From 4fd4b33f28f183d87361427f2ce8dd3e8a04fc90 Mon Sep 17 00:00:00 2001 From: Andrew Mello Date: Wed, 10 Jun 2026 16:05:10 -0400 Subject: [PATCH] Fix Lenovo P3 Ultra (30HA) activation: ManageabilityControl attribute + AmtNotReady handling Real-world run on a ThinkStation P3 Ultra 30HA (CSME 16.1.27) hit two gaps: - think-lmi attribute on P3 Ultra is ManageabilityControl (Disabled/Enabled), not AMTControl as documented; 30HA ships it Disabled from factory, so rpc activate returns AMT_STATUS_NOT_PERMITTED / Error 4 AmtNotReady until the staged toggle is applied at next POST. README now documents the per-platform attribute name, the staging command, and the one required reboot; troubleshooting table gets a matching row. - amt-activate.sh now detects AMT_STATUS_NOT_PERMITTED/AmtNotReady in the rpc log and prints the Lenovo/Dell no-BIOS-menu fix instead of the generic failure message. Also adds a headless/automation note: yay's final pacman -U dies without a TTY; build then install the cached packages explicitly. --- README.md | 19 +++++++++++++++++-- scripts/amt-activate.sh | 8 ++++++++ 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a204560..842ffbc 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,13 @@ sudo amt-activate That's it. Tool checks state, generates a strong password, activates, verifies. ~40-90 seconds total. +**Headless / automation note:** in sessions without a TTY (CI, agents, `ssh host cmd`), yay builds fine but its final `pacman -U` dies on the interactive sudo prompt. Build then install explicitly: + +```bash +yay -S --noconfirm intel-amt-activate || true # builds even if install step fails +sudo pacman -U --noconfirm ~/.cache/yay/{rpc-go-bin,intel-amt-activate}/*.pkg.tar.zst +``` + --- ## Manual flow (any distro) @@ -128,10 +135,17 @@ After activation, `rpc amtinfo` shows `DHCP Mode` flipping from `passive` → `a | **ThinkPad** | T480, T490/T490s, T14 Gen 1–5, T16, X1 Carbon Gen 6+, X280/X390/X13, P14s/P15s/P16s | ✅ vPro Enterprise SKUs only | i5/i7-vPro suffix required; vPro Essentials SKUs lack AMT | | **ThinkPad L-series** | L13, L14, L15 | ❌ | vPro Essentials only — no AMT firmware | | **ThinkCentre** | M70q/s/t, M80q/s/t, M90q/s/t Gen 1–6, M90n Nano | ✅ | M75/M9 AMD variants excluded | -| **ThinkStation** | P330, P340, P350, P360, P3 Ultra/Tower/Tiny, P520, P720 | ✅ | **P360/P3 Ultra confirmed in this repo** | +| **ThinkStation** | P330, P340, P350, P360, P3 Ultra/Tower/Tiny, P520, P720 | ✅ | **P360/P3 Ultra confirmed in this repo**; P3 Ultra (30HA) ships `ManageabilityControl=Disabled` from factory — enable + one reboot first (see below) | | **ThinkStation P620** | (AMD Threadripper Pro) | ❌ | AMD platform — no AMT | -**Lenovo BIOS toggle from Linux:** `think-lmi` exposes `/sys/class/firmware-attributes/thinklmi/attributes/AMTControl` on T14 Gen 2+, X1 Gen 9+, M90q Gen 2+, P3 Ultra. Set to `Enable`, save, then `rpc activate`. No BIOS visit required if your platform exposes this attribute. +**Lenovo BIOS toggle from Linux:** `think-lmi` exposes the AMT toggle under `/sys/class/firmware-attributes/thinklmi/attributes/` — the attribute **name varies by platform**: `AMTControl` on T14 Gen 2+, X1 Gen 9+, M90q Gen 2+; `ManageabilityControl` on ThinkStation P3 Ultra (30HA, values `Disabled`/`Enabled`). Find yours, then stage it: + +```bash +ls /sys/class/firmware-attributes/thinklmi/attributes/ | grep -iE 'amt|manage' +echo Enabled | sudo tee /sys/class/firmware-attributes/thinklmi/attributes/ManageabilityControl/current_value +``` + +The change is staged in NVRAM and takes effect at the **next POST** — running `rpc activate` before rebooting fails with `AMT_STATUS_NOT_PERMITTED` / `Error 4: AmtNotReady`. Reboot once, then activate. Still no BIOS menu visit required. #### Dell @@ -254,6 +268,7 @@ sudo rpc deactivate -local | Activation hangs 5-15 minutes | Expected on AMT 16.1.25 / AMT 18.x without LMS | Be patient. AMT 16.1.27 takes ~40s. AMT 18 may take 15 min per rpc-go #1119 | | Activation never completes on AMT 19+ | LME interface removed in CSME 19.x | Install LMS daemon: `yay -S intel-amt-linux` ships LMS in Docker | | `Execution timeout after 20s` × 3 then exit | AMT not in pre-provisioning, BIOS has AMT disabled, or OEM-preset MEBx password | Check `rpc amtinfo`; reset BIOS / Unconfigure AMT if MEBx is locked | +| `AMT_STATUS_NOT_PERMITTED` / `Error 4: AmtNotReady` on activate | Manageability disabled in BIOS — `rpc amtinfo` shows `Operational State: disabled`. ThinkStation P3 Ultra (30HA) ships this way from factory | Stage the BIOS toggle from Linux (Lenovo `think-lmi` / Dell `cctk`, see vendor table), reboot once, re-run `rpc activate -local -ccm` | | IP stays `0.0.0.0` after activation | DHCP not yet leased | Wait 30-60s, re-run `rpc amtinfo`. AMT NIC requests DHCP after CCM transition completes | | `401 Unauthorized` after activation | Known WiFi/802.1x sync bug on certain firmware | rpc-go #1310 — open issue as of May 2026 | | `wsmancli`/`openwsman` build fails on Arch | Upstream openwsman is dead since 2019; Ruby rdoc build crash | Use `rpc-go-bin` instead; do not install wsmancli on Arch | diff --git a/scripts/amt-activate.sh b/scripts/amt-activate.sh index 8a19801..11b31b1 100755 --- a/scripts/amt-activate.sh +++ b/scripts/amt-activate.sh @@ -102,6 +102,14 @@ echo "" if grep -q "Device activated in Client Control Mode" "$LOG_FILE"; then info "Activation successful." +elif grep -qE "AMT_STATUS_NOT_PERMITTED|AmtNotReady" "$LOG_FILE"; then + warn "Firmware refused activation: manageability is disabled in BIOS." + echo " Stage the toggle from Linux (no BIOS menu needed), reboot once, re-run:" + echo " Lenovo: ls /sys/class/firmware-attributes/thinklmi/attributes/ | grep -iE 'amt|manage'" + echo " echo Enabled | sudo tee /sys/class/firmware-attributes/thinklmi/attributes/ManageabilityControl/current_value" + echo " Dell: sudo cctk --AdvancedAmt=Enable" + echo " The setting takes effect at next POST." + exit 1 else err "Activation may have failed — check $LOG_FILE" fi