> If I'm correct, the ME firmware (or parts of it) is signed, and
> the CPU won't run (or switches off) if signatures don't match.

I have no idea how it works for non-INTEL architectures. I do know how it works for INTEL.
You can fully use a UEFI BIOS without any signatures, with the so-called slim TXE engine.

I used stitched BIOSes with slim TXEs, and I freely walked Fedora distro HDDs around,
which were installed on one platform but used on different ones.

To start using signatures, you should have a full-blown TXE, which is ~3 MB in size. Even
in such a case, you do not need signatures unless you really want to start using the
TXE's extended capabilities.

For ME, you MUST have the ME initialized. You must have MEI initialized (which is a virtual
PCIe device on bridge 0, port 0, as I recall), so the ME can allow the BIOS to start. Once you
pass this phase, the ME (as an application) is no longer required.

At least, it was like this until ATOM APL-I (formerly Broxton) and CORE Coffee Lake.

Zoran
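The discussion above is about the ME/TXE firmware that lives in its own region of the SPI flash. As an added example (not code from this thread, from Zoran, or from coreboot's ifdtool), the script below locates that region by parsing the Intel Flash Descriptor at the start of a flash image and reports each region's base, limit and size, so a practitioner can see how much ME/TXE firmware a given image actually carries. It assumes the standard descriptor layout: the 0x0FF0A55A signature at offset 0x10 (or 0x0 in some dumps), FLMAP0 immediately after it with the region-table base (FRBA) in bits 16-23 in 16-byte units, and one 32-bit FLREG per region with base in bits 0-12 and limit in bits 16-28, both in 4 KiB units, an unused region being encoded with base above limit. The sample descriptor is constructed inline; the parser does not verify any signatures, it only finds the region.

```python
"""Locate the ME/TXE region in an Intel SPI flash image via the Flash Descriptor.

Added example for this thread; assumes the documented descriptor layout
(signature, FLMAP0, FLREG entries) and nothing about the ME firmware inside.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
# Classic region numbering used by the FLREG table.
REGION_NAMES = {0: "Descriptor", 1: "BIOS", 2: "ME/TXE", 3: "GbE", 4: "Platform Data"}


def find_descriptor(image: bytes) -> int:
    """Return the offset of the descriptor signature, checking 0x10 then 0x0."""
    for off in (0x10, 0x0):
        if off + 4 <= len(image) and struct.unpack_from("<I", image, off)[0] == IFD_SIGNATURE:
            return off
    raise ValueError("no Intel Flash Descriptor signature (0x0FF0A55A) found")


def parse_regions(image: bytes) -> dict:
    """Map region name -> (base, limit) in bytes for every region marked as used."""
    sig = find_descriptor(image)
    flmap0 = struct.unpack_from("<I", image, sig + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4          # region table base, from image start
    regions = {}
    for idx, name in REGION_NAMES.items():
        flreg = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:                          # unused region: base=0x1FFF, limit=0
            continue
        regions[name] = (base, limit)
    return regions


def me_region_size(image: bytes) -> int:
    """Size in bytes of the ME/TXE region, or 0 if the descriptor has none."""
    reg = parse_regions(image).get("ME/TXE")
    return 0 if reg is None else reg[1] - reg[0] + 1


def overlapping_regions(regions: dict) -> list:
    """Sanity check: pairs of regions whose byte ranges overlap (should be empty)."""
    names = sorted(regions)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a0, a1 = regions[a]
            b0, b1 = regions[b]
            if a0 <= b1 and b0 <= a1:
                bad.append((a, b))
    return bad


def build_sample_descriptor() -> bytes:
    """Constructed 4 KiB descriptor describing a typical 8 MiB layout (not a real dump)."""
    blob = bytearray(0x1000)
    struct.pack_into("<I", blob, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", blob, 0x14, 0x04040003)   # FLMAP0: FRBA=0x40, FCBA=0x30
    flregs = [
        0x00000000,  # Descriptor: 0x000000-0x000FFF
        0x07FF0500,  # BIOS:       0x500000-0x7FFFFF
        0x04FF0003,  # ME/TXE:     0x003000-0x4FFFFF
        0x00020001,  # GbE:        0x001000-0x002FFF
        0x00001FFF,  # Platform Data: unused (base > limit)
    ]
    for i, v in enumerate(flregs):
        struct.pack_into("<I", blob, 0x40 + 4 * i, v)
    return bytes(blob)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_descriptor()
    regs = parse_regions(data)
    for name, (base, limit) in regs.items():
        print(f"{name:14s} 0x{base:06X}-0x{limit:06X} ({limit - base + 1} bytes)")
    print(f"ME/TXE region size: {me_region_size(data)} bytes")
    print(f"overlaps: {overlapping_regions(regs) or 'none'}")
```

Run it with no argument to parse the constructed descriptor, or pass a flash dump (for example one read with flashrom) as the first argument. It reads only the descriptor, so a truncated dump that contains the first 4 KiB is enough to see the layout.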

On Wed, Nov 29, 2017 at 11:39 PM, Enrico Weigelt, metux IT consult <info@metux.net> wrote:
Hi folks,

I'm curious whether Goryachy's JTAG hack is a chance for
getting rid of all proprietary ME/UEFI firmware.

If I'm correct, the ME firmware (or parts of it) is signed, and
the CPU won't run (or switches off) if signatures don't match.

Can the JTAG channel be used to get around that?

thx.

--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287


--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot