coreboot-gerrit January 2017

coreboot-gerrit@coreboot.org

1 participants
852 discussions

Patch set updated for coreboot: nb/intel/x4x: Fix raminit on reset path
by Arthur Heymans 23 Jan '17

23 Jan '17

Arthur Heymans (arthur(a)aheymans.xyz) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18009 -gerrit commit c96328b54edda931eaaf60bacf55419320a52592 Author: Arthur Heymans <arthur(a)aheymans.xyz> Date: Wed Nov 30 18:40:38 2016 +0100 nb/intel/x4x: Fix raminit on reset path Previously the raminit failed on hot reset and to work around this issue it unconditionally did a cold reset. This has the following issues: * it's slow; * when the OS issues a hot reset some disk drives expect their 5V power supply to remain on, which gets cut off by a cold reset, causing data corruption. To fix this some steps in raminit must be ommited on the reset path. This includes searching for receive enable. To achieve this it stores receive enable results in nvram (which is also needed when implementing S3 suspend/resume from S3). Calling a hot reset after raminit "outb(0x6, 0cf9)" works. Change-Id: I6601dd90aebd071a0de7cec070487b0f9845bc30 Signed-off-by: Arthur Heymans <arthur(a)aheymans.xyz> --- src/mainboard/gigabyte/ga-g41m-es2l/cmos.layout | 1 + src/mainboard/gigabyte/ga-g41m-es2l/romstage.c | 7 +- src/northbridge/intel/x4x/raminit_ddr2.c | 165 ++++++++++++++++++------ src/northbridge/intel/x4x/x4x.h | 7 +- 4 files changed, 139 insertions(+), 41 deletions(-) diff --git a/src/mainboard/gigabyte/ga-g41m-es2l/cmos.layout b/src/mainboard/gigabyte/ga-g41m-es2l/cmos.layout index 3138479..fac9d35 100644 --- a/src/mainboard/gigabyte/ga-g41m-es2l/cmos.layout +++ b/src/mainboard/gigabyte/ga-g41m-es2l/cmos.layout @@ -68,6 +68,7 @@ entries # coreboot config options: check sums 984 16 h 0 check_sum +1024 144 r 0 recv_enable_results # ----------------------------------------------------------------- enumerations diff --git a/src/mainboard/gigabyte/ga-g41m-es2l/romstage.c b/src/mainboard/gigabyte/ga-g41m-es2l/romstage.c index 0f43795..d76fbb2 100644 --- a/src/mainboard/gigabyte/ga-g41m-es2l/romstage.c +++ b/src/mainboard/gigabyte/ga-g41m-es2l/romstage.c @@ -30,6 +30,7 @@ #include <lib.h> #include <arch/stages.h> #include <cbmem.h> +#include <northbridge/intel/x4x/iomap.h> #define SERIAL_DEV PNP_DEV(0x2e, IT8718F_SP1) #define GPIO_DEV PNP_DEV(0x2e, IT8718F_GPIO) @@ -130,6 +131,7 @@ void mainboard_romstage_entry(unsigned long bist) { // ch0 ch1 const u8 spd_addrmap[4] = { 0x50, 0, 0x52, 0 }; + u8 boot_path = 0; /* Disable watchdog timer */ RCBA32(0x3410) = RCBA32(0x3410) | 0x20; @@ -149,8 +151,11 @@ void mainboard_romstage_entry(unsigned long bist) x4x_early_init(); + if (MCHBAR32(PMSTS_MCHBAR) & PMSTS_WARM_RESET) + boot_path = BOOT_PATH_WARM_RESET; + printk(BIOS_DEBUG, "Initializing memory\n"); - sdram_initialize(0, spd_addrmap); + sdram_initialize(boot_path, spd_addrmap); quick_ram_check(); cbmem_initialize_empty(); printk(BIOS_DEBUG, "Memory initialized\n"); diff --git a/src/northbridge/intel/x4x/raminit_ddr2.c b/src/northbridge/intel/x4x/raminit_ddr2.c index b3ee34a..48a46fa 100644 --- a/src/northbridge/intel/x4x/raminit_ddr2.c +++ b/src/northbridge/intel/x4x/raminit_ddr2.c @@ -20,6 +20,11 @@ #include <console/console.h> #include <commonlib/helpers.h> #include <delay.h> +#include <pc80/mc146818rtc.h> +/* This northbridge can also occur with ICH10 */ +#if IS_ENABLED(CONFIG_SOUTHBRIDGE_INTEL_I82801GX) +#include <southbridge/intel/i82801gx/i82801gx.h> +#endif #include "iomap.h" #include "x4x.h" @@ -257,26 +262,25 @@ static void clkcross_ddr2(struct sysinfo *s) static void checkreset_ddr2(struct sysinfo *s) { u8 pmcon2; - u8 reset = 0; pmcon2 = pci_read_config8(PCI_DEV(0, 0x1f, 0), 0xa2); - if (!(pmcon2 & 0x80)) { - pmcon2 |= 0x80; + + if (pmcon2 & 0x80) { + pmcon2 &= ~0x80; pci_write_config8(PCI_DEV(0, 0x1f, 0), 0xa2, pmcon2); - reset = 1; /* do magic 0xf0 thing. */ u8 reg8 = pci_read_config8(PCI_DEV(0, 0, 0), 0xf0); pci_write_config8(PCI_DEV(0, 0, 0), 0xf0, reg8 & ~(1 << 2)); reg8 = pci_read_config8(PCI_DEV(0, 0, 0), 0xf0); pci_write_config8(PCI_DEV(0, 0, 0), 0xf0, reg8 | (1 << 2)); - } - if (reset) { + printk(BIOS_DEBUG, "Reset...\n"); - outb(0xe, 0xcf9); + outb(0x6, 0xcf9); asm ("hlt"); } - pci_write_config8(PCI_DEV(0, 0x1f, 0), 0xa2, pmcon2 | 0x80); + pmcon2 |= 0x80; + pci_write_config8(PCI_DEV(0, 0x1f, 0), 0xa2, pmcon2); } static void setioclk_ddr2(struct sysinfo *s) @@ -1486,6 +1490,80 @@ static void rcven_ddr2(struct sysinfo *s) printk(BIOS_DEBUG, "End rcven\n"); } +static void sdram_save_receive_enable(void) +{ + int i = 0, uneven; + u16 reg16; + u8 values[18]; + u8 lane, ch; + + FOR_EACH_CHANNEL(ch) { + for (lane = 0; lane < 8; lane++) { + uneven = lane % 2; + values[i] |= (MCHBAR8(0x400*ch + 0x560 + lane * 4) & 0xf) + << uneven * 4; + if (uneven) + i++; + } + values[i++] = (MCHBAR32(0x400*ch + 0x248) >> 16) & 0xf; + reg16 = MCHBAR16(0x400*ch + 0x5fa); + values[i++] = reg16 & 0xff; + values[i++] = (reg16 >> 8) & 0xff; + reg16 = MCHBAR16(0x400*ch + 0x58c); + values[i++] = reg16 & 0xff; + values[i++] = (reg16 >> 8) & 0xff; + } + + for (i = 0; i < ARRAY_SIZE(values); i++) + cmos_write(values[i], 128 + i); +} + +static void sdram_recover_receive_enable(void) +{ + u8 i, uneven; + u32 reg32 = 0; + u16 reg16 = 0; + u8 values[18]; + u8 ch, lane; + + for (i = 0; i < ARRAY_SIZE(values); i++) + values[i] = cmos_read(128 + i); + + i = 0; + FOR_EACH_CHANNEL(ch) { + for (lane = 0; lane < 8; lane++) { + uneven = lane % 2; + MCHBAR8(0x400*ch + 0x560 + (lane*4)) = 0x70 + | ((values[i] >> (4 * uneven)) & 0xf); + if (uneven) + i++; + } + reg32 = (MCHBAR32(0x400*ch + 0x248) & ~0xf0000) + | ((values[i++] & 0xf) << 16); + MCHBAR32(0x400*ch + 0x248) = reg32; + reg16 = values[i++]; + reg16 |= values[i++] << 8; + MCHBAR16(0x400*ch + 0x5fa) = reg16; + reg16 = values[i++]; + reg16 |= values[i++] << 8; + MCHBAR16(0x400*ch + 0x58c) = reg16; + } +} + +static void sdram_program_receive_enable(struct sysinfo *s) +{ + /* enable upper CMOS */ + RCBA32(0x3400) = (1 << 2); + + /* Program Receive Enable Timings */ + if (s->boot_path == BOOT_PATH_WARM_RESET) { + sdram_recover_receive_enable(); + } else { + rcven_ddr2(s); + sdram_save_receive_enable(); + } +} + static void dradrb_ddr2(struct sysinfo *s) { u8 map, i, ch, r, rankpop0, rankpop1; @@ -1859,23 +1937,25 @@ void raminit_ddr2(struct sysinfo *s) // Reset if required checkreset_ddr2(s); - // Clear self refresh - MCHBAR32(0xf14) = MCHBAR32(0xf14) | 0x3; + if (s->boot_path != BOOT_PATH_WARM_RESET) { + // Clear self refresh + MCHBAR32(PMSTS_MCHBAR) = MCHBAR32(PMSTS_MCHBAR) + | PMSTS_BOTH_SELFREFRESH; - // Clear host clk gate reg - MCHBAR32(0x1c) = MCHBAR32(0x1c) | 0xffffffff; + // Clear host clk gate reg + MCHBAR32(0x1c) = MCHBAR32(0x1c) | 0xffffffff; - // Select DDR2 - MCHBAR8(0x1a8) = MCHBAR8(0x1a8) & ~0x4; + // Select DDR2 + MCHBAR8(0x1a8) = MCHBAR8(0x1a8) & ~0x4; - // Set freq - MCHBAR32(0xc00) = (MCHBAR32(0xc00) & ~0x70) | - (s->selected_timings.mem_clk << 4) | (1 << 10); + // Set freq + MCHBAR32(0xc00) = (MCHBAR32(0xc00) & ~0x70) | + (s->selected_timings.mem_clk << 4) | (1 << 10); - // Overwrite freq if chipset rejects it - s->selected_timings.mem_clk = (MCHBAR8(0xc00) & 0x70) >> 4; - if (s->selected_timings.mem_clk > (s->max_fsb + 3)) { - die("Error: DDR is faster than FSB, halt\n"); + // Overwrite freq if chipset rejects it + s->selected_timings.mem_clk = (MCHBAR8(0xc00) & 0x70) >> 4; + if (s->selected_timings.mem_clk > (s->max_fsb + 3)) + die("Error: DDR is faster than FSB, halt\n"); } udelay(250000); @@ -1885,8 +1965,10 @@ void raminit_ddr2(struct sysinfo *s) printk(BIOS_DEBUG, "Done clk crossing\n"); // DDR2 IO - setioclk_ddr2(s); - printk(BIOS_DEBUG, "Done I/O clk\n"); + if (s->boot_path != BOOT_PATH_WARM_RESET) { + setioclk_ddr2(s); + printk(BIOS_DEBUG, "Done I/O clk\n"); + } // Grant to launch launch_ddr2(s); @@ -1900,16 +1982,21 @@ void raminit_ddr2(struct sysinfo *s) dll_ddr2(s); // RCOMP - rcomp_ddr2(s); - printk(BIOS_DEBUG, "RCOMP\n"); + if (s->boot_path != BOOT_PATH_WARM_RESET) { + rcomp_ddr2(s); + printk(BIOS_DEBUG, "RCOMP\n"); + } // ODT odt_ddr2(s); printk(BIOS_DEBUG, "Done ODT\n"); // RCOMP update - while ((MCHBAR8(0x130) & 1) != 0 ); - printk(BIOS_DEBUG, "Done RCOMP update\n"); + if (s->boot_path != BOOT_PATH_WARM_RESET) { + while ((MCHBAR8(0x130) & 1) != 0) + ; + printk(BIOS_DEBUG, "Done RCOMP update\n"); + } // Set defaults MCHBAR32(0x260) = (MCHBAR32(0x260) & ~1) | 0xf00000; @@ -1989,7 +2076,7 @@ void raminit_ddr2(struct sysinfo *s) } // Receive enable - rcven_ddr2(s); + sdram_program_receive_enable(s); printk(BIOS_DEBUG, "Done rcven\n"); // Finish rcven @@ -2004,16 +2091,18 @@ void raminit_ddr2(struct sysinfo *s) MCHBAR8(0x5dc) = MCHBAR8(0x5dc) | 0x80; // Dummy writes / reads - volatile u32 data; - FOR_EACH_POPULATED_RANK(s->dimms, ch, r) { - for (bank = 0; bank < 4; bank++) { - reg32 = (ch << 29) | (r*0x8000000) | (bank << 12); - write32((u32 *)reg32, 0xffffffff); - data = read32((u32 *)reg32); - printk(BIOS_DEBUG, "Wrote ones, Read: [0x%08x]=0x%08x\n", reg32, data); - write32((u32 *)reg32, 0x00000000); - data = read32((u32 *)reg32); - printk(BIOS_DEBUG, "Wrote zeros, Read: [0x%08x]=0x%08x\n", reg32, data); + if (s->boot_path == BOOT_PATH_NORMAL) { + volatile u32 data; + FOR_EACH_POPULATED_RANK(s->dimms, ch, r) { + for (bank = 0; bank < 4; bank++) { + reg32 = (ch << 29) | (r*0x8000000) | (bank << 12); + write32((u32 *)reg32, 0xffffffff); + data = read32((u32 *)reg32); + printk(BIOS_DEBUG, "Wrote ones, Read: [0x%08x]=0x%08x\n", reg32, data); + write32((u32 *)reg32, 0x00000000); + data = read32((u32 *)reg32); + printk(BIOS_DEBUG, "Wrote zeros, Read: [0x%08x]=0x%08x\n", reg32, data); + } } } printk(BIOS_DEBUG, "Done dummy reads\n"); diff --git a/src/northbridge/intel/x4x/x4x.h b/src/northbridge/intel/x4x/x4x.h index 7ca634f..66d765a 100644 --- a/src/northbridge/intel/x4x/x4x.h +++ b/src/northbridge/intel/x4x/x4x.h @@ -87,8 +87,8 @@ #define MCHBAR32(x) *((volatile u32 *)(DEFAULT_MCHBAR + x)) #define PMSTS_MCHBAR 0x0f14 /* Self refresh channel status */ -#define PMSTS_WARM_RESET (1 << 1) -#define PMSTS_BOTH_SELFREFRESH (1 << 0) +#define PMSTS_WARM_RESET (1 << 8) +#define PMSTS_BOTH_SELFREFRESH (3 << 0) #define CLKCFG_MCHBAR 0x0c00 #define CLKCFG_FSBCLK_SHIFT 0 @@ -290,6 +290,9 @@ struct sysinfo { struct dimminfo dimms[4]; u8 spd_map[4]; }; +#define BOOT_PATH_NORMAL 0 +#define BOOT_PATH_WARM_RESET 1 +#define BOOT_PATH_RESUME 2 enum ddr2_signals { CLKSET0 = 0,

1 0

New patch to review for coreboot: google/eve: Enable PD MCU device
by Duncan Laurie 23 Jan '17

23 Jan '17

Duncan Laurie (dlaurie(a)chromium.org) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18209 -gerrit commit f1c93f01595ebada08e6f0c22bbd71cfaf745ba8 Author: Duncan Laurie <dlaurie(a)chromium.org> Date: Fri Jan 20 14:16:55 2017 -0800 google/eve: Enable PD MCU device In order for PD charge events to properly notify the OS when a charger is attached we need to enable the PD MCU device and event source from the EC. Without this change the charging still happens, but the OS does not notice and update the charge state icon in the Chrome OS UI. BUG=chrome-os-partner:62206 BRANCH=none TEST=plug in a charger to either port and see charge status updated to indicate charging in the power_supply_info tool and the Chrome OS UI. Change-Id: Ia6f63ac719b739326d313f657a68005c32f45b8d Signed-off-by: Duncan Laurie <dlaurie(a)chromium.org> --- src/mainboard/google/eve/ec.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/mainboard/google/eve/ec.h b/src/mainboard/google/eve/ec.h index 25fddfc..d0e59e1 100644 --- a/src/mainboard/google/eve/ec.h +++ b/src/mainboard/google/eve/ec.h @@ -34,7 +34,8 @@ EC_HOST_EVENT_MASK(EC_HOST_EVENT_THERMAL_OVERLOAD) |\ EC_HOST_EVENT_MASK(EC_HOST_EVENT_THROTTLE_START) |\ EC_HOST_EVENT_MASK(EC_HOST_EVENT_THROTTLE_STOP) |\ - EC_HOST_EVENT_MASK(EC_HOST_EVENT_MKBP)) + EC_HOST_EVENT_MASK(EC_HOST_EVENT_MKBP) |\ + EC_HOST_EVENT_MASK(EC_HOST_EVENT_PD_MCU)) #define MAINBOARD_EC_SMI_EVENTS \ (EC_HOST_EVENT_MASK(EC_HOST_EVENT_LID_CLOSED)) @@ -65,6 +66,9 @@ /* Enable EC backed Keyboard Backlight in ACPI */ #define EC_ENABLE_KEYBOARD_BACKLIGHT +/* Enable EC backed PD MCU device in ACPI */ +#define EC_ENABLE_PD_MCU_DEVICE + /* Enable LID switch and provide wake pin for EC */ #define EC_ENABLE_LID_SWITCH #define EC_ENABLE_WAKE_PIN GPE_EC_WAKE

1 0

Patch set updated for coreboot: sb/intel/common: Hook up me_cleaner
by Nicola Corna 23 Jan '17

23 Jan '17

Nicola Corna (nicola(a)corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18206 -gerrit commit 01b9f87d71543d844baa4b636d119848f25498bb Author: Nicola Corna <nicola(a)corna.info> Date: Mon Jan 23 15:29:03 2017 +0100 sb/intel/common: Hook up me_cleaner The me_cleaner option is available on multiple platforms: * Sandy and Ivy Bridge (well tested by multiple users) * Skylake and Braswell (tested) * Haswell, Broadwell and Bay Trail (untested) The untested platforms have been included anyways because all the firmwares are very similar and Intel ME/TXE probably behaves in the same way. Change-Id: I46f461a1a7e058d57259f313142b00146f0196aa Signed-off-by: Nicola Corna <nicola(a)corna.info> --- src/southbridge/intel/common/firmware/Kconfig | 26 ++++++++++++++++++++++ src/southbridge/intel/common/firmware/Makefile.inc | 5 +++++ 2 files changed, 31 insertions(+) diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index c36b235..d049383 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -58,6 +58,32 @@ config ME_BIN_PATH default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin" depends on HAVE_ME_BIN +config USE_ME_CLEANER + bool "Strip down the Intel ME/TXE firmware" + depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \ + NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \ + SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ + SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) + help + Use me_cleaner.py to partially deblob the Intel ME/TXE firmware. + The resulting Intel ME/TXE firmware has only the code responsible for + the very basic hardware initialization, leaving the ME/TXE subsystem + essentially in a disabled state, but still allowing the system to + power on correctly. + + WARNING: this tool isn't based on any official Intel documentation but + only on reverse engineering and trial & error. Even if this tool seems + stable on multiple platforms and architectures, it still might lead to + unexpected behaviours. + See the project's page + https://github.com/corna/me_cleaner + or the wiki + https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F + https://github.com/corna/me_cleaner/wiki/me_cleaner-status + for more info about this tool + + If unsure, say N. + config HAVE_GBE_BIN bool "Add gigabit ethernet firmware" depends on HAVE_IFD_BIN diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 17e53b5..98a36d3 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -58,6 +58,11 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y) $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre endif +ifeq ($(CONFIG_USE_ME_CLEANER),y) + printf " ME_CLEANER coreboot.pre\n" + util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \ + $(obj)/me_cleaner.log +endif ifeq ($(CONFIG_HAVE_GBE_BIN),y) printf " IFDTOOL gbe.bin -> coreboot.pre\n" $(objutil)/ifdtool/ifdtool \

1 0

New patch to review for coreboot: amd/amdht: Fix format security errors
by Paul Menzel 23 Jan '17

23 Jan '17

Paul Menzel (paulepanter(a)users.sourceforge.net) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18208 -gerrit commit 86d45d8f624b358e5a6cb7a74291c827db3e6ef7 Author: Paul Menzel <pmenzel(a)molgen.mpg.de> Date: Fri Jan 20 14:49:35 2017 +0100 amd/amdht: Fix format security errors Ubuntu’s default compiler flags for GCC [1][2] include `-Wformat -Wformat-security`, causing errors similar like the one below. ``` CC romstage/northbridge/amd/amdht/ht_wrapper.o src/northbridge/amd/amdht/ht_wrapper.c: In function 'AMD_CB_EventNotify': src/northbridge/amd/amdht/ht_wrapper.c:124:4: error: format not a string literal and no format arguments [-Werror=format-security] printk(log_level, event_class_string_decodes[evtClass]); ^ […] ``` Fix that, by explicitly using a format string. TEST=Built and booted on ASUS KGPE-D16. [1] https://stackoverflow.com/questions/17260409/fprintf-error-format-not-a-str… [2] I tested with gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609. Change-Id: Iabe60deeffa441146eab31dac4416846ce95c32a Signed-off-by: Paul Menzel <pmenzel(a)molgen.mpg.de> --- src/northbridge/amd/amdht/ht_wrapper.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/northbridge/amd/amdht/ht_wrapper.c b/src/northbridge/amd/amdht/ht_wrapper.c index 8a25993..8babb47 100644 --- a/src/northbridge/amd/amdht/ht_wrapper.c +++ b/src/northbridge/amd/amdht/ht_wrapper.c @@ -121,7 +121,7 @@ static void AMD_CB_EventNotify (u8 evtClass, u16 event, const u8 *pEventData0) case HT_EVENT_CLASS_WARNING: case HT_EVENT_CLASS_INFO: log_level = BIOS_DEBUG; - printk(log_level, event_class_string_decodes[evtClass]); + printk(log_level, "%s", event_class_string_decodes[evtClass]); break; default: log_level = BIOS_DEBUG; @@ -135,7 +135,7 @@ static void AMD_CB_EventNotify (u8 evtClass, u16 event, const u8 *pEventData0) case HT_EVENT_COH_NO_TOPOLOGY: case HT_EVENT_COH_LINK_EXCEED: case HT_EVENT_COH_FAMILY_FEUD: - printk(log_level, event_string_decode(event)); + printk(log_level, "%s", event_string_decode(event)); break; case HT_EVENT_COH_NODE_DISCOVERED: { @@ -152,11 +152,11 @@ static void AMD_CB_EventNotify (u8 evtClass, u16 event, const u8 *pEventData0) case HT_EVENT_NCOH_LINK_EXCEED: case HT_EVENT_NCOH_BUS_MAX_EXCEED: case HT_EVENT_NCOH_CFG_MAP_EXCEED: - printk(log_level, event_string_decode(event)); + printk(log_level, "%s", event_string_decode(event)); break; case HT_EVENT_NCOH_DEVICE_FAILED: { - printk(log_level, event_string_decode(event)); + printk(log_level, "%s", event_string_decode(event)); sHtEventNcohDeviceFailed *evt = (sHtEventNcohDeviceFailed*)pEventData0; printk(log_level, ": node %d link %d depth: %d attemptedBUID: %d", evt->node, evt->link, evt->depth, evt->attemptedBUID); @@ -165,7 +165,7 @@ static void AMD_CB_EventNotify (u8 evtClass, u16 event, const u8 *pEventData0) } case HT_EVENT_NCOH_AUTO_DEPTH: { - printk(log_level, event_string_decode(event)); + printk(log_level, "%s", event_string_decode(event)); sHtEventNcohAutoDepth *evt = (sHtEventNcohAutoDepth*)pEventData0; printk(log_level, ": node %d link %d depth: %d", evt->node, evt->link, evt->depth); @@ -178,7 +178,7 @@ static void AMD_CB_EventNotify (u8 evtClass, u16 event, const u8 *pEventData0) case HT_EVENT_HW_EVENTS: case HT_EVENT_HW_SYNCHFLOOD: case HT_EVENT_HW_HTCRC: - printk(log_level, event_string_decode(event)); + printk(log_level, "%s", event_string_decode(event)); break; default: printk(log_level, "HT_EVENT_UNKNOWN");

1 0

Patch set updated for coreboot: nb/intel/x4x: Refactor dram freq and cas selection
by Arthur Heymans 23 Jan '17

23 Jan '17

Arthur Heymans (arthur(a)aheymans.xyz) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18156 -gerrit commit 2c989a350eed065814750b02a0d8b12976e821ac Author: Arthur Heymans <arthur(a)aheymans.xyz> Date: Mon Jan 16 23:32:02 2017 +0100 nb/intel/x4x: Refactor dram freq and cas selection Inspired by i945 code. The code did not check for tAC and for tCLK potentially selected the wrong spd offset for minimum cycle time. Adds some debugging output for freq and cas selection. The code is also written to be easily extendable for officially unsported dram frequencies like 533MHz and 400MHz which some vendor bios seem to support. Change-Id: Ie0d8326af50d3125bf35918ba645a6df27dd2ee4 Signed-off-by: Arthur Heymans <arthur(a)aheymans.xyz> --- src/northbridge/intel/x4x/raminit.c | 111 ++++++++++++++++++++++-------------- 1 file changed, 68 insertions(+), 43 deletions(-) diff --git a/src/northbridge/intel/x4x/raminit.c b/src/northbridge/intel/x4x/raminit.c index 86f63f1..d604783 100644 --- a/src/northbridge/intel/x4x/raminit.c +++ b/src/northbridge/intel/x4x/raminit.c @@ -160,13 +160,6 @@ static void sdram_read_spds(struct sysinfo *s) } } -static u8 msbpos(u8 val) //Reverse -{ - u8 i; - for (i = 7; (i >= 0) && ((val & (1 << i)) == 0); i--); - return i; -} - static void mchinfo_ddr2(struct sysinfo *s) { const u32 eax = cpuid_ext(0x04, 0).eax; @@ -199,13 +192,29 @@ static void sdram_detect_ram_speed(struct sysinfo *s) { u8 i; u8 commoncas = 0; + u8 highest_commoncas; u8 currcas; u8 currfreq; u8 maxfreq; u8 freq = 0; + u8 highest_supported_cas[TOTAL_DIMMS]; + u8 idx; + u8 tclk, tclk_target; + u8 tac, tac_target; + + const u8 ddr2_speeds_table[] = { + 0x50, 0x60, /* DDR2 400: tCLK = 5.0ns tAC = 0.6ns */ + 0x3d, 0x50, /* DDR2 533: tCLK = 3.75ns tAC = 0.5ns */ + 0x30, 0x45, /* DDR2 667: tCLK = 3.0ns tAC = 0.45ns */ + 0x25, 0x40, /* DDR2 800: tCLK = 2.5ns tAC = 0.40ns */ + }; + + const u8 spd_lookup_table[] = { + SPD_MIN_CYCLE_TIME_AT_CAS_MAX, SPD_ACCESS_TIME_FROM_CLOCK, + SPD_SDRAM_CYCLE_TIME_2ND, SPD_ACCESS_TIME_FROM_CLOCK_2ND, + SPD_SDRAM_CYCLE_TIME_3RD, SPD_ACCESS_TIME_FROM_CLOCK_3RD, + }; - // spdidx,cycletime @CAS 5 6 - u8 idx800[7][2] = {{0,0}, {0,0}, {0,0}, {0,0}, {0,0}, {23,0x30}, {9,0x25}}; int found = 0; // Find max FSB speed @@ -225,57 +234,73 @@ static void sdram_detect_ram_speed(struct sysinfo *s) break; } - // Max RAM speed if (s->spd_type == DDR2) { - - maxfreq = MEM_CLOCK_800MHz; - - // Choose common CAS latency from {6,5}, 4 does not work - commoncas = 0x60; - + /* Only CAS 5 and 6 are supported */ + commoncas = SPD_CAS_LATENCY_DDR2_6 | SPD_CAS_LATENCY_DDR2_5; FOR_EACH_POPULATED_DIMM(s->dimms, i) { + if (s->dimms[i].cas_latencies & SPD_CAS_LATENCY_DDR2_7) { + highest_supported_cas[i] = 7; + } else if (s->dimms[i].cas_latencies & SPD_CAS_LATENCY_DDR2_6) { + highest_supported_cas[i] = 6; + } else if (s->dimms[i].cas_latencies & SPD_CAS_LATENCY_DDR2_5) { + highest_supported_cas[i] = 5; + } /* Don't check for lower CAS since not supported */ commoncas &= s->dimms[i].cas_latencies; } - if (commoncas == 0) { + if (commoncas == 0) die("No common CAS among dimms\n"); - } + else if (commoncas & SPD_CAS_LATENCY_DDR2_6) + highest_commoncas = 6; + else + highest_commoncas = 5; + + /* + * FIXME: datasheets say only 667MHz and 800MHz are supported + * but vendor bios also supports 533MHz and possibly 400MHz + */ + /* Test from higher to lower frequency, from lower to higher CAS latency */ + for (currfreq = MEM_CLOCK_800MHz; currfreq >= MEM_CLOCK_667MHz; currfreq--) { + printk(BIOS_DEBUG, "Trying DDR2: "); + switch (currfreq) { + case MEM_CLOCK_400MHz: + printk(BIOS_DEBUG, "%dMHz\n", 400); + case MEM_CLOCK_533MHz: + printk(BIOS_DEBUG, "%dMHz\n", 533); + case MEM_CLOCK_667MHz: + printk(BIOS_DEBUG, "%dMHz\n", 667); + case MEM_CLOCK_800MHz: + printk(BIOS_DEBUG, "%dMHz\n", 800); + } - // Working from fastest to slowest, - // fast->slow 5@800 6@800 5@667 - found = 0; - for (currcas = 5; currcas <= msbpos(commoncas); currcas++) { - currfreq = maxfreq; - if (currfreq == MEM_CLOCK_800MHz) { + for (currcas = 5; currcas <= highest_commoncas; currcas++) { + printk(BIOS_DEBUG, " Trying CAS: %d\n", currcas); found = 1; FOR_EACH_POPULATED_DIMM(s->dimms, i) { - if (s->dimms[i].spd_data[idx800[currcas][0]] > idx800[currcas][1]) { - // this is too fast + idx = highest_supported_cas[i] - currcas; + printk(BIOS_DEBUG, " dimm: %d, idx: %d\n", i, idx); + + tclk = s->dimms[i].spd_data[spd_lookup_table[2 * idx]]; + tclk_target = ddr2_speeds_table[2 * currfreq]; + tac = s->dimms[i].spd_data[spd_lookup_table[2 * idx + 1]]; + tac_target = ddr2_speeds_table[2 * currfreq + 1]; + printk(BIOS_DEBUG, " tCLK: 0x%x , tCLK_target: 0x%x\n", tclk, tclk_target); + printk(BIOS_DEBUG, " tAC: 0x%x , tAC_target: 0x%x\n", tac, tac_target); + if ((tclk > tclk_target) && (tac > tac_target)) { + printk(BIOS_DEBUG, " Timing too fast\n"); found = 0; + break; /* No need to check other dimms for these timings */ } } - if (found) - break; - } - } - - if (!found) { - currcas = 5; - currfreq = MEM_CLOCK_667MHz; - found = 1; - FOR_EACH_POPULATED_DIMM(s->dimms, i) { - if (s->dimms[i].spd_data[9] > 0x30) { - // this is too fast - found = 0; + if (found) { + s->selected_timings.mem_clk = currfreq; + s->selected_timings.CAS = currcas; + return; } } } - if (!found) die("No valid CAS/frequencies detected\n"); - s->selected_timings.mem_clk = currfreq; - s->selected_timings.CAS = currcas; - } else { // DDR3 // Limit frequency for MCH maxfreq = (s->max_ddr2_mhz == 800) ? MEM_CLOCK_800MHz : MEM_CLOCK_667MHz;

1 0

Patch set updated for coreboot: sb/intel/common: Hook up me_cleaner
by Nicola Corna 23 Jan '17

