Intel Management Engine: Difference between revisions

From coreboot
Jump to navigation Jump to search
(+ replace ME with smaller version)
(10 intermediate revisions by 2 users not shown)
Line 14: Line 14:
! ME restrictions
! ME restrictions
|-
|-
| Lenovo X60
| Lenovo X60/X60s/X60T
| None. <ref name="nic-amt">The Ethernet controller is capable of running some fimrwares( like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do it on that machine. So no firmwares are loaded.</ref>
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some fimrwares( like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do it on that machine. So no firmwares are loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref>
| I945 + ICH7
| rowspan="2"| I945 + ICH7
|
| rowspan="2"|
* There is no ME but the the The Ethernet controller is capable of running some firmwares.<ref name="nic-amt"/>
* Inside the ethernet controller, disabled: no Ethernet controller fimrware. <ref name="nic-amt"></ref>
* The NIC has DMA <nowiki>[[citation needed]]</nowiki>
| rowspan="2"|
|
* Disabled: No Ethernet controller fimrware. <ref name="nic-amt"></ref>
* The X60 NIC has no firmware.
|-
* The NIC has a bootrom.<ref name="nic-bootrom">"ROM code" is mentioned inside "B.2.7 Intel AMT Patches" in the [http://www.intel.com/content/dam/doc/application-note/82573-nvm-map-appl-note.pdf Intel 82573 Ethernet controller non volatile memory(NVM) documentation]</ref>
| Lenovo T60
|-
|-
| [[Board:lenovo/x201|Lenovo x201]]
| [[Board:lenovo/x201|Lenovo x201]]
Line 100: Line 100:
Replacing the ME firmware is not that easy because:
Replacing the ME firmware is not that easy because:
* The ME bootrom checks the firmware signature.
* The ME bootrom checks the firmware signature.
* On recent chipset its RAM reagion is locked while it is allocated.
* On recent chipset its RAM region is locked while it is allocated.
* Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable.
* Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable.


So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day.
So even if some people partially documented [http://me.bios.io/ME_blob_format some ME firmware format], there is very few probability of having a free software replacement for it one day.


Coreboot also support other systems than the ones with recent intel CPU/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|List of supported mainboard]] list some of them.
However coreboot also support other systems than the ones with recent intel CPU/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|List of supported mainboard]] list some of them.
* Some of theses don't have a management engine.
* Some ships without it enabled(that means that the hardware is not used).
* Some ships with it enabled, but it can be disabled not to use it at all, like on the [[Board:lenovo/x200|Lenovo x200]].
 
== Replacing ME with smaller versions ==
Most PCs ship a 5MiB version of ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on.
You may want to use a smaller version to increase the maximum payload size by 3MiB.
Search on the web for BIOS updates of different vendors with the '''same chipset''' and extract the ME using available tools.
Once you found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for ME.


== See also ==
== See also ==
* http://me.bios.io/ME:About
* http://me.bios.io/ME:About
* http://me.bios.io/ME
* http://me.bios.io/ME
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky Paper very good and detailed presentation about ME]
* [http://io.smashthestack.org:84/me/ decompress ME v6.x (5 series / ironlake)]
* [http://flashrom.org/ME The respective flashrom page]


== References ==
== References ==
<references/>
<references/>
[[Category:Blobs|Blobs]]

Revision as of 21:58, 20 November 2015

Uses of the Management Engine

The management engine(Often abreviated ME) is a CPU which permits Out of band management of the computer. See the Wikipedia AMT article for example use cases.

Freedom and security issues

  • The code that is running inside the management engine is proprietary and signed
  • The management engine CPU has access to a lot of things, see "ME physical capabilities" for more details.

Where

Board Firmware Microarchitecture ME location and physical capabilities ME restrictions
Lenovo X60/X60s/X60T None. <ref name="nic-amt">The Ethernet controller is capable of running some fimrwares( like AMT 1.0), but the hardware is not configured to do it on that machine. So no firmwares are loaded. See Intel_82573_Ethernet_controller for more details.</ref> I945 + ICH7
  • Inside the ethernet controller, disabled: no Ethernet controller fimrware. <ref name="nic-amt"></ref>
  • Disabled: No Ethernet controller fimrware. <ref name="nic-amt"></ref>
Lenovo T60
Lenovo x201 AMT Nehalem

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
  • If ME firmware is absent, the computer freezes about 30min after boot.
Packard Bell EasyNote LM85 (MS2290) AMT?
Samsung Series 5 550 Chromebook me.bin Sandy Bridge

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
Samsung Series 3 Chromebox me.bin
Lenovo t520 AMT
Google/HP Pavilion Chromebook 14 me.bin Ivy Bridge

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
Google Chromebook Pixel me.bin
Google/Acer C7 Chromebook me.bin
Google/Lenovo Thinkpad X131e Chromebook me.bin
Lenovo t530 AMT
Lenovo x230 AMT
Kotron KTQM77/mITX AMT?
Google/Acer C720 Chromebook ? Haswell

The ME is inside the PCH, it:

  • Has access to the computer's memory/RAM
  • Controls the computer's original networking adapters
  • Signed firmware
Google/HP Chromebook 14 ?

Why there is no replacement for it yet

Replacing the ME firmware is not that easy because:

  • The ME bootrom checks the firmware signature.
  • On recent chipset its RAM region is locked while it is allocated.
  • Power glitches(by the ec) while the ME is checking its firmware is probably not practically doable.

So even if some people partially documented some ME firmware format, there is very few probability of having a free software replacement for it one day.

However coreboot also support other systems than the ones with recent intel CPU/chipsets. The List of supported mainboard list some of them.

  • Some of theses don't have a management engine.
  • Some ships without it enabled(that means that the hardware is not used).
  • Some ships with it enabled, but it can be disabled not to use it at all, like on the Lenovo x200.

Replacing ME with smaller versions

Most PCs ship a 5MiB version of ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on. You may want to use a smaller version to increase the maximum payload size by 3MiB. Search on the web for BIOS updates of different vendors with the same chipset and extract the ME using available tools. Once you found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for ME.

See also

References

<references/>