Unfortunately it seems to be full of holes.
After downloading and running a tool from Intel to check whether my system was vulnerable, Intel-SA-00086 Detection Tool , and getting the unfortunate message:
Based on the analysis performed by this tool: This system is vulnerable. Explanation: The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086. Contact your system manufacturer for support and remediation of this system.
I started looking for how to update the faulty code in my processor.
I found a description on how somebody updated their Lenovo X1 Carbon 5th gen, Solved: Re: X1 Carbon 5th gen on Linux: How to update Intel Management Engine 11.8 Firmware??, which was basically a couple of amendments to another guide: Updating Intel Management Engine firmware on a Lenovo without a Windows Install, which was written for a Gen 4.
Here is what I did to upgrade my Lenovo X1 Carbon 3rd gen running Debian unstable:
- Start downloading a Windows 10 32-bit English ISO from Microsoft: Download Windows 10 Disc Image (ISO File). It takes a while (3.3GB).
- Download the two updates from Lenovo, Intel Management Engine Firmware 10.0 for Windows 10 (64-bit), 8.1 (64-bit) - ThinkPad - n10rg48w.exe (4.5MB) and Intel Management Engine 11.0 Software for Windows 10 (64-bit), 8.1 (64-bit) - ThinkPad - n10rc02w.exe (89MB)
- To extract the content of the two
.exefiles from Lenovo, install the Debian packages
cabextract, and then run
innoextract n10rc02w.exe. This creates a new folder
- In the new
cabextract SetupME.exe, which, among other folders creates one called
HECI_REL, which you will be using later. Put the
appfolder into a new folder:
mkdir winpe_overlay; mv app winpe_overlay/
- Now, to make a bootable USB-stick with some kind of
Windows-recovery thing on it, you need to install the Debian package
wimtools. Wait until the Windows 10 iso has finished downloading, and then mount it:
sudo mount -o loop,ro Win10_1709_English_x32.iso /mnt
- You can now create the image for the USB stick, by running
mkwinpeimg -W /mnt/ -O winpe_overlay disk.img
- Write the
disk.imgto your USB stick, using
dd if=disk.img bs=128K of=/dev/sdX(where
Xis the letter of your USB stick,
bin my case), and boot he computer from it. If you haven't already, turn Secure Boot off, Legacy BIOS on.
- Once booted into the Windows command line recovery thing, you need to
run these commands:
cd \ cd app\HECI_REL\win10 drvload heci.inf cd \ cd app MEUpdate.cmdWait for the command to finish. For me it complained about
Shutdown.exenot being available at the end, so I just typed
exit, and that was enough to reboot the machine.
Running the detection tool now says:
INTEL-SA-00086 Detection Tool Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 220.127.116.11 Scan date: 2017-12-09 16:59:33 GMT
*** Host Computer Information *** Name: tullinup Manufacturer: LENOVO Model: 20BSCTO1WW Processor Name: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz OS Version: debian buster/sid (4.14.0-1-amd64)
*** Intel(R) ME Information *** Engine: Intel(R) Management Engine Version: 10.0.56.3002 SVN: 0
*** Risk Assessment *** Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.
For more information refer to the INTEL-SA-00086 Detection Tool Guide or the Intel Security Advisory Intel-SA-00086 at the following link: https://www.intel.com/sa-00086-support