coreboot - User contributions [en] (Atom feed of contributions by GNUtoo, MediaWiki 1.40.0, generated 2024-03-29T06:44:55Z)
https://www.coreboot.org/api.php?action=feedcontributions&user=GNUtoo&feedformat=atom

Revision 34848 of User:GNUtoo/APU1 reflashing, 2018-05-10T13:52:25Z, by GNUtoo
== WARNING ==
This howto is extremely dangerous: following it will most probably leave you with a non-booting mainboard. It is a work in progress; the warning will be removed once it is in good shape.

== WIP HOWTO ==
 $ git clone git://github.com/pcengines/flashrom.git
 $ TODO: checkout the right branch and apply patches if necessary
 $ make clean
 $ make CONFIG_INTERNAL=yes CONFIG_NOTHING=yes install
 
 $ sudo ./flashrom -w ../coreboot/build/coreboot.rom -p internal
 flashrom v1.0-25-gbf0ac34 on Linux 4.16.5-gnu-1 (x86_64)
 flashrom is free software, get the source code at https://flashrom.org
 
 coreboot table found at 0xdfd71000.
 Found chipset "AMD SB7x0/SB8x0/SB9x0".
 Enabling flash write... OK.
 Identifying board "PC Engines apu1"... OK.
 Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
 Reading old flash chip contents... done.
 Erasing and writing flash chip... AMD SPI FIFO pointer corruption! Pointer is 0, wanted 3
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 Verification impossible because read failed at 0x80000 (len 0x10000)
 ERASE FAILED!
 Reading current flash chip contents... AMD SPI FIFO pointer corruption! Pointer is 0, wanted 3
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 Can't read anymore! Aborting.
 FAILED!
 Uh oh. Erase/write failed. Checking if anything has changed.
 Reading current flash chip contents... done.
 Apparently at least some data has changed.
 Your flash chip is in an unknown state.
 Get help on IRC at chat.freenode.net (channel #flashrom) or
 mail flashrom@flashrom.org with the subject "FAILED: <your board name>"!
 -------------------------------------------------------------------------------
 DO NOT REBOOT OR POWEROFF!
 
 $ sudo flashrom -w ../coreboot/build/coreboot.rom -p internal
 flashrom v1.0-25-gbf0ac34 on Linux 4.16.5-gnu-1 (x86_64)
 flashrom is free software, get the source code at https://flashrom.org
 
 coreboot table found at 0xdfd71000.
 Found chipset "AMD SB7x0/SB8x0/SB9x0".
 Enabling flash write... OK.
 Identifying board "PC Engines apu1"... OK.
 Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
 Reading old flash chip contents... done.
 Erasing and writing flash chip... AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
 Something else is accessing the flash chip and causes random corruption.
 Please stop all applications and drivers and IPMI which access the flash chip.
 RDSR failed!
 Erase/write done.
 Verifying flash... VERIFIED.

Revision 34847 of User:GNUtoo/APU1 reflashing, 2018-05-10T13:49:04Z, by GNUtoo (earlier revision: the same text as revision 34848 above, without the WARNING section)
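The reflashing procedure above (build the pcengines flashrom, write the image with the internal programmer, and retry when flashrom reports the chip in an unknown state) as an added wrapper script. This is example code written for this page; it is not code from the wiki page, from PC Engines or from the flashrom project. It assumes that the flashrom binary built above is in $PATH (overridable through the FLASHROM variable), that the chip is the 2048 kB MX25L16xx part flashrom identified on this board, and a hypothetical retry limit MAX_TRIES; the PROGRAMMER variable, the script name apu1-flash.sh and the backup file name are likewise choices made here. The outcome detection relies only on the message strings visible in the log above ("Your flash chip is in an unknown state." followed by "DO NOT REBOOT OR POWEROFF!" on the first attempt, "Verifying flash... VERIFIED." on the second).

```shell
#!/bin/sh
# Added example wrapper for the apu1 internal reflash above; not the wiki
# page's or flashrom's own code. Assumptions: the flashrom built from the
# pcengines tree is in $PATH (override with FLASHROM=), the chip is the
# 2048 kB MX25L16xx flashrom reported, MAX_TRIES is an arbitrary limit.
set -u

FLASHROM="${FLASHROM:-flashrom}"
PROGRAMMER="${PROGRAMMER:-internal}"
CHIP_KB=2048
MAX_TRIES="${MAX_TRIES:-5}"

# Refuse an image whose size does not match the chip; flashrom would
# reject it as well, but checking first avoids a needless write attempt.
check_image_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq $((CHIP_KB * 1024)) ]
}

# Classify a captured flashrom run by the messages seen in the log above:
#   verified - "Verifying flash... VERIFIED." was printed
#   unknown  - erase/write failed and flashrom printed "Your flash chip is
#              in an unknown state." (then "DO NOT REBOOT OR POWEROFF!")
#   failed   - anything else
classify_flashrom_output() {
    if grep -qF 'Verifying flash... VERIFIED.' "$1"; then
        echo verified
    elif grep -qF 'Your flash chip is in an unknown state.' "$1"; then
        echo unknown
    else
        echo failed
    fi
}

# Write the image, retrying (without rebooting) while flashrom leaves the
# chip in an unknown state. The log above shows exactly this pattern: the
# first attempt died on "AMD SPI FIFO pointer corruption", the second one
# wrote and verified the whole chip.
flash_with_retry() {
    image=$1
    log=${TMPDIR:-/tmp}/flashrom.$$.log
    n=1
    while [ "$n" -le "$MAX_TRIES" ]; do
        "$FLASHROM" -p "$PROGRAMMER" -w "$image" >"$log" 2>&1 || true
        case $(classify_flashrom_output "$log") in
            verified) rm -f "$log"; return 0 ;;
            unknown)  echo "attempt $n: chip in unknown state, retrying; do not reboot" >&2 ;;
            *)        cat "$log" >&2; rm -f "$log"; return 1 ;;
        esac
        n=$((n + 1))
    done
    echo "gave up after $MAX_TRIES attempts; chip may be in an unknown state, do not reboot or power off" >&2
    return 1
}

main() {
    image=$1
    check_image_size "$image" || { echo "$image is not $CHIP_KB kB" >&2; return 1; }
    # Keep a copy of what is on the chip before touching it; it is what
    # you would put back through the SPI header if recovery is needed.
    backup="backup-$(date +%Y%m%d-%H%M%S).rom"
    "$FLASHROM" -p "$PROGRAMMER" -r "$backup" || return 1
    flash_with_retry "$image" || return 1
    # Independent read-back comparison against the image just written.
    "$FLASHROM" -p "$PROGRAMMER" -v "$image"
}

# Only flash when invoked with an image path: sh apu1-flash.sh coreboot.rom
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The retry loop deliberately never reboots or powers off between attempts, which is what flashrom's own message asks for when the chip is left in an unknown state; if all attempts fail, the backup taken before the first write is what you would restore through the board's SPI header.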
Revision 34846 of Board:pcengines/apu1, 2018-05-10T13:44:38Z, by GNUtoo (edit summary: /* Status */)
== Status ==

{{Status|

|CPU_status = OK
|CPU_L1_status = Unknown
|CPU_L1_comments = How to test?
|CPU_L2_status = Unknown
|CPU_L2_comments = How to test?
|CPU_L3_status = N/A
|CPU_multiple_status = N/A
|CPU_multicore_status = OK
|CPU_virt_status = Untested

|RAM_EDO_status = N/A
|RAM_SDRAM_status = N/A
|RAM_SODIMM_status = N/A
|RAM_DDR_status = N/A
|RAM_DDR2_status = N/A
|RAM_DDR3_status = OK
|RAM_DDR3_comments = Soldered on board
|RAM_dualchannel_status = N/A
|RAM_ecc_status = N/A

|IDE_status = N/A
|IDE_25_status = N/A
|CDROM_DVD_status = N/A
|SATA_status = OK
|SATA_comments = Tested with an mSATA SSD and a SATA SSD at the same time
|Onboard_SCSI_status = N/A
|USB_status = OK
|Onboard_VGA_status = N/A
|Onboard_ethernet_status = OK
|Onboard_ethernet_comments = Works in GNU/Linux
|Onboard_audio_status = N/A
|Onboard_modem_status = N/A
|Onboard_firewire_status = N/A
|Smartcard_status = N/A
|Onboard_CF_status = N/A
|Onboard_PCMCIA_status = N/A
|ISA_cards_status = N/A
|AMR_cards_status = N/A
|AGP_cards_status = N/A
|PCI_cards_status = N/A
|PCIE_x1_status = N/A
|PCIE_x2_status = N/A
|PCIE_x4_status = N/A
|PCIE_x8_status = N/A
|PCIE_x16_status = N/A
|PCIE_x32_status = N/A
|HTX_status = N/A
|Mini_PCI_cards_status = N/A
|Mini_PCI_Express_cards_status = OK
|Mini_PCI_Express_cards_comments = Tested with one ath9k card in each slot, works fine
|PCIX_cards_status = N/A

|Floppy_status = N/A
|COM1_status = OK
|COM1_comments = [[Serial_console#DE-9|DE-9]]
|COM2_status = Untested
|COM2_comments = Non-standard pin header
|PP_status = N/A
|PS2_keyboard_status = N/A
|PS2_mouse_status = N/A
|Game_port_status = N/A
|IR_status = N/A
|Speaker_status = Untested
|DiskOnChip_status = N/A

|Sensors_status = N/A
|Watchdog_status = N/A
|SMBus_status = Untested
|SMBus_comments = SMBus header
|CAN_bus_status = N/A
|CPUfreq_status = Unknown
|Powersave_status = Unknown
|ACPI_status = OK
|ACPI_comments = Works in GNU/Linux
|Reboot_status = OK
|Suspend_status = Untested
|Poweroff_status = OK
|LEDs_status = Untested
|HPET_status = OK
|RNG_status = N/A
|WakeOnModem_status = N/A
|WakeOnLAN_status = Untested
|WakeOnKeyboard_status = N/A
|WakeOnMouse_status = N/A
|Flashrom_status = OK

}}

== Proprietary components status ==
* VGA: no video ports are populated and video is disabled in the coreboot config, but an unpopulated HDMI header is available.

== TODO ==
* Test the untested items in "Status"

== Recovery ==
* SPI header for reflashing the BIOS flash chip with an external programmer
* LPC header that allows booting from LPC instead of SPI ([http://www.pcengines.ch/lpc1aapu.htm Flash recovery board LPC1AAPU]).

{{GPL}}

Revision 34845 of Board:pcengines/apu1, 2018-05-10T13:42:56Z, by GNUtoo (edit summary: /* Status */; earlier revision: the same text as revision 34846 above, without the SATA comment)
Revision 34844 of Board:pcengines/apu1, 2018-05-10T13:42:29Z, by GNUtoo (edit summary: /* Status */ The 2 slots are mini PCI Express and not mini PCI; earlier revision: the same text as revision 34846 above, without the SATA comment and with the Mini PCI Express comment reading "tested with an ath9k, works fine")
Revision 34843 of User:GNUtoo/APU1 reflashing, 2018-05-10T13:36:10Z, by GNUtoo (earlier revision of the first page in this feed: only the two flashrom logs, run as root as "# flashrom -w build/coreboot.rom -p internal", without the WARNING section or the build steps)
Revision 34842 of User:GNUtoo/APU1 reflashing, 2018-05-10T13:02:21Z, by GNUtoo (earlier revision: the same two flashrom logs, run as "# flashrom -w ../coreboot/coreboot.rom -p internal", in <source> blocks)
Revision 34841 of User:GNUtoo/APU1 reflashing, 2018-05-10T13:01:53Z, by GNUtoo (edit summary: Created page with "<source lang="bash"> # flashrom -w ../coreboot/coreboot.rom -p internal flashrom v1.0-25-gbf0ac34 on Linux 4.16.5-gnu-1 (x86_64) flashrom is free software, get the source code..."; first revision: the same two flashrom logs in <source lang="bash"> blocks)
Revision 34839 of SeaBIOS, 2018-05-10T12:50:39Z, by GNUtoo (edit summary: /* Adding sgabios support */)
<hr />
<div>[http://seabios.org '''SeaBIOS'''] is an open-source legacy BIOS implementation which can be used as a coreboot [[Payloads|payload]]. It implements the standard [https://secure.wikimedia.org/wikipedia/en/wiki/BIOS BIOS] calling interfaces that a typical x86 proprietary BIOS implements.<br />
<br />
This page describes using SeaBIOS with coreboot. SeaBIOS can also run natively in [[QEMU]] and [http://bochs.sourceforge.net/ bochs] &mdash; see the [http://seabios.org SeaBIOS website] for information on non-coreboot uses.<br />
<br />
= Use cases =<br />
<br />
Any software requiring 16-bit BIOS services benefits from SeaBIOS (eg, Windows and DOS). SeaBIOS also enables booting Linux out of the box (using standard boot-loaders like GRUB and Syslinux).<br />
<br />
SeaBIOS supports booting from ATA hard drives, ATAPI CDROMs, USB hard drives, USB CDROMs, payloads in flash, and from [http://en.wikipedia.org/wiki/Option_ROM Option ROMs] (eg, SCSI or network cards). SeaBIOS can initialize and use a PS/2 keyboard or USB keyboard.<br />
<br />
== Windows ==<br />
<br />
SeaBIOS has been tested with Windows XP, Windows 2008, Windows Vista (64/32 bit), Windows 7 (32 bit and 64 bit).<br />
<br />
However, Windows has a very strict ACPI interpreter, and some coreboot boards do not have a complete [[ACPI|ACPI definition]]. As a result, some coreboot boards may fail during Windows boot (eg, it may fail with a '''STOP 0xA5''' code).<br />
<br />
Many boards do have working ACPI and are able to boot XP/Vista/Windows 7. Please check the board documentation or ask on the [[Mailinglist|mailing list]] if unsure of the status.<br />
<br />
== Linux ==<br />
<br />
SeaBIOS has been tested with GRUB, LILO, and Syslinux. Linux booting works well.<br />
<br />
== Other ==<br />
<br />
SeaBIOS has also been tested with FreeDOS, NetBSD, and OpenBSD.<br />
<br />
Because SeaBIOS implements the standard x86 BIOS interfaces, it is expected many other operating systems and boot-loaders will work.<br />
<br />
= Building =<br />
<br />
== Building via coreboot's menuconfig ==<br />
<br />
Probably the easiest way to use SeaBIOS as a coreboot payload is to use the coreboot build process itself, which nowadays downloads and builds SeaBIOS as the default payload. You just have to run the following in your coreboot checkout:<br />
<br />
<source lang="bash"><br />
$ make menuconfig<br />
$ make<br />
</source><br />
<br />
Both SeaBIOS and coreboot will be built, and SeaBIOS will be added as the payload to the '''coreboot.rom''' image that is being built.<br />
<br />
== Manual build ==<br />
<br />
One can download the latest version of SeaBIOS from its git repository:<br />
<br />
<source lang="bash"><br />
$ git clone git://git.seabios.org/seabios.git seabios<br />
$ cd seabios<br />
</source><br />
<br />
There's also a [https://review.coreboot.org/gitweb/cgit/seabios.git/ cgit] facility to browse the latest source code online.<br />
<br />
Run '''make menuconfig''' and set the following variables:<br />
<br />
* CONFIG_COREBOOT 1<br />
* CONFIG_DEBUG_SERIAL 1<br />
<br />
Then:<br />
<br />
<source lang="bash"><br />
$ make<br />
</source><br />
<br />
The final SeaBIOS payload file is '''out/bios.bin.elf'''.<br />
<br />
== coreboot ==<br />
<br />
Configure coreboot with the following all disabled: '''CONFIG_VGA_ROM_RUN''', '''CONFIG_PCI_ROM_RUN''', '''CONFIG_ON_DEVICE_ROM_RUN'''<br />
<br />
Then configure the SeaBIOS '''out/bios.bin.elf''' file as the coreboot payload and build coreboot. The resulting '''coreboot.rom''' file will contain both SeaBIOS and coreboot, and it can be flashed to a ROM chip.<br />
<br />
= SeaBIOS and CBFS =<br />
<br />
SeaBIOS can read the coreboot flash filesystem and extract files. Details on the CBFS files that SeaBIOS supports are on the [http://seabios.org/Runtime_config SeaBIOS wiki].<br />
<br />
The following examples show some commonly used features.<br />
<br />
== Adding a VGA option ROM ==<br />
<br />
It is frequently necessary to add a VGA option ROM to CBFS in order to use a VGA adapter that is built into a motherboard. Note that VGA adapters on external cards (PCI, AGP, PCIe) do not require this step, as SeaBIOS will automatically extract the VGA BIOS directly from the card. For machines without a VGA adapter, please follow the [[#Adding sgabios support|sgabios instructions]] below.<br />
<br />
=== Using your BIOS's VGA option rom ===<br />
The first step is to find the vendor and device ID of the built-in VGA adapter. This information can be found from '''lspci''':<br />
<br />
<source lang="bash"><br />
$ lspci -vnn<br />
...<br />
01:00.0 VGA compatible controller [0300]: VIA Technologies, Inc. UniChrome Pro IGP ['''1106:3344'''] (rev 01) (prog-if 00 [VGA controller])<br />
</source><br />
<br />
In the above example, the VGA vendor/device ID is '''1106:3344'''. [[VGA support#How_to_retrieve_a_good_video_bios|Obtain the VGA ROM]] (eg, '''vgabios.bin''') and add it to the ROM with:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/vgabios.bin -n pci1106,3344.rom -t optionrom<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
Alternatively, SeaBIOS supports LZMA compressed option ROMs. Use the following to add a compressed option ROM instead:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/vgabios.bin -c lzma -n pci1106,3344.rom.lzma -t optionrom<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
After the above is done, one can write the '''coreboot.rom''' file to flash. SeaBIOS will extract the VGA ROM and run it during boot.<br />
<br />
=== Adding sgabios support ===<br />
<br />
An [http://code.google.com/p/sgabios/ sgabios] option ROM can forward many VGA BIOS requests and keyboard events over a serial port. One can deploy it in addition to the primary VGA BIOS or by itself.<br />
<br />
If the target machine does not have a VGA adapter, then one should install sgabios. Most bootloaders (eg, GRUB) require a VGA BIOS in order to function properly &mdash; the sgabios ROM can fill this requirement.<br />
<br />
Place the sgabios ROM file in the '''vgaroms/''' directory of CBFS. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/sgabios.bin -n vgaroms/sgabios.bin -t raw<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
When using sgabios, all the characters that SeaBIOS writes to the screen will be seen twice &mdash; once from SeaBIOS sending the character to the serial port and once from sgabios forwarding the character. To prevent the duplicates, set the [[#Other Configuration items|config file]] '''etc/screen-and-debug''' to zero. This can be done with:<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add-int -i 0 -n etc/screen-and-debug<br />
</source><br />
<br />
=== Using coreboot VGA support ===<br />
Coreboot can initialize the GPU of some mainboards. After initializing the GPU, information about it is passed to the payload.<br />
<br />
SeaBIOS can provide an option rom that implements legacy VGA BIOS compatibility for coreboot initialized GPUs. To use this feature select '''CONFIG_VGA_COREBOOT''' (in "make menuconfig" under "VGA ROM ---> VGA Hardware Type" select "coreboot linear framebuffer").<br />
<br />
The resulting option rom '''out/vgabios.bin''' should be added to the '''vgaroms/''' directory of CBFS. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/seabios/out/vgabios.bin -n vgaroms/seavgabios.bin -t raw<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
One should note that many bootloaders expect some VBIOS functionality which this vgabios does not provide.<br />
To overcome this issue one can use a bootloader that does not require this functionality. For instance, GRUB works fine if configured in text mode. To achieve this, uncomment or add the following line in /etc/default/grub:<br />
<br />
GRUB_TERMINAL_OUTPUT=console<br />
<br />
and regenerate the grub configuration:<br />
<br />
<source lang="bash"><br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
</source><br />
<br />
=== Geode option roms ===<br />
There are two VGA option roms for Geode in SeaBIOS; they can be found under "VGA ROM --->" in "make menuconfig":<br />
<br />
* The first one is for the Geode LX; it's named "GeodeLX" in "make menuconfig"<br />
* The second one is for the Geode GX2; it's named "Geode GX2" in "make menuconfig"<br />
<br />
== Adding a graphical "bootsplash" image ==<br />
<br />
SeaBIOS can show a custom [http://en.wikipedia.org/wiki/JPEG JPEG] image or [http://en.wikipedia.org/wiki/BMP_file_format BMP] image during bootup. To enable this, add the JPEG file to flash with the name '''bootsplash.jpg''' or BMP file as '''bootsplash.bmp'''. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/image.jpg -n bootsplash.jpg -t raw<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
The size of the image determines the video mode to use for showing the image. Make sure the dimensions of the image exactly correspond to an available video mode (eg, 640x480, or 1024x768), otherwise it will not be displayed.<br />
<br />
SeaBIOS will show the image during the wait for the boot menu (if the boot menu has been disabled, users will not see the image). The image should probably have "Press F12 for boot menu" embedded in it so users know they can enter the normal SeaBIOS boot menu. By default, the boot menu prompt (and thus graphical image) is shown for 2.5 seconds. This can be customized via a [[#Other Configuration items|configuration parameter]].<br />
<br />
The JPEG viewer in SeaBIOS uses a simplified decoding algorithm. It supports most common JPEGs, but does not support all possible formats. Please see the [[#Trouble reporting|Trouble reporting]] section if a valid image isn't displayed properly.<br />
<br />
== Adding gpxe support ==<br />
<br />
A [[GPXE|gpxe]] option ROM can nicely complement SeaBIOS and coreboot by adding network boot support. Adding gpxe is similar to [[#Adding a VGA option ROM]]. The first step is to find the Ethernet vendor/device ID. For example:<br />
<br />
<source lang="bash"><br />
$ lspci -vnn<br />
...<br />
00:09.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL-8110SC/8169SC Gigabit Ethernet ['''10ec:8167'''] (rev 10)<br />
</source><br />
<br />
Then one can build a gpxe option ROM. For example:<br />
<br />
<source lang="bash"><br />
$ cd /path/to/gpxe/src/<br />
$ make bin/10ec8167.rom<br />
</source><br />
<br />
And add it to the coreboot image. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/gpxe/src/bin/10ec8167.rom -n pci10ec,8167.rom -t optionrom<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
As with VGA option ROMs, the gpxe option ROM may be compressed with LZMA. However, compression won't significantly reduce gpxe's size as it implements its own compression.<br />
<br />
In addition to gpxe, other option ROMs can be added in the same manner.<br />
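Both option ROM recipes on this page (the VGA ROM and the gpxe ROM) end in a '''pciVVVV,DDDD.rom''' file name that has to match the device the ROM was built for. The following POSIX shell script is an added example, not code from the SeaBIOS or coreboot projects: it reads the legacy option ROM header and the PCI data structure ("PCIR") of an image, checks that the declared length matches the file size (which catches a truncated or wrong-format blob before it is written to flash), and prints the CBFS name to use for it. The function names and the 512-byte sample image, built with the 1106:3344 IDs from the lspci output above and containing no code, are constructed for this example.<br />

```shell
#!/bin/sh
# Added example: sanity-check a PCI option ROM image before adding it to
# CBFS, and derive the file name SeaBIOS looks up for it (pciVVVV,DDDD.rom).
# Field offsets follow the legacy option ROM header and the PCI data
# structure (PCIR): 0x55 0xAA signature, length in 512-byte blocks at
# offset 2, 16-bit pointer to "PCIR" at offset 0x18, vendor/device IDs at
# PCIR+4 and PCIR+6.

# rom_byte FILE OFFSET: print the byte at OFFSET in decimal.
rom_byte() {
    od -An -tu1 -v -j "$2" -N 1 "$1" | tr -d ' '
}

# rom_u16 FILE OFFSET: print the 16-bit little-endian value at OFFSET.
rom_u16() {
    lo=$(rom_byte "$1" "$2")
    hi=$(rom_byte "$1" $(($2 + 1)))
    echo $((lo + hi * 256))
}

# rom_check FILE: succeed only if the signature is present and the declared
# length matches the file size (a truncated blob fails here).
rom_check() {
    file=$1
    [ "$(wc -c < "$file")" -ge 3 ] || return 1
    [ "$(rom_byte "$file" 0)" -eq 85 ] || return 1     # 0x55
    [ "$(rom_byte "$file" 1)" -eq 170 ] || return 1    # 0xAA
    blocks=$(rom_byte "$file" 2)
    [ "$(wc -c < "$file")" -eq $((blocks * 512)) ]
}

# rom_cbfs_name FILE: print the CBFS name SeaBIOS expects for this ROM.
rom_cbfs_name() {
    file=$1
    pcir=$(rom_u16 "$file" 24)                          # offset 0x18
    sig=$(dd if="$file" bs=1 skip="$pcir" count=4 2>/dev/null)
    [ "$sig" = "PCIR" ] || return 1
    vendor=$(rom_u16 "$file" $((pcir + 4)))
    device=$(rom_u16 "$file" $((pcir + 6)))
    printf 'pci%04x,%04x.rom\n' "$vendor" "$device"
}

# make_sample_rom FILE: constructed 512-byte image carrying only the header
# fields above, with the VIA 1106:3344 IDs from the lspci example. It is
# not a real VGA BIOS and contains no code.
make_sample_rom() {
    out=$1
    dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
    printf '\125\252\001' | dd of="$out" bs=1 seek=0 conv=notrunc 2>/dev/null
    printf '\100\000' | dd of="$out" bs=1 seek=24 conv=notrunc 2>/dev/null
    printf 'PCIR\006\021\104\063' | dd of="$out" bs=1 seek=64 conv=notrunc 2>/dev/null
}

# Demo on the constructed image; point rom_check/rom_cbfs_name at a real
# vgabios.bin or gpxe .rom file to check it before the cbfstool add step.
rom=$(mktemp)
make_sample_rom "$rom"
if rom_check "$rom"; then
    echo "valid option ROM header; add it as: $(rom_cbfs_name "$rom")"
else
    echo "not a usable option ROM image" >&2
fi
rm -f "$rom"
```

If the printed name does not match the vendor/device ID that lspci reports for the adapter, the blob belongs to a different device and SeaBIOS will not run it for this card.<br />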
<br />
== Adding payloads ==<br />
<br />
Most [[Payloads|payloads]] can also be launched from SeaBIOS. To add a payload, build the corresponding .elf file and then add it to the '''coreboot.rom''' file in the '''img/''' directory. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add-payload -f /path/to/payload.elf -n img/MyPayload<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
During boot, one can press the '''ESC''' key to get a boot menu. SeaBIOS will show all files in the '''img/''' directory, and one can instruct SeaBIOS to run them.<br />
<br />
SeaBIOS supports both uncompressed and LZMA compressed payloads.<br />
<br />
== Adding a floppy image ==<br />
<br />
It is possible to embed an image of a floppy in flash. SeaBIOS can then boot from and redirect floppy BIOS calls to the flash image. This is mainly useful for legacy software (such as DOS utilities). To use this feature, place a floppy image into the CBFS directory '''floppyimg/'''. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f /path/to/myfloppy.img -c lzma -n floppyimg/MyFloppy.lzma -t raw<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
Both uncompressed and LZMA compressed images are supported. Several floppy formats are available: 360K, 1.2MB, 720K, 1.44MB, 2.88MB, 160K, 180K, 320K. SeaBIOS expects the uncompressed image size to be exactly one of the sizes just mentioned; otherwise, at a sufficient debug level, it will complain with: "No floppy type found for ramdisk size".<br />
<br />
The floppy image will appear as writable to the system, however all writes are discarded on reboot.<br />
<br />
When using this system, SeaBIOS reserves high-memory to store the floppy. The reserved memory is then no longer available for OS use, so this feature should only be used when needed.<br />
<br />
== Configuring boot order ==<br />
<br />
Place a file in CBFS with the name '''bootorder''' to configure the boot up order. The file should be ASCII text and contain one line per boot method. The description of each boot method follows an [https://secure.wikimedia.org/wikipedia/en/wiki/Open_firmware Open Firmware] device path format. SeaBIOS will attempt to boot from each item in the file &mdash; first line of the file first.<br />
<br />
The easiest way to find the available boot methods is to look for "Searching bootorder for" in the SeaBIOS serial output. For example, one may see lines similar to:<br />
<br />
Searching bootorder for: /pci@i0cf8/*@f/drive@1/disk@0<br />
Searching bootorder for: /pci@i0cf8/*@f,1/drive@2/disk@1<br />
Searching bootorder for: /pci@i0cf8/usb@10,4/*@2<br />
<br />
The above represents the patterns SeaBIOS will search for in the bootorder file. However, it's safe to just copy and paste the pattern into bootorder. For example, the file:<br />
<br />
/pci@i0cf8/usb@10,4/*@2<br />
/pci@i0cf8/*@f/drive@1/disk@0<br />
<br />
will instruct SeaBIOS to attempt to boot from the given USB drive first and then from the given ATA hard drive second.<br />
<br />
Once a file has been created, add it to CBFS with the name '''bootorder'''. For example:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f mybootlist.txt -n bootorder -t raw<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
== Other Configuration items ==<br />
<br />
Additional configuration options are available in the CBFS '''etc/''' directory. For example, to set the duration of the boot menu to five and a half seconds, one would do the following:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add-int -i 5500 -n etc/boot-menu-wait<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
The cbfstool "add-int" command will create a little-endian encoded binary integer and place it into the specified CBFS file.<br />
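The following POSIX shell functions are an added example, not part of the original page or of cbfstool: they reproduce the little-endian integer encoding that "add-int" produces, so a value can be prepared or checked by hand (for instance after extracting '''etc/boot-menu-wait''' from an existing image). The example assumes the file is stored as a 64-bit (8-byte) integer; le64_write and le64_read are names chosen for this example.<br />

```shell
#!/bin/sh
# Added example: encode/decode the little-endian integer files that
# "cbfstool add-int" places in CBFS (e.g. etc/boot-menu-wait).
# Assumption for this example: the file is a 64-bit (8-byte) integer.

# le64_write VALUE FILE: write VALUE as 8 little-endian bytes to FILE.
le64_write() {
    value=$1
    out=$2
    : > "$out"
    i=0
    while [ "$i" -lt 8 ]; do
        # printf's \ooo escape emits the raw byte (including NUL for 0).
        printf "\\$(printf '%03o' $((value & 255)))" >> "$out"
        value=$((value >> 8))
        i=$((i + 1))
    done
}

# le64_read FILE: print the decimal value stored in a little-endian file.
# Refuses files longer than 8 bytes, which cannot be a single integer here.
le64_read() {
    in=$1
    [ "$(wc -c < "$in")" -le 8 ] || return 1
    value=0
    shift_bits=0
    for byte in $(od -An -tu1 -v "$in"); do
        value=$((value + (byte << shift_bits)))
        shift_bits=$((shift_bits + 8))
    done
    echo "$value"
}

# Demo: the 5500 ms boot-menu-wait value from the text, written and read back.
demo=$(mktemp)
le64_write 5500 "$demo"
echo "bytes: $(od -An -tx1 "$demo")"
echo "value: $(le64_read "$demo")"
rm -f "$demo"
```

To check a value already in an image, extract the file with '''cbfstool build/coreboot.rom extract -n etc/boot-menu-wait -f wait.bin''' and run le64_read on wait.bin; a file that is not 8 bytes of little-endian data was not produced by add-int.<br />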
<br />
See the [http://seabios.org/Runtime_config SeaBIOS wiki] for details on available options.<br />
<br />
== File aliases ==<br />
<br />
It is possible to create the equivalent of "symbolic links" in CBFS so that one file's content appears under another name. To do this, create a links file with one line per link and each line having the format of "linkname" and "destname" separated by a space character. For example, the "links" file may look like:<br />
<br />
pci1234,1000.rom somerom.rom<br />
pci1234,1001.rom somerom.rom<br />
pci1234,1002.rom somerom.rom<br />
<br />
Then add the "links" file to CBFS:<br />
<br />
<source lang="bash"><br />
$ ./build/cbfstool build/coreboot.rom add -f links -n links -t raw<br />
$ ./build/cbfstool build/coreboot.rom print<br />
</source><br />
<br />
The above example would cause SeaBIOS to treat "pci1234,1000.rom" or "pci1234,1001.rom" as files with the same content as the file "somerom.rom".<br />
<br />
= Trouble reporting =<br />
<br />
If you are experiencing problems with SeaBIOS, please follow the directions on the [http://seabios.org/Debugging SeaBIOS wiki] to report the issue.</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo&diff=34838User:GNUtoo2018-05-10T12:40:03Z<p>GNUtoo: /* X60/I945 native GPU init History */</p>
<hr />
<div>== Wiki contributions ==<br />
My contributions to this wiki are available under the following licenses:<br />
* [https://creativecommons.org/licenses/by-sa/3.0/legalcode CC-BY-SA 3.0]<br />
* [https://creativecommons.org/licenses/by-sa/4.0/legalcode CC-BY-SA 4.0] or later<br />
* [https://www.gnu.org/licenses/fdl.txt GFDL 1.3] or later<br />
<br />
== Code contributions ==<br />
In the [https://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=Documentation/gerrit_guidelines.md;h=1833b0a8f0dc89001547c73457d113a4a56fbd31;hb=refs/heads/master#l31 gerrit guidelines] there is the following line: "Don't modify other people's patches without their consent."<br />
<br />
I consent to the modification of my patches by anybody. I work on specific things because no one wants to do what I want to do. Else I'd be happy if someone else did the work, so I could pick the next task in my huge TODO list.<br />
<br />
Interests:<br />
* 100% Free computers (Laptops, Desktops, Home Servers, routers).<br />
* Security<br />
** Secure boot through GRUB with full disk encryption (no /boot in the clear)<br />
** Protect against DMA and other attacks that have access to the x86 cpu's RAM.<br />
* Making it possible for end user to be able to use coreboot/libreboot:<br />
** Making it easy or scalable to install coreboot/libreboot.<br />
** Making it usable.<br />
* Making it less risky to reflash, permitting users without an external programmer to easily reflash, and developers to develop anywhere without a huge setup consisting of another computer and the coreboot computer being worked on. I'm also interested in getting the cbmem logs written to flash to make debugging easier when no other computer is available (for instance while the developer is traveling to a conference).<br />
<br />
== Howtos ==<br />
* [[/make boot software writable for recent Intel computers]]<br />
* [[/External GPU init without running the option rom]]<br />
<br />
= X60/I945 native GPU init History =<br />
The Lenovo X60 GPU init was merged a long time ago.<br />
Since then it has been rewritten/improved a lot by other people (see the git log for more details).<br />
Thanks to all that work it's now a proper driver.<br />
<br />
So I've moved the X60 GPU init information to [[/X60_GPU_init|a subpage]].<br />
<br />
= Personal opinions =<br />
* [[/Microcode]]<br />
* [[/Yabel]]<br />
<br />
= For coreboot developers =<br />
This section is mainly useful for finding information for:<br />
* Asking me to test some code (that's why I listed all my hardware).<br />
* Find my work in progress code.<br />
* Find legacy code.<br />
* Find what I'm interested in working on:<br />
** If you want to work on the same thing as me, you can contact me if you want:<br />
*** I could help if I have time.<br />
*** I could test if I have time.<br />
*** I may have some pointers.<br />
* HOWTO that documents how to do a native VGA init for the Lenovo x60:<br />
** It probably applies to the Lenovo T60 models that have an Intel GPU, with no or very minor modifications.<br />
<br />
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
|<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need to have some tests done on the default boot firmware, you should ask me, as it is fast to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to be able to easily, robustly, and safely reflash it:<br />
* If a SOIC8 SPI chip is soldered instead of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: The hardware probably permits boot firmwares to very easily mess with the flash content while it's being read or written: The hardware can probably be programmed to emit SMM interrupts when the flash chip is accessed, and once in SMM, modify the data. This is the case on i945 Thinkpads; however, I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
<br />
=== Debugging tools ===<br />
* External programmers:<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino uno (serprog based)<br />
** openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A pomona clip<br />
* a null-modem serial cable and 2 USB<->Serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (omap3530)<br />
** a GTA04 A3 (DM370)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* I945, GM45, GS45 thinkpads: Have all hardware features working (feature parity with the default boot firmware):<br />
** IRDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: Merge ich9gen functionality in ifdtool or ifdfake<br />
* GM45: Investigate internal flashing (Look if BIOS->Modded BIOS->Coreboot works and understand why)<br />
* I945: SeaBIOS: allow booting on SD cards.<br />
* Port a logging mechanism from Chromebooks to all devices in order to be able to retrieve the log of the failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify if all the microcodes were moved away from coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* I945: Write a freedom/privacy/security review<br />
* GM45: Write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: Write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]<br />
* [[/APU1 reflashing]]</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo/Yabel&diff=34837User:GNUtoo/Yabel2018-05-10T12:39:41Z<p>GNUtoo: Created page with "Yabel can be used for tracing what the GPU does, but it cannot really prevent a proprietary VGA option rom from doing nasty tricks: The GPUs in the Lenovo x60 and t60 have a..."</p>
<hr />
<div>Yabel can be used for tracing what the GPU does, but it cannot really prevent a proprietary VGA option rom from doing nasty tricks:<br />
<br />
The GPUs in the Lenovo x60 and t60 have a BAR that gives access to the whole memory:<br />
Region 1: I/O ports at 50a0 [size=8]<br />
<br />
I was told that many other GPUs also have that issue.<br />
<br />
The way to fix that is to get rid of the proprietary VGA option rom. On some boards it's possible and coreboot has a replacement for it. On some other boards, the kernel can initialize the GPU with or without tricks.</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo&diff=34836User:GNUtoo2018-05-10T12:39:30Z<p>GNUtoo: /* Yabel */</p>
<hr />
<div>== Wiki contributions ==<br />
My contributions to this wiki are available under the following licenses:<br />
* [https://creativecommons.org/licenses/by-sa/3.0/legalcode CC-BY-SA 3.0]<br />
* [https://creativecommons.org/licenses/by-sa/4.0/legalcode CC-BY-SA 4.0] or later<br />
* [https://www.gnu.org/licenses/fdl.txt GFDL 1.3] or later<br />
<br />
== Code contributions ==<br />
In the [https://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=Documentation/gerrit_guidelines.md;h=1833b0a8f0dc89001547c73457d113a4a56fbd31;hb=refs/heads/master#l31 gerrit guidelines] there is the following line: "Don't modify other people's patches without their consent."<br />
<br />
I consent to the modification of my patches by anybody. I work on specific things because no one wants to do what I want to do. Else I'd be happy if someone else did the work, so I could pick the next task in my huge TODO list.<br />
<br />
Interests:<br />
* 100% Free computers (Laptops, Desktops, Home Servers, routers).<br />
* Security<br />
** Secure boot through GRUB with full disk encryption (no /boot in the clear)<br />
** Protect against DMA and other attacks that have access to the x86 cpu's RAM.<br />
* Making it possible for end user to be able to use coreboot/libreboot:<br />
** Making it easy or scalable to install coreboot/libreboot.<br />
** Making it usable.<br />
* Making it less risky to reflash, permitting users without an external programmer to easily reflash, and developers to develop anywhere without a huge setup consisting of another computer and the coreboot computer being worked on. I'm also interested in getting the cbmem logs written to flash to make debugging easier when no other computer is available (for instance while the developer is traveling to a conference).<br />
<br />
== Howtos ==<br />
* [[/make boot software writable for recent Intel computers]]<br />
* [[/External GPU init without running the option rom]]<br />
<br />
= X60/I945 native GPU init History =<br />
The Lenovo X60 GPU init was merged a long time ago.<br />
Since then it has been rewritten/improved a lot by other people (see the git log for more details).<br />
Thanks to all that work it's now a proper driver.<br />
<br />
So I've moved the X60 GPU init information to [[/X60_GPU_init|a subpage]].<br />
<br />
== Personal opinions ==<br />
* [[/Microcode]]<br />
* [[/Yabel]]<br />
<br />
= For coreboot developers =<br />
This section is mainly useful for finding information for:<br />
* Asking me to test some code (that's why I listed all my hardware).<br />
* Find my work in progress code.<br />
* Find legacy code.<br />
* Find what I'm interested in working on:<br />
** If you want to work on the same thing as me, you can contact me if you want:<br />
*** I could help if I have time.<br />
*** I could test if I have time.<br />
*** I may have some pointers.<br />
* HOWTO that documents how to do a native VGA init for the Lenovo x60:<br />
** It probably applies to the Lenovo T60 models that have an Intel GPU, with no or very minor modifications.<br />
<br />
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
|<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need to have some tests done on the default boot firmware, you should ask me, as it is fast to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to be able to easily, robustly, and safely reflash it:<br />
* If a SOIC8 SPI chip is soldered instead of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: The hardware probably permits boot firmwares to very easily mess with the flash content while it's being read or written: The hardware can probably be programmed to emit SMM interrupts when the flash chip is accessed, and once in SMM, modify the data. This is the case on i945 Thinkpads; however, I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
<br />
=== Debugging tools ===<br />
* External programmers:<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino uno (serprog based)<br />
** openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A pomona clip<br />
* a null-modem serial cable and 2 USB<->Serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (omap3530)<br />
** a GTA04 A3 (DM370)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* I945, GM45, GS45 thinkpads: Have all hardware features working (feature parity with the default boot firmware):<br />
** IRDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: Merge ich9gen functionality in ifdtool or ifdfake<br />
* GM45: Investigate internal flashing (Look if BIOS->Modded BIOS->Coreboot works and understand why)<br />
* I945: SeaBIOS: allow booting on SD cards.<br />
* Port a logging mechanism from Chromebooks to all devices in order to be able to retrieve the log of the failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify if all the microcodes were moved away from coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* I945: Write a freedom/privacy/security review<br />
* GM45: Write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: Write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]<br />
* [[/APU1 reflashing]]</div>
GNUtoo
https://www.coreboot.org/index.php?title=User:GNUtoo/Microcode&diff=34835
User:GNUtoo/Microcode
2018-05-10T12:39:10Z
<p>GNUtoo: Created page with "* The CPU microcodes are under a non-free license that is incompatible with coreboot's license. * They are now moved away in a separate repository. Some people say that the m..."</p>
<hr />
<div>* The CPU microcodes are under a non-free license that is incompatible with coreboot's license.<br />
* They have now been moved to a separate repository.<br />
<br />
Some people say that the microcode is the equivalent of having a more recent CPU, as a justification for using it.<br />
<br />
However, since Intel microcodes are encrypted and signed, we cannot know what they really do.<br />
* People usually trust what the CPU vendor says about it, such as that it fixes some bugs (errata for such bugs are published), but we don't know much more.<br />
* Speculating about what they really do or cannot do won't help much since we usually cannot verify that information.<br />
<br />
My goal is to have a 100% free computer, and also to spread that code, so that other people can have a 100% free computer too.<br />
According to the FSF, and the FSF criteria for differentiating software from hardware, that microcode is software.<br />
So since they consider it as non-free, a coreboot image containing that microcode would not be considered free by the FSF.<br />
<br />
On my Lenovo X60, the microcode was easy to remove, and it worked fine, besides printing a scary kernel message pointing to an Intel erratum.<br />
<br />
What the erratum says is that, when resuming from suspend to RAM, the temperature readings will not be updated, and overheating will not be reported. The hardware issues you may encounter will depend on your specific CPU: not the CPU model, but the date at which it was manufactured.<br />
(To know if you are affected, under GNU/Linux, you can run the "dmesg" command and look for "coretemp: Errata AE18 not fixed, update BIOS or microcode of the CPU!" in its output. If you found it, you are affected)<br />
<br />
Removing the microcode made it possible to have the Gluglug (now Minifree) Lenovo ThinkPad X60 certified "Respects Your Freedom" by the FSF.<br />
<br />
So instead of debating through huge flame wars about whether we should use the microcode or not, it was more effective to remove it and get the laptop certified.<br />
<br />
The benefit of that is the publicity around the fact that this laptop can be made to run 100% free software. This makes users aware of it and willing to switch to it.</div>
GNUtoo
https://www.coreboot.org/index.php?title=User:GNUtoo&diff=34834
User:GNUtoo
2018-05-10T12:39:01Z
<p>GNUtoo: /* Personal oppinions */</p>
<hr />
<div>== Wiki contributions ==<br />
My contributions to this wiki are available under the following licenses:<br />
* [https://creativecommons.org/licenses/by-sa/3.0/legalcode CC-BY-SA 3.0]<br />
* [https://creativecommons.org/licenses/by-sa/4.0/legalcode CC-BY-SA 4.0] or later<br />
* [https://www.gnu.org/licenses/fdl.txt GFDL 1.3] or later<br />
<br />
== Code contributions ==<br />
In the [https://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=Documentation/gerrit_guidelines.md;h=1833b0a8f0dc89001547c73457d113a4a56fbd31;hb=refs/heads/master#l31 gerrit guidelines] there is the following line: "Don't modify other people's patches without their consent."<br />
<br />
I consent to the modification of my patches by anybody. I work on specific things because no one wants to do what I want to do. Otherwise I'd be happy if someone else did the work, so I could pick the next task in my huge TODO list.<br />
<br />
Interests:<br />
* 100% free computers (laptops, desktops, home servers, routers).<br />
* Security<br />
** Secure boot through GRUB with full disk encryption (no /boot in the clear)<br />
** Protect against DMA and other attacks that have access to the x86 CPU's RAM.<br />
* Making it possible for end users to use coreboot/libreboot:<br />
** Making it easy or scalable to install coreboot/libreboot.<br />
** Making it usable.<br />
* Making reflashing less risky, permitting users without an external programmer to reflash easily, and developers to develop anywhere without a huge setup consisting of another computer and the coreboot computer being worked on. I'm also interested in getting the cbmem logs written to flash to make debugging easier when no other computer is available (for instance while the developer is traveling to a conference).<br />
<br />
== Howtos ==<br />
* [[/make boot software writable for recent Intel computers]]<br />
* [[/External GPU init without running the option rom]]<br />
<br />
= X60/I945 native GPU init History =<br />
The Lenovo X60 GPU init has been merged a long time ago.<br />
Since then it has been rewritten/improved a lot by other people (see git log for more details).<br />
Thanks to all that work it's now a proper driver.<br />
<br />
So I've moved the X60 GPU init information to [[/X60_GPU_init|a subpage]].<br />
<br />
== Personal opinions ==<br />
* [[/Microcode]]<br />
=== Yabel ===<br />
Yabel can be used for tracing what the GPU does, but it cannot really prevent a proprietary VGA option rom from doing nasty tricks:<br />
<br />
The GPUs in the Lenovo X60 and T60 have a BAR that gives access to the whole memory:<br />
Region 1: I/O ports at 50a0 [size=8]<br />
<br />
I was told that many other GPUs also have that issue.<br />
<br />
The way to fix that is to get rid of the proprietary VGA option rom. On some boards it's possible and coreboot has a replacement for it. On some other boards, the kernel can initialize the GPU with or without tricks.<br />
<br />
= For coreboot developers =<br />
This section is mainly useful for:<br />
* Asking me to test some code (that's why I listed all my hardware).<br />
* Finding my work in progress code.<br />
* Finding legacy code.<br />
* Finding what I'm interested in working on:<br />
** If you want to work on the same thing as me, you can contact me if you want:<br />
*** I could help if I have time.<br />
*** I could test if I have time.<br />
*** I may have some pointers.<br />
* HOWTO that documents how to do a native VGA init for the Lenovo x60:<br />
** It probably applies to the Lenovo T60 models that have an Intel GPU, with no or very minor modifications.<br />
<br />
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
|<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need to have some tests done on the default boot firmware, you should ask me, as it is fast to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to be able to easily, robustly, and safely reflash it:<br />
* If a SOIC8 SPI chip is soldered instead of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: the hardware probably permits boot firmware to very easily mess with the flash content while it's being read or written. The hardware can probably be programmed to emit SMM interrupts when the flash chip is accessed, and, once in SMM, modify the data. This is the case on i945 ThinkPads; however, I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
<br />
=== Debugging tools ===<br />
* External programmers :<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino uno (serprog based)<br />
** openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A pomona clip<br />
* a null-modem serial cable and 2 USB<->Serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (omap3530)<br />
** a GTA04 A3 (DM370)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* I945, GM45, GS45 thinkpads: Have all hardware features working (feature parity with the default boot firmware):<br />
** IRDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: Merge ich9gen functionality in ifdtool or ifdfake<br />
* GM45: Investigate internal flashing (Look if BIOS->Modded BIOS->Coreboot works and understand why)<br />
* I945: SeaBIOS: allow booting on SD cards.<br />
* Port a logging mechanism from Chromebooks to all devices in order to be able to retrieve the log of the failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify if all the microcodes were moved away from coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* I945: Write a freedom/privacy/security review<br />
* GM45: Write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: Write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]<br />
* [[/APU1 reflashing]]</div>
GNUtoo
https://www.coreboot.org/index.php?title=User:GNUtoo&diff=34833
User:GNUtoo
2018-05-10T12:38:21Z
<p>GNUtoo: /* Work in progress documentation */</p>
<hr />
<div>== Wiki contributions ==<br />
My contributions to this wiki are available under the following licenses:<br />
* [https://creativecommons.org/licenses/by-sa/3.0/legalcode CC-BY-SA 3.0]<br />
* [https://creativecommons.org/licenses/by-sa/4.0/legalcode CC-BY-SA 4.0] or later<br />
* [https://www.gnu.org/licenses/fdl.txt GFDL 1.3] or later<br />
<br />
== Code contributions ==<br />
In the [https://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=Documentation/gerrit_guidelines.md;h=1833b0a8f0dc89001547c73457d113a4a56fbd31;hb=refs/heads/master#l31 gerrit guidelines] there is the following line: "Don't modify other people's patches without their consent."<br />
<br />
I consent to the modification of my patches by anybody. I work on specific things because no one wants to do what I want to do. Otherwise I'd be happy if someone else did the work, so I could pick the next task in my huge TODO list.<br />
<br />
Interests:<br />
* 100% free computers (laptops, desktops, home servers, routers).<br />
* Security<br />
** Secure boot through GRUB with full disk encryption (no /boot in the clear)<br />
** Protect against DMA and other attacks that have access to the x86 CPU's RAM.<br />
* Making it possible for end users to use coreboot/libreboot:<br />
** Making it easy or scalable to install coreboot/libreboot.<br />
** Making it usable.<br />
* Making reflashing less risky, permitting users without an external programmer to reflash easily, and developers to develop anywhere without a huge setup consisting of another computer and the coreboot computer being worked on. I'm also interested in getting the cbmem logs written to flash to make debugging easier when no other computer is available (for instance while the developer is traveling to a conference).<br />
<br />
== Howtos ==<br />
* [[/make boot software writable for recent Intel computers]]<br />
* [[/External GPU init without running the option rom]]<br />
<br />
= X60/I945 native GPU init History =<br />
The Lenovo X60 GPU init has been merged a long time ago.<br />
Since then it has been rewritten/improved a lot by other people (see git log for more details).<br />
Thanks to all that work it's now a proper driver.<br />
<br />
So I've moved the X60 GPU init information to [[/X60_GPU_init|a subpage]].<br />
<br />
== Personal opinions ==<br />
=== Microcode ===<br />
* The CPU microcodes are under a non-free license that is incompatible with coreboot's license.<br />
* They have now been moved to a separate repository.<br />
<br />
Some people say that the microcode is the equivalent of having a more recent CPU, as a justification for using it.<br />
<br />
However, since Intel microcodes are encrypted and signed, we cannot know what they really do.<br />
* People usually trust what the CPU vendor says about it, such as that it fixes some bugs (errata for such bugs are published), but we don't know much more.<br />
* Speculating about what they really do or cannot do won't help much since we usually cannot verify that information.<br />
<br />
My goal is to have a 100% free computer, and also to spread that code, so that other people can have a 100% free computer too.<br />
According to the FSF, and the FSF criteria for differentiating software from hardware, that microcode is software.<br />
So since they consider it as non-free, a coreboot image containing that microcode would not be considered free by the FSF.<br />
<br />
On my Lenovo X60, the microcode was easy to remove, and it worked fine, besides printing a scary kernel message pointing to an Intel erratum.<br />
<br />
What the erratum says is that, when resuming from suspend to RAM, the temperature readings will not be updated, and overheating will not be reported. The hardware issues you may encounter will depend on your specific CPU: not the CPU model, but the date at which it was manufactured.<br />
(To know if you are affected, under GNU/Linux, you can run the "dmesg" command and look for "coretemp: Errata AE18 not fixed, update BIOS or microcode of the CPU!" in its output. If you found it, you are affected)<br />
<br />
Removing the microcode made it possible to have the Gluglug (now Minifree) Lenovo ThinkPad X60 certified "Respects Your Freedom" by the FSF.<br />
<br />
So instead of debating through huge flame wars about whether we should use the microcode or not, it was more effective to remove it and get the laptop certified.<br />
<br />
The benefit of that is the publicity around the fact that this laptop can be made to run 100% free software. This makes users aware of it and willing to switch to it.<br />
<br />
=== Yabel ===<br />
Yabel can be used for tracing what the GPU does, but it cannot really prevent a proprietary VGA option rom from doing nasty tricks:<br />
<br />
The GPUs in the Lenovo X60 and T60 have a BAR that gives access to the whole memory:<br />
Region 1: I/O ports at 50a0 [size=8]<br />
<br />
I was told that many other GPUs also have that issue.<br />
<br />
The way to fix that is to get rid of the proprietary VGA option rom. On some boards it's possible and coreboot has a replacement for it. On some other boards, the kernel can initialize the GPU with or without tricks.<br />
<br />
= For coreboot developers =<br />
This section is mainly useful for:<br />
* Asking me to test some code (that's why I listed all my hardware).<br />
* Finding my work in progress code.<br />
* Finding legacy code.<br />
* Finding what I'm interested in working on:<br />
** If you want to work on the same thing as me, you can contact me if you want:<br />
*** I could help if I have time.<br />
*** I could test if I have time.<br />
*** I may have some pointers.<br />
* HOWTO that documents how to do a native VGA init for the Lenovo x60:<br />
** It probably applies to the Lenovo T60 models that have an Intel GPU, with no or very minor modifications.<br />
<br />
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
|<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need to have some tests done on the default boot firmware, you should ask me, as it is fast to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to be able to easily, robustly, and safely reflash it:<br />
* If a SOIC8 SPI chip is soldered instead of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: the hardware probably permits boot firmware to very easily mess with the flash content while it's being read or written. The hardware can probably be programmed to emit SMM interrupts when the flash chip is accessed, and, once in SMM, modify the data. This is the case on i945 ThinkPads; however, I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
<br />
=== Debugging tools ===<br />
* External programmers :<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino uno (serprog based)<br />
** openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A pomona clip<br />
* a null-modem serial cable and 2 USB<->Serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (omap3530)<br />
** a GTA04 A3 (DM370)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* I945, GM45, GS45 thinkpads: Have all hardware features working (feature parity with the default boot firmware):<br />
** IRDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: Merge ich9gen functionality in ifdtool or ifdfake<br />
* GM45: Investigate internal flashing (Look if BIOS->Modded BIOS->Coreboot works and understand why)<br />
* I945: SeaBIOS: allow booting on SD cards.<br />
* Port a logging mechanism from Chromebooks to all devices in order to be able to retrieve the log of the failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify if all the microcodes were moved away from coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* I945: Write a freedom/privacy/security review<br />
* GM45: Write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: Write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]<br />
* [[/APU1 reflashing]]</div>
GNUtoo
https://www.coreboot.org/index.php?title=User:GNUtoo&diff=34832
User:GNUtoo
2018-05-10T12:37:47Z
<p>GNUtoo: /* Howtos */</p>
<hr />
<div>== Wiki contributions ==<br />
My contributions to this wiki are available under the following licenses:<br />
* [https://creativecommons.org/licenses/by-sa/3.0/legalcode CC-BY-SA 3.0]<br />
* [https://creativecommons.org/licenses/by-sa/4.0/legalcode CC-BY-SA 4.0] or later<br />
* [https://www.gnu.org/licenses/fdl.txt GFDL 1.3] or later<br />
<br />
== Code contributions ==<br />
In the [https://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=Documentation/gerrit_guidelines.md;h=1833b0a8f0dc89001547c73457d113a4a56fbd31;hb=refs/heads/master#l31 gerrit guidelines] there is the following line: "Don't modify other people's patches without their consent."<br />
<br />
I consent to the modification of my patches by anybody. I work on specific things because no one wants to do what I want to do. Otherwise I'd be happy if someone else did the work, so I could pick the next task in my huge TODO list.<br />
<br />
Interests:<br />
* 100% free computers (laptops, desktops, home servers, routers).<br />
* Security<br />
** Secure boot through GRUB with full disk encryption (no /boot in the clear)<br />
** Protect against DMA and other attacks that have access to the x86 CPU's RAM.<br />
* Making it possible for end users to use coreboot/libreboot:<br />
** Making it easy or scalable to install coreboot/libreboot.<br />
** Making it usable.<br />
* Making reflashing less risky, permitting users without an external programmer to reflash easily, and developers to develop anywhere without a huge setup consisting of another computer and the coreboot computer being worked on. I'm also interested in getting the cbmem logs written to flash to make debugging easier when no other computer is available (for instance while the developer is traveling to a conference).<br />
<br />
== Howtos ==<br />
* [[/make boot software writable for recent Intel computers]]<br />
* [[/External GPU init without running the option rom]]<br />
<br />
= X60/I945 native GPU init History =<br />
The Lenovo X60 GPU init has been merged a long time ago.<br />
Since then it has been rewritten/improved a lot by other people (see git log for more details).<br />
Thanks to all that work it's now a proper driver.<br />
<br />
So I've moved the X60 GPU init information to [[/X60_GPU_init|a subpage]].<br />
<br />
== Personal opinions ==<br />
=== Microcode ===<br />
* The CPU microcodes are under a non-free license that is incompatible with coreboot's license.<br />
* They have now been moved to a separate repository.<br />
<br />
Some people say that the microcode is the equivalent of having a more recent CPU, as a justification for using it.<br />
<br />
However, since Intel microcodes are encrypted and signed, we cannot know what they really do.<br />
* People usually trust what the CPU vendor says about it, such as that it fixes some bugs (errata for such bugs are published), but we don't know much more.<br />
* Speculating about what they really do or cannot do won't help much since we usually cannot verify that information.<br />
<br />
My goal is to have a 100% free computer, and also to spread that code, so that other people can have a 100% free computer too.<br />
According to the FSF, and the FSF criteria for differentiating software from hardware, that microcode is software.<br />
So since they consider it as non-free, a coreboot image containing that microcode would not be considered free by the FSF.<br />
<br />
On my Lenovo X60, the microcode was easy to remove, and it worked fine, besides printing a scary kernel message pointing to an Intel erratum.<br />
<br />
What the erratum says is that, when resuming from suspend to RAM, the temperature readings will not be updated, and overheating will not be reported. The hardware issues you may encounter will depend on your specific CPU: not the CPU model, but the date at which it was manufactured.<br />
(To know if you are affected, under GNU/Linux, you can run the "dmesg" command and look for "coretemp: Errata AE18 not fixed, update BIOS or microcode of the CPU!" in its output. If you found it, you are affected)<br />
<br />
Removing the microcode made it possible to have the Gluglug (now Minifree) Lenovo ThinkPad X60 certified "Respects Your Freedom" by the FSF.<br />
<br />
So instead of debating through huge flame wars about whether we should use the microcode or not, it was more effective to remove it and get the laptop certified.<br />
<br />
The benefit of that is the publicity around the fact that this laptop can be made to run 100% free software. This makes users aware of it and willing to switch to it.<br />
<br />
=== Yabel ===<br />
Yabel can be used for tracing what the GPU does, but it cannot really prevent a proprietary VGA option rom from doing nasty tricks:<br />
<br />
The GPUs in the Lenovo X60 and T60 have a BAR that gives access to the whole memory:<br />
Region 1: I/O ports at 50a0 [size=8]<br />
<br />
I was told that many other GPUs also have that issue.<br />
<br />
The way to fix that is to get rid of the proprietary VGA option rom. On some boards it's possible and coreboot has a replacement for it. On some other boards, the kernel can initialize the GPU with or without tricks.<br />
<br />
= For coreboot developers =<br />
This section is mainly useful for:<br />
* Asking me to test some code (that's why I listed all my hardware).<br />
* Finding my work in progress code.<br />
* Finding legacy code.<br />
* Finding what I'm interested in working on:<br />
** If you want to work on the same thing as me, you can contact me if you want:<br />
*** I could help if I have time.<br />
*** I could test if I have time.<br />
*** I may have some pointers.<br />
* HOWTO that documents how to do a native VGA init for the Lenovo x60:<br />
** It probably applies to the Lenovo T60 models that have an Intel GPU, with no or very minor modifications.<br />
<br />
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
|<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need to have some tests done on the default boot firmware, you should ask me, as it is fast to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to be able to easily, robustly, and safely reflash it:<br />
* If a SOIC8 SPI chip is soldered instead of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: the hardware probably permits boot firmware to very easily mess with the flash content while it's being read or written. The hardware can probably be programmed to emit SMM interrupts when the flash chip is accessed, and, once in SMM, modify the data. This is the case on i945 ThinkPads; however, I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
<br />
=== Debugging tools ===<br />
* External programmers :<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino uno (serprog based)<br />
** openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A pomona clip<br />
* a null-modem serial cable and 2 USB<->Serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (omap3530)<br />
** a GTA04 A3 (DM370)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* I945, GM45, GS45 thinkpads: Have all hardware features working (feature parity with the default boot firmware):<br />
** IRDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: Merge ich9gen functionality in ifdtool or ifdfake<br />
* GM45: Investigate internal flashing (Look if BIOS->Modded BIOS->Coreboot works and understand why)<br />
* I945: SeaBIOS: allow booting on SD cards.<br />
* Port a logging mechanism from Chromebooks to all devices in order to be able to retrieve the log of the failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify if all the microcodes were moved away from coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* I945: Write a freedom/privacy/security review<br />
* GM45: Write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: Write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo/make_boot_software_writable_for_recent_Intel_computers&diff=34831User:GNUtoo/make boot software writable for recent Intel computers2018-05-10T12:37:33Z<p>GNUtoo: Created page with "Coreboot has an uttility in util/ifdtool for that. * power off the laptop totally (remove the power, the battery etc...) * connect an external programmer to the BIOS flash chi..."</p>
<hr />
<div>coreboot has a utility for that in util/ifdtool.<br />
* Power off the laptop completely (unplug the power supply, remove the battery, etc.).<br />
* Connect an external programmer to the BIOS flash chip.<br />
* Dump the chip contents with flashrom through that external programmer. Dump it twice and compare the two dumps; they must be identical before you rely on them.<br />
* Run ifdtool on the dumped image. Its unlock option rewrites the flash master access bits in the descriptor so that the host CPU/BIOS may write every region; its extract option splits the image into its regions (descriptor, BIOS, ME, GbE).<br />
* Reflash the modified image, then read the chip back and compare it with what you wrote.</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo&diff=34830User:GNUtoo2018-05-10T12:37:15Z<p>GNUtoo: /* make recent intel BIOS flash writable and/or extract its pieces */</p>
<hr />
<div>== Wiki contributions ==<br />
My contributions to this wiki are available under the following licenses:<br />
* [https://creativecommons.org/licenses/by-sa/3.0/legalcode CC-BY-SA 3.0]<br />
* [https://creativecommons.org/licenses/by-sa/4.0/legalcode CC-BY-SA 4.0] or later<br />
* [https://www.gnu.org/licenses/fdl.txt GFDL 1.3] or later<br />
<br />
== Code contributions ==<br />
In the [https://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=Documentation/gerrit_guidelines.md;h=1833b0a8f0dc89001547c73457d113a4a56fbd31;hb=refs/heads/master#l31 gerrit guidelines] there is the following line: "Don't modify other people's patches without their consent."<br />
<br />
I consent to the modification of my patches by anybody. I work on specific things because no one wants to do what I want to do. Else I'd be happy if someone else did the work, so I could pick the next task in my huge TODO list.<br />
<br />
Interests:<br />
* 100% free computers (laptops, desktops, home servers, routers).<br />
* Security<br />
** Secure boot through GRUB with full disk encryption (no /boot in the clear).<br />
** Protection against DMA and other attacks that have access to the x86 CPU's RAM.<br />
* Making it possible for end users to use coreboot/libreboot:<br />
** Making coreboot/libreboot easy, or scalable, to install.<br />
** Making it usable.<br />
* Making reflashing less risky, so that users without an external programmer can easily reflash, and developers can develop anywhere without a huge setup consisting of another computer plus the coreboot computer being worked on. I'm also interested in getting the cbmem logs written to flash to make debugging easier when no other computer is available (for instance while the developer is traveling to a conference).<br />
<br />
== Howtos ==<br />
* [[/make boot software writable for recent Intel computers]]<br />
<br />
=== AMD/ATI/Nvidia GPU with SeaBIOS without running the option rom ===<br />
* [[/External GPU init without running the option rom]]<br />
<br />
= X60/I945 native GPU init History =<br />
The Lenovo X60 GPU init was merged a long time ago.<br />
Since then it has been rewritten/improved a lot by other people (see the git log for more details).<br />
Thanks to all that work it's now a proper driver.<br />
<br />
So I've moved the X60 GPU init information to [[/X60_GPU_init|a subpage]]<br />
<br />
== Personal opinions ==<br />
=== Microcode ===<br />
* The CPU microcode updates are under a non-free license that is incompatible with coreboot's license.<br />
* They have now been moved to a separate repository.<br />
<br />
Some people say that the microcode is the equivalent of having a more recent CPU, as a justification for using it.<br />
<br />
However, since Intel microcode updates are encrypted and signed, we cannot know what they really do.<br />
* People usually trust what the CPU vendor says about them, such as that they fix some bugs (errata for such bugs are published), but we don't know much more.<br />
* Speculating about what they really do or cannot do won't help much, since we usually cannot verify that information.<br />
<br />
My goal is to have a 100% free computer, and also to spread that code, so that other people can have a 100% free computer too.<br />
According to the FSF's criteria for distinguishing software from hardware, that microcode is software.<br />
So, since they consider it non-free, a coreboot image containing that microcode would not be considered free by the FSF.<br />
<br />
On my Lenovo X60, the microcode was easy to remove, and it worked fine, besides printing a scary kernel message pointing to an Intel erratum.<br />
<br />
What the erratum says is that, when resuming from suspend to RAM, the temperature readings are not updated and overheating is not reported. Whether you are affected depends on your specific CPU: not the CPU model, but the date at which it was manufactured.<br />
(To know if you are affected, under GNU/Linux, run the "dmesg" command and look for "coretemp: Errata AE18 not fixed, update BIOS or microcode of the CPU!" in its output. If you find it, you are affected.)<br />
<br />
Removing the microcode made it possible to have the Gluglug (now Minifree) Lenovo ThinkPad X60 certified "Respects Your Freedom" by the FSF.<br />
<br />
So instead of debating through huge flame wars about whether or not we should use the microcode, it was more effective to remove it and get the laptop certified.<br />
<br />
The benefit of that is the publicity around the fact that this laptop can be made to run 100% free software. This makes users aware of it and willing to switch to it.<br />
<br />
=== Yabel ===<br />
Yabel can be used for tracing what the GPU option ROM does, but it cannot really prevent a proprietary VGA option ROM from doing nasty tricks:<br />
<br />
The GPUs in the Lenovo X60 and T60 have a BAR that gives access to the whole of system memory (an 8-byte I/O port window, which lspci lists as):<br />
Region 1: I/O ports at 50a0 [size=8]<br />
<br />
I was told that many other GPUs have the same issue.<br />
<br />
The way to fix that is to get rid of the proprietary VGA option ROM. On some boards that is possible, and coreboot has a replacement for it. On some other boards, the kernel can initialize the GPU, with or without tricks.<br />
<br />
= For coreboot developers =<br />
This section is mainly useful for finding information for:<br />
* Asking me to test some code (that's why I listed all my hardware).<br />
* Finding my work in progress code.<br />
* Finding legacy code.<br />
* Finding what I'm interested in working on:<br />
** If you want to work on the same thing as me, you can contact me:<br />
*** I could help if I have time.<br />
*** I could test if I have time.<br />
*** I may have some pointers.<br />
* A HOWTO that documents how to do a native VGA init for the Lenovo X60:<br />
** It probably applies to the Lenovo T60 models that have an Intel GPU, with no or very minor modifications.<br />
<br />
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
|<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need some tests done on the default boot firmware, ask me; it is quick to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to easily, robustly, and safely reflash it:<br />
* If a SOIC8 SPI chip is soldered in place of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: the hardware probably lets the boot firmware tamper with the flash content while it is being read or written: the hardware can probably be programmed to emit an SMI when the flash chip is accessed, and once in SMM the firmware can modify the data. This is the case on i945 ThinkPads, however I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
<br />
=== Debugging tools ===<br />
* External programmers:<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino Uno (serprog based)<br />
** Openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A Pomona clip<br />
* A null-modem serial cable and 2 USB<->serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (omap3530)<br />
** a GTA04 A3 (DM370)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* I945, GM45, GS45 thinkpads: Have all hardware features working (feature parity with the default boot firmware):<br />
** IRDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: Merge the ich9gen functionality into ifdtool or ifdfake.<br />
* GM45: Investigate internal flashing (check whether BIOS->Modded BIOS->Coreboot works, and understand why).<br />
* I945: SeaBIOS: allow booting from SD cards.<br />
* Port a logging mechanism from Chromebooks to all devices, in order to be able to retrieve the log of the failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify if all the microcodes were moved away from coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* I945: Write a freedom/privacy/security review<br />
* GM45: Write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: Write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo/External_GPU_init_without_running_the_option_rom&diff=34829User:GNUtoo/External GPU init without running the option rom2018-05-10T12:35:38Z<p>GNUtoo: Created page with " The idea is to keep the option rom in memory while making SeaBIOS not run it. This has the effect of permitting linux(-libre) to initalize the GPU on all AMD/ATI and Nvidia G..."</p>
<hr />
<div><br />
The idea is to keep the option ROM in memory while making SeaBIOS not run it.<br />
This lets linux(-libre) initialize the GPU on every AMD/ATI and Nvidia GPU I tried it with. The downside is the lack of graphics before that: there are no graphics in GRUB.<br />
<br />
==== Patch ====<br />
From 73aae33b7e70d15b595b3f127ffe98bd76f9a646 Mon Sep 17 00:00:00 2001<br />
From: Denis 'GNUtoo' Carikli <GNUtoo@no-log.org><br />
Date: Sat, 7 Mar 2015 15:39:52 +0100<br />
Subject: [PATCH] Kconfig: Add option not to run option roms<br />
<br />
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@no-log.org><br />
---<br />
src/Kconfig | 8 ++++++++<br />
src/optionroms.c | 2 ++<br />
2 files changed, 10 insertions(+)<br />
<br />
diff --git a/src/Kconfig b/src/Kconfig<br />
index 95bf087..1988f56 100644<br />
--- a/src/Kconfig<br />
+++ b/src/Kconfig<br />
@@ -403,6 +403,14 @@ menu "BIOS interfaces"<br />
default y<br />
help<br />
Support Post Memory Manager (PMM) entry point.<br />
+ config OPTIONROMS_NORUN<br />
+ depends on OPTIONROMS<br />
+ bool "Put the option roms in memory, but don't run them"<br />
+ default n<br />
+ help<br />
+ Some GPU drivers are capable of initializing the display alone,<br />
+ but they still require some data from the option rom.<br />
+<br />
config BOOT<br />
bool "Boot interface"<br />
default y<br />
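Review bot: the help text for OPTIONROMS_NORUN says why someone would want the option but not what it costs, and the prompt makes clear that it is global (every option ROM is left unexecuted, not only the VGA one). Suggest adding to the help block something like "No option ROM is executed, so there is no display until the operating system's driver initializes the GPU." The "default n" line is also redundant, a Kconfig bool without a default is already n.<br />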
diff --git a/src/optionroms.c b/src/optionroms.c<br />
index c81eff2..c7c89da 100644<br />
--- a/src/optionroms.c<br />
+++ b/src/optionroms.c<br />
@@ -53,7 +53,9 @@ __callrom(struct rom_header *rom, u16 offset, u16 bdf)<br />
void<br />
callrom(struct rom_header *rom, u16 bdf)<br />
{<br />
+#if (!CONFIG_OPTIONROMS_NORUN)<br />
__callrom(rom, OPTION_ROM_INITVECTOR, bdf);<br />
+#endif<br />
}<br />
<br />
// Execute a BCV option rom registered via add_bcv().<br />
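Review bot: callrom() wraps the __callrom() call in a preprocessor #if on CONFIG_OPTIONROMS_NORUN; SeaBIOS tests CONFIG_* symbols with a plain runtime if so that both configurations keep compiling, e.g. `if (CONFIG_OPTIONROMS_NORUN) return;` before the call. The guard also covers only callrom(): the BCV path named in the comment that follows is a separate entry point, so confirm whether those ROM calls are meant to stay enabled and say so in the commit message, which currently consists of the subject line only.<br />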
-- <br />
2.6.4</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo&diff=34828User:GNUtoo2018-05-10T12:35:31Z<p>GNUtoo: /* AMD/ATI/Nvidia GPU with SeaBIOS without running the option rom */</p>
<hr />
<div>
== Howtos ==<br />
=== Make a recent Intel BIOS flash writable and/or extract its pieces ===<br />
coreboot has a utility for that in util/ifdtool.<br />
* Power off the laptop completely (unplug the power supply, remove the battery, etc.).<br />
* Connect an external programmer to the BIOS flash chip.<br />
* Dump the chip contents with flashrom through that external programmer. Dump it twice and compare the two dumps; they must be identical before you rely on them.<br />
* Run ifdtool on the dumped image. Its unlock option rewrites the flash master access bits in the descriptor so that the host CPU/BIOS may write every region; its extract option splits the image into its regions (descriptor, BIOS, ME, GbE).<br />
* Reflash the modified image, then read the chip back and compare it with what you wrote.<br />
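The unlock step of the procedure above, as an added example that is neither coreboot's nor ifdtool's own code: a Python script that decodes the three FLMSTR flash-master registers of a version-1 Intel Flash Descriptor (the ICH9/GM45-era layout) and applies the same change as `ifdtool -u`, granting the host CPU/BIOS read and write access to every region. The 4 KiB image it works on, the stock-style permission values in it and the function names are constructed for this example; the signature, FLMAP1 and FLMSTR offsets follow the public descriptor layout. It also gives you the check worth running on the dump read back after reflashing: whether the host may now write every region.<br />

```python
"""Decode and unlock the flash master permissions of an Intel Flash Descriptor.

Added example, not coreboot's or ifdtool's own code. It re-implements, on a
constructed dump, the byte-level change that `ifdtool -u` makes on a version-1
descriptor: the FLMSTR registers tell the chipset which flash regions the host
CPU/BIOS, the ME and the GbE controller may read or write, and "making the
flash writable" means rewriting those bits.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
# Region numbers used by a version-1 descriptor.
REGIONS = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")
MASTERS = ("Host CPU/BIOS", "ME", "GbE")


def find_signature(image):
    """Offset of the descriptor signature: 0x10 on most boards, 0 on older ones."""
    for off in (0x10, 0x00):
        if len(image) >= off + 4 and struct.unpack_from("<I", image, off)[0] == IFD_SIGNATURE:
            return off
    raise ValueError("no flash descriptor signature found")


def fmba_offset(image):
    """Flash Master Base Address: FLMAP1 bits 7:0, in 16-byte units."""
    sig = find_signature(image)
    flmap1 = struct.unpack_from("<I", image, sig + 8)[0]
    return (flmap1 & 0xFF) << 4


def read_flmstrs(image):
    """FLMSTR1..3 (host, ME, GbE) as raw 32-bit values."""
    return list(struct.unpack_from("<3I", image, fmba_offset(image)))


def region_access(flmstr):
    """Decode a v1 FLMSTR: bit 16+n = may read region n, bit 24+n = may write region n."""
    return {
        name: {"read": bool((flmstr >> (16 + n)) & 1),
               "write": bool((flmstr >> (24 + n)) & 1)}
        for n, name in enumerate(REGIONS)
    }


def unlock_flmstr(flmstr):
    """Grant read and write on every region, keeping the requester ID in bits 15:0.
    This is the transformation ifdtool -u applies to a version-1 descriptor."""
    return 0xFFFF0000 | (flmstr & 0xFFFF)


def unlock_image(image):
    """Return a copy of the dump with all three masters unlocked; nothing else changes."""
    fmba = fmba_offset(image)
    out = bytearray(image)
    for i, flmstr in enumerate(read_flmstrs(image)):
        struct.pack_into("<I", out, fmba + 4 * i, unlock_flmstr(flmstr))
    return bytes(out)


def host_can_write_all(image):
    """Check for the dump read back after reflashing: may the host CPU/BIOS
    now write every region according to FLMSTR1?"""
    host = region_access(read_flmstrs(image)[0])
    return all(acc["write"] for acc in host.values())


def build_sample_image():
    """Constructed 4 KiB descriptor region (not a real dump) with stock-style locks:
    host reads Descriptor/BIOS/GbE and writes BIOS/GbE; ME reads Descriptor/ME/GbE
    and writes ME/GbE; GbE reads/writes GbE only, requester ID 0x0118."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x00000000)  # FLMAP0, unused here
    struct.pack_into("<I", img, 0x18, 0x00000206)  # FLMAP1: NM=2, FMBA=0x60
    struct.pack_into("<3I", img, 0x60, 0x0A0B0000, 0x0C0D0000, 0x08080118)
    return bytes(img)


def describe(image):
    """Human-readable permission table, one line per master."""
    lines = []
    for master, flmstr in zip(MASTERS, read_flmstrs(image)):
        acc = region_access(flmstr)
        r = ",".join(n for n in REGIONS if acc[n]["read"]) or "-"
        w = ",".join(n for n in REGIONS if acc[n]["write"]) or "-"
        lines.append("%-14s FLMSTR=0x%08x read=[%s] write=[%s]" % (master, flmstr, r, w))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_image()
    print("before unlock:\n" + describe(sample))
    print("after unlock:\n" + describe(unlock_image(sample)))
```

On a real board, feed unlock_image() the dump from the external programmer (after confirming two dumps are identical), write the result back, dump again and confirm host_can_write_all() on that dump. Keep the trade-off in mind: the FLMSTR bits are the permissions the chipset enforces against the host, so once unlocked, any software that reaches the SPI controller can rewrite the descriptor, ME and BIOS regions, which is exactly the internal-flashing risk discussed elsewhere on this page.<br />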
=== AMD/ATI/Nvidia GPU with SeaBIOS without running the option rom ===<br />
* [[/External GPU init without running the option rom]]<br />
</div>GNUtoohttps://www.coreboot.org/index.php?title=User:GNUtoo&diff=33645User:GNUtoo2018-03-26T22:36:59Z<p>GNUtoo: /* Mainboard/Devices running coreboot */ Fixed it with an APU1</p>
<hr />
<div>
== My hardware ==<br />
=== Mainboard/Devices running coreboot ===<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Serial/output<br />
! Flash recovery mechanism<br />
! What I worked on<br />
|-<br />
| Asrock E350M1<br />
| <br />
* cbmem -c<br />
* Serial<br />
| rowspan="3" |<br />
* External programmer<br />
* Swapping the flash chip<br />
|<br />
|-<br />
| Asus F2A85-M PRO<br />
|<br />
* cbmem -c<br />
| rowspan="2" |<br />
* I've been the main porter.<br />
* Usability improvements<br />
|-<br />
| Asus M4A785T-M<br />
|<br />
* cbmem -c<br />
* Serial<br />
|-<br />
| Lenovo X60<br />
| rowspan="4" |<br />
* cbmem -c<br />
* Serial on the dock<br />
* spkmodem<br />
* USB debug<br />
| rowspan="5" |<br />
* External programmer with pomona clip<br />
| rowspan="2" |<br />
* Native GPU init<br />
* Usability improvements.<br />
|-<br />
| Lenovo X60T<br />
|-<br />
| Lenovo T60<br />
|<br />
* Usability improvements.<br />
|-<br />
| Lenovo T400<br />
|<br />
|-<br />
| Lenovo X200<br />
|<br />
* cbmem -c<br />
|<br />
|-<br />
| PC Engines Alix 1.C<br />
|<br />
* Serial<br />
| <br />
* Hot swap with the LPC dongle<br />
* Usability improvements.<br />
|-<br />
|}<br />
<br />
=== Mainboard/Devices not running coreboot (yet?) ===<br />
If you need some tests done on the default boot firmware, ask me: it is fast to do if I have the laptop nearby.<br />
<br />
{| class="wikitable" border="1"<br />
! Device/Mainboard<br />
! Reason<br />
|-<br />
| Lenovo Thinkpad X200T<br />
| I need to find a way to reflash it easily, robustly and safely:<br />
* If a SOIC8 SPI chip is soldered in place of the WSON8 one, the solder paste must not affect the stability of the SOIC8 clip. That is probably the most suitable way for me.<br />
* Wires aren't ideal if they break easily.<br />
* Internal flashing can't be trusted for freedom/privacy/security: the hardware probably lets the boot firmware tamper very easily with the flash content while it is being read or written: the hardware can probably be programmed to emit an SMI when the flash chip is accessed, and once in SMM, modify the data. This is the case on i945 ThinkPads; however, I didn't check the X200T datasheet yet, hence the "probably".<br />
|-<br />
|}<br />
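The SMM hook suspected above can be checked on a running system. The script below is an added example, not code from this page, from coreboot or from flashrom: it decodes the Intel BIOS_CNTL register found at PCI config offset 0xDC of the LPC bridge (00:1f.0). The bit layout it assumes comes from the ICH/PCH datasheets: BIOSWE (bit 0) enables writes to the BIOS region, BLE (bit 1) makes the chipset raise an SMI as soon as software sets BIOSWE, and SMM_BWP (bit 5, 6-series PCH and newer only) allows writes from SMM only. With BLE set, the vendor's SMM handler therefore runs before flashrom can write anything, which is exactly the kind of interception that makes internal flashing untrustworthy. The live read goes through setpci and needs root and real Intel hardware; the decoding functions work on any byte value.<br />

```python
"""Decode the Intel ICH/PCH BIOS_CNTL register.

Added example, not code from the wiki page, coreboot or flashrom.
Assumed layout (Intel ICH7..ICH10 and later PCH datasheets):
  BIOS_CNTL: PCI config offset 0xDC of the LPC bridge (bus 0, dev 31, fn 0)
  bit 0  BIOSWE   BIOS Write Enable: 1 = writes to the BIOS region allowed
  bit 1  BLE      BIOS Lock Enable: 1 = setting BIOSWE raises an SMI, so the
                  firmware's SMM handler runs before any write can happen
  bit 5  SMM_BWP  SMM BIOS Write Protect (6-series PCH and newer): 1 = the
                  BIOS region is writable from SMM only
Other chipsets may use a different layout; treat the offsets as an assumption.
"""
import subprocess

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


def decode_bios_cntl(value):
    """Return the named bits of a BIOS_CNTL byte as a dict of booleans."""
    value &= 0xFF
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def bios_cntl_verdict(value):
    """Classify how much an internal (OS-side) flash write can be trusted.

    'smm_only': SMM_BWP set; only SMM code can write the BIOS region.
    'smi_hook': BLE set; the OS may set BIOSWE, but doing so raises an SMI and
                the proprietary SMM handler gets control first (it can clear
                BIOSWE again or tamper with the transaction).
    'open'    : neither lock set; this register does not route writes through
                SMM. The flash descriptor's region permissions and the SPI
                controller's protected ranges (PR0..PR4) can still block them,
                and other SMI sources are not ruled out.
    """
    bits = decode_bios_cntl(value)
    if bits["SMM_BWP"]:
        return "smm_only"
    if bits["BLE"]:
        return "smi_hook"
    return "open"


def read_bios_cntl(bdf="00:1f.0", offset=0xDC):
    """Read the live register with setpci (root and an Intel LPC bridge needed)."""
    out = subprocess.run(
        ["setpci", "-s", bdf, "0x%02x.b" % offset],
        check=True, capture_output=True, text=True,
    ).stdout
    return int(out.strip(), 16)


if __name__ == "__main__":
    val = read_bios_cntl()
    print("BIOS_CNTL = 0x%02x: %s -> %s"
          % (val, decode_bios_cntl(val), bios_cntl_verdict(val)))
```

flashrom reports the same two bits in its debug output (the "BIOS Lock Enable" and "BIOS Write Enable" lines printed by flashrom -V -p internal), so the script is mainly a way to look before attempting a write. A verdict of open only means this particular lock is not engaged, not that the firmware has no other way to interpose on flash accesses.<br />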
<br />
=== Debugging tools ===<br />
* External programmers:<br />
** Arduino Duemilanove (serprog based)<br />
** Arduino Uno (serprog based)<br />
** Openmoko debug board (FTDI based)<br />
** bug20 (linux_spi)<br />
* A Pomona clip<br />
* A null-modem serial cable and 2 USB<->serial adapters<br />
* [[EHCI Gadget Debug|USB debug]] compatible devices:<br />
** a bug20 (OMAP3530)<br />
** a GTA04 A3 (DM3730)<br />
<br />
== My TODO list ==<br />
See also the TODO of the respective machines on their dedicated wiki pages.<br />
* Merge or abandon my old patches.<br />
* i945, GM45, GS45 ThinkPads: have all hardware features working (feature parity with the default boot firmware):<br />
** IrDA<br />
** TPM<br />
** Testing: write tests for<br />
*** suspend/resume<br />
*** power consumption<br />
*** heat<br />
* GM45: merge the ich9gen functionality into ifdtool or ifdfake<br />
* GM45: investigate internal flashing (look whether BIOS -> modded BIOS -> coreboot works, and understand why)<br />
* i945: SeaBIOS: allow booting from SD cards.<br />
* Port a logging mechanism from the Chromebooks to all devices, in order to be able to retrieve the log of a failed boot at the next reboot.<br />
* Document flash protections and vboot.<br />
* Verify that all the microcodes were moved out of coreboot git.<br />
* (Alix 1.C: port the VSA to fasm)<br />
* (GDB improvements: allow gdb earlier than ramstage)<br />
* i945: write a freedom/privacy/security review<br />
* GM45: write a freedom/privacy/security review<br />
* More recent Intel with me_cleaner: write a freedom/privacy/security review<br />
<br />
= Work in progress documentation =<br />
* [[/Blobs-rewrite]]<br />
* [[/Golden Finger Connector]]<br />
* [[/Hardware Comparison]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Console_and_outputs&diff=32862Console and outputs2018-02-24T17:01:33Z<p>GNUtoo: </p>
<hr />
<div>Coreboot has various possible consoles:<br />
{| class="wikitable" border="1"<br />
! Output name<br />
! Direction (from the coreboot target machine's point of view)<br />
! Requirements<br />
! Compatibility with software loaded after coreboot, like payloads and the OS<br />
|-<br />
! [[Serial console]]<br />
(sends coreboot logs over the serial port)<br />
|<br />
* input<br />
* output<br />
|<br />
* A supported serial port:<br />
** it can be on the mainboard<br />
** it can also be a PCIe OXPCIe952 card with PCI vendor ID 0x1415 and device ID 0xc158.<br />
** USB serial adapters are not supported by this driver; see the EHCI debug port for that.<br />
|<br />
* seabios<br />
* grub as a payload<br />
* grub running after seabios<br />
* libpayload<br />
* linux kernel (loaded after the payload)<br />
* most GNU/Linux init systems (sysvinit, systemd, upstart, etc.)<br />
|-<br />
! [[EHCI Debug Port| Console Over EHCI debug port]]<br />
(sends coreboot logs over the usb debug port)<br />
|<br />
* input?<br />
* output<br />
|<br />
* A USB debug port supported by coreboot.<br />
* Knowing which USB connector the debug port is wired to.<br />
* A supported dongle:<br />
** A GNU/Linux computer with a USB peripheral or OTG controller and the g_dbgp gadget driver. Single board computers typically have that.<br />
|<br />
* grub<br />
* linux kernel, during its early initialisation (I'm not sure that it can be kept afterwards because, after the early initialisation, the kernel by default tries to initialise the USB controller normally)<br />
<br />
|-<br />
! [[EHCI Debug Port| Console Over USB serial port through EHCI debug port]]<br />
(sends coreboot logs over the usb debug port)<br />
|<br />
* input (probably not in coreboot)<br />
* output<br />
|<br />
* A USB debug port supported by coreboot.<br />
* Knowing which USB connector the debug port is wired to.<br />
* A supported dongle:<br />
** FTDI FT232H Serial adapter<br />
|<br />
* grub<br />
* linux kernel<br />
|-<br />
! [[Spkmodem| Console trough spkmodem]]<br />
(sends coreboot logs over the sound card)<br />
|<br />
* output only<br />
|<br />
* A sound card that can emit beeps at boot.<br />
* On some laptops it is necessary to make sure that the sound is enabled and the volume is correct for it to work:<br />
** On many laptops this can be done beforehand under GNU/Linux.<br />
|<br />
For writing to it from the coreboot target computer:<br />
* coreboot's console<br />
* grub's console<br />
For reading it from a remote computer:<br />
* the spkmodem_recv utility (the same utility is available in both the coreboot and grub git repositories)<br />
|-<br />
! [[Network console]]<br />
(sends coreboot logs over the network)<br />
|<br />
* output<br />
* probably no input<br />
|<br />
* An ne2k-compatible Ethernet card on the coreboot target system.<br />
* A network between the coreboot computer and the computer receiving the logs.<br />
|<br />
For sending the logs:<br />
* the linux kernel<br />
For receiving the logs:<br />
* nc and similar networking utilities.<br />
|-<br />
! [[Cbmem console]]<br />
(Ram buffer, like dmesg)<br />
|<br />
* output only for coreboot.<br />
* output for grub, which can also print the cbmem console content.<br />
* Retrieving the logs requires the computer to boot.<br />
|<br />
* Being able to boot the computer to retrieve the logs, or to extract them from the RAM.<br />
|<br />
For writing to the buffer, which lives in the coreboot target computer's RAM:<br />
* coreboot console output<br />
* grub console output<br />
* seabios<br />
For reading the buffer on the coreboot target computer, after coreboot booted:<br />
* grub with the cbmemc command<br />
* coreboot's userspace cbmem -c utility<br />
|-<br />
! [[POST card]]<br />
|<br />
* output only.<br />
|<br />
|<br />
|-<br />
|}<br />
<br />
If none of the above works for your case, you might consider:<br />
* Trying [[Developer_Manual/Tools#Flash_emulators_.28used_to_flash_and_debug.29 | Flash emulators]] to trace the code being accessed.<br />
* [[Developer_Manual/Tools#Oscilloscope| Oscilloscopes]] for lower level, hardware related debugging.<br />
* [https://www.serialice.com SerialICE], if you can add support for your board's serial port or [[EHCI Debug Port]] to [https://www.serialice.com SerialICE]</div>GNUtoohttps://www.coreboot.org/index.php?title=Console_and_outputs&diff=32860Console and outputs2018-02-24T16:59:01Z<p>GNUtoo: </p>
<hr />
<div>(Earlier revision of the "Console and outputs" page above; the text is the same apart from the wording of the EHCI debug port and spkmodem rows, so it is not repeated here.)</div>GNUtoohttps://www.coreboot.org/index.php?title=Console_and_outputs&diff=32859Console and outputs2018-02-24T16:56:54Z<p>GNUtoo: </p>
<hr />
<div>(Earlier revision of the "Console and outputs" page above; not repeated here.)</div>GNUtoohttps://www.coreboot.org/index.php?title=Console_and_outputs&diff=32858Console and outputs2018-02-24T16:55:54Z<p>GNUtoo: </p>
<hr />
<div>(Earlier revision of the "Console and outputs" page above; not repeated here.)</div>GNUtoohttps://www.coreboot.org/index.php?title=Console_and_outputs&diff=32857Console and outputs2018-02-24T16:53:57Z<p>GNUtoo: Update to current status</p>
<hr />
<div>(Earlier revision of the "Console and outputs" page above; not repeated here.)</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31722Intel Management Engine2018-01-12T16:00:24Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a separate processor which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware, before the boot firmware(BIOS/EFI/UEFI/Coreboot/etc...).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code running inside the Management Engine is proprietary and signed. Therefore it cannot easily be audited or tested, and it cannot be replaced except by those with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc.), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Disable bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<ref name=Silent-Bob-is-Silent/><br />
* 6.2<ref name=Silent-Bob-is-Silent/><br />
| 1st Gen Core:<ref name=Silent-Bob-is-Silent/><br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="6"|<br />
* BUP<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| rowspan="6"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<ref name=Silent-Bob-is-Silent/><br />
| 2nd Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<ref name=Silent-Bob-is-Silent/><br />
| 3rd Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 9.0<ref name=Silent-Bob-is-Silent/><br />
* 9.1<ref name=Silent-Bob-is-Silent/><br />
* 9.5<ref name=Silent-Bob-is-Silent/><br />
| 4th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 10.0<ref name=Silent-Bob-is-Silent/><br />
| 5th Gen Core:<ref name=Silent-Bob-is-Silent/><br />
* Broadwell<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| <br />
* 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
* 11.0<ref name=Silent-Bob-is-Silent/><br />
| 6th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 11.5<ref name=Silent-Bob-is-Silent/><br />
* 11.6<ref name=Silent-Bob-is-Silent/><br />
| 7th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|}<br />
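The "Required modules" column above follows me_cleaner's approach: everything in the ME region except the code partition (FTPR) and a handful of its modules is removed. As an added example, not code from this page or from me_cleaner, the script below parses an ME region's Flash Partition Table and marks which partitions such a reduction keeps or wipes. The FPT layout it relies on (a $FPT header at offset 0x10, or 0x0 in some ME 11 images; a 32-byte header whose fields at offsets 4 and 0xA are the entry count and header length; then 32-byte entries with name, owner, offset and length fields, offsets relative to the ME region) is an assumption taken from me_cleaner's "How does it work?" page. The sample region is constructed inline. Pruning the modules inside FTPR down to BUP (or RBE/BUP/KERNEL/SYSLIB on ME 11) needs the partition's manifest and is not shown.<br />

```python
"""List the partitions of an Intel ME firmware region and show which ones a
me_cleaner-style reduction keeps.

Added example, not code from the wiki page or from me_cleaner.
Assumed FPT layout (from me_cleaner's "How does it work?" wiki page):
  * "$FPT" magic at offset 0x10 (ME <= 10) or 0x0 (some ME 11 images)
  * header: magic(4) num_entries(4) hdr_ver(1) entry_ver(1) hdr_len(1)
    checksum(1) ... padded to 0x20 bytes
  * one 32-byte entry per partition: name(4) owner(4) offset(4) length(4)
    start_tokens(4) max_tokens(4) scratch_sectors(4) flags(4)
  * partition offsets are relative to the start of the ME region
"""
import struct

FPT_MAGIC = b"$FPT"
ENTRY_SIZE = 0x20
KEEP = {b"FTPR"}  # the code partition holding BUP (and RBE/KERNEL/SYSLIB on ME 11)


def find_fpt(region):
    """Return the offset of the $FPT header inside the ME region, or None."""
    for candidate in (0x10, 0x0):
        if region[candidate:candidate + 4] == FPT_MAGIC:
            return candidate
    return None


def parse_fpt(region):
    """Return a list of (name, offset, length) tuples, one per FPT entry."""
    fpt = find_fpt(region)
    if fpt is None:
        raise ValueError("no $FPT header found")
    num_entries = struct.unpack_from("<I", region, fpt + 4)[0]
    hdr_len = region[fpt + 0xA] or 0x20  # some images leave it 0: assume 0x20
    entries = []
    for i in range(num_entries):
        off = fpt + hdr_len + i * ENTRY_SIZE
        name = bytes(region[off:off + 4]).rstrip(b"\x00")
        part_off, part_len = struct.unpack_from("<II", region, off + 8)
        entries.append((name, part_off, part_len))
    return entries


def removal_plan(region):
    """Map each partition name to 'keep', 'wipe' or 'skip' (placeholder entry)."""
    plan = {}
    for name, part_off, part_len in parse_fpt(region):
        if part_off == 0xFFFFFFFF or part_len == 0:
            plan[name] = "skip"  # entry without backing data
        elif name in KEEP:
            plan[name] = "keep"
        else:
            plan[name] = "wipe"
    return plan


def apply_plan(region):
    """Return a copy of the region with every 'wipe' partition filled with 0xFF
    (the erased state of SPI flash)."""
    plan = removal_plan(region)
    out = bytearray(region)
    for name, part_off, part_len in parse_fpt(region):
        if plan[name] == "wipe":
            out[part_off:part_off + part_len] = b"\xFF" * part_len
    return bytes(out)


def build_sample_region():
    """Construct a toy 32 KiB ME region with an FPT and three partitions.
    Sample data, not a real ME image."""
    parts = [(b"FTPR", 0x1000, 0x2000), (b"NFTP", 0x3000, 0x4000), (b"MFS", 0x7000, 0x1000)]
    header = FPT_MAGIC + struct.pack("<IBBBB", len(parts), 0x20, 0x10, 0x20, 0)
    header += b"\x00" * (0x20 - len(header))
    table = b""
    for name, off, length in parts:
        table += name.ljust(4, b"\x00") + b"\x00" * 4 + struct.pack("<II", off, length) + b"\x00" * 16
    region = bytearray(0x8000)
    region[0x10:0x10 + len(header) + len(table)] = header + table
    return bytes(region)


if __name__ == "__main__":
    sample = build_sample_region()
    for name, off, length in parse_fpt(sample):
        print("%-4s offset=0x%05x length=0x%05x -> %s"
              % (name.decode(), off, length, removal_plan(sample)[name]))
```

On a real image, pass the ME region extracted with ifdtool instead of the sample; the plan tells you what is about to be erased before anything is written back, which is the check worth doing before reflashing.<br />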
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| GM45/GS45<br />
|<br />
The ME is inside the GMCH (the northbridge; GM45/GS45 predate the PCH), it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters<br />
|<br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="14" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these do not have a management engine.<br />
* Some ship with it disabled (meaning that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has had some success; see [https://github.com/corna/me_cleaner me_cleaner]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller (2 MiB) version, but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using the available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
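As an added example (not code from the coreboot wiki, nor from coreboot's own ifdtool), the following Python shows what "update your Intel flash descriptor and shrink the ME region" means at the byte level: it decodes the FLREG entries of the descriptor's region table, reports the current ME and BIOS region sizes, and recomputes the two entries for a smaller ME image while refusing any layout that overlaps or runs past the end of the chip. The 8 MiB layout, the FRBA value and the region sizes are constructed for the demo; the field positions follow the public Intel Flash Descriptor format, and a real descriptor should be dumped and re-checked with coreboot's ifdtool before anything is flashed.<br />

```python
"""Decode an Intel Flash Descriptor (IFD) region table and recompute it
for a smaller ME image.

Added example: not code from the coreboot wiki or from coreboot's ifdtool.
The field layout is the public IFD format (signature at 0x10, FLMAP0 right
after it, FLREGn at FRBA); the 8 MiB sample layout is constructed here.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Flash Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
FD, BIOS, ME, GBE, PD = range(5)   # FLREG index of each region
PAGE = 0x1000                      # region bounds are 4 KiB aligned


def find_signature(blob):
    """The signature sits at 0x10 (at 0x0 on some older chipsets)."""
    for off in (0x10, 0x0):
        if struct.unpack_from("<I", blob, off)[0] == IFD_SIGNATURE:
            return off
    raise ValueError("no flash descriptor signature found")


def region_table_offset(blob):
    """FRBA: bits 16-23 of FLMAP0, counted in 16-byte units."""
    flmap0 = struct.unpack_from("<I", blob, find_signature(blob) + 4)[0]
    return ((flmap0 >> 16) & 0xFF) << 4


def parse_regions(blob):
    """Return {name: (base, limit)}, or None for an unused region.

    FLREG: bits 0-12 = base >> 12, bits 16-28 = limit >> 12. Newer descriptors
    use the 13-bit fields; up to 16 MiB of flash a 12-bit mask gives the same
    result. An entry whose base lies above its limit is unused.
    """
    frba = region_table_offset(blob)
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", blob, frba + 4 * idx)[0]
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = None if base > limit else (base, limit)
    return regions


def region_size(region):
    base, limit = region
    return limit - base + 1


def encode_flreg(base, limit):
    assert base % PAGE == 0 and (limit + 1) % PAGE == 0, "unaligned region"
    return (base >> 12) | ((limit >> 12) << 16)


def check_layout(regions, flash_size):
    """Every used region must lie inside the flash and none may overlap."""
    used = sorted((r[0], r[1], name) for name, r in regions.items() if r)
    for base, limit, name in used:
        if limit >= flash_size:
            raise ValueError(f"{name} region ends beyond the flash chip")
    for (_, limit1, name1), (base2, _, name2) in zip(used, used[1:]):
        if base2 <= limit1:
            raise ValueError(f"{name1} region overlaps {name2} region")


def shrink_me_region(blob, new_me_size, flash_size):
    """Return a descriptor copy whose ME region holds new_me_size bytes
    (rounded up to 4 KiB) and whose BIOS region takes the freed space."""
    regions = parse_regions(blob)
    me_base, me_limit = regions["ME"]
    bios_base, bios_limit = regions["BIOS"]
    if bios_base != me_limit + 1:
        raise ValueError("BIOS region does not directly follow the ME region")
    new_me_limit = me_base + ((new_me_size + PAGE - 1) // PAGE) * PAGE - 1
    if new_me_limit > me_limit:
        raise ValueError("replacement ME is larger than the current ME region")
    frba = region_table_offset(blob)
    out = bytearray(blob)
    struct.pack_into("<I", out, frba + 4 * ME, encode_flreg(me_base, new_me_limit))
    struct.pack_into("<I", out, frba + 4 * BIOS,
                     encode_flreg(new_me_limit + 1, bios_limit))
    check_layout(parse_regions(out), flash_size)   # refuse a broken layout
    return bytes(out)


def build_sample_descriptor():
    """Constructed 8 MiB layout: FD | GbE | ME (~5 MiB) | BIOS (3 MiB)."""
    blob = bytearray(b"\xff" * PAGE)
    frba = 0x40
    struct.pack_into("<I", blob, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", blob, 0x14, ((frba >> 4) << 16) | 0x03)  # FRBA | FCBA
    layout = {FD: (0x000000, 0x000FFF), GBE: (0x001000, 0x002FFF),
              ME: (0x003000, 0x4FFFFF), BIOS: (0x500000, 0x7FFFFF)}
    for idx in range(len(REGION_NAMES)):
        flreg = encode_flreg(*layout[idx]) if idx in layout else 0x00007FFF
        struct.pack_into("<I", blob, frba + 4 * idx, flreg)
    return bytes(blob)


if __name__ == "__main__":
    before = parse_regions(build_sample_descriptor())
    after = parse_regions(shrink_me_region(build_sample_descriptor(),
                                           2 * 1024 * 1024, 8 * 1024 * 1024))
    for name in REGION_NAMES:
        print(f"{name:17s} {before[name]} -> {after[name]}")
```

On the constructed layout the BIOS region grows from 3 MiB to just under 6 MiB, which is the "about 3 MiB" gain the paragraph describes; the extra 4 KiB come from the ME region in the sample not starting on a megabyte boundary. The function only rewrites the two region entries: the new ME image itself must still be placed at the ME base and the BIOS region refilled with a coreboot image built for the larger size.<br />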
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31721Intel Management Engine2018-01-12T15:58:40Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot, etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|-<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<ref name=Silent-Bob-is-Silent/><br />
* 6.2<ref name=Silent-Bob-is-Silent/><br />
| 1st Gen Core:<ref name=Silent-Bob-is-Silent/><br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="6"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="6"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<ref name=Silent-Bob-is-Silent/><br />
| 2nd Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<ref name=Silent-Bob-is-Silent/><br />
| 3rd Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 9.0<ref name=Silent-Bob-is-Silent/><br />
* 9.1<ref name=Silent-Bob-is-Silent/><br />
* 9.5<ref name=Silent-Bob-is-Silent/><br />
| 4th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 10.0<ref name=Silent-Bob-is-Silent/><br />
| 5th Gen Core:<ref name=Silent-Bob-is-Silent/><br />
* Broadwell<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| <br />
* 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
* 11.0<ref name=Silent-Bob-is-Silent/><br />
| 6th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 11.5<ref name=Silent-Bob-is-Silent/><br />
* 11.6<ref name=Silent-Bob-is-Silent/><br />
| 7th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these do not have a management engine.<br />
* Some ship with it disabled (meaning that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has had some success; see [https://github.com/corna/me_cleaner me_cleaner]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller (2 MiB) version, but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using the available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31720Intel Management Engine2018-01-12T15:58:17Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot, etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|-<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<ref name=Silent-Bob-is-Silent/><br />
* 6.2<ref name=Silent-Bob-is-Silent/><br />
| 1st Gen Core:<ref name=Silent-Bob-is-Silent/><br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="6"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="6"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<ref name=Silent-Bob-is-Silent/><br />
| 2nd Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<ref name=Silent-Bob-is-Silent/><br />
| 3rd Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 9.0<ref name=Silent-Bob-is-Silent/><br />
* 9.1<ref name=Silent-Bob-is-Silent/><br />
* 9.5<ref name=Silent-Bob-is-Silent/><br />
| 4th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 10.0<ref name=Silent-Bob-is-Silent/><br />
| 5th Gen Core:<ref name=Silent-Bob-is-Silent/><br />
* Broadwell<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
* 11.0<ref name=Silent-Bob-is-Silent/><br />
| 6th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 11.5<ref name=Silent-Bob-is-Silent/><br />
* 11.6<ref name=Silent-Bob-is-Silent/><br />
| 7th Gen Core<ref name=Silent-Bob-is-Silent/><br />
|<br />
|<br />
|<br />
|<br />
|<br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these do not have a management engine.<br />
* Some ship with it disabled (meaning that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has had some success; see [https://github.com/corna/me_cleaner me_cleaner]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller (2 MiB) version, but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using the available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31719Intel Management Engine2018-01-12T15:54:57Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot, etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core:<br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="6"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="6"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<br />
| 2nd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<br />
| 3rd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 9.0<ref name=Silent-Bob-is-Silent/><br />
* 9.1<br />
* 9.5<br />
| 4th Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 10.0<ref name=Silent-Bob-is-Silent/><br />
| 5th Gen Core:<br />
* Broadwell<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters<br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even if some people have partially documented [http://me.bios.io/ME_blob_format some of the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than the ones with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31718Intel Management Engine2018-01-12T15:54:25Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core:<br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="5"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="5"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<br />
| 2nd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<br />
| 3rd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 9.0<ref name=Silent-Bob-is-Silent/><br />
* 9.1<br />
* 9.5<br />
| 4th Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 10.0<ref name=Silent-Bob-is-Silent/><br />
| 5th Gen Core:<br />
* Broadwell<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters<br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even if some people have partially documented [http://me.bios.io/ME_blob_format some of the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than the ones with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31717Intel Management Engine2018-01-12T15:53:02Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core:<br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="5"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="5"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<br />
| 2nd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<br />
| 3rd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 9.0<ref name=Silent-Bob-is-Silent/><br />
* 9.1<br />
* 9.5<br />
| 4th Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters<br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even if some people have partially documented [http://me.bios.io/ME_blob_format some of the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than the ones with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31716Intel Management Engine2018-01-12T15:51:57Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME firmware version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core:<br />
* Nehalem?<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="5"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="5"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
|<br />
* 7.0<ref name=Silent-Bob-is-Silent/><br />
* 7.1<br />
| 2nd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
* 8.0<ref name=Silent-Bob-is-Silent/><br />
* 8.1<br />
| 3rd Gen Core<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some ME firmware formats], there is very little chance of a free software replacement for it appearing one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31713Intel Management Engine2018-01-12T15:44:23Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core:<br />
* Nehalem<br />
* Other?<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="3"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], a free software replacement for it is very unlikely.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a Management Engine.<br />
* Some ship without it enabled (that means that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper, a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31712Intel Management Engine2018-01-12T15:43:42Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core (Includes Nehalem)<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="3"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], a free software replacement for it is very unlikely.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a Management Engine.<br />
* Some ship without it enabled (that means that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper, a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31711Intel Management Engine2018-01-12T15:42:27Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="4"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="4"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
* 6.0<ref name=Silent-Bob-is-Silent>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075</ref><br />
* 6.1<br />
* 6.2<br />
| 1st Gen Core (Nehalem?)<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], a free software replacement for it is very unlikely.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a Management Engine.<br />
* Some ship without it enabled (that means that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompressing ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31609Intel Management Engine2018-01-08T20:27:21Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot, etc.) runs.<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="3"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| i945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some of the ME firmware format], there is little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompressing ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31608Intel Management Engine2018-01-08T20:26:31Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot, etc.) runs.<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="3"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| i945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some of the ME firmware format], there is little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompressing ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31607Intel Management Engine2018-01-08T20:25:02Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot, etc.) runs.<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things; see the "ME location and physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
| rowspan="3" | ?<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="3"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| i945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some of the ME firmware format], there is little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for the ME.<br />
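The descriptor update described above, as an added example that is not coreboot's own code (coreboot ships ifdtool for this job): a small Python parser of the Intel flash descriptor region table that reports the ME region's size, checks whether a candidate ME blob fits it, and shrinks the ME region while handing the freed space to the BIOS region. The sample descriptor is constructed, not a real dump, and the FLMAP0/FLREGn field layout is assumed to be the one ifdtool uses.<br />

```python
"""Intel Flash Descriptor (IFD) region table: parse, check, shrink.

Added example, not coreboot's own code (coreboot ships ifdtool for
this). Assumed layout, as used by ifdtool: signature 0x0FF0A55A at
offset 0x10, FLMAP0 right after it, FRBA = ((FLMAP0 >> 16) & 0xFF) << 4,
and one 32-bit FLREGn per region at FRBA + 4*n, whose low and high
halves hold the region base and limit in 4 KiB units. Region 2 is ME.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
REGION_BIOS, REGION_ME = 1, 2
# Descriptor v1 uses 12 significant bits per field, v2 uses 15; masking
# with 0x7FFF covers both, since the extra bits read as 0 on v1 images.
FLREG_MASK = 0x7FFF


def _frba(image: bytes) -> int:
    """Offset of the region table, after verifying the descriptor signature."""
    sig = struct.unpack_from("<I", image, 0x10)[0]
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    return ((flmap0 >> 16) & 0xFF) << 4


def parse_regions(image: bytes) -> dict:
    """Return {name: (base, limit)}; regions encoded as unused are omitted."""
    frba = _frba(image)
    regions = {}
    for n, name in enumerate(REGION_NAMES):
        reg = struct.unpack_from("<I", image, frba + 4 * n)[0]
        base = (reg & FLREG_MASK) << 12
        limit = (((reg >> 16) & FLREG_MASK) << 12) | 0xFFF
        if base > limit:  # the "unused region" encoding (e.g. 0x00007FFF)
            continue
        regions[name] = (base, limit)
    return regions


def region_size(image: bytes, name: str) -> int:
    base, limit = parse_regions(image)[name]
    return limit - base + 1


def me_blob_fits(image: bytes, blob_len: int) -> bool:
    """True if an ME blob of blob_len bytes fits the image's ME region."""
    regions = parse_regions(image)
    return "ME" in regions and blob_len <= region_size(image, "ME")


def shrink_me_region(image: bytes, new_me_size: int) -> bytes:
    """Copy of image with the ME region cut to new_me_size bytes and the
    freed space given to the BIOS region (which must directly follow ME)."""
    if new_me_size <= 0 or new_me_size % 0x1000:
        raise ValueError("ME region size must be a positive multiple of 4 KiB")
    regions = parse_regions(image)
    me_base, me_limit = regions["ME"]
    bios_base, bios_limit = regions["BIOS"]
    if new_me_size > me_limit - me_base + 1:
        raise ValueError("new ME region would be larger than the current one")
    if bios_base != me_limit + 1:
        raise ValueError("BIOS region does not directly follow ME; edit by hand")
    new_me_limit = me_base + new_me_size - 1
    out = bytearray(image)
    frba = _frba(image)
    struct.pack_into("<I", out, frba + 4 * REGION_ME,
                     ((new_me_limit >> 12) << 16) | (me_base >> 12))
    struct.pack_into("<I", out, frba + 4 * REGION_BIOS,
                     ((bios_limit >> 12) << 16) | ((new_me_limit + 1) >> 12))
    return bytes(out)


def build_sample_descriptor() -> bytes:
    """Constructed 4 KiB descriptor for an 8 MiB flash (not a real dump):
    descriptor 0x000000-0x000FFF, GbE 0x001000-0x002FFF,
    ME 0x003000-0x4FFFFF, BIOS 0x500000-0x7FFFFF, platform data unused."""
    d = bytearray(0x1000)
    struct.pack_into("<I", d, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", d, 0x14, 0x04 << 16)  # FLMAP0: FRBA byte 0x04 -> 0x40
    flregs = [0x00000000, 0x07FF0500, 0x04FF0003, 0x00020001, 0x00007FFF]
    for n, reg in enumerate(flregs):
        struct.pack_into("<I", d, 0x40 + 4 * n, reg)
    return bytes(d)


if __name__ == "__main__":
    img = build_sample_descriptor()
    for name, (base, limit) in parse_regions(img).items():
        print(f"{name:14s} 0x{base:06x}-0x{limit:06x} ({(limit - base + 1) // 1024} KiB)")
    print("2 MiB ME blob fits:", me_blob_fits(img, 2 * 1024 * 1024))
    shrunk = shrink_me_region(img, 2 * 1024 * 1024)
    print("ME region after shrink:", region_size(shrunk, "ME") // 1024, "KiB")
    print("BIOS region after shrink:", region_size(shrunk, "BIOS") // 1024, "KiB")
```

The shrink only rewrites the descriptor's region table; the ME blob itself still has to be written into the new, smaller region, and on a real image the ME region's start is chipset-specific and must be read from the descriptor rather than assumed.<br />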
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky, "Intel ME: Two Years Later" (Breakpoint 2014), a detailed presentation on the ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31606Intel Management Engine2018-01-08T20:23:39Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes some of the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.) runs.<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
! Disable bit<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
|<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
|<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
| rowspan="3"|<br />
* AltMeDisable<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|<br />
* HAP<ref name=me_cleaner-HAP-AltMeDisable-bit>https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit</ref><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 minutes after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (e.g. by the EC) while the ME is checking its firmware signature is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] includes some of them:<br />
* Some of these don't have a management engine at all.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB ME firmware image. A smaller (2 MiB) image can be used instead, but it must match the chipset you are running on. The point of doing so is to grow the BIOS region, and thus the maximum payload size, by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME from them with the available tools. Once you have found a smaller ME, update the Intel flash descriptor so that the ME region is shrunk and the BIOS region enlarged over the freed space, and check the resulting layout (for example with coreboot's ifdtool) before flashing.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky, "Intel ME: Two Years Later" (Breakpoint 2014), a detailed presentation on the ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31475Intel Management Engine2018-01-03T11:08:32Z<p>GNUtoo: /* Uses of the Management Engine */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions:<br />
** initializes some of the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.) runs.<br />
** DRM<br />
** TPM<br />
** Other applications<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 minutes after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (e.g. by the EC) while the ME is checking its firmware signature is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] includes some of them:<br />
* Some of these don't have a management engine at all.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB ME firmware image. A smaller (2 MiB) image can be used instead, but it must match the chipset you are running on. The point of doing so is to grow the BIOS region, and thus the maximum payload size, by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME from them with the available tools. Once you have found a smaller ME, update the Intel flash descriptor so that the ME region is shrunk and the BIOS region enlarged over the freed space, and check the resulting layout (for example with coreboot's ifdtool) before flashing.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky, "Intel ME: Two Years Later" (Breakpoint 2014), a detailed presentation on the ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31443Intel Management Engine2018-01-02T10:07:02Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions, initializes some of the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.) runs.<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to a lot of things, see "physical capabilities" column below for more details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 minutes after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| Me firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (e.g. by the EC) while the ME is checking its firmware signature is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] includes some of them:<br />
* Some of these don't have a management engine at all.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success, see [https://github.com/corna/me_cleaner here]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here].<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship with a 5 MiB ME firmware image. A smaller (2 MiB) image can be used instead, but it must match the chipset you are running on. The point of doing so is to grow the BIOS region, and thus the maximum payload size, by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME from them with the available tools. Once you have found a smaller ME, update the Intel flash descriptor so that the ME region is shrunk and the BIOS region enlarged over the freed space, and check the resulting layout (for example with coreboot's ifdtool) before flashing.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31442Intel Management Engine2018-01-02T10:06:16Z<p>GNUtoo: /* Versions */ shorten names</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions, initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to many parts of the system; see the "ME location and physical capabilities" column below for details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
|-<br />
|<br />
|<br />
|Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (such as [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically feasible.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some ME firmware format], the probability of a free software replacement for it one day is very low.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a Management Engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success; see [https://github.com/corna/me_cleaner me_cleaner]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by the ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me the me_cleaner wiki] for the procedure.<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31441Intel Management Engine2018-01-02T10:05:07Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions, initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to many parts of the system; see the "ME location and physical capabilities" column below for details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| Intel 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
|-<br />
|<br />
|<br />
|Intel Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Intel Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<ref name=me_cleaner-how-does-it-work/><br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57 (Ibex peak Piketon)<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (such as [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically feasible.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some ME firmware format], the probability of a free software replacement for it one day is very low.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a Management Engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success; see [https://github.com/corna/me_cleaner me_cleaner]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by the ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me the me_cleaner wiki] for the procedure.<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31440Intel Management Engine2018-01-02T10:04:28Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a CPU which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions, initializes the hardware before the boot firmware (BIOS/EFI/UEFI/coreboot/etc.).<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has access to many parts of the system; see the "ME location and physical capabilities" column below for details.<br />
* In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc), it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| Intel 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| rowspan="3" | None<br />
|-<br />
|<br />
|<br />
|Intel Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
|-<br />
|<br />
|<br />
|Intel Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
|<br />
* AMT<br />
* No TPM<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57 (Ibex peak Piketon)<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (such as [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo x200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]; it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, the computer freezes about 30 min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Power glitching (by the EC) while the ME is checking its firmware is probably not practically feasible.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format some ME firmware format], the probability of a free software replacement for it one day is very low.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a Management Engine.<br />
* Some ship without it enabled (that is, the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has found some success; see [https://github.com/corna/me_cleaner me_cleaner]. This tool has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by the ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me the me_cleaner wiki] for the procedure.<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5 MiB version of the ME firmware. It is possible to use a smaller version (2 MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3 MiB. Search the web for BIOS updates from different vendors for the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor and shrink the region that is used for the ME.<br />
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about the ME]<br />
* [http://io.netgarage.org/me/ Decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoohttps://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=31438Intel Management Engine2018-01-02T09:59:33Z<p>GNUtoo: /* Versions */</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Intel Management Engine (abbreviated "ME") is a separate embedded CPU in the chipset (the northbridge on older platforms, the PCH on newer ones) which:<br />
* permits [https://en.wikipedia.org/wiki/Out-of-band_management out of band management] of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
* on recent versions, initializes parts of the hardware before the boot firmware (BIOS/UEFI/coreboot, etc.) runs.<br />
<br />
== Freedom and security issues ==<br />
<br />
* The code running inside the management engine is proprietary, so it cannot easily be audited or tested, and it is signed, so it cannot be replaced except by those with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).<br />
* The ME has broad access to the platform (main memory, the network adapters); see the "ME location and physical capabilities" column in the table below.<br />
* In addition to the obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc.), it could also potentially be used to alter the contents of the mainboard's flash chip, thereby polluting coreboot builds whose blobs (flash descriptor, ME region, GbE region) were extracted from that flash chip. Blobs extracted from a running machine should therefore be checked against a known-good source, such as the vendor's BIOS update image, before being reused.<br />
<br />
== Versions ==<br />
{| class="wikitable" border="1"<br />
! ME version<br />
! Microarchitecture<br />
! Chipset<br />
! AMT versions<br />
! ME firmware versions<br />
! Applications<br />
! Location<br />
! Required modules<br />
|-<br />
| N/A (ME predecessor)<br />
| <br />
| ICH7<br />
| 1.0<br />
|<br />
|<br />
* AMT<br />
| Intel 82573E Gigabit Ethernet Controller<ref name=amt-versions>https://en.wikipedia.org/wiki/Intel_AMT_versions</ref><br />
| None<br />
|-<br />
|<br />
|<br />
|Intel Q963<ref name=amt-versions/><br />
| 2.0<br />
|<br />
|<br />
* AMT<br />
|<br />
| None<br />
|-<br />
|<br />
|<br />
|Intel Q965<ref name=amt-versions/><br />
| 2.0<br />
| 3.0<ref name=ark-DQ965GFE>https://ark.intel.com/products/41972/Intel-Desktop-Board-DQ965GFE</ref><br />
|<br />
* AMT<br />
* No TPM<br />
|<br />
| None<br />
|-<br />
| 6.0<ref name=me_cleaner-how-does-it-work>https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F</ref><br />
| Nehalem<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| rowspan="3"|<br />
* BUP<br />
|-<br />
|<br />
| Nehalem<ref name=intel-5-series>https://en.wikipedia.org/wiki/Intel_5_Series#Ibex_Peak</ref><br />
| Q57 (Ibex Peak PCH; Piketon platform)<br />
| 6.0<ref name=amt-versions/><br />
| 6.0, 6.1 <ref name=ark-q57>https://ark.intel.com/products/42706/Intel-Q57-Express-Chipset</ref><br />
|<br />
|-<br />
| 10.x<ref name=me_cleaner-how-does-it-work/><br />
| Broadwell<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|-<br />
| 11.x<ref name=me_cleaner-how-does-it-work/><br />
| Skylake<br />
|<br />
|<br />
|<br />
|<br />
|<br />
|<br />
* RBE<br />
* BUP<br />
* KERNEL<br />
* SYSLIB<ref name=me_cleaner-how-does-it-work/><br />
|}<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running firmware (such as [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on these machines, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| i945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller; disabled: no Ethernet controller firmware is loaded. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x200|Lenovo X200]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="1" | GM45/GS45<br />
| rowspan="15" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH] (on GM45/GS45, inside the northbridge), it:<br />
* Has access to the computer's main memory (RAM)<br />
* Controls the computer's built-in network adapters <br />
| rowspan="1" | <br />
* Signed firmware<br />
* The ME can be disabled (no firmware is run by it).<br />
|-<br />
| [[Board:lenovo/x201|Lenovo X201]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" | <br />
* Signed firmware<br />
* If the ME firmware is absent, a watchdog in the ME freezes the computer about 30 minutes after boot, so the blob cannot simply be left out.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| ?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo T520]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo T530]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:lenovo/x230| Lenovo X230]]<br />
| ME firmware with [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT] and other modules<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| ?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME boot ROM checks the firmware signature, so only firmware signed with Intel's key is accepted.<br />
* On recent chipsets the RAM region the ME uses is locked away from the host while it is allocated.<br />
* Glitching the ME's power (e.g. from the EC) while it checks the firmware signature is probably not practical.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], a free software replacement for it is very unlikely.<br />
<br />
However, coreboot also supports systems other than those with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] includes some of them:<br />
* Some of these don't have a management engine at all.<br />
* Some ship without it enabled (the hardware is present but not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, as on the [[Board:lenovo/x200|Lenovo X200]].<br />
<br />
== Neutralizing the ME ==<br />
<br />
A collaborative effort to neutralize the ME has had some success, see [https://github.com/corna/me_cleaner me_cleaner]. The tool removes all modules from the ME firmware except the few the ME boot process needs to reach a working but idle state (see the "Required modules" column in the Versions table above), and with its -S option can additionally set the AltMeDisable/HAP bit that tells the ME to stop early. It has been included in coreboot and can be enabled with the option "Strip down the Intel ME/TXE firmware" (CONFIG_USE_ME_CLEANER).<br />
<br />
This can free up most of the space used by the ME, allowing you to use a larger [[CBFS]]. See [https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me here]. Note that this is neutralization, not removal: the ME still runs its boot ROM and the remaining signed modules, so a (stripped) ME firmware blob is still required; what is gained is that the AMT/network stack and most other code is no longer present. After flashing, coreboot's util/intelmetool can be used to check that the ME reports a disabled or error state.<br />
<br />
== Using a smaller version of the Intel ME ==<br />
<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset (and ME generation) you are running on: the ME boot ROM only accepts firmware built for it, and a mismatch leaves the ME non-functional (and, on platforms where the ME initializes hardware, can leave the board unbootable). You may want to use a smaller version to increase the maximum payload size by 3MiB. Search on the web for BIOS updates of different vendors with the '''same chipset''' and extract the ME using available tools. Once you have found a smaller ME, you have to update your Intel flash descriptor (coreboot's ifdtool can do this) to decrease the region used for the ME and give the freed space to the BIOS region, then place the new ME blob in the shrunken region.<br />
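The descriptor change described above, as an added example that is not part of this page, of coreboot's ifdtool or of me_cleaner: a small Python tool that reads the region table of an Intel Flash Descriptor, slices a region out of a full dump (the check suggested in the "Freedom and security issues" section, for comparing an extracted ME region against a vendor image), and shrinks the ME region while extending the BIOS region over the freed space. The 8 MiB image it works on is constructed here and the function names are this example's own; the offsets and bit layouts are those of the public descriptor format, which ifdtool also uses.<br />

```python
"""
Added example (not code from the coreboot wiki, ifdtool or me_cleaner).

The Intel Flash Descriptor sits at the start of the SPI image: its signature
0x0FF0A55A is at offset 0x10, FLMAP0 at 0x14 carries the base of the region
table (FRBA), and each 32-bit FLREGn in that table holds a 4 KiB-granular base
(bits 0-14) and inclusive limit (bits 16-30).  A register whose base is above
its limit (e.g. 0x00000FFF) marks an unused region.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]
BIOS, ME = REGION_NAMES.index("BIOS"), REGION_NAMES.index("ME")


def _frba(image):
    """Locate the region table; refuse anything without a descriptor signature."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    return ((flmap0 >> 16) & 0xFF) << 4


def _decode_region(flreg):
    base = (flreg & 0x7FFF) << 12
    limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
    return base, limit


def _encode_region(base, limit):
    if base & 0xFFF or (limit & 0xFFF) != 0xFFF:
        raise ValueError("region bounds must be 4 KiB aligned")
    return ((limit >> 12) << 16) | (base >> 12)


def parse_regions(image):
    """Return {name: (base, limit)} for every region the descriptor defines."""
    frba = _frba(image)
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * idx)
        base, limit = _decode_region(flreg)
        if base <= limit:                      # otherwise the region is unused
            regions[name] = (base, limit)
    return regions


def region_bytes(image, name):
    """Slice one region out of a full flash dump, e.g. to hash and compare the
    ME region of an internal dump against the vendor's update image."""
    base, limit = parse_regions(image)[name]
    if limit >= len(image):
        raise ValueError("image is shorter than the %s region" % name)
    return image[base:limit + 1]


def shrink_me_region(image, new_me_size):
    """Return a copy of `image` whose descriptor gives the ME region `new_me_size`
    bytes and extends the BIOS region downwards over the freed space."""
    if new_me_size == 0 or new_me_size & 0xFFF:
        raise ValueError("ME size must be a non-zero multiple of 4 KiB")
    regions = parse_regions(image)
    me_base, me_limit = regions["ME"]
    bios_base, bios_limit = regions["BIOS"]
    if bios_base != me_limit + 1:
        raise ValueError("BIOS region does not directly follow the ME region")
    if new_me_size > me_limit - me_base + 1:
        raise ValueError("refusing to grow the ME region")
    new_me_limit = me_base + new_me_size - 1
    frba = _frba(image)
    out = bytearray(image)
    struct.pack_into("<I", out, frba + 4 * ME, _encode_region(me_base, new_me_limit))
    struct.pack_into("<I", out, frba + 4 * BIOS, _encode_region(new_me_limit + 1, bios_limit))
    return bytes(out)


def build_sample_image():
    """Constructed 8 MiB image: descriptor, GbE, a just-under-5 MiB ME region and a
    3 MiB BIOS region, i.e. the common vendor layout the section describes."""
    img = bytearray(b"\xff") * (8 << 20)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04040003)   # NR=4, FRBA=0x40, FCBA=0x30
    layout = [(0x000000, 0x000FFF), (0x500000, 0x7FFFFF),
              (0x003000, 0x4FFFFF), (0x001000, 0x002FFF), None]
    for idx, bounds in enumerate(layout):
        reg = 0x00000FFF if bounds is None else _encode_region(*bounds)
        struct.pack_into("<I", img, 0x40 + 4 * idx, reg)
    return bytes(img)


if __name__ == "__main__":
    rom = build_sample_image()
    for name, (base, limit) in parse_regions(shrink_me_region(rom, 2 << 20)).items():
        print("%-10s 0x%06x-0x%06x" % (name, base, limit))
```

Rewriting the region registers is only the layout half of the job: the smaller ME blob still has to be written at the ME base, the BIOS region contents re-laid out for the larger region (cbfstool), and the result flashed, which requires the descriptor region to be writable (on many boards that means an external programmer). When using region_bytes to compare an internal dump with the vendor image, expect the ME's data partitions to differ, since the ME rewrites them at runtime; the comparison is meaningful for the code partitions.<br />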
<br />
== See also ==<br />
* [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology The Wikipedia article on the Intel AMT]<br />
* [https://en.wikipedia.org/wiki/Intel_AMT_versions The Wikipedia article on the Intel AMT versions]<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky, "Intel ME: Two Years Later" (Breakpoint 2014)]: a detailed presentation on the ME<br />
* [http://io.netgarage.org/me/ Tools to decompress ME firmware v6.x through v10 (pre-Skylake)]<br />
* [http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Disabling Intel ME 11 via undocumented mode]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>GNUtoo