On 16.09.21 16:37, Brian Milliron wrote:
>> Using a hardware flasher isn't a workaround, the signature check is done in hardware by the ACM using keys fused into the ME. If Bootguard is enabled and the keys are fused, nothing can be done unfortunately.
> I checked the BIOS. There was nothing specifically listed as "Bootguard" but all the BIOS protection options were turned off, including one listed as "Checked boot block on every boot". I'm guessing that means Bootguard is installed but not enabled. Is there another place to look to get a more accurate/detailed read on this?
There are more mechanisms beside Intel BootGuard. HP usually uses their own tech called SureStart (at least on EliteBooks and up to maybe two years ago). SureStart seems to be differently implemented from time to time. One really has to look into it and try, I guess. AFAIR, there are implementations that you can get around by externally flashing a secondary chip.
>> The IFD and ME aren't needed, strictly speaking, unless you need to modify them in some way. But you would extract those using ifdtool. You definitely don't want to use a non-board-specific ME downloaded from win-raid (e.g.), as the soft straps and clock mappings will not be correct for your board.
> I intend on using me_cleaner to wipe all but a stub of the ME code, so having a working copy isn't something I'm too worried about as long as it passes the signature checks.
This "stub of the ME code" is what contains that board-specific information. Never skip configuring the ME firmware unless you just keep the one that was shipped. This is recommended anyway during coreboot development; just never flash it (flashrom has options to only flash the BIOS region).
Nico
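As an added illustration of the two points above (the board-specific descriptor is what defines where the BIOS, ME and other regions live, and a coreboot write should stay inside the BIOS region), here is a small Python script that is not part of this thread or of ifdtool/flashrom. It builds a constructed 4 KiB Intel Flash Descriptor with a region table, parses it the way ifdtool does (signature at 0x10, FRBA from FLMAP0, base/limit in 4 KiB units per FLREG), emits a flashrom layout file, and checks whether a proposed write stays within the BIOS region. The region addresses are made up for a hypothetical 16 MiB part; on a real board you would take them from a full dump instead.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A            # descriptor signature, stored at offset 0x10
REGION_NAMES = ["fd", "bios", "me", "gbe", "pd"]   # flashrom's names for IFD regions 0..4
UNUSED_BASE, UNUSED_LIMIT = 0x1FFF, 0  # base > limit marks a region as unused


def make_descriptor(regions, frba=0x40, fcba=0x30):
    """Build a constructed 4 KiB descriptor (test data, not a real dump).

    regions: {name: (start, end)} with inclusive byte addresses that are 4 KiB aligned.
    """
    desc = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", desc, 0x10, IFD_SIGNATURE)
    # FLMAP0: bits 7:0 FCBA>>4, bits 9:8 NC, bits 23:16 FRBA>>4, bits 26:24 NR
    flmap0 = (4 << 24) | ((frba >> 4) << 16) | (0 << 8) | (fcba >> 4)
    struct.pack_into("<I", desc, 0x14, flmap0)
    for i, name in enumerate(REGION_NAMES):
        if name in regions:
            start, end = regions[name]
            base, limit = start >> 12, end >> 12
        else:
            base, limit = UNUSED_BASE, UNUSED_LIMIT
        struct.pack_into("<I", desc, frba + 4 * i, (limit << 16) | base)
    return bytes(desc)


def parse_regions(image):
    """Return {name: (start, end)} for every used region in an image with a descriptor."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:
            continue  # unused region on this board
        regions[name] = (base, limit)
    return regions


def flashrom_layout(regions):
    """Render regions as a flashrom layout file (usable with -l layout.txt -i bios)."""
    return "".join(f"{s:08x}:{e:08x} {n}\n" for n, (s, e) in regions.items())


def within_region(regions, name, offset, length):
    """True if [offset, offset+length) lies entirely inside the named region."""
    if name not in regions:
        return False
    start, end = regions[name]
    return offset >= start and offset + length - 1 <= end


if __name__ == "__main__":
    # Constructed layout for a hypothetical 16 MiB SPI part: descriptor, ME, BIOS.
    img = make_descriptor({"fd": (0, 0xFFF),
                           "me": (0x1000, 0x4FFFFF),
                           "bios": (0x500000, 0xFFFFFF)})
    regs = parse_regions(img)
    print(flashrom_layout(regs), end="")
    # A coreboot image sized for the BIOS region stays inside it; one that starts
    # earlier would clobber the ME region the board depends on.
    print(within_region(regs, "bios", 0x500000, 0xB00000))
    print(within_region(regs, "bios", 0x400000, 0x200000))
```

On a real system the equivalent workflow is to dump the whole chip once, keep that dump (it contains the shipped IFD and ME), split it with `ifdtool -x dump.rom`, and then write only the BIOS region with `flashrom -p <programmer> --ifd -i bios -w coreboot.rom`, so the descriptor and ME regions are never overwritten.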