Experimentation with Intel vPro and AMT on Q77 motherboard with i7 3770S

Hello everyone,

Introduction

I revived my old computer and decided to transform it as a racked server. It has a GA-Z77X-D3H rev 1.0 as motherboard and an Intel i7 3770S as CPU.

Sure, latest gens like AMD Ryzen are by far more powerful and energy efficient, but I didn’t want to throw everything away as I still have 32 GiB of DDR3 RAM and I wanted to still keep this machine from 2012 for 3 main reasons:
- compare with last gen hardware and see how things have evolved
- this will be the last Intel based computer I’ll have, all others are AMD or ARM based, and sometimes some apps require Intel specific stuff
- having experience with Intel KVM over IP

I know Intel vPro is only available using the chipset Q77 instead of Z77. This is why I found an ASUS P8Q77-M on eBay and am willing to buy it, but first I need to get these two questions answered.

Questions

1. Intel Q77 for gen 3 i7 core does have Intel AMT 8.0. Is the latter stored in the Intel ME firmware? If yes, can security CVE vulnerabilities be patched easily by simply upgrading the Intel ME firmware even if the motherboard is not maintained any more? (I’m used to having custom BIOSes, so BIOS patching is not new for me). Wikipedia specifies: “The AMT firmware is stored in the same SPI flash memory component used to store the BIOS and is generally updated along with the BIOS.” but doesn’t indeed specify whether this is in the Intel ME firmware or a motherboard vendor specific BIOS/UEFI location.
2. Can I upgrade from AMT 8.0 to AMT 9.0 for example, as the latter seems to be like a firmware? I don’t know if this is stored on the Q77 chipset or not. (depends on previous question). According to Wikipedia, “Software updates provide upgrades to the next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.” I assume there is really no ability then as new major versions mean new rewiring and hw changes. Just asking, maybe you know some trick? :slight_smile:

Thanks in advance for your help.

----------------------

cc @Fernando o/

Yes, this needs to be enabled at ME FW and in BIOS as well. As long as ME FW is healthy, the ME FW can be updated to latest version while you enable the AMT settings.

As for updating the “AMT version” I can’t answer that, I only know you can update ME FW to latest/enable AMT.
I checked the BIOS, and AMT is enabled by default, so I assume it’s already enabled at ME FW too, but I can’t confirm without a dump of ME FW from this model (it’s not included in Asus partial BIOS “upgrade” files online).

You can’t upgrade to ME 9 with a Q77 chipset. AMT is part of the Intel ME, and the ME itself is part of the ‘bios’. Since Intel ME is designed for a specific chipset generation, it can’t be upgraded to a later version.

ME 8 and ME 9/9.1 are no longer supported. There were some more fixes for ME 9, but latest version is 06/18 (INTEL-SA-00141), for ME 8 it’s 10/17 (INTEL-SA-00086).

Depends on whether you want to expose your PC to the internet?

Intel® Active Management Technology (Intel® AMT) and Intel® Converged Security and Management Engine (Intel® CSME) Security Updates
Intel® Product Security Center Advisories

Thanks a lot for your answers both of you. And thanks Fernando for having passed by :slight_smile:

@Lost_N_BIOS : You mean that even if ASUS is not providing updates for its Q77-based motherboards, we are unable to upgrade manually to the latest ME engine version supported for this chipset? (In this case ME8).

After searching on my side, upgrading the AMT version is not possible, I need to stick to the latest major version supported. This is due to the fact that the ME engine is using Huffman tables stored directly in the hardware to obfuscate things. So, without new hardware, bits will be missing and the latest ME engine won’t work. (cf. Wikipedia)

@lfb6 Actually, it will be connected to the internet, but ONLY the VMs running on the hypervisor. The local management subnet won’t be connected and will be carefully firewalled. From all the security issues reported from INTEL-SA-00086 to INTEL-SA0016X, it appears we need to be on the same network to exploit them. I was a bit reluctant to have the AMT engine running, taking into account that all these vulnerabilities happen at a level so low in the HW stack, but after reading the CVE descriptions on the MITRE website, I’m “a bit” relieved now.

This system will be used mainly for development purposes (macOS/Windows dev VMs) and in order to know AMT / vPro tech better and get first-hand experience. In the future, if I see things don’t go well, I’ll disable the AMT and plug in my own IPMI.

@wget You should be able to update to the latest ME8 (8.1.72.3002) with help of the update program of the firmware tools (fwupdlcl[64].exe/efi), both can be found in this thread.

Concerning security: Raspberry Pi kernels are afaik heavily customized Linux kernels, thereby not kept up to date like a normal Linux kernel, or at least with a relevant delay. Your project is quite interesting/impressive, but it uses kernel images from 2017. You’d possibly have the same amount of security flaws in these old kernels as in an old AMT version…

For AMT I’d recommend MeshCommander; you probably know it already. It’s easier to configure than the Intel tools.
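A small defender-side check that turns the advice in this thread (stay on the final ME 8 build, 8.1.72.3002, since a later major cannot be flashed onto a Q77 board) into something you can run on the Linux host. It parses the firmware version the mei driver exposes in /sys/class/mei/mei0/fw_ver (an assumption: the attribute exists on recent kernels with mei_me loaded; older kernels may not have it) and reports whether the installed build is the last one for its generation. This is an added example, not code from the thread or from Intel's tools; the sample sysfs contents are constructed.

```python
import re
from pathlib import Path

# Final ME firmware build per major generation, as cited in the thread,
# together with the advisory that build corresponds to.
LAST_BUILD = {
    8: ("8.1.72.3002", "INTEL-SA-00086"),
}

# Assumption: the mei driver exposes the firmware version here on recent kernels.
FW_VER_PATH = Path("/sys/class/mei/mei0/fw_ver")

# Constructed sample in the sysfs format "<platform>:<major>.<minor>.<hotfix>.<build>",
# one line per version block; unused blocks read 0:0.0.0.0.
SAMPLE_FW_VER = "0:8.1.40.1416\n0:0.0.0.0\n0:0.0.0.0\n"

VER_RE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_fw_ver(text):
    """Return the first non-zero firmware version as a (major, minor, hotfix, build) tuple."""
    for line in text.splitlines():
        m = VER_RE.match(line.strip())
        if not m:
            continue
        ver = tuple(int(x) for x in m.groups()[1:])
        if any(ver):
            return ver
    raise ValueError("no firmware version found in fw_ver contents")


def assess(ver, chipset_major):
    """Compare the installed ME build with the last known build for its generation.

    A major that differs from the chipset's generation is flagged rather than
    compared, because ME majors are tied to the chipset and cannot be cross-flashed.
    """
    if ver[0] != chipset_major:
        return {"status": "major-mismatch", "installed": ver}
    if ver[0] not in LAST_BUILD:
        return {"status": "unknown-generation", "installed": ver}
    last, advisory = LAST_BUILD[ver[0]]
    last_t = tuple(int(x) for x in last.split("."))
    status = "up-to-date" if ver >= last_t else "outdated"
    return {"status": status, "installed": ver, "last": last_t, "advisory": advisory}


def check(text=SAMPLE_FW_VER, chipset_major=8):
    return assess(parse_fw_ver(text), chipset_major)


if __name__ == "__main__":
    # Read the real sysfs attribute when present, otherwise fall back to the sample.
    text = FW_VER_PATH.read_text() if FW_VER_PATH.exists() else SAMPLE_FW_VER
    print(check(text))
```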

@lfb6 Thanks for the link to the ME update.

In the end I saw that the motherboard available next to my city has been sold and the others available are only located way outside the EU and their prices have skyrocketed recently. So I’m giving up on the idea of testing AMT.

Wrt. the Raspberry Pi, the RPi kernels are completely up to date, especially as I’m using Arch Linux ARM whose team is really reactive. I’m even using the Linux kernel from upstream with some proprietary modules and am not using distros like NOOBS or the well known Raspbian.

Wrt. the DIY IPMI project I linked above, I’ll only be taking inspiration from there just for the electronic wiring stuff. I won’t use the 2017 packages obviously and will do it myself on Arch, so the security will reach 100% :slight_smile:

Thanks anyway for your time on this topic :slight_smile: