ron minnich wrote:
That's pretty interesting. I had no idea that would work.
I wonder if erasing it all erases that little boot of the ME you need to get the hardware going, whereas the 4KB erase lets the little bootstrap run but disables the ME otherwise. If so, that's great news.
The ME code to start the platform is in (on-chip) ROM and a failed signature check of the (compressed with AFAIK still unknown codebook) ME code in flash just means that the ME considers the system broken and allows it to run for a little while so that a human can repair it.
It's described pretty well in the Platform Embedded Security Revealed book, along with the fact that the ME will sync it's internal clock with NTP servers across the internet once every 30 days, to make CRL checks for the remote management PKI work. Maybe this particular thing doesn't happen with the smaller ME firmware. Dunno.
//Peter
I was thinking that the x230 was so old it would just keep running, is that possible? I know that on newer platforms you only get the 30 minutes.
ron
On Mon, Sep 12, 2016 at 10:28 AM Peter Stuge peter@stuge.se wrote:
ron minnich wrote:
That's pretty interesting. I had no idea that would work.
I wonder if erasing it all erases that little boot of the ME you need to get the hardware going, whereas the 4KB erase lets the little bootstrap run but disables the ME otherwise. If so, that's great news.
The ME code to start the platform is in (on-chip) ROM and a failed signature check of the (compressed with AFAIK still unknown codebook) ME code in flash just means that the ME considers the system broken and allows it to run for a little while so that a human can repair it.
It's described pretty well in the Platform Embedded Security Revealed book, along with the fact that the ME will sync it's internal clock with NTP servers across the internet once every 30 days, to make CRL checks for the remote management PKI work. Maybe this particular thing doesn't happen with the smaller ME firmware. Dunno.
//Peter
-- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot