On Sat, Nov 12, 2016 at 03:41:17PM +0100, Federico Amedeo Izzo wrote:
> Be careful, whenever you try changing the ME blob, to power off the computer completely and start again, because apparently if you don't reboot, the ME won't load the new firmware from the flash.
I've also found that the PCH sometimes keeps the SPI flash lines occupied on some platforms if there is any battery or AC power supplied. So I almost always have a full power-down between flashing to avoid having multiple drivers on those pins.
> [...] The possibility of replacing the ME blob inside an official (Lenovo or other) BIOS is very interesting because it extends also to hardware not supported by coreboot, and probably to CPUs newer than Ivy Bridge (Trammell Hudson tested it on a Skylake mobile CPU https://www.coreboot.org/pipermail/coreboot/2016-November/082335.html)
The mobile Skylake works fine with the reduced ME image, although I'm not sure if there are power management issues with it. The system is still drawing nearly 5W, when I think it should be closer to 2-3. Next week I plan to update to a 4.8 kernel to see if that makes a difference since I've read that there were changes.
Another bit of research: the ME image has the Bootguard profile and key hash, but it is ignored if the CPU has exited manufacturing mode. During manufacturing mode the OEM can set these and they will be copied into the fuses in the CPU and not be changed afterwards. My Skylake does not have any bootguard profile enabled, so I haven't been able to experiment with how the boot ACM is affected by the ME changes.
This might be a worthwhile experiment if anyone has a T450/460 with bootguard and wants to try flashing their ME image.