23 Jan '17

Nicola Corna (nicola(a)corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18206 -gerrit commit f3f2f8548785d78bad62005b31824ab67901fb40 Author: Nicola Corna <nicola(a)corna.info> Date: Mon Jan 23 15:29:03 2017 +0100 sb/intel/common: Hook up me_cleaner Change-Id: I46f461a1a7e058d57259f313142b00146f0196aa Signed-off-by: Nicola Corna <nicola(a)corna.info> --- src/southbridge/intel/common/firmware/Kconfig | 26 ++++++++++++++++++++++ src/southbridge/intel/common/firmware/Makefile.inc | 5 +++++ 2 files changed, 31 insertions(+) diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index c36b235..d049383 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -58,6 +58,32 @@ config ME_BIN_PATH default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin" depends on HAVE_ME_BIN +config USE_ME_CLEANER + bool "Strip down the Intel ME/TXE firmware" + depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \ + NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \ + SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ + SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) + help + Use me_cleaner.py to partially deblob the Intel ME/TXE firmware. + The resulting Intel ME/TXE firmware has only the code responsible for + the very basic hardware initialization, leaving the ME/TXE subsystem + essentially in a disabled state, but still allowing the system to + power on correctly. + + WARNING: this tool isn't based on any official Intel documentation but + only on reverse engineering and trial & error. Even if this tool seems + stable on multiple platforms and architectures, it still might lead to + unexpected behaviours. + See the project's page + https://github.com/corna/me_cleaner + or the wiki + https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F + https://github.com/corna/me_cleaner/wiki/me_cleaner-status + for more info about this tool + + If unsure, say N. + config HAVE_GBE_BIN bool "Add gigabit ethernet firmware" depends on HAVE_IFD_BIN diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 17e53b5..98a36d3 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -58,6 +58,11 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y) $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre endif +ifeq ($(CONFIG_USE_ME_CLEANER),y) + printf " ME_CLEANER coreboot.pre\n" + util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \ + $(obj)/me_cleaner.log +endif ifeq ($(CONFIG_HAVE_GBE_BIN),y) printf " IFDTOOL gbe.bin -> coreboot.pre\n" $(objutil)/ifdtool/ifdtool \

1 0

Patch set updated for coreboot: util: Add me_cleaner
by Nicola Corna 23 Jan '17

23 Jan '17

Nicola Corna (nicola(a)corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18203 -gerrit commit 45d0f68ac0a30090b06b25dee786cc637181455b Author: Nicola Corna <nicola(a)corna.info> Date: Mon Jan 23 15:28:24 2017 +0100 util: Add me_cleaner me_cleaner is a tool to strip down Intel ME/TXE images by removing all the non-fundamental code, while keeping the ME/TXE image valid and suitable for booting the system. The remaining code (ROMP and BUP modules) is the one responsible for the very basic initialization of the ME/TXE subsystem and can't be removed. This tool exploits the fact that: * Each ME/TXE partition is signed individually and it is possible to remove both the partition and the signature. * The ME/TXE modules are not signed directly, instead they are hashed and the list of their hashes is hashed again and signed: this means that modifying a module doesn't invalidate the signature, but only the hash of that single module. * The modules hashes are checked only when the corresponding module needs to be executed. * The system can boot after the execution of the first module (BUP, inside the FTPR partition), even if the subsequent stages fail. Currently me_cleaner works on every Intel platform with Intel ME or Intel TXE with the following limitations: * Doesn't work when Intel Boot Guard is set in Verified Boot mode. * Doesn't fully work on Nehalem yet. * On Skylake and later generations, since the partitions' internal structure has changed, me_cleaner leaves intact the FTPR partition, removing all the the other partitions. This tool has been tested on multiple platforms and architectures by different users, and seems to be stable. The reports are available here: https://github.com/corna/me_cleaner/issues/3 A more in-depth description of me_cleaner is available here: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F Change-Id: I9013799e9adea0dea0775b9afe718de5fc4ca748 Signed-off-by: Nicola Corna <nicola(a)corna.info> --- util/me_cleaner/README.md | 25 ++++ util/me_cleaner/me_cleaner.py | 313 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 338 insertions(+) diff --git a/util/me_cleaner/README.md b/util/me_cleaner/README.md new file mode 100644 index 0000000..9a09b55 --- /dev/null +++ b/util/me_cleaner/README.md @@ -0,0 +1,25 @@ +# ME cleaner + +A cleaner for Intel ME/TXE images. + +This tools removes any unnecessary partition from an Intel ME/TXE firmware, reducing +its size and its ability to interact with the system. +It should work both with coreboot and with the factory firmware. + +Currently this tool: + * Scans the FPT (partition table) and checks that everything is correct + * Removes any partition entry (except for FTPR) from FPT + * Removes any partition except for the fundamental one (FTPR) + * Removes the EFFS presence flag + * Corrects the FPT checksum + * Removes any non-essential LZMA or Huffman compressed module (pre-Skylake only) + * Checks the validity of the RSA signature of the FTPR partition + +Don't forget to power cycle your PC after flashing the modified ME/TXE image +(power off and power on, not just reboot). + +See the [current status](https://github.com/corna/me_cleaner/wiki/me_cleaner-status) +or [a more detailed description](https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F) +of me_cleaner. + +Special thanks to Federico Amedeo Izzo for his help during the study of Intel ME. diff --git a/util/me_cleaner/me_cleaner.py b/util/me_cleaner/me_cleaner.py new file mode 100755 index 0000000..2ad5898 --- /dev/null +++ b/util/me_cleaner/me_cleaner.py @@ -0,0 +1,313 @@ +#!/usr/bin/python + +# me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware images +# Copyright (C) 2016, 2017 Nicola Corna <nicola(a)corna.info> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +import sys +import itertools +import binascii +import hashlib +from struct import pack, unpack + + +unremovable_modules = ("BUP", "ROMP") + + +def get_chunks_offsets(llut, me_start): + chunk_count = unpack("<I", llut[0x04:0x08])[0] + huffman_stream_end = sum(unpack("<II", llut[0x10:0x18])) + me_start + nonzero_offsets = [huffman_stream_end] + offsets = [] + + for i in range(0, chunk_count): + chunk = llut[0x40 + i * 4:0x44 + i * 4] + offset = 0 + + if chunk[3] != 0x80: + offset = unpack("<I", chunk[0:3] + b"\x00")[0] + me_start + + offsets.append([offset, 0]) + if offset != 0: + nonzero_offsets.append(offset) + + nonzero_offsets.sort() + + for i in offsets: + if i[0] != 0: + i[1] = nonzero_offsets[nonzero_offsets.index(i[0]) + 1] + + return offsets + + +def fill_range(f, start, end, fill): + block = fill * 4096 + f.seek(start) + f.writelines(itertools.repeat(block, (end - start) // 4096)) + f.write(block[:(end - start) % 4096]) + + +def remove_modules(f, mod_headers, ftpr_offset): + comp_str = ("Uncomp.", "Huffman", "LZMA") + unremovable_huff_chunks = [] + chunks_offsets = [] + base = 0 + chunk_size = 0 + + for mod_header in mod_headers: + name = mod_header[0x04:0x14].rstrip(b"\x00").decode("ascii") + offset = unpack("<I", mod_header[0x38:0x3C])[0] + ftpr_offset + size = unpack("<I", mod_header[0x40:0x44])[0] + flags = unpack("<I", mod_header[0x50:0x54])[0] + comp_type = (flags >> 4) & 7 + + sys.stdout.write(" {:<16} ({:<7}, ".format(name, comp_str[comp_type])) + + if comp_type == 0x00 or comp_type == 0x02: + sys.stdout.write("0x{:06x} - 0x{:06x}): " + .format(offset, offset + size)) + + if name in unremovable_modules: + print("NOT removed, essential") + else: + fill_range(f, offset, offset + size, b"\xff") + print("removed") + + elif comp_type == 0x01: + sys.stdout.write("fragmented data ): ") + if not chunks_offsets: + f.seek(offset) + llut = f.read(4) + if llut == b"LLUT": + llut += f.read(0x3c) + + chunk_count = unpack("<I", llut[0x4:0x8])[0] + base = unpack("<I", llut[0x8:0xc])[0] + 0x10000000 + huff_data_len = unpack("<I", llut[0x10:0x14])[0] + chunk_size = unpack("<I", llut[0x30:0x34])[0] + + llut += f.read(chunk_count * 4 + huff_data_len) + chunks_offsets = get_chunks_offsets(llut, me_start) + else: + sys.exit("Huffman modules found, but LLUT is not present") + + if name in unremovable_modules: + print("NOT removed, essential") + module_base = unpack("<I", mod_header[0x34:0x38])[0] + module_size = unpack("<I", mod_header[0x3c:0x40])[0] + first_chunk_num = (module_base - base) // chunk_size + last_chunk_num = first_chunk_num + module_size // chunk_size + + unremovable_huff_chunks += \ + [x for x in chunks_offsets[first_chunk_num: + last_chunk_num + 1] if x[0] != 0] + else: + print("removed") + + else: + sys.stdout.write("0x{:06x} - 0x{:06x}): unknown compression, " + "skipping".format(offset, offset + size)) + + if chunks_offsets: + removable_huff_chunks = [] + + for chunk in chunks_offsets: + if all(not(unremovable_chk[0] <= chunk[0] < unremovable_chk[1] or + unremovable_chk[0] < chunk[1] <= unremovable_chk[1]) + for unremovable_chk in unremovable_huff_chunks): + removable_huff_chunks.append(chunk) + + for removable_chunk in removable_huff_chunks: + if removable_chunk[1] > removable_chunk[0]: + fill_range(f, removable_chunk[0], removable_chunk[1], b"\xff") + + +def check_partition_signature(f, offset): + f.seek(offset) + header = f.read(0x80) + modulus = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + public_exponent = int(binascii.hexlify(f.read(0x4)[::-1]), 16) + signature = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + + header_len = unpack("<I", header[0x4:0x8])[0] * 4 + manifest_len = unpack("<I", header[0x18:0x1c])[0] * 4 + f.seek(offset + header_len) + + sha256 = hashlib.sha256() + sha256.update(header) + sha256.update(f.read(manifest_len - header_len)) + + decrypted_sig = pow(signature, public_exponent, modulus) + + return "{:#x}".format(decrypted_sig).endswith(sha256.hexdigest()) # FIXME + + +if len(sys.argv) != 2 or sys.argv[1] == "-h" or sys.argv[1] == "--help": + print("Usage: \n" + " me_cleaner.py me_or_txe_image.bin\n" + "or\n" + " me_cleaner.py full_dump.bin") +else: + with open(sys.argv[1], "r+b") as f: + f.seek(0x10) + magic = f.read(4) + + if magic == b"$FPT": + print("ME/TXE image detected") + me_start = 0 + f.seek(0, 2) + me_end = f.tell() + + elif magic == b"\x5a\xa5\xf0\x0f": + print("Full image detected") + f.seek(0x14) + flmap0 = unpack("<I", f.read(4))[0] + nr = flmap0 >> 24 & 0x7 + frba = flmap0 >> 12 & 0xff0 + if nr >= 2: + f.seek(frba + 0x8) + flreg2 = unpack("<I", f.read(4))[0] + me_start = (flreg2 & 0x1fff) << 12 + me_end = flreg2 >> 4 & 0x1fff000 | 0xfff + + if me_start >= me_end: + sys.exit("The ME/TXE region in this image has been " + "disabled") + + f.seek(me_start + 0x10) + if f.read(4) != b"$FPT": + sys.exit("The ME/TXE region is corrupted or missing") + + print("The ME/TXE region goes from {:#x} to {:#x}" + .format(me_start, me_end)) + else: + sys.exit("This image does not contains a ME/TXE firmware " + "(NR = {})".format(nr)) + else: + sys.exit("Unknown image") + + print("Found FPT header at {:#x}".format(me_start + 0x10)) + + f.seek(me_start + 0x14) + entries = unpack("<I", f.read(4))[0] + print("Found {} partition(s)".format(entries)) + + f.seek(me_start + 0x14) + header_len = unpack("B", f.read(1))[0] + + f.seek(me_start + 0x30) + partitions = f.read(entries * 0x20) + + ftpr_header = b"" + + for i in range(entries): + if partitions[i * 0x20:(i * 0x20) + 4] == b"FTPR": + ftpr_header = partitions[i * 0x20:(i + 1) * 0x20] + break + + if ftpr_header == b"": + sys.exit("FTPR header not found, this image doesn't seem to be " + "valid") + + ftpr_offset, ftpr_lenght = unpack("<II", ftpr_header[0x08:0x10]) + ftpr_offset += me_start + print("Found FTPR header: FTPR partition spans from {:#x} to {:#x}" + .format(ftpr_offset, ftpr_offset + ftpr_lenght)) + print("Removing extra partitions...") + + fill_range(f, me_start + 0x30, ftpr_offset, b"\xff") + fill_range(f, ftpr_offset + ftpr_lenght, me_end, b"\xff") + + print("Removing extra partition entries in FPT...") + f.seek(me_start + 0x30) + f.write(ftpr_header) + f.seek(me_start + 0x14) + f.write(pack("<I", 1)) + + print("Removing EFFS presence flag...") + f.seek(me_start + 0x24) + flags = unpack("<I", f.read(4))[0] + flags &= ~(0x00000001) + f.seek(me_start + 0x24) + f.write(pack("<I", flags)) + + f.seek(me_start, 0) + header = bytearray(f.read(0x30)) + checksum = (0x100 - (sum(header) - header[0x1b]) & 0xff) & 0xff + + print("Correcting checksum (0x{:02x})...".format(checksum)) + # The checksum is just the two's complement of the sum of the first + # 0x30 bytes (except for 0x1b, the checksum itself). In other words, + # the sum of the first 0x30 bytes must be always 0x00. + f.seek(me_start + 0x1b) + f.write(pack("B", checksum)) + + f.seek(ftpr_offset) + if f.read(4) == b"$CPD": + me11 = True + num_entries = unpack("<I", f.read(4))[0] + f.seek(ftpr_offset + 0x10 + num_entries * 0x18 + 0x24) + else: + me11 = False + f.seek(ftpr_offset + 0x24) + + version = unpack("<HHHH", f.read(0x08)) + print("ME/TXE firmware version {}" + .format('.'.join(str(i) for i in version))) + + if not me11: + print("Reading FTPR modules list...") + f.seek(ftpr_offset + 0x1c) + tag = f.read(4) + + if tag == b"$MN2": + f.seek(ftpr_offset + 0x20) + num_modules = unpack("<I", f.read(4))[0] + f.seek(ftpr_offset + 0x290) + data = f.read(0x84) + + module_header_size = 0 + if data[0x0:0x4] == b"$MME": + if data[0x60:0x64] == b"$MME": + module_header_size = 0x60 + elif data[0x80:0x84] == b"$MME": + module_header_size = 0x80 + + if module_header_size != 0: + f.seek(ftpr_offset + 0x290) + mod_headers = [f.read(module_header_size) + for i in range(0, num_modules)] + + if all(mod_h.startswith(b"$MME") for mod_h in mod_headers): + remove_modules(f, mod_headers, ftpr_offset) + else: + print("Found less modules than expected in the FTPR " + "partition; skipping modules removal") + else: + print("Can't find the module header size; skipping " + "modules removal") + else: + print("Wrong FTPR partition tag ({}); skipping modules removal" + .format(tag)) + else: + print("Modules removal in ME v11 or greater is not yet supported") + + sys.stdout.write("Checking FTPR RSA signature... ") + if check_partition_signature(f, ftpr_offset): + print("VALID") + else: + print("INVALID!!") + sys.exit("The FTPR partition signature is not valid. Is the input " + "ME/TXE image valid?") + + print("Done! Good luck!")

