Hi folks,
Platforms like the x230 have two flash ROMs which are virtually treated as a single one.
So:
1. What the heck is the meaning of this? Why do vendors buy and solder two small chips (even worse, on the x230, one with 8M and one with 4M) instead of a single big one? Is this cheaper? Sounds unlikely to me, in technics one big thing is usually cheaper than several small ones. Beyond that, I imagine you have some effort to concatenate the two chips virtually.
2. The manual for the x230 [1] (is there a version in the new documentation btw?) states that you can just flash the smaller (4M) chip and then you're done. So I assume:
   1. the 4M chip is the one the CPU first executes code from
   2. neither coreboot nor the payload will ever jump "into" the larger chip, therefore code from it will not be executed.
   3. Therefore, it does not matter if you overwrite the 8M chip or not.
But what lies on this larger ROM? What if there are parts of the IME on it I would like to annihilate?
The whole thing is really awkward to me. Especially, because the predecessor x220 already has a place on the board ready to host the second chip, but it was left empty on this device.
P.
Yes, this is often done as a cost reduction method. The habit started with the arrival of the ME and the firmware descriptor allowing you to spread your different firmware regions across one or both chips. The tool ifdtool will help you analyze images for Intel firmware descriptors. Sounds like in this case ME and the other regions live in the larger chip, allowing the smaller chip to be fully used for system firmware. If that's the case, erasing the larger chip will brick your system. Better do some analysis first.
Stefan
On Mon, 16 Sep 2019, 04:50 Philipp Stanner, stanner@posteo.de wrote:
> Hi folks,
> Platforms like the x230 have two flash ROMs which are virtually treated as a single one.
> So:
> - What the heck is the meaning of this? Why do vendors buy and solder two small chips (even worse, on the x230, one with 8M and one with 4M) instead of a single big one? Is this cheaper? Sounds unlikely to me, in technics one big thing is usually cheaper than several small ones. Beyond that, I imagine you have some effort to concatenate the two chips virtually.
> - The manual for the x230 [1] (is there a version in the new documentation btw?) states that you can just flash the smaller (4M) chip and then you're done. So I assume:
>   - the 4M chip is the one the CPU first executes code from
>   - neither coreboot nor the payload will ever jump "into" the larger chip, therefore code from it will not be executed.
>   - Therefore, it does not matter if you overwrite the 8M chip or not.
> But what lies on this larger ROM? What if there are parts of the IME on it I would like to annihilate?
> The whole thing is really awkward to me. Especially, because the predecessor x220 already has a place on the board ready to host the second chip, but it was left empty on this device.
> P.
[1] https://www.coreboot.org/Board:lenovo/x230
On Monday, 16.09.2019, 07:20 -0700, Stefan Reinauer wrote:
> Yes, this is often done as a cost reduction method. The habit started with the arrival of the ME and the firmware descriptor allowing you to spread your different firmware regions across one or both chips.
Hm, surprises me. Normally, in technology one big thing is cheaper – a large container ship instead of several small ones, one big hard drive instead of two small ones. And in this case they need some hardware mechanism concatenating the chips; this had to be developed first etc. But hey, the manufacturer's ways are unpredictable ^^
> The tool ifdtool will help you analyze images for Intel firmware descriptors. Sounds like in this case ME and the other regions live in the larger chip, allowing the smaller chip to be fully used for system firmware. If that's the case, erasing the larger chip will brick your system. Better do some analysis first.
Ok, just to confirm: I have to analyze which part of the firmware + ME lies where. If the ME lies partly on the second chip (and I want to strip it), I have to extract both images – and flash both chips again so that the IME lies at the same offsets? I didn't fully understand how the flash descriptors work so far.
If the ME lies on the first chip and coreboot fits into it with the stripped ME, I could erase the second chip – but don't really have to, because if there's no ME code on it, whatever lies there will not be executed again after flashing?
P.
Hi Philipp,
there is some documentation you might have missed [1] (can't blame you, the index is broken [2]).
On 18.09.19 23:23, Philipp Stanner wrote:
> On Monday, 16.09.2019, 07:20 -0700, Stefan Reinauer wrote:
>> Yes, this is often done as a cost reduction method. The habit started with the arrival of the ME and the firmware descriptor allowing you to spread your different firmware regions across one or both chips.
> Hm, surprises me. Normally, in technology one big thing is cheaper – a large container ship instead of several small ones, one big hard drive instead of two small ones. And in this case they need some hardware mechanism concatenating the chips; this had to be developed first etc.
The opposite seems true if you consider that these chips are at the limit of the current technology. A better comparison would be a high end processor, 16 cores might cost you three times as much as 8 cores in the same package.
>> The tool ifdtool will help you analyze images for Intel firmware descriptors. Sounds like in this case ME and the other regions live in the larger chip, allowing the smaller chip to be fully used for system firmware. If that's the case, erasing the larger chip will brick your system. Better do some analysis first.
> Ok, just to confirm: I have to analyze which part of the firmware + ME lies where. If the ME lies partly on the second chip (and I want to strip it), I have to extract both images – and flash both chips again so that the IME lies at the same offsets? I didn't fully understand how the flash descriptors work so far.
See documentation ^
> If the ME lies on the first chip and coreboot fits into it with the stripped ME, I could erase the second chip – but don't really have to, because if there's no ME code on it, whatever lies there will not be executed again after flashing?
That question can only be answered if we'd assume absence of all bugs (otherwise, "will not be executed" becomes "shouldn't be executed"). If you erase it, you can be sure. If you don't, and some dormant code gets activated, you can never tell if it was an accident or a sophisticated backdoor.
In case you want to put coreboot into the first chip, you'll have to adapt the descriptor layout. coreboot needs to reside at the top (highest address) of the BIOS region.
Nico
[1] https://doc.coreboot.org/mainboard/lenovo/xx30_series.html [2] https://review.coreboot.org/c/coreboot/+/35462
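How a descriptor's region table maps onto two chips, as an added example (not code from this thread or from ifdtool): it parses a version-1 Intel flash descriptor and splits each region at the chip boundary. The sample image and its region offsets are constructed for illustration, and the chips are assumed to be concatenated in descriptor order with the first chip at address 0.

```python
import struct
FD_SIGNATURE = 0x0FF0A55A
REGIONS = ["descriptor", "bios", "me", "gbe", "platform_data"]

def parse_descriptor(image):
    """Return (chip_sizes, {region: (base, limit)}); assumes the version-1 bit layout."""
    sig = image.find(struct.pack("<I", FD_SIGNATURE), 0, 0x1000)
    if sig < 0:
        raise ValueError("no flash descriptor signature found")
    (flmap0,) = struct.unpack_from("<I", image, sig + 4)
    fcba = (flmap0 & 0xFF) << 4            # component section offset
    frba = ((flmap0 >> 16) & 0xFF) << 4    # region section offset
    n_chips = ((flmap0 >> 8) & 0x3) + 1    # NC field: 0 = one chip, 1 = two
    (flcomp,) = struct.unpack_from("<I", image, fcba)
    chips = [(512 << 10) << ((flcomp >> (3 * i)) & 0x7) for i in range(n_chips)]  # 512 KiB << density
    regions = {}
    for i, name in enumerate(REGIONS):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base <= limit:                  # base > limit marks an unused region
            regions[name] = (base, limit)
    return chips, regions

def regions_per_chip(chips, regions):
    """Map each region to [(chip_no, offset_in_chip, length)], in address order."""
    out = {}
    for name, (base, limit) in regions.items():
        start, parts = 0, []
        for no, size in enumerate(chips, 1):
            lo, hi = max(base, start), min(limit, start + size - 1)
            if lo <= hi:                   # region overlaps this chip
                parts.append((no, lo - start, hi - lo + 1))
            start += size
        out[name] = parts
    return out

def sample_descriptor():
    """Constructed 4 KiB descriptor: 8 MiB + 4 MiB chips, made-up region layout."""
    d = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<II", d, 0x10, FD_SIGNATURE, 0x00040103)  # FRBA=0x40, NC=1, FCBA=0x30
    struct.pack_into("<I", d, 0x30, 4 | (3 << 3))               # chip 1 = 8 MiB, chip 2 = 4 MiB
    struct.pack_into("<5I", d, 0x40, 0x00000000, 0x0BFF0500,    # descriptor, bios
                     0x04FF0003, 0x00020001, 0x00001FFF)        # me, gbe, unused
    return bytes(d)

if __name__ == "__main__":
    chips, regions = parse_descriptor(sample_descriptor())
    print(regions_per_chip(chips, regions))
```

In this constructed layout the ME region sits entirely on the first chip, while the BIOS region straddles both chips with its top 4 MiB on the second one.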
Philipp Stanner wrote:
> Platforms like the x230 have two flash ROMs which are virtually treated as a single one.
> ..
> - What the heck is the meaning of this? Why do vendors buy and solder two small chips (even worse, on the x230, one with 8M and one with 4M) instead of a single big one? Is this cheaper?
As was already mentioned it may actually be. Another factor is that 16M flash chips were available only some time later than 8M flash chips. And finally I would say that sourcing can be a significant factor; it can be a lot easier to source 1x each of two parts with different parameters, than 2x of a single part with particular parameters.
//Peter