Hi Allen,
Thursday, May 11, 2017, 2:01:47 PM, you wrote:

AK> One thing I am still confused about is the relationship between
AK> Intel Boot Guard and the regions of flash. My understanding is
AK> that Boot Guard only applies to the legacy BIOS region of flash,
AK> not the ME/AMT region. Is that correct? So, if that is true,
AK> then is it possible to flash the ME/AMT region of flash with any
AK> ME code module that has been signed with the Intel signature?

Well, in theory BootGuard indeed only protects the BIOS boot block (ME has its own protection via an Intel-signed manifest), so changing the ME region should not affect it, but apparently in practice it does lead to problems, at least on *some* platforms using BootGuard:
https://github.com/corna/me_cleaner/issues/6