[opensuse] Installing IME firmware updates in openSuSE

older
[opensuse] network change, name...

Christopher Myers

28 Nov 2017 28 Nov '17

15:08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor. So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc. Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards? -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEE7GM/Dul8WSWn72odQ1nEo4DFCIUFAlode84ACgkQQ1nEo4DF CIUyAgf/eN/8zHeQVUqtrDgovckKz0QR9elBfgQKkLK/pVzeTpC9GKtKGzj7uNN+ RxTVc3Rdj0WzcoU7VfgvxAXj14B5TOpG/zEwdtPd5m1HtcvRPxOHYFQllGzKJgPx p5zF0gQ8TElLnskkO94AQDU0OAL/usgwqWtvPvu0nzS3EVr9NnezIdflxtsYLIDD Hhf+AwL6X1DfkEO7WsWFP5jEZU9KatfHgT9UP5msPU76Hk17b/ZSNX0GrO1vHNdk BPU+BJYNYlo5KvvSkk9pHz+t65H9l7iFNdh0rRjGxepmjDATdGKOWQOHbq+EQag4 991GWaYrrDG7rXq+JTglL6fkqg/LBQ== =N7ib -----END PGP SIGNATURE-----

Show replies by date

Paul Groves

28 Nov 28 Nov

15:19

On 28/11/17 15:08, Christopher Myers wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor. So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards? -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE7GM/Dul8WSWn72odQ1nEo4DFCIUFAlode84ACgkQQ1nEo4DF CIUyAgf/eN/8zHeQVUqtrDgovckKz0QR9elBfgQKkLK/pVzeTpC9GKtKGzj7uNN+ RxTVc3Rdj0WzcoU7VfgvxAXj14B5TOpG/zEwdtPd5m1HtcvRPxOHYFQllGzKJgPx p5zF0gQ8TElLnskkO94AQDU0OAL/usgwqWtvPvu0nzS3EVr9NnezIdflxtsYLIDD Hhf+AwL6X1DfkEO7WsWFP5jEZU9KatfHgT9UP5msPU76Hk17b/ZSNX0GrO1vHNdk BPU+BJYNYlo5KvvSkk9pHz+t65H9l7iFNdh0rRjGxepmjDATdGKOWQOHbq+EQag4 991GWaYrrDG7rXq+JTglL6fkqg/LBQ== =N7ib -----END PGP SIGNATURE----- N��r��y隊Z)z{.�ﮞ˛��m�)z{.��+�:�{Zr�az�'z��j)h��Ǿ� ޮ�^�ˬz�

I remember doing one on an old Intel Q35 chipset board. Check in the BIOS which IME you have and download the patch from Intel. Sometimes they have linux support and sometimes DOS support so you can use a bootable USB. Make sure you don't try to install the wrong firmware because if you do, you're gonna have a bad time! I found this interesting. https://www.theinquirer.net/inquirer/news/3019569/purism-disables-intels-man... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Christopher Myers

15:40

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tue, 2017-11-28 at 15:19 +0000, Paul Groves wrote:

...

On 28/11/17 15:08, Christopher Myers wrote:

...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor. So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards? -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE7GM/Dul8WSWn72odQ1nEo4DFCIUFAlode84ACgkQQ1nEo4DF CIUyAgf/eN/8zHeQVUqtrDgovckKz0QR9elBfgQKkLK/pVzeTpC9GKtKGzj7uNN+ RxTVc3Rdj0WzcoU7VfgvxAXj14B5TOpG/zEwdtPd5m1HtcvRPxOHYFQllGzKJgPx p5zF0gQ8TElLnskkO94AQDU0OAL/usgwqWtvPvu0nzS3EVr9NnezIdflxtsYLIDD Hhf+AwL6X1DfkEO7WsWFP5jEZU9KatfHgT9UP5msPU76Hk17b/ZSNX0GrO1vHNdk BPU+BJYNYlo5KvvSkk9pHz+t65H9l7iFNdh0rRjGxepmjDATdGKOWQOHbq+EQag4 991GWaYrrDG7rXq+JTglL6fkqg/LBQ== =N7ib -----END PGP SIGNATURE----- N��r��y隊Z)z{.�ﮞ˛��m�)z{.��+�:�{Zr�az�'z��j)h��Ǿ� ޮ�^�ˬ z�

I remember doing one on an old Intel Q35 chipset board.

