[coreboot] Anyone got an opinion, technical or otherwise, on this?

Nico Huber nico.h at gmx.de
Wed May 3 20:31:20 CEST 2017


On 03.05.2017 16:31, Matt DeVillier wrote:
> On Wed, May 3, 2017 at 4:17 AM, John Lewis <jlewis at johnlewis.ie> wrote:
> 
>> I think I've answered my own questions by checking out the menuconfig
>> options, it looks to me as though up to and including Skylake is possible,
>> and flashing internally *should* be okay?
>>
> Since writing to the ME region is protected by the IFD configuration, the
> possibility of internal flashing would be dependent on the current
> configuration of the board's IFD. I suspect most non-ChromeOS hardware will
> have it unlocked (default config) as their initial flash was likely with an
> external programmer.  ChromeOS hardware will have a locked IFD and require
> external flashing to clean the ME (unless previously externally flashed
> with a ROM w/unlocked IFD).
> 

Actually internal flashing is always possible as long as you control the
firmware. The ME's flash region should be locked (Intel doesn't support
anything else) but there is ofc an update path for the ME firmware. Some
BIOSes have an option for this that temporarily disables the ME on the
next boot to give the host firmware (BIOS, coreboot) full access and
make ME firmware updates reliable (what could possibly go wrong if you
flash it while the ME is fully running).

AFAICT, coreboot hasn't such an option implemented (yet). But as long as
you control the machine, you can implement it, update coreboot, then up-
date the ME firmware.

Nico




More information about the coreboot mailing list