Hello Nico,
thanks for your patience and your great answer! That helped a lot.
If you want to do all of that in one go and let the coreboot `make` do the ME cleaning, yes.
Just to be sure, is the following a good way for flashing coreboot? 1. Update the original BIOS with an update of the Embedded Controller 2. Make a backup of the original BIOS 3. I will do 'make' with disabled me_cleaner and without any blob, so no GbE, IFD and ME blob. I will flash it to the first BIOS chip and test if everything works. If everything works, I will do the next step 4. I will do 'make' with enabled me_cleaner and with the blobs GbE, IFD and ME. I will flash it to both chips 5. If necessary, I will add a VGA Option ROM and flash it again
Regarding to number 4, on the coreboot documentation website I read: "The second flash ICs is behind the case frame, but can be flashed by using a simple trick. Connect every pin of the first flash IC, but tie /CS to Vcc. Connect /CS of the second flash IC to the programmer. As all lines except /CS are shared between the flash ICs you can access both with an external programmer." Could you please explain that to me in more detail? I'm not sure about it and I'm afraid of bricking the BIOS if I connect it the wrong way.
Greetings
Am Do. 17. Januar 2019 19:27 CET, Nico Huber nico.h@gmx.de schrieb: Hi Yannik,
On 17.01.19 13:46, Yannik Catalinac wrote:
Being a closed source this firmware may contain the backdoors or help the backdoor-like functionality of intel me. So yes, this is a privacy concerning thing.
Well, don't use modern controllers (ethernet, USB, etc.) if you don't want proprietary firmware in them. But that's far from the original question...
To sum it up, I have 4 possibilities:
- Live without ethernet firmware and without internet
the ethernet firmware, if any, is part of the chipset and can't be removed. You can only remove its configuration data.
- Use the untrusted ethernet firmware with a small risk in terms of security/privacy
The bigger risk wrt. Intel's integrated ethernet is that the ME has a device driver for it. me_cleaner can remedy this, in theory (it still leaves unerasable ME firmware in a ROM where it's unknown if it contains an ethernet driver.
- Don't use the ethernet firmware and only use a free miniPCIe Wifi card? Is this possible?
I'm not sure if such a card exists. There are WiFi cards with free OS drivers (e.g. ath9k), but I would expect them to run some sort of firm- ware, too. Though, I don't see how that matters. The hardware vendors can deceive you; while it makes it easier, they don't need firmware for that.
- Don't use the ethernet firmware and only use a free USB Wifi stick
USB at least doesn't give the WiFi full memory access by default. But regarding firmware see 3.
Also worth to mention, you don't have to add this file or any related file (ME, IFD) into coreboot. This option is only for people that want to put everything into a single file to flash at once. You can instead just write coreboot only, to the respective BIOS region in flash. And leave everything else intact.
But than I can't disable Intel ME and can't use me_cleaner? If I read correctly: when you disable Intel ME, you have to insert IFD and GbE into coreboot?
If you want to do all of that in one go and let the coreboot `make` do the ME cleaning, yes.
Btw, do I also have to insert EC firmware than?
No, the T530 has its EC firmware in a separate flash.
Nico _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org