Home / ubuntu / Questions / 1528418
Accepted
Håkon A. Hjortland
Asked: 2024-09-29 09:31:26 +0800 CST

How to update the Intel ME firmware in a secure manner?

  • 772

The Intel ME (Management Engine) firmware needs to be updated from time to time. Unfortunately, the update tool is often provided only as a Windows executable. Some pre-existing workarounds for Linux users are as follows:

  • Linux versions of the FWUpdLcl update tool are available in the WinRAID forum, but this is an unofficial source, so it is hard to be entirely sure about the safety and suitability of these executables.
  • Windows PE (Preinstallation Environment) can be started from a USB thumb drive and the official update utility can be run inside it. The problem with this, is that proprietary software will have access to your drives, the network, etc., which you might not want.

Is there any way to update the Intel ME firmware without jeopardizing the security of my computer?

updates

1 Answers

  1. Best Answer

    Run WinPE in a virtual machine with PCI passthrough

    One way to update the Intel ME firmware is to run Windows PE (Preinstallation Environment) in a virtual machine and give it access to the Intel ME Interface (MEI / HECI) PCI device on the host. The Intel ME firmware can then be updated from within this environment.

    Features of this solution:

    • Uses an official Windows ISO, not a live CD from somewhere on the internet
    • The proprietary software will not have access to your drives, the network, etc., which it would if it were run on bare metal
    • The firmware update is performed from within your regular Linux OS, i.e. there is no need to boot from a USB thumb drive

    Warning: The proprietary software will have access to the Intel ME Interface (MEI / HECI). It is unclear what kind of access this gives to the system, but it could potentially give access to the RAM and to any encrypted drives in their unlocked states, since this is the level of access Intel ME has to the system. So this solution could potentially be even less secure than running the Windows image on bare metal, since the drives would not be in an unlocked state in that case. Use at your own risk. This passage from an EFF article could be relevant, though: "AMT access is not the same as running arbitrary ME code, so attackers can't access system memory directly; they have to use the console, VNC, or boot OS images to accomplish their goals." A workaround could be to boot Ubuntu from a USB thumb drive and run WinPE in a virtual machine there.

    The solution presented here has been tested on an ASUS Pro WS W680-ACE motherboard with Ubuntu 24.04.

    Make a Windows PE image

    Download the necessary files

    • Official Windows 11 ISO (free to download)
    • Intel ME Interface (MEI / HECI) driver for Windows for the specific motherboard
    • Intel ME firmware update tool for Windows for the specific motherboard

    Prepare files (example)

    mkdir overlay
cp -ai motherboard/DRV_MEI_Intel_Corp_TP_W11_64_V2407.../Drivers/MEI/win10 overlay/driver-mei-win10
cp -ai motherboard/MEUpdateTool_16.1.30.2307_TP overlay/

    Make the image

    ./make-winpe

    The parent directories of the image need particular permission settings in order for virt-manager to be able to access the image, so the make-winpe script creates a world-readable /tmp/iso directory and places the image there.

    Run the image in a virtual machine

    sudo apt install virt-manager
virt-manager

    Set up a virtual machine in virt-manager:

    • Installation media: Manual install
    • Enable storage: Off
    • Customize configuration before install: Yes
    • Remove the NIC (no need for network, so avoid the security risk)
    • Add hardware: Storage: /tmp/iso/winpe-intel-me.img, disk device, USB, readonly
    • Add hardware: PCI host device: HECI controller
    • Click "Begin installation" ("Cancel installation" would remove the virtual machine)

    Screenshot of FWUpdLcl64.exe running in WinPE in virt-manager

    Screenshot of FWUpdLcl64.exe running in WinPE in virt-manager

    Files

    make-winpe

    This script is based on https://wiki.archlinux.org/title/Windows_PE.

    #!/bin/bash
set -e

# Make a Windows PE (Preinstallation Environment) GPT + FAT32 image with firmware
# update tools included.
#
# If the script crashes, use the following commands to clean up:
# sudo umount /media/winimg /media/winpe /media/winpefat
# sudo rmdir /media/winimg /media/winpe /media/winpefat
# sudo losetup -l -a | grep -v /var/lib/snapd/
# sudo losetup -d /dev/loopX
# rm winpe.iso
#
# The script is based on <https://wiki.archlinux.org/title/Windows_PE>.

################################################################################
# File locations
win_iso='win11/Win11_22H2_EnglishInternational_x64v2.iso'
overlay_dir='overlay'
start_script='start_script.cmd'
output_image='/tmp/iso/winpe-intel-me.img'
################################################################################

if ! which -s mkwinpeimg mkisofs; then
  echo 'Please run the following command:' >&2
  echo 'sudo apt install wimtools genisoimage' >&2
  exit 1
fi

if [ "$output_image" != "${output_image#/tmp/iso/}" ]; then
  if [ ! -e /tmp/iso ]; then
    mkdir --mode=755 /tmp/iso
  fi
  if [ ! -d /tmp/iso -o "$(stat -c%U /tmp/iso)" != "$USER" ]; then
    echo '/tmp/iso must be a directory owned by user!' >&2
    exit 1
  fi
fi

rm -f -- "$output_image"
if [ -e "$output_image" ]; then echo "Unable to remove $output_image!" >&2; exit 1; fi
truncate --size=1G -- "$output_image"

sudo mkdir /media/winimg
sudo mkdir /media/winpe
sudo mkdir /media/winpefat

sudo mount --read-only -- "$win_iso" /media/winimg
mkwinpeimg --iso --windows-dir=/media/winimg --overlay="$overlay_dir" \
  --start-script="$start_script" winpe.iso
sudo mount --read-only winpe.iso /media/winpe

loop="$(sudo losetup --find --show -- "$output_image")"
if [ "$loop" = "${loop#/dev/loop}" ]; then echo 'Error creating loop device!' >&2; exit 1; fi
sudo parted "$loop" \
  mklabel gpt \
  mkpart fat32 0% 100% \
  set 1 boot on \
  set 1 esp on
sudo mkfs.fat -F 32 "${loop}p1"
sudo mount -o uid="$USER" "${loop}p1" /media/winpefat

cp -a /media/winpe/* /media/winpefat/
cp -a /media/winimg/efi /media/winpefat/

sudo umount /media/winimg
sudo umount /media/winpe
sudo umount /media/winpefat
sudo losetup --detach "$loop"
rm -f -- winpe.iso

sudo rmdir /media/winimg
sudo rmdir /media/winpe
sudo rmdir /media/winpefat

echo
echo 'The UEFI-bootable WinPE image can be found here:'
printf '%s\n' "$output_image"

    start_script.cmd

    @echo Loading Intel ME Interface (MEI / HECI) driver:
@drvload \driver-mei-win10\heci.inf

@echo.
@echo ------------------------------------------------------------------------------
@type \README.txt
@echo ------------------------------------------------------------------------------
@echo.

@cd \MEUpdateTool*\FW
@echo Type "exit" to shut down the computer.
@echo.
@cmd /k

@REM Shut down the computer
@wpeutil shutdown

    Convert the file to DOS format (CRLF):

    unix2dos start_script.cmd

    overlay/README.txt

    To display the contents of this file:
type \README.txt

To show help, show current/new firmware version, update the Intel ME firmware:
cd \MEUpdateTool*\FW
FWUpdLcl64.exe -h
FWUpdLcl64.exe -fwver
FWUpdLcl64.exe -fwver ME.bin
FWUpdLcl64.exe -f ME.bin

    Convert the file to DOS format (CRLF):

    unix2dos overlay/README.txt
    • 0