> If i'm correct, the ME firmware (or parts of it) is signed, and> the CPU won't run (or switches off) if signatures don't match.
I have no idea how it works for non INTEL architectures. I do know how it works for INTEL.
You can fully use UEFI BIOS without any signatures. With so-called slim TXE engine.
I used stitched BIOSes, with slim TXEs, and I freely walk Fedoras' distros HDDs around,
which were installed on one platform, but used on different ones.
To start using signatures, you should have full blown TXE, which is ~ 3MB of size. Even
in such a case, you do not need signatures, unless you really would like to start using
TXE extended capabilities.
For ME, you MUST have ME initialized. You must have MEI initialized (which is Virtual
PCIe on bridge 0, port 0, as I recall), so ME can allow BIOS to start. Once you pass this
phase, ME (as application) is not anymore required.
At least, it was like this till ATOM APL-I (former Broxton) and CORE Coffee Lake.
Zoran