1 0

Patch set updated for coreboot: sb/intel/common: Hook up me_cleaner
by Nicola Corna 23 Jan '17

23 Jan '17

Nicola Corna (nicola(a)corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18206 -gerrit commit 3c9e88fb18168fdf8f3e2fb0297f0e58e822baee Author: Nicola Corna <nicola(a)corna.info> Date: Mon Jan 23 15:29:03 2017 +0100 sb/intel/common: Hook up me_cleaner Change-Id: I46f461a1a7e058d57259f313142b00146f0196aa Signed-off-by: Nicola Corna <nicola(a)corna.info> --- src/southbridge/intel/common/firmware/Kconfig | 26 ++++++++++++++++++++++ src/southbridge/intel/common/firmware/Makefile.inc | 5 +++++ 2 files changed, 31 insertions(+) diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index c36b235..d049383 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -58,6 +58,32 @@ config ME_BIN_PATH default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin" depends on HAVE_ME_BIN +config USE_ME_CLEANER + bool "Strip down the Intel ME/TXE firmware" + depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \ + NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \ + SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ + SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) + help + Use me_cleaner.py to partially deblob the Intel ME/TXE firmware. + The resulting Intel ME/TXE firmware has only the code responsible for + the very basic hardware initialization, leaving the ME/TXE subsystem + essentially in a disabled state, but still allowing the system to + power on correctly. + + WARNING: this tool isn't based on any official Intel documentation but + only on reverse engineering and trial & error. Even if this tool seems + stable on multiple platforms and architectures, it still might lead to + unexpected behaviours. + See the project's page + https://github.com/corna/me_cleaner + or the wiki + https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F + https://github.com/corna/me_cleaner/wiki/me_cleaner-status + for more info about this tool + + If unsure, say N. + config HAVE_GBE_BIN bool "Add gigabit ethernet firmware" depends on HAVE_IFD_BIN diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 17e53b5..98a36d3 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -58,6 +58,11 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y) $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre endif +ifeq ($(CONFIG_USE_ME_CLEANER),y) + printf " ME_CLEANER coreboot.pre\n" + util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \ + $(obj)/me_cleaner.log +endif ifeq ($(CONFIG_HAVE_GBE_BIN),y) printf " IFDTOOL gbe.bin -> coreboot.pre\n" $(objutil)/ifdtool/ifdtool \

