[coreboot] Experiments with disabling the ME on Sandybridge x230
peter at stuge.se
Mon Sep 12 20:17:28 CEST 2016
ron minnich wrote:
> That's pretty interesting. I had no idea that would work.
> I wonder if erasing it all erases that little boot of the ME you need to
> get the hardware going, whereas the 4KB erase lets the little bootstrap
> run but disables the ME otherwise. If so, that's great news.
The ME code to start the platform is in (on-chip) ROM and a failed
signature check of the (compressed with AFAIK still unknown codebook)
ME code in flash just means that the ME considers the system broken
and allows it to run for a little while so that a human can repair it.
It's described pretty well in the Platform Embedded Security Revealed
book, along with the fact that the ME will sync its internal clock
with NTP servers across the internet once every 30 days, to make CRL
checks for the remote management PKI work. Maybe this particular thing
doesn't happen with the smaller ME firmware. Dunno.