Introduction

This plugin is used to talk to the Intel ME device, typically CSME.

It allows us to get the Platform Key as used for BootGuard and to get the version number for the Intel AMT.

If AMT is enabled and provisioned and the AMT version is between 6.0 and 11.2, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689 and you should disable AMT in your system firmware.

This code is inspired by ‘AMT status checker for Linux’ by Matthew Garrett which can be found here: https://github.com/mjg59/mei-amt-check

That tool in turn is heavily based on mei-amt-version from samples/mei in the Linux source tree and copyright Intel Corporation.

GUID Generation

These devices use the existing GUIDs provided by the ME host interfaces.

Metadata

There have been several BootGuard key leaks that can be detected using the ME device. The metadata needed to match the KM checksum is found in the metadata, typically obtained from the LVFS project. This sets the leaked-km private flag which then causes the HSI org.fwupd.hsi.Mei.KeyManifest attribute to fail, and also adds a device inhibit which shows in the command line and GUI tools.

The org.linuxfoundation.bootguard.config component is currently used to match against both the MCA and MKHI ME devices. The latest cabinet archive can also be installed into the vendor-firmware remote found in /usr/share/fwupd/remotes.d/vendor/firmware/ which allows the detection to work even when offline — although using the LVFS source is recommended for most users.

New OEM Public Key Hash values found from MEInfo or calculated manually should be added to the checksums page on the LVFS.

Vendor ID Security

The devices are not upgradable and thus require no vendor ID set.

External Interface Access

This plugin requires ioctl(IOCTL_MEI_CONNECT_CLIENT) to /dev/mei0.

Version Considerations

This plugin has been available since fwupd version 1.8.7.