On Mon, Sep 12, 2016 at 09:27:18PM +0000, Peter Stuge wrote:
> Trammell Hudson wrote:
> > I've experimented with clearing additional bits, from 0x3000 to 0x10000 with the same results. If I were really motivated I might binary search how much of the firmware it needs...
> That would be interesting.
After a fairly brief binary search, I have determined a significantly reduced chunk of code required to have the Intel Management Engine bring up the hardware and then stay in the "ROM Phase". This also allowed me to adjust the flash descriptor to give an extra 3 MB of storage to coreboot for my payload, as well as removed some of the problematic ME applications.
The only piece that must be present for my x230 to function is the 512 KB FTPR partition at offset 0x183000, which contains these compressed modules (some Huffman, some LZMA):
    'UPDATE'   000001BE
    'ROMP'     0000070A
    'BUP'      0000E064
    'KERNEL'   00021B62
    'POLICY'   00016AE2
    'HOSTCOMM' 00006DDB
    'RSA'      00005255
    'CLS'      00005791
    'TDT'      000066E5
    'FTCS'     00004680
    'ClsPriv'  000003E1
    'SESSMGR'  0000E909
This means that the ME no longer has any network stack (stored in the NFTP partition that has been removed), nor the protected video path or JCOM modules from the MDMV partition. I do not know if the various anti-theft and timeout measures are also now neutralized.
If I leave the firmware partition table at offset 0x3000 in place, the ME faults after bringup (but the system continues to function). Without the partition table it stays in the ROM phase. I'm not sure if one outcome is preferable to the other.
Relocating the FTPR partition did not work unfortunately, so there is some wasted space.