Intel Management Engine: Difference between revisions

From coreboot
Line 11: Line 11:
! Firmware
! Firmware
! Microarchitecture
! Microarchitecture
! ME location
! ME location and physical capabilities
! ME physical capabilities
! ME restrictions
! ME restrictions
|-
|-
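Review bot: merging the "ME location" and "ME physical capabilities" headers into "! ME location and physical capabilities" leaves the prose under "Freedom and security issues" still telling readers to see "ME physical capabilities", a column name that no longer exists after this revision. Update that reference to the new header name in the same edit.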
Line 18: Line 17:
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]
| rowspan="2" | Inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]
| rowspan="2" |
| rowspan="2" |
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the memory
* Has access to the memory
* Controls the computer's original networking adapters  
* Controls the computer's original networking adapters  
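Review bot: the new cell text "The ME is inside the PCH, it:" is a comma splice; "The ME is inside the PCH. It:" reads better. The same location sentence and capability list are also pasted identically into each microarchitecture group in this diff, so a single cell spanning all the groups would keep the copies from drifting apart.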
Line 31: Line 30:
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]
| rowspan="3" | Inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]
| rowspan="3" |
| rowspan="3" |
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the memory
* Has access to the memory
* Controls the computer's original networking adapters  
* Controls the computer's original networking adapters  
Line 47: Line 46:
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]
| rowspan="7" | Inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]
| rowspan="7" |
| rowspan="7" |
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the memory
* Has access to the memory
* Controls the computer's original networking adapters  
* Controls the computer's original networking adapters  
Line 75: Line 74:
| ?
| ?
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]
| rowspan="2" | Inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]
| rowspan="2" |
| rowspan="2" |
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the memory
* Has access to the memory
* Controls the computer's original networking adapters  
* Controls the computer's original networking adapters  
| rowspan="2" |  
| rowspan="2" |
* The ME firmware is signed.
* The ME firmware is signed.
|-
|-

Revision as of 18:26, 13 August 2014

Uses of the Management Engine

The Management Engine (often abbreviated ME) is a CPU that permits out-of-band management of the computer.

Freedom and security issues

  • The code that is running inside the management engine is proprietary and signed
  • The management engine CPU has access to a lot of things, see "ME physical capabilities" for more details.

Where

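| Board | Firmware | Microarchitecture | ME location and physical capabilities | ME restrictions |
|---|---|---|---|---|
| Lenovo x201 | AMT | Nehalem | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Packard Bell EasyNote LM85 (MS2290) | AMT? | Nehalem | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Samsung Series 5 550 Chromebook | me.bin | Sandy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Samsung Series 3 Chromebox | me.bin | Sandy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Lenovo t520 | AMT | Sandy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Google/HP Pavilion Chromebook 14 | me.bin | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Google Chromebook Pixel | me.bin | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Google/Acer C7 Chromebook | me.bin | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Google/Lenovo Thinkpad X131e Chromebook | me.bin | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Lenovo t530 | AMT | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Lenovo x230 | AMT | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Kontron KTQM77/mITX | AMT? | Ivy Bridge | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Google/Acer C720 Chromebook | ? | Haswell | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |
| Google/HP Chromebook 14 | ? | Haswell | Inside the PCH; has access to the memory; controls the computer's original networking adapters | The ME firmware is signed. |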

Why there is no replacement for it yet

Replacing the ME firmware is not that easy because:

  • Its firmware is signed
  • On recent chipsets, its RAM region is locked while it is allocated

Firmware signature

RAM region is locked

See also