On 03.05.2017 16:31, Matt DeVillier wrote:
> On Wed, May 3, 2017 at 4:17 AM, John Lewis <jlewis@johnlewis.ie> wrote:
>> I think I've answered my own questions by checking out the menuconfig options, it looks to me as though up to and including Skylake is possible, and flashing internally *should* be okay?
>
> Since writing to the ME region is protected by the IFD configuration, the possibility of internal flashing would be dependent on the current configuration of the board's IFD. I suspect most non-ChromeOS hardware will have it unlocked (default config) as their initial flash was likely with an external programmer. ChromeOS hardware will have a locked IFD and require external flashing to clean the ME (unless previously externally flashed with a ROM w/unlocked IFD).

Actually internal flashing is always possible as long as you control the firmware. The ME's flash region should be locked (Intel doesn't support anything else) but there is ofc an update path for the ME firmware. Some BIOSes have an option for this that temporarily disables the ME on the next boot to give the host firmware (BIOS, coreboot) full access and make ME firmware updates reliable (what could possibly go wrong if you flash it while the ME is fully running).
AFAICT, coreboot hasn't such an option implemented (yet). But as long as you control the machine, you can implement it, update coreboot, then update the ME firmware.
Nico
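
The IFD check discussed in this thread, as an added example that is not part of the original messages or of coreboot: it reads a flash descriptor dump and reports whether the host CPU master is granted write access to the ME region. The function names are hypothetical, the field offsets assume the descriptor layout as handled by coreboot's ifdtool, the descriptor version is supplied by the caller, and the sample descriptor is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SIGNATURE 0x0FF0A55Au
#define REGION_ME    2   /* region index of the ME region */

static uint32_t rd32(const uint8_t *p)   /* little-endian read */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1: host CPU master may write the ME region, 0: denied, -1: no descriptor.
 * ifd_version is supplied by the caller: 1 = pre-Skylake, 2 = Skylake+. */
int host_can_write_me(const uint8_t *img, size_t len, int ifd_version)
{
    if (ifd_version != 1 && ifd_version != 2)
        return -1;
    for (size_t off = 0; off + 12 <= len && off < 0x1000; off += 4) {
        if (rd32(img + off) != FD_SIGNATURE)
            continue;
        /* FLMAP1 is the third word; bits 7:0 hold FMBA >> 4. */
        size_t fmba = (size_t)(rd32(img + off + 8) & 0xff) << 4;
        if (fmba + 4 > len)
            return -1;
        uint32_t flmstr1 = rd32(img + fmba);          /* host CPU/BIOS master */
        int wr_shift = (ifd_version == 1) ? 24 : 20;  /* first write-access bit */
        return (flmstr1 >> (wr_shift + REGION_ME)) & 1;
    }
    return -1;
}

/* Constructed 4 KiB descriptor: signature at 0x10, FMBA at 0x60. */
void make_sample(uint8_t *buf, uint32_t flmstr1)
{
    memset(buf, 0xff, 0x1000);
    memcpy(buf + 0x10, "\x5a\xa5\xf0\x0f", 4);   /* signature, little-endian */
    memset(buf + 0x14, 0, 8);                    /* FLMAP0, FLMAP1 */
    buf[0x18] = 0x06;                            /* FMBA >> 4 */
    for (int i = 0; i < 4; i++) buf[0x60 + i] = (uint8_t)(flmstr1 >> (8 * i));
}

int main(void)
{
    static uint8_t buf[0x1000];
    make_sample(buf, 0x0a0b0000u);  /* constructed: ME write bit clear */
    printf("host write to ME region: %d\n", host_can_write_me(buf, sizeof buf, 1));
    return 0;
}
```

A result of 0 only reflects the descriptor's master access bits for the host; it says nothing about the update path through the firmware that Nico describes.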