Is there any way to get Intel TXT or some other measured/trusted local component to measure the MEBx/AMT configurations into some PCR?
I have been doing some experiments on some Intel NUCs looking at how different aspects of the boot process affect the different PCRs, and none of the PCRs seem to reflect changes in MEBx. No changes in the PCRs when MEBx passwords are changed. No changes in the PCRs when AMT is set up to allow remote access through KVM.
1) Shouldn't such changes show up in PCR 1 or PCR 7?
2) If not, doesn't this present a significant security hole, especially from an LCP and remote-attestation perspective?
3) Is there any way for an application or the kernel running locally on the machine to check that machine's MEBx or AMT configurations during run time?
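
For anyone repeating the experiment described in the post, the following added example (not part of the original post) compares two PCR snapshots taken before and after a configuration change and lists every bank/index that differs. It assumes the snapshots are saved text in the layout printed by `tpm2_pcrread` from tpm2-tools; the sample digests are constructed, shortened placeholders, and the function names are hypothetical.

```python
import re

# Constructed snapshots (shortened placeholder digests, not from a real machine).
BEFORE = """\
  sha1:
    0 : 0x1111
    1 : 0x2222
    7 : 0x3333
  sha256:
    0 : 0xAAAA
    1 : 0xBBBB
    7 : 0xCCCC
"""
# Same values with different hex case, except sha256 PCR 1, which is changed
# here by construction to show what a detected difference looks like.
AFTER = BEFORE.replace("0xAAAA", "0xaaaa").replace("0xBBBB", "0xDDDD")

BANK_RE = re.compile(r"^\s*(sha\w+|sm3_256)\s*:\s*$", re.I)
PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9a-fA-F]+)\s*$")

def parse_pcrs(text):
    """Return {(bank, index): lowercase hex digest} from tpm2_pcrread-style text."""
    pcrs, bank = {}, None
    for line in text.splitlines():
        m = BANK_RE.match(line)
        if m:
            bank = m.group(1).lower()
            continue
        m = PCR_RE.match(line)
        if m and bank:  # ignore digest lines that appear before any bank header
            pcrs[(bank, int(m.group(1)))] = m.group(2).lower()
    return pcrs

def diff_pcrs(before, after):
    """List (bank, index, old, new) for each PCR that differs; None means absent."""
    a, b = parse_pcrs(before), parse_pcrs(after)
    return [(bank, idx, a.get((bank, idx)), b.get((bank, idx)))
            for bank, idx in sorted(a.keys() | b.keys())
            if a.get((bank, idx)) != b.get((bank, idx))]

if __name__ == "__main__":
    changes = diff_pcrs(BEFORE, AFTER)
    for bank, idx, old, new in changes:
        print(f"{bank} PCR {idx}: {old} -> {new}")
    if not changes:
        print("no PCR changed between snapshots")
```

An empty result across all banks corresponds to the observation in the post: the change made between the two snapshots was not extended into any PCR.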