[coreboot] More experiments with disabling the ME

Trammell Hudson hudson at trmm.net
Sat Nov 12 16:03:32 CET 2016

On Sat, Nov 12, 2016 at 03:41:17PM +0100, Federico Amedeo Izzo wrote:
> Be careful whenever you try changing ME blob to poweroff completely the
> computer, and start again, because apparently if you don't reboot the ME
> won't load the new firmware from the flash.

I've also found that the PCH sometimes keeps the SPI flash lines
occupied on some platforms if there is any battery or AC power supplied.
So I almost always have a full power-down between flashing to avoid
having multiple drivers on those pins.

> [...]
> The possibility of replacing the ME blob inside an official (Lenovo or
> other) bios is very interesting because it extends also to hardware not
> supported by coreboot, and probabily to CPUs newer than Ivy Bridge
> (Trammell Hudson tested it on a Skylake mobile CPU
> https://www.coreboot.org/pipermail/coreboot/2016-November/082335.html)

The mobile Skylake works fine with the reduced ME image, although
I'm not sure if there are power management issues with it.  The
system is still drawing nearly 5W, when I think it should be closer
to 2-3.  Next week I plan to update to a 4.8 kernel to see if that
makes a difference since I've read that there were changes.

Another bit of research: the ME image has the Bootguard profile and
key hash, but it is ignored if the CPU has exited manufacturing mode.
During manufacturing mode the OEM can set these and they will be copied
into the fuses in the CPU and not be changed afterwards.  My Skylake
does not have any bootguard profile enabled, so I haven't been able to
experiment with how the boot ACM is affected by the ME changes.

This might be a worthwhile experiment if anyone has a T450/460 with
bootguard and wants to try flashing their ME image.


More information about the coreboot mailing list