[coreboot] Experiments with disabling the ME on Sandybridge x230
ron minnich
rminnich at gmail.com
Mon Sep 12 19:34:43 CEST 2016
I was thinking that the x230 was so old it would just keep running, is that
possible? I know that on newer platforms you only get the 30 minutes.
ron
On Mon, Sep 12, 2016 at 10:28 AM Peter Stuge <peter at stuge.se> wrote:
> ron minnich wrote:
> > That's pretty interesting. I had no idea that would work.
> >
> > I wonder if erasing it all erases that little boot of the ME you need to
> > get the hardware going, whereas the 4KB erase lets the little bootstrap
> > run but disables the ME otherwise. If so, that's great news.
>
> The ME code to start the platform is in (on-chip) ROM and a failed
> signature check of the (compressed with AFAIK still unknown codebook)
> ME code in flash just means that the ME considers the system broken
> and allows it to run for a little while so that a human can repair it.
>
> It's described pretty well in the Platform Embedded Security Revealed
> book, along with the fact that the ME will sync it's internal clock
> with NTP servers across the internet once every 30 days, to make CRL
> checks for the remote management PKI work. Maybe this particular thing
> doesn't happen with the smaller ME firmware. Dunno.
>
>
> //Peter
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20160912/7a4ab476/attachment.html>
More information about the coreboot
mailing list