1 0

New patch to review for coreboot: sb/intel/common: Hook up me_cleaner
by Nicola Corna 23 Jan '17

23 Jan '17

Nicola Corna (nicola(a)corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18206 -gerrit commit c291e3c9f3f1f87b2078dbb2c0b65f7b37e36360 Author: Nicola Corna <nicola(a)corna.info> Date: Mon Jan 23 15:29:03 2017 +0100 sb/intel/common: Hook up me_cleaner Change-Id: I46f461a1a7e058d57259f313142b00146f0196aa --- src/southbridge/intel/common/firmware/Kconfig | 26 ++++++++++++++++++++++ src/southbridge/intel/common/firmware/Makefile.inc | 5 +++++ 2 files changed, 31 insertions(+) diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index c36b235..d049383 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -58,6 +58,32 @@ config ME_BIN_PATH default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin" depends on HAVE_ME_BIN +config USE_ME_CLEANER + bool "Strip down the Intel ME/TXE firmware" + depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \ + NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \ + SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ + SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) + help + Use me_cleaner.py to partially deblob the Intel ME/TXE firmware. + The resulting Intel ME/TXE firmware has only the code responsible for + the very basic hardware initialization, leaving the ME/TXE subsystem + essentially in a disabled state, but still allowing the system to + power on correctly. + + WARNING: this tool isn't based on any official Intel documentation but + only on reverse engineering and trial & error. Even if this tool seems + stable on multiple platforms and architectures, it still might lead to + unexpected behaviours. + See the project's page + https://github.com/corna/me_cleaner + or the wiki + https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F + https://github.com/corna/me_cleaner/wiki/me_cleaner-status + for more info about this tool + + If unsure, say N. + config HAVE_GBE_BIN bool "Add gigabit ethernet firmware" depends on HAVE_IFD_BIN diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 17e53b5..98a36d3 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -58,6 +58,11 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y) $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre endif +ifeq ($(CONFIG_USE_ME_CLEANER),y) + printf " ME_CLEANER coreboot.pre\n" + util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \ + $(obj)/me_cleaner.log +endif ifeq ($(CONFIG_HAVE_GBE_BIN),y) printf " IFDTOOL gbe.bin -> coreboot.pre\n" $(objutil)/ifdtool/ifdtool \

