https://www.coreboot.org/api.php?action=feedcontributions&user=Bla&feedformat=atomcoreboot - User contributions [en]2024-03-28T17:13:46ZUser contributionsMediaWiki 1.40.0https://www.coreboot.org/index.php?title=Intel_Management_Engine&diff=18217Intel Management Engine2016-04-13T05:57:32Z<p>Bla: update link, and status of decompress tool.</p>
<hr />
<div>== Uses of the Management Engine ==<br />
The Management Engine (often abbreviated ME) is a CPU which permits [https://en.wikipedia.org/wiki/Out-of-band_management out-of-band] management of the computer. See the [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT Wikipedia AMT article] for example use cases.<br />
<br />
== Freedom and security issues ==<br />
* The code that is running inside the management engine is proprietary and signed<br />
* The management engine CPU has access to a lot of things, see "ME physical capabilities" for more details.<br />
<br />
== Where ==<br />
{| class="wikitable" border="1"<br />
! Board<br />
! Firmware<br />
! Microarchitecture<br />
! ME location and physical capabilities<br />
! ME restrictions<br />
|-<br />
| Lenovo X60/X60s/X60T<br />
| rowspan="2"| None. <ref name="nic-amt">The Ethernet controller is capable of running some firmware (like [https://en.wikipedia.org/wiki/Intel_AMT_versions#Versions AMT 1.0]), but the hardware is not configured to do so on that machine, so no firmware is loaded. See [[Intel_82573_Ethernet_controller]] for more details.</ref><br />
| rowspan="2"| I945 + ICH7<br />
| rowspan="2"|<br />
* Inside the Ethernet controller, disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
| rowspan="2"|<br />
* Disabled: no Ethernet controller firmware. <ref name="nic-amt"></ref><br />
|-<br />
| Lenovo T60<br />
|-<br />
| [[Board:lenovo/x201|Lenovo x201]]<br />
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Nehalem_%28microarchitecture%29 Nehalem]<br />
| rowspan="2" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="2" | <br />
* Signed firmware<br />
* If ME firmware is absent, the computer freezes about 30min after boot.<br />
|-<br />
| [[Board:packardbell/ms2290|Packard Bell EasyNote LM85 (MS2290)]]<br />
| AMT?<br />
|-<br />
| [[Board:samsung/lumpy| Samsung Series 5 550 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/lumpy;h=b4c159f20789c0eacdf5a25135a3275d277cf256;hb=HEAD me.bin]<br />
| rowspan="3" | [https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29 Sandy Bridge]<br />
| rowspan="3" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="3" | <br />
* Signed firmware<br />
|-<br />
| [[Board:samsung/stumpy|Samsung Series 3 Chromebox]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/samsung/stumpy;h=ede43b2bda02cd574646e16cdd224b1d0ffad786;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t520| Lenovo t520]]<br />
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]<br />
|-<br />
| [[Board:google/butterfly| Google/HP Pavilion Chromebook 14]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/butterfly;h=8b288bd915906a18379718be4b6080a3fd2cc554;hb=HEAD me.bin]<br />
| rowspan="7" | [https://en.wikipedia.org/wiki/Ivy_Bridge_%28microarchitecture%29 Ivy Bridge]<br />
| rowspan="7" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="7" | <br />
* Signed firmware<br />
|-<br />
| [[Board:google/link|Google Chromebook Pixel]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/link;h=ea8c42b0890aee9b2e20bd2c10edab547d4d69c5;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/parrot|Google/Acer C7 Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/parrot;h=880f5e52eadb1af9ab3cce568e70770682780383;hb=HEAD me.bin]<br />
|-<br />
| [[Board:google/stout|Google/Lenovo Thinkpad X131e Chromebook]]<br />
| [http://review.coreboot.org/gitweb?p=blobs.git;a=tree;f=mainboard/google/stout;h=73defa57f190949004ef85942c403136726c5c6a;hb=HEAD me.bin]<br />
|-<br />
| [[Board:lenovo/t530| Lenovo t530]]<br />
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]<br />
|-<br />
| [[Board:lenovo/x230| Lenovo x230]]<br />
| [https://en.wikipedia.org/wiki/Intel_Active_Management_Technology AMT]<br />
|-<br />
| [[Board:kontron/ktqm77| Kontron KTQM77/mITX]]<br />
| AMT?<br />
|-<br />
| [[Board:google/peppy|Google/Acer C720 Chromebook]]<br />
| ?<br />
| rowspan="2" | [https://en.wikipedia.org/wiki/Haswell_%28microarchitecture%29 Haswell]<br />
| rowspan="2" |<br />
The ME is inside the [https://en.wikipedia.org/wiki/Platform_Controller_Hub PCH], it:<br />
* Has access to the computer's memory/RAM<br />
* Controls the computer's original networking adapters <br />
| rowspan="2" |<br />
* Signed firmware<br />
|-<br />
| [[Board:google/falco| Google/HP Chromebook 14]]<br />
| ?<br />
|-<br />
|}<br />
<br />
== Why there is no replacement for it yet ==<br />
Replacing the ME firmware is not that easy because:<br />
* The ME bootrom checks the firmware signature.<br />
* On recent chipsets, its RAM region is locked while it is allocated.<br />
* Glitching the power (via the EC) while the ME is checking its firmware is probably not doable in practice.<br />
<br />
So even though some people have partially documented [http://me.bios.io/ME_blob_format the ME firmware format], there is very little chance of having a free software replacement for it one day.<br />
<br />
However, coreboot also supports systems other than the ones with recent Intel CPUs/chipsets. The [[Supported_Motherboards#Motherboards_supported_in_coreboot|list of supported mainboards]] lists some of them.<br />
* Some of these don't have a management engine.<br />
* Some ship without it enabled (that means that the hardware is not used).<br />
* Some ship with it enabled, but it can be disabled so that it is not used at all, like on the [[Board:lenovo/x200|Lenovo x200]].<br />
<br />
== Replacing ME with smaller versions ==<br />
Most PCs ship a 5MiB version of the ME firmware. It is possible to use a smaller version (2MiB), but you have to make sure that it matches the chipset you are running on.<br />
You may want to use a smaller version to increase the maximum payload size by 3MiB.<br />
Search the web for BIOS updates from different vendors with the '''same chipset''' and extract the ME using available tools.<br />
Once you have found a smaller ME, you have to update your Intel flash descriptor and decrease the region that is used for ME.<br />
<br />
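The descriptor update described above, as an added example that is not part of the original page or of coreboot: it reads the region table of an Intel flash descriptor and computes the new ME and BIOS region registers for a smaller ME. It assumes the FLMAP0/FLREG field layout of the flash descriptor and a layout where the BIOS region directly follows the ME region; the function names, the sample image and the ME image size are constructed for illustration.<br />

```python
import struct

FD_SIGNATURE = 0x0FF0A55A   # Intel flash descriptor magic
REGIONS = ["descriptor", "bios", "me", "gbe", "platform"]  # FLREG0..FLREG4

def encode_flreg(base: int, limit: int) -> int:
    """Pack a region into FLREG form: 4 KiB units, limit in the high half."""
    return ((limit >> 12) << 16) | (base >> 12)

def parse_regions(image: bytes) -> dict:
    """Return {name: (base, limit)} for every region the descriptor uses."""
    sig = image.find(struct.pack("<I", FD_SIGNATURE), 0, 0x1000)
    if sig < 0:
        raise ValueError("no flash descriptor signature found")
    flmap0, = struct.unpack_from("<I", image, sig + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4          # offset of the FLREG table
    regions = {}
    for i, name in enumerate(REGIONS):
        flreg, = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if limit >= base:                        # base > limit marks "unused"
            regions[name] = (base, limit)
    return regions

def plan_me_shrink(regions: dict, new_bios_base: int, me_image_size: int) -> dict:
    """Compute new FLREG values that hand the tail of the ME region to BIOS."""
    me_base, me_limit = regions["me"]
    bios_base, bios_limit = regions["bios"]
    if new_bios_base % 0x1000:
        raise ValueError("region boundaries are 4 KiB aligned")
    if bios_base != me_limit + 1:
        raise ValueError("BIOS does not directly follow ME; plan this layout by hand")
    if not me_base < new_bios_base < bios_base:
        raise ValueError("new boundary must fall inside the current ME region")
    if me_image_size > new_bios_base - me_base:
        raise ValueError("smaller ME image still does not fit the new region")
    return {"me": encode_flreg(me_base, new_bios_base - 1),
            "bios": encode_flreg(new_bios_base, bios_limit),
            "gained": bios_base - new_bios_base}

def sample_descriptor() -> bytes:
    """Constructed 8 MiB layout: descriptor, ME up to 5 MiB, BIOS in the top 3 MiB."""
    d = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<II", d, 0x10, FD_SIGNATURE, 0x04 << 16)   # FRBA -> 0x40
    struct.pack_into("<5I", d, 0x40, encode_flreg(0, 0xFFF),
                     encode_flreg(0x500000, 0x7FFFFF), encode_flreg(0x1000, 0x4FFFFF),
                     0x00001FFF, 0x00001FFF)                      # GbE, platform unused
    return bytes(d)

if __name__ == "__main__":
    plan = plan_me_shrink(parse_regions(sample_descriptor()), 0x200000, 0x17D000)
    print({k: hex(v) for k, v in plan.items()})
```

With the constructed layout, moving the ME/BIOS boundary from 5MiB down to 2MiB frees 3MiB for the BIOS region; the function refuses the change if the extracted ME image would not fit the shrunken region.<br />
<br />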
== See also ==<br />
* http://me.bios.io/ME:About<br />
* http://me.bios.io/ME<br />
* [https://github.com/skochinsky/papers/raw/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf Igor Skochinsky's paper: a very good and detailed presentation about ME]<br />
* [http://io.netgarage.org/me/ decompress ME v6.x through ME v10 (prior to Skylake)]<br />
* [http://flashrom.org/ME The respective flashrom page]<br />
<br />
== References ==<br />
<references/><br />
<br />
[[Category:Blobs|Blobs]]</div>Bla