Intel Management Engine: Difference between revisions

From coreboot
Jump to navigation Jump to search
No edit summary
(39 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Uses of the Management Engine ==
== Uses of the Management Engine ==
The management engine(Often abreviated ME) is a CPU which permits [https://en.wikipedia.org/wiki/Out-of-band_management Out of band] management of the computer.
The management engine(Often abreviated ME) is a CPU which permits [https://en.wikipedia.org/wiki/Out-of-band_management Out of band] management of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.
 
== Freedom and security issues ==
* The code that is running inside the management engine is proprietary and signed
* The management engine CPU has access to a lot of things, see "ME physical capabilities" for more details.


== Where ==
== Where ==
Line 7: Line 11:
! Firmware
! Firmware
! Microarchitecture
! Microarchitecture
! Chipset
! ME location and physical capabilities
! ME location
! ME physical capabilities
! ME restrictions
! ME restrictions
|-
|-
Line 15: Line 17:
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]
| rowspan="2" | [https://en.wikipedia.org/wiki/Platform_Controller_Hub#Ibex_Peak Ibex Peak]
| rowspan="2" |
| rowspan="2" | Inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the computer's memory/RAM
* Controls the computer's original networking adapters
| rowspan="2" |  
| rowspan="2" |  
| rowspan="2" |
* Signed firmware
* The ME firmware is signed.
* If ME firmware is absent, the computer freezes about 30min after boot.
|-
|-
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]
|  
| AMT?
|-
|-
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]
|  
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]
| rowspan="2" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]
| rowspan="2" |  
| rowspan="3" |
| rowspan="2" | Inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH]
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
| rowspan="2" |
* Has access to the computer's memory/RAM
| rowspan="2" |  
* Controls the computer's original networking adapters
* The ME firmware is signed.
| rowspan="3" |  
* Signed firmware
|-
|-
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]
|
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]
|-
|-
| [[Board:lenovo/t520| Lenovo t520]]
| [[Board:lenovo/t520| Lenovo t520]]
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
|-
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]
| rowspan="7" |
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the computer's memory/RAM
* Controls the computer's original networking adapters
| rowspan="7" |
* Signed firmware
|-
| [[Board:google/link|Google Chromebook Pixel]]
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]
|-
| [[Board:google/parrot|Google/Acer C7 Chromebook]]
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]
|-
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]
|-
| [[Board:lenovo/t530| Lenovo t530]]
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
|-
| [[Board:lenovo/x230| Lenovo x230]]
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]
|-
| [[Board:kontron/ktqm77| Kotron KTQM77/mITX]]
| AMT?
|-
| [[Board:google/peppy|Google/Acer C720 Chromebook]]
| ?
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]
| rowspan="2" |
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:
* Has access to the computer's memory/RAM
* Controls the computer's original networking adapters
| rowspan="2" |
* Signed firmware
|-
| [[Board:google/falco| Google/HP Chromebook 14]]
| ?
|-
|}
|}


== Issues ==
== Why there is no replacement for it yet ==
Replacing the ME firmware is not that easy because:
* The ME bootrom checks the firmware signature.
* On recent chipset its RAM reagion is locked while it is allocated.
* Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable.
 
So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day.


=== Firmware signature ===
Coreboot also support other systems than the ones with recent intel CPU/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|List of supported mainboard]] list some of them.
=== RAM reagion is locked ===


== See also ==
== See also ==
* http://me.bios.io/ME:About
* http://me.bios.io/ME:About
* http://me.bios.io/ME

Revision as of 18:56, 13 August 2014

Uses of the Management Engine

The management engine(Often abreviated ME) is a CPU which permits Out of band management of the computer. See the Wikipedia AMT article for example use cases.

Freedom and security issues

  • The code that is running inside the management engine is proprietary and signed
  • The management engine CPU has access to a lot of things, see "ME physical capabilities" for more details.

Where

Board Firmware Microarchitecture ME location and physical capabilities ME restrictions
Lenovo x201 AMT Nehalem

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
  • If ME firmware is absent, the computer freezes about 30min after boot.
Packard Bell EasyNote LM85 (MS2290) AMT?
Samsung Series 5 550 Chromebook me.bin Sandy Bridge

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
Samsung Series 3 Chromebox me.bin
Lenovo t520 AMT
Google/HP Pavilion Chromebook 14 me.bin Ivy Bridge

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
Google Chromebook Pixel me.bin
Google/Acer C7 Chromebook me.bin
Google/Lenovo Thinkpad X131e Chromebook me.bin
Lenovo t530 AMT
Lenovo x230 AMT
Kotron KTQM77/mITX AMT?
Google/Acer C720 Chromebook ? Haswell

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
Google/HP Chromebook 14 ?

Why there is no replacement for it yet

Replacing the ME firmware is not that easy because:

  • The ME bootrom checks the firmware signature.
  • On recent chipset its RAM reagion is locked while it is allocated.
  • Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable.

So even if some people partially documented some ME firmware format, there is very few probability of having a free software replacement for it one day.

Coreboot also support other systems than the ones with recent intel CPU/chipsets. The List of supported mainboard list some of them.

See also