[coreboot] coreboot Digest, Vol 147, Issue 17

Trammell Hudson hudson at trmm.net
Thu May 11 16:56:11 CEST 2017


On Thu, May 11, 2017 at 07:01:47AM -0500, Allen Krell wrote:
> One thing I am still confused about is the relationship between Intel Boot
> Guard and the regions of flash.  My understanding is that Boot Guard only
> applies to the legacy BIOS region of flash, not the ME/AMT region.

It seems to be even more restricted than that -- the "hardware" part of
Bootguard only applies to the startup ACM region in the FIT table
of the BIOS region of the flash.  That ACM is what is responsible for
implementing whatever policy for the rest of the flash.

> [...]  So, if that is true, then is it possible to flash the ME/AMT
> region of flash with any ME code module that has been signed with the Intel
> signature?

I think so, although I haven't looked at enough to determine if
the different chipsets or CPU models are signed with different keys.

The few startup ACM images that I've looked at have the same
public key for their signature, despite being on very different
CPU models and from different IBVs.

-- 
Trammell
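As an added example (not from this thread and not coreboot code), the following Python parser walks the Firmware Interface Table that the reply refers to and lists its startup ACM entries, the part of the BIOS region that the hardware side of Boot Guard checks. The layout assumed here (FIT pointer at 0xFFFFFFC0, 16-byte entries, header entry "_FIT_   ", type 2 = startup ACM, optional byte checksum over the table) follows the Intel FIT specification; the BIOS image it runs on is constructed in the block.

```python
import struct

FIT_PTR_OFFSET_FROM_TOP = 0x40      # FIT pointer lives at physical 0xFFFFFFC0
FIT_SIGNATURE = b"_FIT_   "         # header entry's address field holds this string
FIT_TYPE_MICROCODE = 0x01
FIT_TYPE_STARTUP_ACM = 0x02

def _entry(addr, size, version, etype, checksum=0):
    # address(8) | size(3) + reserved(1) | version(2) | type(1, bit 7 = checksum valid) | checksum(1)
    return (struct.pack("<Q", addr) + size.to_bytes(3, "little") + b"\0"
            + struct.pack("<H", version) + bytes([etype, checksum]))

def parse_fit(image):
    """Return the non-header FIT entries of a BIOS image mapped so it ends at 4 GiB."""
    base = 0x1_0000_0000 - len(image)                      # physical address of image[0]
    fit_addr = struct.unpack_from("<I", image, len(image) - FIT_PTR_OFFSET_FROM_TOP)[0]
    off = fit_addr - base
    if not 0 <= off <= len(image) - 16 or image[off:off + 8] != FIT_SIGNATURE:
        raise ValueError("no valid FIT header at pointer target")
    count = int.from_bytes(image[off + 8:off + 11], "little")   # entry count incl. header
    table = image[off:off + 16 * count]
    if len(table) != 16 * count:
        raise ValueError("FIT runs past end of image")
    if table[14] & 0x80 and sum(table) % 256:   # header says a checksum is present: table must sum to 0
        raise ValueError("FIT checksum mismatch")
    entries = []
    for i in range(1, count):
        addr, = struct.unpack_from("<Q", table, 16 * i)
        size = int.from_bytes(table[16 * i + 8:16 * i + 11], "little")
        version, = struct.unpack_from("<H", table, 16 * i + 12)
        entries.append({"type": table[16 * i + 14] & 0x7F, "address": addr,
                        "size": size, "version": version})
    return entries

def startup_acm_entries(image):
    """Only the startup ACM entries, i.e. what the hardware Boot Guard check actually covers."""
    return [e for e in parse_fit(image) if e["type"] == FIT_TYPE_STARTUP_ACM]

def build_sample_image():
    """Constructed 64 KiB BIOS region: FIT at 0xFFFF1000 with one microcode and one startup ACM entry."""
    img = bytearray(b"\xff" * 0x10000)
    body = (_entry(0xFFFF2000, 0, 0x0100, FIT_TYPE_MICROCODE)
            + _entry(0xFFFF8000, 0x4000, 0x0100, FIT_TYPE_STARTUP_ACM))
    header = _entry(int.from_bytes(FIT_SIGNATURE, "little"), 3, 0x0100, 0x80)
    header = header[:15] + bytes([(-sum(header + body)) % 256])   # make the whole table sum to 0
    img[0x1000:0x1000 + 48] = header + body
    ptr = 0x10000 - FIT_PTR_OFFSET_FROM_TOP
    img[ptr:ptr + 4] = struct.pack("<I", 0xFFFF1000)
    return bytes(img)
```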
