[coreboot] References to ich9gen in the wiki (was: Re: Fwd: Ethernet problem in x200)

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Wed Mar 29 22:37:54 CEST 2017 

Nico Huber <nico.huber at secunet.com> wrote:
> >> Pew, thanks for reminding me, that we have this in our wiki.
[...]
> Sorry, this was badly articulated. The "thanks" was meant sincere.
There was indeed some missunderstanding from both sides, I'm happy that
it's fixed and we can now understand each other.

> I had this on my TODO list for some time. I think we should (if not
> already done) extend ifdtool to toggle whatever bit is needed to run
> without ME firmware. And let people use that instead of building a new
> blob which only extends the list of entities you have to trust.
I had that on my TODO list too, I planed to do it this way:
- First merge ifdtool and ifdfake
- Adjust the build system to use the unified tool
- Add the bits necessary to produce a working GM45 image, by using
  ich9gen as documentation.

Until now, I only started evaluating how to merge ifdtool and ifdfake
and didn't made much progress due to the lack of time spent on it.

> PS. Actually I think coreboot shouldn't handle these platform blobs at
>     all. But that's even harder to convince people of ;)
== Usage ==
I also don't like blobs. I've some questions with reguard to the ME
blob:
- What are the advantages of having the ME blob, for the end users, on
  devices with the GM45 chipset?
  - I would guess that it provides a "software" TPM. I don't see any
    TPM without the ME on my X200.
  - In thinkpads, it provides AMT, however I fail to see how relevant
    this is. I guess that no coreboot (or derivative) users want it. It
    would also require to use SeaBIOS and to extract the ME BIOS
    extensions option rom.
  - Does it gives better platform stability? RAM compatibility? Thermal
    management?

Given that:
- The ME blob(s) are all proprietary software. As far as I know, no
  free software can run on the ME of the GM45 chipset.
- The ME is not meant to have the end user directly interact with it in
  any ways.
- The firmware partitions are signed.
- The hardware (ME Processor or SOC or whatever it is called) has
  access to:
  - The network interfaces
  - Probably many other things, but I can't say for sure as I make some
    confusions between ME versions.
    I'm not sure that on GM45 it has access to the x86 CPU RAM, or the
    GPU framebuffer. I'm sure some versions of the ME do.
- Having to use a blob complicates the compilation and installation for
  the end user[1], thus increasing the probability of making mistakes.
- The ME blob occupy flash space.

It might be interesting to only offer the option to generate a valid
flash descriptor that doesn't use any ME blobs for end users[1].

References:
----------
[1]Note that by end-user I mean anyone that have at least one
   GM45 laptop running coreboot (or derivative) that is not only used
   for coreboot development and testing. This probably includes many
   coreboot developers having such machines.

== Development ==
As far as I know, there isn't any way to execute code on the GM45
Management Engine, unless it's signed by Intel, right?

If we keep the code that handles the Management Engine (HECI), but
remove the option to produce a flash image that uses a Management
Engine firmware, would it be useful?

Would it help developers to find a way to execute code on the
Management Engine and have free software code running in there?

I didn't look into the Management Engine yet, but I fear that there is
a lack of available documentation on its internals.

So having free software (especially GNU/Linux) running there would:
- Allow to understand better the hardware, and thus, improving the
  trustworthyness (or untrustworthyness) of the hardware.
- Allow to implement things like software TPM, gpg smartcard, or
  whatever similar things.
- Allow to offload an IRC client/mail fetcher/downloader on the
  Management Engine, and suspend-to-ram the x86 processor.
- Allow to have a software BMC-like. I personally don't see any good use
  of it on laptops beside runtime testing (of coreboot), or remote
  assistance, but other people might have better ideas. It might be
  very useful for servers/desktops though.
- Whatever idea people comes up with.

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20170329/2ea197d2/attachment.sig>

More information about the coreboot mailing list