> I don't think this is actually possible with physical access — a properly configured system will at least require a supervisor password to disable Secure Boot.

I don't think AMT lets you bypass a supervisor password, so you'd have the same problem there. The point I was trying to make (not terribly clearly) was that it doesn't give you any means of persistence that physical access wouldn't also give you.

> This is not true if you've rolled your own Platform Keys and sign&boot plain kernel images (with initramfs bundled into them).

True, there are some niche configurations where you wouldn't have to worry about this.