1 0

Patch set updated for coreboot: util: Add me_cleaner
by Nicola Corna 23 Jan '17

23 Jan '17

Nicola Corna (nicola(a)corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18203 -gerrit commit 32f6eb8ae6fdb6d7444347ea3f7b06e645d19859 Author: Nicola Corna <nicola(a)corna.info> Date: Mon Jan 23 15:28:24 2017 +0100 util: Add me_cleaner me_cleaner is a tool to strip down Intel ME/TXE images by removing all the non-fundamental code, while keeping the ME/TXE image valid and suitable for booting the system. The remaining code (ROMP and BUP modules) is the one responsible for the very basic initialization of the ME/TXE subsystem and can't be removed. This tool exploits the fact that: * Each ME/TXE partition is signed individually and it is possible to remove both the partition and the signature * The ME/TXE modules are not signed directly, instead they are hashed and the list of their hashes is hashed again and signed: this means that modify a module doesn't invalidate the signature, but only the hash of that single module * The modules hashes are checked only when the corresponding module needs to be executed * The system can boot after the execution of the first module (BUP, inside the FTPR partition), even if the subsequents stages fail Currently me_cleaner works on every Intel platform with Intel ME or Intel TXE with the following limitations: * Doesn't work when Intel Boot Guard is set in Verified Boot mode * Doesn't fully work on Nehalem yet * On Skylake and later generations, since the partitions' internal structure has changed, me_cleaner leaves intact the FTPR partition, removing all the the other partitions This tool has been tested on multiple platforms and architectures by different users, and seems to be stable. The reports are available here: https://github.com/corna/me_cleaner/issues/3 A more in-depth description of me_cleaner is available here: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F Change-Id: I9013799e9adea0dea0775b9afe718de5fc4ca748 Signed-off-by: Nicola Corna <nicola(a)corna.info> --- util/me_cleaner/README.md | 25 ++++ util/me_cleaner/me_cleaner.py | 314 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 339 insertions(+) diff --git a/util/me_cleaner/README.md b/util/me_cleaner/README.md new file mode 100644 index 0000000..9a09b55 --- /dev/null +++ b/util/me_cleaner/README.md @@ -0,0 +1,25 @@ +# ME cleaner + +A cleaner for Intel ME/TXE images. + +This tools removes any unnecessary partition from an Intel ME/TXE firmware, reducing +its size and its ability to interact with the system. +It should work both with coreboot and with the factory firmware. + +Currently this tool: + * Scans the FPT (partition table) and checks that everything is correct + * Removes any partition entry (except for FTPR) from FPT + * Removes any partition except for the fundamental one (FTPR) + * Removes the EFFS presence flag + * Corrects the FPT checksum + * Removes any non-essential LZMA or Huffman compressed module (pre-Skylake only) + * Checks the validity of the RSA signature of the FTPR partition + +Don't forget to power cycle your PC after flashing the modified ME/TXE image +(power off and power on, not just reboot). + +See the [current status](https://github.com/corna/me_cleaner/wiki/me_cleaner-status) +or [a more detailed description](https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F) +of me_cleaner. + +Special thanks to Federico Amedeo Izzo for his help during the study of Intel ME. diff --git a/util/me_cleaner/me_cleaner.py b/util/me_cleaner/me_cleaner.py new file mode 100755 index 0000000..de2557b --- /dev/null +++ b/util/me_cleaner/me_cleaner.py @@ -0,0 +1,314 @@ +#!/usr/bin/python + +# me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware images +# Copyright (C) 2016, 2017 Nicola Corna <nicola(a)corna.info> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +import sys +import itertools +import binascii +import hashlib +from struct import pack, unpack + + +unremovable_modules = ("BUP", "ROMP") + + +def get_chunks_offsets(llut, me_start): + chunk_count = unpack("<I", llut[0x04:0x08])[0] + huffman_stream_end = sum(unpack("<II", llut[0x10:0x18])) + me_start + nonzero_offsets = [huffman_stream_end] + offsets = [] + + for i in range(0, chunk_count): + chunk = llut[0x40 + i * 4:0x44 + i * 4] + offset = 0 + + if chunk[3] != 0x80: + offset = unpack("<I", chunk[0:3] + b"\x00")[0] + me_start + + offsets.append([offset, 0]) + if offset != 0: + nonzero_offsets.append(offset) + + nonzero_offsets.sort() + + for i in offsets: + if i[0] != 0: + i[1] = nonzero_offsets[nonzero_offsets.index(i[0]) + 1] + + return offsets + + +def fill_range(f, start, end, fill): + block = fill * 4096 + f.seek(start) + f.writelines(itertools.repeat(block, (end - start) // 4096)) + f.write(block[:(end - start) % 4096]) + + +def remove_modules(f, mod_headers, ftpr_offset): + comp_str = ("Uncomp.", "Huffman", "LZMA") + unremovable_huff_chunks = [] + chunks_offsets = [] + base = 0 + chunk_size = 0 + + for mod_header in mod_headers: + name = mod_header[0x04:0x14].rstrip(b"\x00").decode("ascii") + offset = unpack("<I", mod_header[0x38:0x3C])[0] + ftpr_offset + size = unpack("<I", mod_header[0x40:0x44])[0] + flags = unpack("<I", mod_header[0x50:0x54])[0] + comp_type = (flags >> 4) & 7 + + sys.stdout.write(" {:<16} ({:<7}, ".format(name, comp_str[comp_type])) + + if comp_type == 0x00 or comp_type == 0x02: + sys.stdout.write("0x{:06x} - 0x{:06x}): " + .format(offset, offset + size)) + + if name in unremovable_modules: + print("NOT removed, essential") + else: + fill_range(f, offset, offset + size, b"\xff") + print("removed") + + elif comp_type == 0x01: + sys.stdout.write("fragmented data ): ") + if not chunks_offsets: + f.seek(offset) + llut = f.read(4) + if llut == b"LLUT": + llut += f.read(0x3c) + + chunk_count = unpack("<I", llut[0x4:0x8])[0] + base = unpack("<I", llut[0x8:0xc])[0] + 0x10000000 + huff_data_len = unpack("<I", llut[0x10:0x14])[0] + chunk_size = unpack("<I", llut[0x30:0x34])[0] + + llut += f.read(chunk_count * 4 + huff_data_len) + chunks_offsets = get_chunks_offsets(llut, me_start) + else: + sys.exit("Huffman modules found, but LLUT is not present") + + if name in unremovable_modules: + print("NOT removed, essential") + module_base = unpack("<I", mod_header[0x34:0x38])[0] + module_size = unpack("<I", mod_header[0x3c:0x40])[0] + first_chunk_num = (module_base - base) // chunk_size + last_chunk_num = first_chunk_num + module_size // chunk_size + + unremovable_huff_chunks += \ + [x for x in chunks_offsets[first_chunk_num: + last_chunk_num + 1] if x[0] != 0] + else: + print("removed") + + else: + sys.stdout.write("0x{:06x} - 0x{:06x}): unknown compression, " + "skipping".format(offset, offset + size)) + + if chunks_offsets: + removable_huff_chunks = [] + + for chunk in chunks_offsets: + if all(not(unremovable_chk[0] <= chunk[0] < unremovable_chk[1] or + unremovable_chk[0] < chunk[1] <= unremovable_chk[1]) + for unremovable_chk in unremovable_huff_chunks): + removable_huff_chunks.append(chunk) + + for removable_chunk in removable_huff_chunks: + if removable_chunk[1] > removable_chunk[0]: + fill_range(f, removable_chunk[0], removable_chunk[1], b"\xff") + + +def check_partition_signature(f, offset): + f.seek(offset) + header = f.read(0x80) + modulus = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + public_exponent = int(binascii.hexlify(f.read(0x4)[::-1]), 16) + signature = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + + header_len = unpack("<I", header[0x4:0x8])[0] * 4 + manifest_len = unpack("<I", header[0x18:0x1c])[0] * 4 + f.seek(offset + header_len) + + sha256 = hashlib.sha256() + sha256.update(header) + sha256.update(f.read(manifest_len - header_len)) + + decrypted_sig = pow(signature, public_exponent, modulus) + + return "{:#x}".format(decrypted_sig).endswith(sha256.hexdigest()) # FIXME + + +if len(sys.argv) != 2 or sys.argv[1] == "-h" or sys.argv[1] == "--help": + print("Usage: \n" + " me_cleaner.py me_or_txe_image.bin\n" + "or\n" + " me_cleaner.py full_dump.bin") +else: + with open(sys.argv[1], "r+b") as f: + f.seek(0x10) + magic = f.read(4) + + if magic == b"$FPT": + print("ME/TXE image detected") + me_start = 0 + f.seek(0, 2) + me_end = f.tell() + + elif magic == b"\x5a\xa5\xf0\x0f": + print("Full image detected") + f.seek(0x14) + flmap0 = unpack("<I", f.read(4))[0] + nr = flmap0 >> 24 & 0x7 + frba = flmap0 >> 12 & 0xff0 + if nr >= 2: + f.seek(frba + 0x8) + flreg2 = unpack("<I", f.read(4))[0] + me_start = (flreg2 & 0x1fff) << 12 + me_end = flreg2 >> 4 & 0x1fff000 | 0xfff + + if me_start >= me_end: + sys.exit("The ME/TXE region in this image has been " + "disabled") + + f.seek(me_start + 0x10) + if f.read(4) != b"$FPT": + sys.exit("The ME/TXE region is corrupted or missing") + + print("The ME/TXE region goes from {:#x} to {:#x}" + .format(me_start, me_end)) + else: + sys.exit("This image does not contains a ME/TXE firmware " + "(NR = {})".format(nr)) + else: + sys.exit("Unknown image") + + print("Found FPT header at {:#x}".format(me_start + 0x10)) + + f.seek(me_start + 0x14) + entries = unpack("<I", f.read(4))[0] + print("Found {} partition(s)".format(entries)) + + f.seek(me_start + 0x14) + header_len = unpack("B", f.read(1))[0] + + f.seek(me_start + 0x30) + partitions = f.read(entries * 0x20) + + ftpr_header = b"" + + for i in range(entries): + if partitions[i * 0x20:(i * 0x20) + 4] == b"FTPR": + ftpr_header = partitions[i * 0x20:(i + 1) * 0x20] + break + + if ftpr_header == b"": + sys.exit("FTPR header not found, this image doesn't seem to be " + "valid") + + ftpr_offset, ftpr_lenght = unpack("<II", ftpr_header[0x08:0x10]) + ftpr_offset += me_start + print("Found FTPR header: FTPR partition spans from {:#x} to {:#x}" + .format(ftpr_offset, ftpr_offset + ftpr_lenght)) + print("Removing extra partitions...") + + fill_range(f, me_start + 0x30, ftpr_offset, b"\xff") + fill_range(f, ftpr_offset + ftpr_lenght, me_end, b"\xff") + + print("Removing extra partition entries in FPT...") + f.seek(me_start + 0x30) + f.write(ftpr_header) + f.seek(me_start + 0x14) + f.write(pack("<I", 1)) + + print("Removing EFFS presence flag...") + f.seek(me_start + 0x24) + flags = unpack("<I", f.read(4))[0] + flags &= ~(0x00000001) + f.seek(me_start + 0x24) + f.write(pack("<I", flags)) + + f.seek(me_start, 0) + header = bytearray(f.read(0x30)) + checksum = (0x100 - (sum(header) - header[0x1b]) & 0xff) & 0xff + + print("Correcting checksum (0x{:02x})...".format(checksum)) + # The checksum is just the two's complement of the sum of the first + # 0x30 bytes (except for 0x1b, the checksum itself). In other words, + # the sum of the first 0x30 bytes must be always 0x00. + f.seek(me_start + 0x1b) + f.write(pack("B", checksum)) + + f.seek(ftpr_offset) + if f.read(4) == b"$CPD": + me11 = True + num_entries = unpack("<I", f.read(4))[0] + f.seek(ftpr_offset + 0x10 + num_entries * 0x18 + 0x24) + else: + me11 = False + f.seek(ftpr_offset + 0x24) + + version = unpack("<HHHH", f.read(0x08)) + print("ME/TXE firmware version {}" + .format('.'.join(str(i) for i in version))) + + if not me11: + print("Reading FTPR modules list...") + f.seek(ftpr_offset + 0x1c) + tag = f.read(4) + + if tag == b"$MN2": + f.seek(ftpr_offset + 0x20) + num_modules = unpack("<I", f.read(4))[0] + f.seek(ftpr_offset + 0x290) + data = f.read(0x84) + + module_header_size = 0 + if data[0x0:0x4] == b"$MME": + if data[0x60:0x64] == b"$MME": + module_header_size = 0x60 + elif data[0x80:0x84] == b"$MME": + module_header_size = 0x80 + + if module_header_size != 0: + f.seek(ftpr_offset + 0x290) + mod_headers = [f.read(module_header_size) + for i in range(0, num_modules)] + + if all(mod_h.startswith(b"$MME") for mod_h in mod_headers): + remove_modules(f, mod_headers, ftpr_offset) + else: + print("Found less modules than expected in the FTPR " + "partition; skipping modules removal") + else: + print("Can't find the module header size; skipping " + "modules removal") + else: + print("Wrong FTPR partition tag ({}); skipping modules removal" + .format(tag)) + else: + print("Modules removal in ME v11 or greater is not yet supported") + + sys.stdout.write("Checking FTPR RSA signature... ") + if check_partition_signature(f, ftpr_offset): + print("VALID") + else: + print("INVALID!!") + sys.exit("The FTPR partition signature is not valid. Is the input " + "ME/TXE image valid?") + + print("Done! Good luck!") +

1 0

← Newer
1
...
20
21
22
23
24
25
26
...
86
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

coreboot-gerrit January 2017