[coreboot] Server systems shipped with coreboot
awokd
awokd at danwin1210.me
Mon Mar 26 15:01:09 CEST 2018
On Sun, March 25, 2018 3:21 pm, thierry.laurion at gmail.com wrote:
> On 03/23/2018 05:22 PM, Taiidan at gmx.com wrote:
>
>> Please also keep in mind that it is impossible to disable ME.
>>
> That is not a binary yes/no fact.
>
>
> Depending of the ME version, it is possible to deactivate it.
> The following x230 is not a server, but an example for older ME versions.
>
>
> The resulting ME is 98304 bytes, containing the ROMP and BUP modules
> only. The booting system complains about ME, tries to initialize it for 3
> seconds and then gives up.
>
> I know that the story is different for newer versions of ME/Servers. But
> that statement of saying that disabling ME is impossible is not empowering
> at all and not completely true.
Might just be a matter of semantics. Can you say ME is completely
"disabled" or "deactivated", even on older systems, if the system requires
ROMP and BUP to function? Have those 98304 bytes of code been analyzed for
weaknesses/obfuscation? (Don't actually know the answer to this one
although I know there has been some progress like
https://mobile.twitter.com/rootkovska/status/938458875522666497).
How about a phrase like "ME can be deactivated after initialization"- I
think that evaluates to true for everyone without getting into secret
opcodes/silicon. Like you said, probably can't be distilled down into a
single +/- word without losing context.
More information about the coreboot
mailing list