Check in the BIOS which IME you have and download the patch from Intel. Sometimes they have linux support and sometimes DOS support so you can use a bootable USB. Make sure you don't try to install the wrong firmware because if you do, you're gonna have a bad time!

I found this interesting.

https://www.theinquirer.net/inquirer/news/3019569/purism-disables-int els-management-engine-on-linux-powered-laptops

I do like the idea of being able to run a laptop that doesn't have the backdoor enabled, but unfortunately work won't let us go that route (we've standardized on specific models.) In this case, Intel's not releasing firmware directly unfortunately :/ https://www.intel.com/content/www/us/en/support/articles/000025619/soft ware.html Why can’t Intel provide the necessary update for my system? Intel is unable to provide a generic update due to management engine firmware customizations performed by system and motherboard manufacturers. -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEE7GM/Dul8WSWn72odQ1nEo4DFCIUFAlodg3AACgkQQ1nEo4DF CIWB4AgAlA56raruR6Hk7K2odNS3yUPbBAUy36tx8QJyJYf+r9sPm5bZvcSyw2No FuylT6dR3uG9xQeugClHDL+zOGRHBLWo07W+CbbjzJ59Xg/cH4z9PAEPYgx7R77Y 2v2coGDvOJ71tdUqC+UehhroeHWh9feOGI599vmUT+yyrGqORGO6m4GB5Zn5Z1ag aNHsxYbnyhDxOHRpvztCx24bF0bYJvF+fwerbGxQT3+Kd42fGb2/8EMZhOWBSIlH XMr798/r2RvV2A69n7ioZRsaKOmbSkgd4Cmr0XRXYgYe3qSmWO6nj5dvhVS3cE0E 48p4RlKBhm+EWOmsbhVvj1zIljdtcQ== =qMJZ -----END PGP SIGNATURE-----

Per Jessen

16:14

Christopher Myers wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor. So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

For BIOS updates of Thinkstations and Thinkcentres, I have definitely downloaded bootable CDs in the past. -- Per Jessen, Zürich (5.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Bengt Gördén

17:11

Den 2017-11-28 kl. 17:14, skrev Per Jessen:

...

Christopher Myers wrote:

...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor. So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc. For BIOS updates of Thinkstations and Thinkcentres, I have definitely downloaded bootable CDs in the past.

Yes. That's how I do it on my X1 yoga. Christopher, Is it this you're looking for? https://pcsupport.lenovo.com/us/sv/downloads/ds120370 -- /bengan -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Christopher Myers

17:47

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tue, 2017-11-28 at 18:11 +0100, Bengt Gördén wrote:

...

Den 2017-11-28 kl. 17:14, skrev Per Jessen:

...
Christopher Myers wrote:

...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor. So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

For BIOS updates of Thinkstations and Thinkcentres, I have definitely downloaded bootable CDs in the past.

Yes. That's how I do it on my X1 yoga.

Christopher,

Is it this you're looking for?

https://pcsupport.lenovo.com/us/sv/downloads/ds120370

-- /bengan

I'm not sure to be honest; that says that it's for the BIOS, but doesn't seem to reference the IME stuff. Also, the release date for those is older than the latest bug notifications from Intel. I'll give it a try and see if the Intel diagnostic is any happier after running it though :) -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEE7GM/Dul8WSWn72odQ1nEo4DFCIUFAlodoUgACgkQQ1nEo4DF CIU2jQf+L37avkbzlLQSuUDDePqzdf36l00poPQC/fWgiSwSJ6kkmOVv9RJ+tqJc VMm4YmFd7h79vgBqsEjKu/ee1BIGf3ksnrf/Jg35BPoWEloGly5AEvDoQHGMtvRU WCqcwHkGzIMUnjIXqwKHwtFOj1vfKR5cVwjZvqzdBshzuRZnz5WdoiOdzPyPpUvb PzEB03duiV2mJvNbz8qscCnW4NI1rHKeJB74/FlLPphwzyhYYQa5CqxaJOCReXRY QWC74q3DGq/Cx2yCxbJwQr9E8m7SltCiB0hBwLRfUuFV8PkUXiIwUwE1euANJaY+ lYlpM+RM3AZX89FNdwoVXbpPMYdzLQ== =/YnN -----END PGP SIGNATURE----- N��r��y隊Z)z{.�ﮞ˛��m�)z{.��+�:�{Zr�az�'z��j)h��Ǿ� ޮ�^�ˬz��

Richmond

18:16

Christopher Myers wrote:

...

Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards?

I haven't even been able to establish if I have IME. I tried running the utility but it says detection error, and refers me to a not very helpful website. Why is it not possible to detect if IME is there by actually logging into it? if as I understand it, it is a Minix installation. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Peter Suetterlin

20:27

Christopher Myers wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor.

yes, same issue on my T460p :(

...

So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

I'm not sure how/if the IME is 'part of the BIOS'. One possible thing would be that the current IME fix is really a hotfix, and that a more general BIOS update (that also brings this IME update) will show up at a later point. BIOS updates do work as they supply CD images that you can use to create a USB boot stick (done that twice so far in 15 months).

...

Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards?

Well, I don't even have any windows around that I could use. For now I'll wait for the next BIOS update and see what happens then... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Tom Kacvinsky

20:42

...

On Nov 28, 2017, at 15:27:08, Peter Suetterlin wrote:

Christopher Myers wrote:

...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor.

yes, same issue on my T460p :(

...
So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

I'm not sure how/if the IME is 'part of the BIOS'. One possible thing would be that the current IME fix is really a hotfix, and that a more general BIOS update (that also brings this IME update) will show up at a later point. BIOS updates do work as they supply CD images that you can use to create a USB boot stick (done that twice so far in 15 months).

...
Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards?

Well, I don't even have any windows around that I could use. For now I'll wait for the next BIOS update and see what happens then...

Try this download page: https://pcsupport.lenovo.com/us/en/downloads/DS120370 There there is a bootable CD image which you should be able to convert to a bootable USB stick. The mechanics of getting a bootable CD ISO on to a bootable USB stick I would need to research. I'm sure someone here would know the answer to the latter issue, -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Tom Kacvinsky

20:50

...

On Nov 28, 2017, at 15:42:14, Tom Kacvinsky wrote:

...
On Nov 28, 2017, at 15:27:08, Peter Suetterlin wrote:

Christopher Myers wrote:

...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I ran Intel's IME firmware bug detection tool on my Lenovo T570 today, and it said that my laptop is vulnerable and to contact my vendor.

yes, same issue on my T460p :(

...
So I went to Lenovo's website and found patches...for Windows only. I'm going to bet that Lenovo won't release Linux patches, or bootable CDs with firmware patches, etc.

I'm not sure how/if the IME is 'part of the BIOS'. One possible thing would be that the current IME fix is really a hotfix, and that a more general BIOS update (that also brings this IME update) will show up at a later point. BIOS updates do work as they supply CD images that you can use to create a USB boot stick (done that twice so far in 15 months).

...
Out of curiosity, how are others addressing things like this? Do I really have to swap out my hard drive with a Windows version to install the patch, and then revert back to my nice safe Linux home afterwards?

Well, I don't even have any windows around that I could use. For now I'll wait for the next BIOS update and see what happens then...

Try this download page:

https://pcsupport.lenovo.com/us/en/downloads/DS120370

There there is a bootable CD image which you should be able to convert to a bootable USB stick. The mechanics of getting a bootable CD ISO on to a bootable USB stick I would need to research. I'm sure someone here would know the answer to the latter issue,

I see there is unetbootin for opensuse https://software.opensuse.org/package/unetbootin If I recall correctly, this should make a bootable USB stick from the ISO you downloaded. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Peter Suetterlin

20:53

Tom Kacvinsky wrote:

...

Try this download page:

https://pcsupport.lenovo.com/us/en/downloads/DS120370

Well, that's for a different laptop, and even more important, the date of the download is 13/10/2017. The IME updates were only rolled out mid november IIRC, so I doubt that BIOS update would fix the IME issue...

...

There there is a bootable CD image which you should be able to convert to a bootable USB stick. The mechanics of getting a bootable CD ISO on to a bootable USB stick I would need to research. I'm sure someone here would know the answer to the latter issue,

That's the easier part, you need geteltorito (from the geniosoimage package), geteltorito -o bios.img r07uj17wd.iso (or whatever your bios iso is called) and write that bios.img to a usb medium (using cat or dd) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

2348

Age (days ago)

2348

Last active (days ago)

List overview

Download

10 comments

7 participants

participants (7)

Bengt Gördén
Christopher Myers
Paul Groves
Per Jessen
Peter Suetterlin
Richmond
Tom Kacvinsky