Intel Management Engine: Difference between revisions
(23 intermediate revisions by 2 users not shown)
Line 1: | Line 1: | ||
== Uses of the Management Engine == | == Uses of the Management Engine == | ||
The management engine(Often abreviated ME) is a CPU which permits [https://en.wikipedia.org/wiki/Out-of-band_management Out of band] management of the computer. | The management engine(Often abreviated ME) is a CPU which permits [https://en.wikipedia.org/wiki/Out-of-band_management Out of band] management of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases. | ||
== Freedom and security issues == | == Freedom and security issues == | ||
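Review bot: the new right-hand version of the first sentence keeps two defects from the old text while adding the Wikipedia AMT link: "abreviated" should be "abbreviated", and "engine(Often" needs a space before the parenthesis and a lowercase "often". Since the line is being edited anyway, fix both in this revision.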
Line 13: | Line 13: | ||
! ME location and physical capabilities | ! ME location and physical capabilities | ||
! ME restrictions | ! ME restrictions | ||
|- | |||
| Lenovo X60/X60s/X60T | |||
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some fimrwares( like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do it on that machine. So no firmwares are loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref> | |||
| rowspan="2"| I945 + ICH7 | |||
| rowspan="2"| | |||
* Inside the ethernet controller, disabled: no Ethernet controller fimrware. <ref name="nic-amt"></ref> | |||
| rowspan="2"| | |||
* Disabled: No Ethernet controller fimrware. <ref name="nic-amt"></ref> | |||
|- | |||
| Lenovo T60 | |||
|- | |- | ||
| [[Board:lenovo/x201|Lenovo x201]] | | [[Board:lenovo/x201|Lenovo x201]] | ||
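Review bot: "fimrwares"/"fimrware" is misspelled in all three new cells of the X60/T60 rows (the nic-amt ref body and both bullet items) and should read "firmware". The two back-references are written as empty pairs, `<ref name="nic-amt"></ref>`; the self-closing form `<ref name="nic-amt" />` is the usual way to reuse a named ref. The new "Lenovo T60" row carries only the board cell, so it relies entirely on the four rowspan="2" cells above it; that is worth checking in the rendered table.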
Line 19: | Line 29: | ||
| rowspan="2" | | | rowspan="2" | | ||
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | ||
* Has access to the memory | * Has access to the computer's memory/RAM | ||
* Controls the computer's original networking adapters | * Controls the computer's original networking adapters | ||
| rowspan="2" | | | rowspan="2" | | ||
Line 33: | Line 43: | ||
| rowspan="3" | | | rowspan="3" | | ||
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | ||
* Has access to the memory | * Has access to the computer's memory/RAM | ||
* Controls the computer's original networking adapters | * Controls the computer's original networking adapters | ||
| rowspan="3" | | | rowspan="3" | | ||
Line 49: | Line 59: | ||
| rowspan="7" | | | rowspan="7" | | ||
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | ||
* Has access to the memory | * Has access to the computer's memory/RAM | ||
* Controls the computer's original networking adapters | * Controls the computer's original networking adapters | ||
| rowspan="7" | | | rowspan="7" | | ||
Line 77: | Line 87: | ||
| rowspan="2" | | | rowspan="2" | | ||
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it: | ||
* Has access to the memory | * Has access to the computer's memory/RAM | ||
* Controls the computer's original networking adapters | * Controls the computer's original networking adapters | ||
| rowspan="2" | | | rowspan="2" | | ||
Line 89: | Line 99: | ||
== Why there is no replacement for it yet == | == Why there is no replacement for it yet == | ||
Replacing the ME firmware is not that easy because: | Replacing the ME firmware is not that easy because: | ||
* | * The ME bootrom checks the firmware signature. | ||
* On recent chipset its RAM | * On recent chipset its RAM region is locked while it is allocated. | ||
* Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable. | |||
So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day. | So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day. | ||
However coreboot also support other systems than the ones with recent intel CPU/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|List of supported mainboard]] list some of them. | |||
* Some of theses don't have a management engine. | |||
* Some ships without it enabled(that means that the hardware is not used). | |||
* Some ships with it enabled, but it can be disabled not to use it at all, like on the [[Board:lenovo/x200|Lenovo x200]]. | |||
== See also == | == See also == | ||
* http://me.bios.io/ME:About | * http://me.bios.io/ME:About | ||
* http://me.bios.io/ME | |||
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky Paper very good and detailed presentation about ME] | |||
* [http://io.smashthestack.org:84/me/ decompress ME v6.x (5 series / ironlake)] | |||
* [http://flashrom.org/ME The respective flashrom page] | |||
== References == | |||
<references/> | |||
[[Category:Blobs|Blobs]] |
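Review bot: the new glitching bullet states that power glitches are "probably not practically doable" without any source, and "by the ec" is unexplained; either cite a reference or word it as an open question, and write "EC" in capitals. In the new paragraph after it, "coreboot also support" should be "supports", "theses" should be "these", and "Some ships" should be "Some ship" (twice). The `<references/>` section added at the end is needed for the nic-amt ref introduced in the table, so the two changes must land together.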
Revision as of 21:30, 26 January 2015
Uses of the Management Engine
The Management Engine (often abbreviated ME) is a CPU which permits out-of-band management of the computer. See the Wikipedia AMT article for example use cases.
Freedom and security issues
- The code running inside the management engine is proprietary and signed.
- The management engine CPU has access to a lot of things; see the "ME location and physical capabilities" column below for more details.
Where
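Board | Firmware | Microarchitecture | ME location and physical capabilities | ME restrictions |
---|---|---|---|---|
Lenovo X60/X60s/X60T | None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like AMT 1.0), but the hardware is not configured to do so on that machine, so no firmware is loaded. See Intel_82573_Ethernet_controller for more details.</ref> | I945 + ICH7 | Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt" /> | Disabled: no Ethernet controller firmware. <ref name="nic-amt" /> |
Lenovo T60 | None. <ref name="nic-amt" /> | I945 + ICH7 | Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt" /> | Disabled: no Ethernet controller firmware. <ref name="nic-amt" /> |
Lenovo x201 | AMT | Nehalem | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Packard Bell EasyNote LM85 (MS2290) | AMT? | Nehalem | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Samsung Series 5 550 Chromebook | me.bin | Sandy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Samsung Series 3 Chromebox | me.bin | Sandy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Lenovo t520 | AMT | Sandy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Google/HP Pavilion Chromebook 14 | me.bin | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Google Chromebook Pixel | me.bin | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Google/Acer C7 Chromebook | me.bin | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Google/Lenovo Thinkpad X131e Chromebook | me.bin | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Lenovo t530 | AMT | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Lenovo x230 | AMT | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Kontron KTQM77/mITX | AMT? | Ivy Bridge | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Google/Acer C720 Chromebook | ? | Haswell | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |
Google/HP Chromebook 14 | ? | Haswell | Inside the PCH: has access to the computer's memory/RAM and controls the computer's original networking adapters | |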
Why there is no replacement for it yet
Replacing the ME firmware is not that easy because:
- The ME boot ROM checks the firmware signature.
- On recent chipsets, its RAM region is locked while it is allocated.
- Power glitching (by the EC) while the ME is checking its firmware is probably not practically doable.
So even though some people have partially documented some ME firmware format, there is very little chance of a free software replacement for it ever existing.
However, coreboot also supports systems other than the ones with recent Intel CPUs/chipsets. The list of supported mainboards lists some of them.
- Some of these don't have a management engine.
- Some ship without it enabled (meaning that the hardware is not used).
- Some ship with it enabled, but it can be disabled so that it is not used at all, as on the Lenovo x200.
See also
- http://me.bios.io/ME:About
- http://me.bios.io/ME
- Igor Skochinsky's paper: a very good and detailed presentation about the ME
- decompress ME v6.x (5 series / ironlake)
- The respective flashrom page
References
<references/>