    if (SKU.corporate_sku || SKU.intel_small_business_technology
            || SKU.intel_standard_manageability || SKU.intel_amt) {

        //Major Version <6
        if (FW.me_major_num < 6) {
            return false;
        }
        //Major Version 6 and Minor == 0
        if (FW.me_major_num == 6 && FW.me_minor_num == 0
                && me_build_num >= 3000) {
            return false;
        }
        //Major Version 6 and Minor >= 1 and Build number >= 3000
        if (FW.me_major_num == 6 && FW.me_minor_num > 0
                && me_build_num >= 3000) {
            return false;
        }
        //Major Versions 7, 8 ,9, 10 and Build number >= 3000
        if (FW.me_major_num >= 7 && FW.me_major_num <= 10
                && me_build_num >= 3000) {
            return false;
        }
        //Major Version 11 and Minor <= 6 with Build Number >= 3000
        if (FW.me_major_num == 11 && FW.me_minor_num <= 6
                && me_build_num >= 3000) {
            return false;
        }
        //Major Version 11 and Minor = 7 and Build number: >= 1000 && < 2000
        if (FW.me_major_num == 11 && FW.me_minor_num == 7
                && me_build_num >= 1000 && me_build_num < 2000) {
            return true;
        }
        //Major Version 11 and Minor >= 7
        if (FW.me_major_num == 11 && FW.me_minor_num >= 7) {
            return false;
        }
        //Major Versions >=12
        if (FW.me_major_num >= 12) {
            return false;
        }
    } else {
        return false;
    }
    return true;
}

/*****************************************************************************
 * Check Corporate Sku with MKHI HECI connection
 *****************************************************************************/
/*
 * Enables alternative MKHI/ HCI client connection within Intel(R) ME FW
 * Required to determine Intel(R) MEI firmware readiness.
 */
static bool enable_fixed_clients_check(const char *device_path) {
    FILE *fp = fopen("/sys/kernel/debug/mei/allow_fixed_address", "w");
    if (!fp) {
        fp = fopen("/sys/kernel/debug/mei0/allow_fixed_address", "w");
        if (!fp) {
            return false;
        }
    }
    int ret = (fwrite("Y", sizeof(char), 1, fp) == 1) ?
            0 : -1;
    fclose(fp);

    struct heci_host_if mkhi_cmd;
    CLIENT_TYPE client_type = MKHI_FIX_CLIENT_TYPE;
    bool heci_init_call = heci_host_if_init(&mkhi_cmd, 5000, device_path,
            client_type);
    if (!ret) {
        if (!heci_init_call) {
            mei_deinit(&mkhi_cmd.mei_cl);
            return false;
        } else {
            mei_deinit(&mkhi_cmd.mei_cl);
            return true;
        }
    } else {
        mei_deinit(&mkhi_cmd.mei_cl);
        return false;
    }
}

/*
 * Function: Checks if Intel(R) ME FW has an HCI/ MKHI client in the FW SKU.
 * Returns : True --> Connection with the client was successful.
 *           False--> Connection with the client failed.
 * Arguments: # Intel(R) MEI kernel device node path
 * Dependencies: None.
 * Description: None
 * Notes: On Intel(R) ME FW version 6.0 connection of MKHI may fail and can
 *        be achieved by enabling a allow_fixed address flag and an alternative UUID.
 */
static bool check_mei_init(struct mei *me, const uuid_le *guid,
        const char *device_path) {
    int result;
    bool rval = false;
    struct mei_connect_client_data data = { 0 };

    me->fd = open(device_path, O_RDWR);
    if (me->fd == -1) {
        mei_err(me, "%s %s\nCannot establish a handle to the Intel(R) MEI driver."
                " Refer to Tool User Guide for more information.\n",strerror(errno),
                device_path);
        exit(-1);
    }
    memcpy(&me->guid, guid, sizeof(*guid));
    me->initialized = true;

    memcpy(&data.in_client_uuid, &me->guid, sizeof(me->guid));
    result = ioctl(me->fd, IOCTL_MEI_CONNECT_CLIENT, &data);
    if (result) {
        rval = false;
        goto err;
    }

    rval = true;
err:
    mei_deinit(me);
    return rval;
}

/*
 * Function: Checks if Intel(R) ME FW has an Intel(R) AMT client in the FW SKU.
 * Returns : 0--> Connection with Intel(R) AMT client was successful.
 *           -1--> Neither Intel(R) AMT nor MKHI clients were responsive.
 *           -2--> Intel(R) AMT client was not responsive.
 * Arguments: # Intel(R) MEI kernel device node path
 * Dependencies: None
 * Description: If connection fails, then it tries to make connection with HCI/ MKHI
 *              client to ensure Intel(R) MEI is responsive to avoid falsely
 *              reporting absence of Intel(R) AMT client.
 * Notes: On Intel(R) ME FW version 6.0 connection of MKHI may fail and can
 *        be achieved by enabling a allow_fixed address flag and an alternative UUID.
 */
int check_if_corporate_sku_by_connection(const char *device_path) {
    int rval = 0;
    //Check AMT connection
    struct mei amt_mei_check;

    bool heci_init_call = check_mei_init(&amt_mei_check, &MEI_IAMTHIF,
            device_path);
    if (!heci_init_call) {
        rval = -2;
    } else {
        return rval;
    }
    //Check HCI connection
    CLIENT_TYPE client_type = MKHI_CLIENT_TYPE;
    struct heci_host_if mkhi_cmd;
    heci_init_call = heci_host_if_init(&mkhi_cmd, 5000, device_path,
            client_type);
    if (mkhi_cmd.initialized) {
        mei_deinit(&mkhi_cmd.mei_cl);
    }
    if (!heci_init_call) {
        rval = -1;
    } else {
        return rval;
    }

    if (enable_fixed_clients_check(device_path)) {
        //Unable to connect with Intel(R) MEI AMT client on MEI v6.0
        rval = -2;
    } else {
        printf("Error: Failed connection to Intel(R) MEI Subsystem."
                " Contact OEM.\n");
    }
    return rval;
}

/*
 * Parse, print and extract firmware information from the sku information retrieved
 * using the GetCodeVersion command going to the Intel(R) AMT client.
 */
int parse_code_version_information(uint32_t status, sku_decode *SKU,
        uint32_t *me_build_num, struct amt_code_versions *ver, char *fw_string) {
    int rval = 0;
    switch (status) {
    case AMT_STATUS_HOST_IF_EMPTY_RESPONSE:
        printf("\nIntel(R) AMT: DISABLED\n");
        rval = -1;
        goto failed_parse_code_version_information;
        break;
    case AMT_STATUS_SUCCESS:
        printf(
                "\n------------------Firmware Information--------------------\n");
        printf("\nIntel(R) AMT: ENABLED\n");
        uint32_t i;
        for (i = 0; i < ver->count; i++) {
            printf("%s:\t%s\n", ver->versions[i].description.string,
                    ver->versions[i].version.string);
            if (!strncmp(ver->versions[i].description.string, "Sku", 3)) {
                SKU->full_sku_value = strtoul(ver->versions[i].version.string,
                        NULL, 0);
                if (!SKU->full_sku_value) {
                    printf("Error: Unable to determine system state,"
                            " contact OEM\n");
                    rval = -1;
                    goto failed_parse_code_version_information;
                    //should be fatal
                }
            }
            if (!strncmp(ver->versions[i].description.string, "AMT", 3)) {
                if (strlen(ver->versions[i].version.string) < MAX_FW_STRING) {
                    /* Length is bounded by the check above; strncpy
                     * NUL-pads the remainder of the copied range. */
                    strncpy(fw_string, ver->versions[i].version.string,
                            MAX_FW_STRING - 1);
                } else {
                    printf("Error: Unable to determine system state,"
                            " contact OEM\n");
                    rval = -1;
                    goto failed_parse_code_version_information;
                }
            }
            if (!strncmp(ver->versions[i].description.string, "Build Number", 12)) {
                *me_build_num = strtoul(ver->versions[i].version.string, NULL, 0);
            }
        }
        break;
    default:
        printf("Error: Unable to determine system state, contact OEM\n");
        rval = -1;
        break;
    }
failed_parse_code_version_information:
    return rval;
}

/*****************************************************************************
 * INTEL-SA-00075-Discovery-Tool Messages
 *****************************************************************************/
void print_vulnerability_message(bool provisioned, bool vulnerable) {
    printf("\n------------------Vulnerability Status--------------------\n");
    if (vulnerable) {
        if (provisioned) {
            printf("Based on the version of the Intel(R) MEI, the System is Vulnerable.\n"
                    "Run the unprovision tool to reset AMT to factory settings.\n"
                    "If Vulnerable, contact your OEM for support and remediation of this system.\n"
                    "For more information, refer to CVE-2017-5689 at:\n"
                    "https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory\n"
                    "Intel-SA-00075 at:\n"
                    "https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr");
        } else {
            printf("Based on the version of the Intel(R) MEI, the System is Vulnerable.\n"
                    "If Vulnerable, contact your OEM for support and remediation of this system.\n"
                    "For more information, refer to CVE-2017-5689 at:\n"
                    "https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory\n"
                    "Intel-SA-00075 at:\n"
                    "https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr");
        }
    } else {
        printf("System is not Vulnerable, no further action needed.\n");
    }
    printf("\n----------------------------------------------------------\n\n");
}

void print_tool_banner(void) {
    printf("\nINTEL-SA-00075-Discovery-Tool -- Release 1.0\n");
    printf("Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved\n\n");
}

/*****************************************************************************
 * INTEL-SA-00075-Discovery-Tool
 *****************************************************************************/
/*
 * Function: Determine whether the Intel(R) MEI firmware version currently on
 *           the platform is vulnerable as per INTEL-SA-00075 advisory.
 * Dependencies: Root privilege/ permissions.
 * Arguments: [INPUT] -d is the only expected command line option for
 *            user defined /dev/mei# node
 * Description: (1) Displays the tool version and copyright info
 *              (2) Ensures the tool was run with root permissions
 *              (3) Defaults to open /dev/mei0 node unless specified by user option
 *              (4) Checks the Intel (R) MEI fw sku to determine if it is a consumer
 *                  or a corporate sku by trying to connect to the Intel(R) AMT
 *                  client in the Intel(R) ME fw and parsing GetCodeVersion output.
 *                  If it is determined to be a consumer sku it
 *                  calls function to print system not vulnerable message and exits.
 *                  Another possibility is that application was not able to make
 *                  any connection with the Intel(R) ME fw at all, in which case
 *                  it also exits after printing this failure instead to the screen.
 *              (5) If an Intel(R) AMT connection was successful, it then retrieves
 *                  the firmware sku information by issuing the GetCodeVersion
 *                  command.
 *              (6) It then closes/ deinitializes the Intel(R) AMT connection
 *                  with the Intel(R) ME fw.
 *              (7) Information retrieved from Intel(R) AMT client in step 5 is
 *                  parsed to record "firmware-version" (in a string fw_string),
 *                  "SKU value" and build_number required in decision making of
 *                  vulnerable skus.
 *                  Any failures reflected in return value of this function causes
 *                  the program to exit at this point.
 *              (8) The SKU value is parsed to record and print the SKU type.
 *              (9) The firmware string is parsed to record firmware: Major#, Minor#
 *                  and Hotfix# which is used in determining the vulnerable skus.
 *              (10) The system is checked to see if it is in a provisioned state
 *                  by calling a function that returns a positive value if provisioned.
 *                  If get_provisioning_status fails, it still continues to see if
 *                  sku is in fact vulnerable.
 *              (11) If provisioned a function is called to determine provisioning mode.
 *              (12) At this point we have all the information to determine if the
 *                  system is vulnerable along with its provisioning state and mode
 *                  and so a function is called to iterate
 *                  the SKU, FW: Major.Minor.Hotfix, build# to determine the
 *                  vulnerable skus. This function returns a boolean value to inform
 *                  a vulnerable sku.
 *              (13) The information in step 11 and 12 is used to print the vulnerability
 *                  status along side information on the provisioning status.
 *                  if system is vulnerable and provisioned additional message
 *                  to perform the un-provisioning mitigation is provided.
 * Notes: None.
 */
int main(int argc, char **argv) {
    print_tool_banner();

    if (geteuid() != 0) {
        mei_err(me, "Please run the tool with root privilege.\n");
        exit(-1);
    }

    const char *dev_path;
    /* -d must be followed by the device node path, so argv[2] has to exist */
    if (argc > 2 && !strncmp(argv[1], "-d", 2)) {
        dev_path = argv[2];
    } else {
        dev_path = DEFAULT_MEI_DEV_NODE;
    }

    int ret = check_if_corporate_sku_by_connection(dev_path);
    if (ret == -1) {
        goto out;
    }
    if (ret == -2) {
        //not-provisioned, not-vulnerable
        print_vulnerability_message(false, false);
        goto out;
    }

    struct heci_host_if acmd;
    CLIENT_TYPE client_type = AMT_CLIENT_TYPE;
    if (!heci_host_if_init(&acmd, 5000, dev_path, client_type)) {
        ret = -1;
        goto out;
    }
    struct amt_code_versions ver;
    uint32_t status = amt_get_code_versions(&acmd, &ver);
    mei_deinit(&acmd.mei_cl);

    /* Zero-initialized so a missing "Sku", "AMT" or "Build Number" entry
     * is never read as an indeterminate value. */
    sku_decode SKU = { .full_sku_value = 0 };
    char fw_string[MAX_FW_STRING];
    memset(fw_string, 0, MAX_FW_STRING);
    fw_decode FW = { 0 };
    uint32_t me_build_num = 0;
    ret = parse_code_version_information(status, &SKU, &me_build_num, &ver,
            fw_string);
    if (ret < 0) {
        goto out;
    }

    decode_amt_sku_information(SKU);

    decode_me_fw_information(fw_string, &FW);

    bool provisioned = false;
    ret = get_provisioning_status(dev_path, false);
    if (ret > 0) {
        provisioned = true;
    }

    if (provisioned) {
        ret = get_provisioning_control_mode(dev_path);
        if (ret == 1) {
            printf("Control Mode: CLIENT / CCM\n");
        }
        if (ret == 2) {
            printf("Control Mode: ADMIN / ACM\n");
        }
        if (ret == -1 || ret == 0) {
            printf("Control Mode: Undetermined\n");
        }
    }

    if (!discover_vulnerability(SKU, FW, me_build_num)) {
        print_vulnerability_message(provisioned, false);
    } else {
        print_vulnerability_message(provisioned, true);
    }

out:
    return ret;
}

--------------------------------------------------------------------------------
/INTEL-SA-00075-Unprovisioning-Tool.c:
--------------------------------------------------------------------------------
/******************************************************************************
 * Intel-SA-00075-Unprovisioning-Tool
 *
 * This file is provided under a dual BSD/GPLv2 license. When using or
 * redistributing this file, you may do so under either license.
 *
 * GPL LICENSE SUMMARY
 *
 * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
 * USA
 *
 * The full GNU General Public License is included in this distribution
 * in the file called COPYING.
 *
 * Contact Information:
 * Intel Corporation.
 * linux-mei@linux.intel.com
 * http://www.intel.com
 *
 * BSD LICENSE
 *
 * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
 * the documentation and/or other materials provided with the
 * distribution.
 * * Neither the name Intel Corporation nor the names of its
 * contributors may be used to endorse or promote products derived
 * from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *****************************************************************************/

#include "INTEL-SA-00075.h"

/*****************************************************************************
 * Check UnProvisioning State
 *****************************************************************************/
/*
 * Function: Reveals if the previous un-provisioning attempt was successful.
 * Returns 1-->Un-Provisioning succeeded,
 *         0-->Un-Provisioning failed,
 *         -1-->Failures.
 * Dependencies: None
 * Arguments: Intel(R) MEI kernel device node path
 * Description: (1) Prepares command structure to send an GetUnprovisioningState
 *                  request message to the connected Intel(R) AMT client in
 *                  Intel(R) ME FW.
 *              (2) Calls the send receive message/ command function and it
 *                  records the unprovisioning state in the response structure
 *                  member State.
 *                  OR--> Sets return rval to -1 if connection fails and jumps
 *                  to exit label failed_check_amt_unprovisioning_status
 *              (3) In either cases above, code now reaches the exit label where
 *                  it returns rval.
 * Notes: None
 */
int check_amt_unprovisioning_status(const char *device_path) {
    CFG_GetUnprovisioningState_Request request = {
        .Header.Version.MajorNumber = 1,
        .Header.Version.MinorNumber = 1,
        .Header.Command.Class = 4,
        .Header.Command.Operation = 0x68,
        .Header.Length = sizeof(request.Header)
    };
    CFG_GetUnprovisioningState_Response response;

    CLIENT_TYPE client_type = AMT_CLIENT_TYPE;

    int rval = heci_send_recieve_message((const unsigned char *) &request,
            sizeof(request), (unsigned char *) &response, sizeof(response),
            client_type, device_path);

    if (rval < 0 || response.Status != AMT_STATUS_SUCCESS) {
        printf("Error: Failed Unprovisioning. Use Intel(R) MEBX to unprovision."
                " Or Contact OEM\n");
        rval = -1;
        goto failed_check_amt_unprovisioning_status;
    } else {
        if (!response.State) {
            printf("System needs to be unprovisioned.\n");
        } else {
            printf("System is already unprovisioned.\n");
            rval = -1;
        }
    }

failed_check_amt_unprovisioning_status:
    return rval;
}

/*****************************************************************************
 * CCM UNPROVISION COMMAND
 *****************************************************************************/
/*
 * Function: Attempts Full Intel (R) AMT UN-Provisioning in client mode/ CCM.
 * Returns: 0-->successful
 *          -1-->failure cases.
 * Dependencies: System is Intel(R) AMT provisioned in client mode.
 * Arguments:
 * Description: (1) Prepares command structure to send an CFG_Unprovisioning_Request
 *                  request message to the connected Intel(R) AMT client in
 *                  Intel(R) ME FW.
 *              (2) Calls the send receive message/ command function and it
 *                  records the unprovisioning response in the response structure
 *                  member Status.
 *                  if Status is not AMT_STATUS_SUCCESS,
 *                  Sets return rval to -1 if connection fails and jumps
 *                  to exit label failed_un_provision_amt_ccm
 *              (3) In either cases above, code now reaches the exit label where
 *                  it returns rval.
 * Notes: None
 */
int un_provision_amt_ccm(const char *device_path) {
    CFG_PROVISIONING_MODE mode = CFG_PROVISIONING_MODE_NONE;
    CFG_Unprovision_Request request = {
        .Header.Version.MajorNumber = AMT_MAJOR_VERSION,
        .Header.Version.MinorNumber = AMT_MINOR_VERSION,
        .Header.Command.Class = 4,
        .Header.Command.Operation = 0x10,
        .Mode = mode,
        .Header.Length = sizeof(request.Header)
    };
    CFG_Unprovision_Response response;

    CLIENT_TYPE client_type = AMT_CLIENT_TYPE;

    int rval = heci_send_recieve_message((const unsigned char *) &request,
            sizeof(request), (unsigned char *) &response, sizeof(response),
            client_type, device_path);

    if (rval < 0 || response.Status != AMT_STATUS_SUCCESS) {
        printf(
                "Error: Failed Unprovisioning. Use Intel(R) MEBX to unprovision. "
                "Or Contact OEM.");
        rval = -1;
        goto failed_un_provision_amt_ccm;
    } else {
        printf("\tSuccessfully Unprovisioned.\n");
    }

failed_un_provision_amt_ccm:
    return rval;
}

/*****************************************************************************
 * INTEL-SA-00075-Unprovisioning-Tool Messages
 *****************************************************************************/
/*
 * Function: Display tool banner along with copyright information.
 * Dependencies: None
 * Arguments: None
 * Description: None
 * Notes: Ensure to update the release number every release.
 */
void print_tool_banner(void) {
    printf("\nINTEL-SA-00075-Unprovisioning-Tool -- Release 1.0\n");
    printf("Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved\n\n");
}

/*****************************************************************************
 * INTEL-SA-00075-Unprovisioning-Tool
 *****************************************************************************/
/*
 * Function: To un-provision client mode (CCM) AMT provisioned platform.
 * Dependencies: Root privilege/ permissions.
 * Arguments: [INPUT] -d is the only expected command line option for
 *            user defined /dev/mei# node
 * Description: (1) Displays the tool version and copyright info
 *              (2) Ensures the tool was run with root permissions
 *              (3) Defaults to open /dev/mei0 node unless specified by user option
 *              (4) Checks if system is in provisioned state, if not - exits.
 *              (5) Checks if provisioning mode is ACM, if yes - exits.
 *                  Note it will attempt unprovisioning if mode is CCM/Unknown.
 *              (6) Checks if an UN-provisioning attempt has been made already.
 *                  Does nothing? (??Reboot-Message??) --Need this step?
 *              (7) Attempt UN-provisioning and exit if it fails.
 *              (8) Checks if the above UN-provisioning attempt go through.
 * Notes: If everything went fine, run Discovery tool to ensure system is
 *        unprovisioned/ not vulnerable. Note unprovisioning is a mitigation.
 */
int main(int argc, char **argv) {
    print_tool_banner();

    if (geteuid() != 0) {
        mei_err(me, "Please run the tool with root privilege.\n");
        exit(-1);
    }

    const char *dev_path;
    /* -d must be followed by the device node path, so argv[2] has to exist */
    if (argc > 2 && !strncmp(argv[1], "-d", 2)) {
        dev_path = argv[2];
    } else {
        dev_path = DEFAULT_MEI_DEV_NODE;
    }

    printf("\n-----------------------------------------------------------\n");
    int ret = get_provisioning_status(dev_path, true);
    if (ret < 0) {
        goto out;
    }
    if (ret == 0) {
        printf("System is in unprovisioned state. Exiting.\n");
        goto out;
    }

    ret = get_provisioning_control_mode(dev_path);
    if (ret == 0) {
        printf("Control Mode: CLIENT / CCM\n");
    }
    if (ret == 2) {
        printf("Control Mode: ADMIN / ACM\n");
        printf("\tError: Cannot Unprovision - System provisioned in Admin Control"
                " Mode.\n");
        printf("\tUnprovision via Intel(R) MEBX. Press CTRL+P during system boot."
                " Or Contact OEM.\n");
        goto out;
    }
    if (ret == -1) {
        printf("Control Mode: Undetermined\n");
    }

    ret = check_amt_unprovisioning_status(dev_path);
    if (ret < 0) {
        goto out;
    }

    printf("Attempting Unprovisioning:\n");
    ret = un_provision_amt_ccm(dev_path);
    if (ret < 0) {
        goto out;
    }

    ret = check_amt_unprovisioning_status(dev_path);
    if (ret < 0) {
        goto out;
    }

out:
    printf("\n----------------------------------------------------------\n");
    return ret;
}

--------------------------------------------------------------------------------
/INTEL-SA-00075.c:
--------------------------------------------------------------------------------
/******************************************************************************
 * Intel-SA-00075.c
 *
 * This file is provided under a dual BSD/GPLv2 license. When using or
 * redistributing this file, you may do so under either license.
 *
 * GPL LICENSE SUMMARY
 *
 * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
 * USA
 *
 * The full GNU General Public License is included in this distribution
 * in the file called COPYING.
 *
 * Contact Information:
 * Intel Corporation.
 * linux-mei@linux.intel.com
 * http://www.intel.com
 *
 * BSD LICENSE
 *
 * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
 * the documentation and/or other materials provided with the
 * distribution.
 * * Neither the name Intel Corporation nor the names of its
 * contributors may be used to endorse or promote products derived
 * from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *****************************************************************************/

#include "INTEL-SA-00075.h"

/*****************************************************************************
 * Intel(R) MEI
 *****************************************************************************/

/*
 * Close the device handle to the Intel(R) MEI driver
 * And reset the initialized flag.
 */
void mei_deinit(struct mei *cl) {
    if (cl->fd != -1)
        close(cl->fd);
    cl->fd = -1;
    cl->buf_size = 0;
    cl->prot_ver = 0;
    cl->initialized = false;
}

/*
 * Attempts to open the dev node for Intel(R) MEI device driver and establish
 * connection with specified client uuid.
 * Returns a boolean: True if the handle was established and connection was made
 * successfully, False otherwise.
 */
bool mei_init(struct mei *me, const uuid_le *guid, const char *device_path) {
    int result;
    struct mei_client *cl;
    struct mei_connect_client_data data = { 0 };

    me->fd = open(device_path, O_RDWR);
    if (me->fd == -1) {
        mei_err(me, "%s %s\nCannot establish a handle to the Intel(R) MEI driver."
                " Refer to Tool User Guide for more information.\n", strerror(errno),
                device_path);
        exit(-1);
    }
    memcpy(&me->guid, guid, sizeof(*guid));
    me->initialized = true;

    memcpy(&data.in_client_uuid, &me->guid, sizeof(me->guid));
    result = ioctl(me->fd, IOCTL_MEI_CONNECT_CLIENT, &data);
    if (result) {
        mei_err(me, "IOCTL_MEI_CONNECT_CLIENT receive message. err=%d\n", result);
        goto err;
    }
    cl = &data.out_client_properties;

    me->buf_size = cl->max_msg_length;
    me->prot_ver = cl->protocol_version;

    return true;
err:
    mei_deinit(me);
    return false;
}

/*
 * Writes out the command/ message to the initialized Intel(R) MEI client connection
 * with specified length of the message/ command.
 * If write goes through, returns number of bytes written otherwise the errno value.
 * After the message is sent it de-initializes the connection.
 */
ssize_t mei_send_msg(struct mei *me, const unsigned char *buffer, ssize_t len) {
    ssize_t written;
    ssize_t rc;

    written = write(me->fd, buffer, len);
    if (written < 0) {
        rc = -errno;
        mei_err(me, "write failed with status %zd %s\n", written, strerror(errno));
        goto out;
    } else {
        rc = written;
    }
out:
    if (rc < 0) {
        mei_deinit(me);
    }
    return rc;
}

/*
 * Retrieves response of specified length in the response buffer within a timeout
 * value specified, Any failures here would cause the code to exit since the Intel(R)
 * MEI clients are irresponsive. Otherwise return value is 0 for successful reads.
152 | */ 153 | ssize_t mei_recv_msg(struct mei *me, unsigned char *buffer, ssize_t len) { 154 | //receive message 155 | ssize_t rc = read(me->fd, buffer, len); 156 | 157 | if (rc < 0) { 158 | mei_err(me, "read operation failed with status %zd %s\n", rc, 159 | strerror(errno)); 160 | mei_deinit(me); 161 | } 162 | return rc; 163 | } 164 | 165 | /***************************************************************************** 166 | * HECI send/ receive message 167 | *****************************************************************************/ 168 | /* 169 | * Function: Send a message to a specific HECI client and retrieve responses 170 | * after establishing heci connection with the specified client. 171 | * Returns: 0 -->Successful sending message and receiving responses. 172 | * -1 -->Failures 173 | * Dependencies: Command structure is properly initialized 174 | * Arguments: # Request/ Message - void* to accept different message structures. 175 | * # Size of the request. 176 | * # Response - void* to commonly record all types of responses. 177 | * # Size of the response. 178 | * # Intel(R) MEI HECI client to connect to send/ recevie message/responses 179 | * # Intel(R) MEI kernel device node path 180 | * Description: (1) Establishes connection with Intel (R) AMT client in Intel(R) MEI 181 | * firmware. If connection fails, Sets return rval to -1 and jumps 182 | * to exit label failed_check_amt_provisioning_status. 183 | * (2) Calls the send message/ command function and records the 184 | * number of bytes written which should equal size of request, 185 | * if not it sets rval to -1 and jumps to exit label. 186 | * (3) It records the number of bytes received in out_buf_sz variable. 187 | * If out_buf_sz <= 0 it sets the rval to -1 and jumps to exit tag. 188 | * Otherwise it records the response structure. 
 *               (4) In either case above, code now reaches the exit label, where
 *                   it disconnects the client connection, closes the
 *                   open dev/mei# node and returns rval.
 * Notes:        None
 */
int heci_send_recieve_message(const unsigned char *request, ssize_t req_len,
        unsigned char *response, ssize_t rsp_len, CLIENT_TYPE client_type,
        const char *device_path) {
    //Send receive message to a heci client
    int rval = 0;
    /*
     * Start with fd = -1: an unknown client_type leaves mei_cl untouched, and
     * mei_deinit() at the exit label must not close an unopened descriptor.
     */
    struct heci_host_if acmd = { .mei_cl = { .fd = -1 } };
    if (!heci_host_if_init(&acmd, 5000, device_path, client_type)) {
        rval = -1;
        goto failed_heci_send_recieve_message;
    }

    /* Keep the signed type: mei_send_msg() returns -errno on failure. */
    ssize_t written = mei_send_msg(&acmd.mei_cl, request, req_len);
    if (written != req_len) {
        rval = -1;
        goto failed_heci_send_recieve_message;
    }

    /*
     * mei_recv_msg() returns a negative value when read() fails. Held in an
     * unsigned variable that value becomes a large positive number and the
     * <= 0 check never sees the error, so the result stays signed.
     */
    ssize_t out_buf_sz = mei_recv_msg(&acmd.mei_cl, response, rsp_len);
    if (out_buf_sz <= 0) {
        rval = -1;
        goto failed_heci_send_recieve_message;
    }
failed_heci_send_recieve_message:
    mei_deinit(&acmd.mei_cl);
    return rval;
}

/***************************************************************************
 * Intel(R) AMT - Host Interface
 ***************************************************************************/
/*
 * Passes the information required to connect to specific Intel(R) MEI clients.
 * The function is commonly called by the tools prior to sending commands to the
 * specified clients and also sets up the timeout values.
 */
bool heci_host_if_init(struct heci_host_if *acmd, unsigned long send_timeout,
        const char *device_path, CLIENT_TYPE client_type) {
    acmd->send_timeout = (send_timeout) ? send_timeout : 20000;
    switch (client_type) {
    //Connect appropriate client
    case AMT_CLIENT_TYPE:
        acmd->initialized = mei_init(&acmd->mei_cl, &MEI_IAMTHIF, device_path);
        break;
    case MKHI_CLIENT_TYPE:
        acmd->initialized = mei_init(&acmd->mei_cl, &MEI_MKHI_HIF, device_path);
        break;
    case MKHI_FIX_CLIENT_TYPE:
        acmd->initialized = mei_init(&acmd->mei_cl, &MEI_MKHI_HIF_FIX,
                device_path);
        break;
    default:
        printf("DEBUG %d\n", client_type);
        acmd->initialized = false;
        break;
    }
    return acmd->initialized;
}

/*****************************************************************************
 * Check Provisioning Control Mode
 *****************************************************************************/
/*
 * Function:     Retrieves the mode in which the Intel(R) AMT was provisioned.
 *               Returns 1-->CCM,
 *                       2-->ACM,
 *                       0-->Undetermined,
 *                       -1-->Failures.
 * Dependencies: None
 * Arguments:    Intel(R) MEI kernel device node path
 * Description:  (1) Prepares command structure to send a GetControlMode request
 *                   message to the connected Intel(R) AMT client in Intel(R) ME FW.
 *               (2) Calls the send receive message/ command function
 *                   and records the provisioning control mode in the
 *                   response structure member ControlMode.
 *               (3) In either case above, code now reaches the exit label, where
 *                   it returns rval.
 * Notes:        None
 */
int get_provisioning_control_mode(const char *device_path) {
    CFG_GetControlMode_Request request = {
        .Header.Version.MajorNumber = 1,
        .Header.Version.MinorNumber = 1,
        .Header.Command.Class = 0x4,
        .Header.Command.Operation = 0x6B,
        .Header.Length = sizeof(request.Header)
    };
    CFG_GetControlMode_Response response;

    CLIENT_TYPE client_type = AMT_CLIENT_TYPE;
    int rval = heci_send_recieve_message((const unsigned char *) &request,
            sizeof(request), (unsigned char *) &response, sizeof(response),
            client_type, device_path);

    if (rval < 0 || response.Status != AMT_STATUS_SUCCESS) {
        rval = -1;
        goto failed_get_provisioning_control_mode;
    } else {
        rval = response.ControlMode;
    }

failed_get_provisioning_control_mode:
    return rval;
}

/*****************************************************************************
 * Check Provisioned State
 *****************************************************************************/
/*
 * Function:     Reveals if the previous un-provisioning attempt was successful.
 *               Returns 0-->PROVISIONING_STATE_PRE
 *                       1-->PROVISIONING_STATE_IN
 *                       2-->PROVISIONING_STATE_POST
 *                       -1-->Failures
 * Dependencies: None
 * Arguments:    # Intel(R) MEI kernel device node path
 *               # Flag to track tool message handling for the discovery and unprovisioning
 * Description:  (1) Prepares command structure to send a GetProvisioningState request
 *                   message to the connected Intel(R) AMT client in Intel(R) ME FW.
 *               (2) Calls the send receive message/ command function
 *                   and records the provisioning status in the response structure
 *                   member ProvisioningState.
 *               (3) In either case above, code now reaches the exit label, where
 *                   it returns rval.
 * Notes:        None
 */
int get_provisioning_status(const char *device_path, bool unprovision) {
    CFG_GetProvisioningState_Request request = {
        .Header.Version.MajorNumber = 1,
        .Header.Version.MinorNumber = 1,
        .Header.Command.Class = 4,
        .Header.Command.Operation = 0x11,
        .Header.Length = sizeof(request.Header)
    };
    CFG_GetProvisioningState_Response response;

    CLIENT_TYPE client_type = AMT_CLIENT_TYPE;
    int rval = heci_send_recieve_message((const unsigned char *) &request,
            sizeof(request), (unsigned char *) &response, sizeof(response),
            client_type, device_path);

    if (rval < 0 || response.Status != AMT_STATUS_SUCCESS) {
        rval = -1;
        if (unprovision) {
            printf("Error: Failed Unprovisioning. Use Intel(R) MEBX to "
                    "unprovision. Or Contact OEM\n");
        } else {
            printf("Error: Failed to retrieve response for provisioning status:"
                    " %08X\n", response.Status);
        }
        goto failed_check_amt_provision_status;
    } else {
        if (response.ProvisioningState == PROVISIONING_STATE_PRE) {
            printf("PROVISIONING_STATE = PRE\n"); //Not Provisioned
            rval = 0;
        }
        if (response.ProvisioningState == PROVISIONING_STATE_IN) {
            printf("PROVISIONING_STATE = IN\n");
            rval = 1;
        }
        if (response.ProvisioningState == PROVISIONING_STATE_POST) {
            printf("PROVISIONING_STATE = POST\n"); //Provisioned
            rval = 2;
        }
    }
failed_check_amt_provision_status:
    return rval;
}

--------------------------------------------------------------------------------
/INTEL-SA-00075.h:
--------------------------------------------------------------------------------
/******************************************************************************
 * Intel-SA-00075.h
 *
 * This file is provided under a dual BSD/GPLv2 license.
 * When using or redistributing this file, you may do so under either license.
 *
 * GPL LICENSE SUMMARY
 *
 * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
 * USA
 *
 * The full GNU General Public License is included in this distribution
 * in the file called COPYING.
 *
 * Contact Information:
 * Intel Corporation.
 * linux-mei@linux.intel.com
 * http://www.intel.com
 *
 * BSD LICENSE
 *
 * Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   * Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *   * Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in
 *     the documentation and/or other materials provided with the
 *     distribution.
 *   * Neither the name Intel Corporation nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *****************************************************************************/

/*
 * The header names were stripped from this listing; the includes below are
 * the ones the declarations in this file and the code in INTEL-SA-00075.c
 * require.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <errno.h>
#include <stdint.h>
#include <stdbool.h>
#include <linux/mei.h>

#define DEFAULT_MEI_DEV_NODE "/dev/mei0"

#define MEI_IAMTHIF UUID_LE(0x12f80028, 0xb4b7, 0x4b2d, 0xac, 0xa8, 0x46, 0xe0, \
        0xff, 0x65, 0x81, 0x4c)
#define MEI_MKHI_HIF UUID_LE(0x8e6a6715, 0x9abc, 0x4043, 0x88, 0xef, 0x9e, 0x39, \
        0xc6, 0xf6, 0x3e, 0x0f)
#define MEI_MKHI_HIF_FIX UUID_LE(0x55213584, 0x9a29, 0x4916, 0xba, 0xdf, 0xf, \
        0xb7, 0xed, 0x68, 0x2a, 0xeb)

/*****************************************************************************
 * Intel(R) MEI
 *****************************************************************************/
#define mei_err(_me, fmt, ARGS...) do { \
    fprintf(stderr, "Error: " fmt, ##ARGS); \
} while (0)

struct mei {
    uuid_le guid;
    bool initialized;
    bool verbose;
    unsigned int buf_size;
    unsigned char prot_ver;
    int fd;
};

/***************************************************************************
 * Intel(R) AMT
 ***************************************************************************/

#define AMT_MAJOR_VERSION 1
#define AMT_MINOR_VERSION 1

#define AMT_STATUS_SUCCESS                0x0
#define AMT_STATUS_INTERNAL_ERROR         0x1
#define AMT_STATUS_NOT_READY              0x2
#define AMT_STATUS_INVALID_AMT_MODE       0x3
#define AMT_STATUS_INVALID_MESSAGE_LENGTH 0x4

#define AMT_STATUS_HOST_IF_EMPTY_RESPONSE 0x4000
#define AMT_STATUS_SDK_RESOURCES          0x1004

typedef enum {
    AMT_CLIENT_TYPE = 1, MKHI_CLIENT_TYPE = 2, MKHI_FIX_CLIENT_TYPE = 3,
} CLIENT_TYPE;

struct heci_host_if {
    struct mei mei_cl;
    unsigned long send_timeout;
    bool initialized;
};

/*****************************************************************************
 * Check Provisioned State
 *****************************************************************************/
#define PROVISIONING_STATE_PRE  0
#define PROVISIONING_STATE_IN   1
#define PROVISIONING_STATE_POST 2

typedef struct {
    uint32_t Operation :23;
    uint32_t IsResponse :1;
    uint32_t Class :8;
} COMMAND_FMT;

typedef struct {
    uint8_t MajorNumber;
    uint8_t MinorNumber;
} PTHI_VERSION;

typedef struct {
    PTHI_VERSION Version;
    uint16_t Reserved;
    COMMAND_FMT Command;
    uint32_t Length;
} PTHI_MESSAGE_HEADER;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
} CFG_GetProvisioningState_Request;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
    uint32_t Status;
    uint32_t ProvisioningState;
} CFG_GetProvisioningState_Response;

/*****************************************************************************
 * MKHI Command constructs
 *****************************************************************************/
typedef struct {
    uint32_t GroupId :8;
    uint32_t Command :7;
    uint32_t IsResponse :1;
    uint32_t Reserved :8;
    uint32_t Result :8;
} MKHI_MESSAGE_HEADER;

typedef struct {
    MKHI_MESSAGE_HEADER Header;
} GEN_GET_VPRO_ALLOWED_Request;

typedef struct {
    MKHI_MESSAGE_HEADER Header;
    uint8_t VproAllowed;
} GEN_GET_VPRO_ALLOWED_Response;

/*****************************************************************************
 * Check Provisioning Control Mode
 *****************************************************************************/
typedef struct {
    PTHI_MESSAGE_HEADER Header;
} CFG_GetControlMode_Request;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
    uint32_t Status;
    uint32_t ControlMode; // returned upon success only
} CFG_GetControlMode_Response;

/*****************************************************************************
 * CCM UNPROVISION COMMAND
 *****************************************************************************/
typedef uint32_t AMT_STATUS;

typedef enum {
    CFG_PROVISIONING_MODE_NONE = 0,
    CFG_PROVISIONING_MODE_ENTERPRISE = 1,
    CFG_PROVISIONING_MODE_SMALL_BUSINESS = 2,
    CFG_PROVISIONING_MODE_REMOTE_CONNECTIVITY_SERVICE = 3,
} CFG_PROVISIONING_MODE;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
    CFG_PROVISIONING_MODE Mode;
} CFG_Unprovision_Request;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
    AMT_STATUS Status;
} CFG_Unprovision_Response;

/*****************************************************************************
 * Check UnProvisioning State
 *****************************************************************************/
typedef enum {
    CFG_UNPROVISIONING_STATE_NONE = 0, CFG_UNPROVISIONING_STATE_IN = 1,
} CFG_UNPROVISIONING_STATE;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
} CFG_GetUnprovisioningState_Request;

typedef struct {
    PTHI_MESSAGE_HEADER Header;
    AMT_STATUS Status;
    CFG_UNPROVISIONING_STATE State; // returned upon success only
} CFG_GetUnprovisioningState_Response;

/*****************************************************************************
 * Common Functions
 *****************************************************************************/

bool mei_init(struct mei *me, const uuid_le *guid, const char *device_path);

void mei_deinit(struct mei *cl);

ssize_t mei_recv_msg(struct mei *me, unsigned char *buffer, ssize_t len);

ssize_t mei_send_msg(struct mei *me, const unsigned char *buffer, ssize_t len);

int heci_send_recieve_message(const unsigned char *request, ssize_t req_len,
        unsigned char *response, ssize_t rsp_len, CLIENT_TYPE client_type,
        const char *device_path);

bool heci_host_if_init(struct heci_host_if *acmd, unsigned long send_timeout,
        const char *device_path, CLIENT_TYPE client_type);

int get_provisioning_control_mode(const char *device_path);

int get_provisioning_status(const char *device_path, bool unprovision);

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
#;****************************************************************************;
# Intel-SA-00075-Discovery-And-Unprovisioning-Tool-Makefile
#
# This file is
# provided under a dual BSD/GPLv2 license. When using or
# redistributing this file, you may do so under either license.
#
# GPL LICENSE SUMMARY
#
# Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
# USA
#
# The full GNU General Public License is included in this distribution
# in the file called COPYING.
#
# Contact Information:
# Intel Corporation.
# linux-mei@linux.intel.com
# http://www.intel.com
#
# BSD LICENSE
#
# Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
#   * Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#   * Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in
#     the documentation and/or other materials provided with the
#     distribution.
#   * Neither the name Intel Corporation nor the names of its
#     contributors may be used to endorse or promote products derived
#     from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#;****************************************************************************;


PROGS = INTEL-SA-00075-Discovery-Tool \
	INTEL-SA-00075-Unprovisioning-Tool

all:$(PROGS)
	strip $(PROGS)

INTEL-SA-00075-Discovery-Tool: INTEL-SA-00075-Discovery-Tool.o INTEL-SA-00075.o
INTEL-SA-00075-Unprovisioning-Tool: INTEL-SA-00075-Unprovisioning-Tool.o INTEL-SA-00075.o

clean:
	rm -f $(PROGS)
	rm -f *.o

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
DISCONTINUATION OF PROJECT.

This project will no longer be maintained by Intel.

Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.

Intel no longer accepts patches to this project.

If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.

# INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools

## Summary:
There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

For general guidance on this issue please see - http://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

As Intel becomes aware of computer maker schedules for updated firmware this list will be updated:

- HP Inc. - http://www8.hp.com/us/en/intelmanageabilityissue.html
- HP Enterprise - http://h22208.www2.hpe.com/eginfolib/securityalerts/CVE-2017-5689-Intel/CVE-2017-5689.html
- Lenovo - https://support.lenovo.com/us/en/product_security/LEN-14963
- Fujitsu - http://www.fmworld.net/globalpc/intel_firmware/
- Dell Client - http://en.community.dell.com/techcenter/extras/m/white_papers/20443914
- Dell EMC - http://en.community.dell.com/techcenter/extras/m/white_papers/20443937
- Acer - https://us.answers.acer.com/app/answers/detail/a_id/47605
- Asus - https://www.asus.com/News/uztEkib4zFMHCn5r
- Panasonic - http://pc-dl.panasonic.co.jp/itn/info/osinfo20170512.html
- Toshiba - https://support.toshiba.com/sscontent?contentId=4015668
- Getac - http://intl.getac.com/aboutgetac/activities/activities_2017051648.html
- Intel – NUC, Compute Stick and Desktop Boards
- Samsung - http://www.samsung.com/uk/support/intel_update/

## Description:
There are two ways this vulnerability may be accessed. Please note that Intel® Small Business Technology is not vulnerable to the first issue.

- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
  CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
  CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products:
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

## Recommendations:
Intel has released a downloadable discovery tool located at downloadcenter.intel.com, which will analyze your system for the vulnerability. IT professionals who are familiar with the configuration of their systems and networks can use this tool or can find more details below.

Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

Step 2: Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware. If you do have a version in the “Resolved Firmware” column, no further action is required to secure your system from this vulnerability.
Linux users use the INTEL-SA-00075-Discovery-Tool on this GitHub page. For documentation and release binaries please visit https://downloadcenter.intel.com/download/26799/INTEL-SA-00075-Linux-Detection-and-Mitigation-Tools

Step 3: Intel highly recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX), e.g. 8.1.71.3608. The Firmware Deployment Guide is at http://www.intel.com/content/www/us/en/support/technologies/intel-active-management-technology-intel-amt/000024236.html

Step 4: If a firmware update is not available from your OEM, mitigations are provided in the INTEL-SA-00075 Mitigation Guide.
Linux users use the INTEL-SA-00075-Unprovisioning-Tool on this GitHub page.

For assistance in implementing the mitigation steps provided in this document, please contact Intel Customer Support at http://www.intel.com/content/www/us/en/support/contact-support.html#@23; from the Technologies section, select Intel® Active Management Technology (Intel® AMT).
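
The version rules above (affected range 6.x through 11.6, resolved builds of the form X.X.XX.3XXX) can be applied to a firmware version string when triaging an inventory. The C code below is an added example, not part of Intel's tools: `classify_me_firmware`, `parse_field` and the `fw_verdict` values are hypothetical names, it treats every version from 6.0 through 11.6 as in range, and all sample strings except 8.1.71.3608 are constructed.

```c
#include <stdio.h>

/* Hypothetical names for this added example; not part of the Intel tools. */
typedef enum {
    FW_MALFORMED = -1,   /* not in MAJOR.MINOR.HOTFIX.BUILD form */
    FW_NOT_IMPACTED = 0, /* before 6.x or after 11.6 */
    FW_RESOLVED = 1,     /* in range, four-digit build starting with 3 */
    FW_IMPACTED = 2      /* in range, any other build number */
} fw_verdict;

/*
 * Parse one decimal field of 1 to 5 digits and advance *p past it.
 * Returns the digit count, or -1 if the field is empty or too long.
 * The digit cap keeps the value far below UINT_MAX, so it cannot overflow.
 */
static int parse_field(const char **p, unsigned *out) {
    unsigned value = 0;
    int digits = 0;

    while (**p >= '0' && **p <= '9') {
        if (++digits > 5)
            return -1;
        value = value * 10 + (unsigned)(**p - '0');
        (*p)++;
    }
    if (digits == 0)
        return -1;
    *out = value;
    return digits;
}

fw_verdict classify_me_firmware(const char *version) {
    unsigned field[4] = { 0 };
    int build_digits = 0;
    const char *p = version;

    if (version == NULL)
        return FW_MALFORMED;

    for (int i = 0; i < 4; i++) {
        int digits = parse_field(&p, &field[i]);
        if (digits < 0)
            return FW_MALFORMED;
        if (i == 3)
            build_digits = digits;
        else if (*p++ != '.')      /* fields are dot separated */
            return FW_MALFORMED;
    }
    if (*p != '\0')                /* reject trailing characters */
        return FW_MALFORMED;

    unsigned major = field[0], minor = field[1], build = field[3];

    /* "Versions before 6 or after 11.6 are not impacted." */
    if (major < 6 || major > 11 || (major == 11 && minor > 6))
        return FW_NOT_IMPACTED;

    /* Resolved firmware: X.X.XX.3XXX, e.g. 8.1.71.3608. */
    if (build_digits == 4 && build >= 3000 && build <= 3999)
        return FW_RESOLVED;

    return FW_IMPACTED;
}

int main(void) {
    /* Constructed inputs, apart from 8.1.71.3608 which the README cites. */
    const char *samples[] = {
        "8.1.71.3608", "8.1.71.1608", "11.8.50.3425", "8.1.71"
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s -> %d\n", samples[i], classify_me_firmware(samples[i]));
    return 0;
}
```

A `FW_MALFORMED` result should be treated as "unknown", not as "safe"; the version string still has to come from a trusted inventory source.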


## Build instructions for the INTEL-SA-00075-Discovery-Tool and INTEL-SA-00075-Unprovisioning-Tool

make clean; make
sudo ./INTEL-SA-00075-Discovery-Tool or sudo ./INTEL-SA-00075-Discovery-Tool -d /dev/mei
sudo ./INTEL-SA-00075-Unprovisioning-Tool or sudo ./INTEL-SA-00075-Unprovisioning-Tool -d /dev/mei

NOTE:
If the MEI device /dev/mei0 is not found, open a terminal and list the available devices with ls /dev/mei*
This should give the proper device node /dev/mei#; then re-run the application with the correct node,
e.g. sudo ./INTEL-SA-00075-Unprovisioning-Tool -d /dev/mei0

This tool requires MEI support from the running kernel (in recent kernels that is CONFIG_INTEL_MEI and CONFIG_INTEL_MEI_ME under Device Drivers|Misc devices).

WARNING: Being unable to access /dev/mei0 does NOT imply that this system has no MEI support; the system may still be vulnerable.
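
Both tools act on whatever bytes `read()` returns from the MEI device node, so a failed or short read has to be rejected before `Status` or `ProvisioningState` is interpreted. The C code below is an added example, not part of Intel's tools: it validates a `CFG_GetProvisioningState_Response` buffer field by field. The function and enum names are hypothetical, the sample responses are constructed, and the bit positions assume the little-endian bit-field layout GCC uses on x86 for `COMMAND_FMT`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Wire sizes of the structures declared in INTEL-SA-00075.h. */
#define PTHI_HEADER_LEN   12     /* Version(2) Reserved(2) Command(4) Length(4) */
#define PROV_RESPONSE_LEN 20     /* header + Status(4) + ProvisioningState(4) */
#define CFG_CLASS         0x04u  /* Header.Command.Class the tools send */
#define OP_GET_PROV_STATE 0x11u  /* Header.Command.Operation for GetProvisioningState */

/* Hypothetical result codes for this added example. */
typedef enum {
    RSP_OK = 0,
    RSP_READ_FAILED,     /* read() returned <= 0 */
    RSP_TRUNCATED,       /* fewer bytes than the response structure */
    RSP_NOT_A_RESPONSE,  /* IsResponse bit is clear */
    RSP_WRONG_COMMAND,   /* Class/Operation do not match the request */
    RSP_AMT_ERROR,       /* Status is not AMT_STATUS_SUCCESS */
    RSP_BAD_STATE        /* ProvisioningState outside PRE/IN/POST */
} rsp_check;

/* Decode a little-endian 32-bit field without relying on struct layout. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encode a little-endian 32-bit field (used only to build sample data). */
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/*
 * Validate a GetProvisioningState response of nread bytes.
 * *state is written only when every check passes.
 */
rsp_check check_provisioning_response(const uint8_t *buf, ssize_t nread,
                                      int *state) {
    /* Test the read() result while it is still signed. */
    if (buf == NULL || state == NULL || nread <= 0)
        return RSP_READ_FAILED;
    if (nread < PROV_RESPONSE_LEN)
        return RSP_TRUNCATED;

    /* COMMAND_FMT: Operation = bits 0-22, IsResponse = bit 23, Class = bits 24-31. */
    uint32_t command = le32(buf + 4);
    if (((command >> 23) & 1u) == 0)
        return RSP_NOT_A_RESPONSE;
    if ((command >> 24) != CFG_CLASS ||
            (command & 0x7FFFFFu) != OP_GET_PROV_STATE)
        return RSP_WRONG_COMMAND;

    if (le32(buf + PTHI_HEADER_LEN) != 0)   /* AMT_STATUS_SUCCESS is 0x0 */
        return RSP_AMT_ERROR;

    uint32_t prov = le32(buf + PTHI_HEADER_LEN + 4);
    if (prov > 2)                           /* PRE = 0, IN = 1, POST = 2 */
        return RSP_BAD_STATE;

    *state = (int)prov;
    return RSP_OK;
}

/* Build a constructed 20-byte response for the demo and the tests. */
void build_response(uint8_t out[PROV_RESPONSE_LEN], uint32_t command,
                    uint32_t status, uint32_t prov_state) {
    memset(out, 0, PROV_RESPONSE_LEN);
    out[0] = 1;                  /* Version.MajorNumber, as the tools send */
    out[1] = 1;                  /* Version.MinorNumber */
    put32(out + 4, command);     /* Header.Length stays 0: not checked here */
    put32(out + PTHI_HEADER_LEN, status);
    put32(out + PTHI_HEADER_LEN + 4, prov_state);
}

int main(void) {
    uint8_t rsp[PROV_RESPONSE_LEN];
    int state = -1;

    /* Constructed sample: response bit set, Class 4, Operation 0x11, POST. */
    build_response(rsp, 0x04800011u, 0, 2);
    printf("full response  -> %d (state %d)\n",
           check_provisioning_response(rsp, PROV_RESPONSE_LEN, &state), state);
    printf("header only    -> %d\n",
           check_provisioning_response(rsp, PTHI_HEADER_LEN, &state));
    printf("read() failure -> %d\n",
           check_provisioning_response(rsp, -1, &state));
    return 0;
}
```

Any result other than `RSP_OK` means the provisioning state is unknown, which a discovery run should report as a failure instead of printing a state.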

--------------------------------------------------------------------------------