[coreboot] Intel ME what is it? And when did this dangerous thing get installed?

Peter Stuge peter at stuge.se
Tue Sep 4 18:16:11 CEST 2018 

Philipp Stanner wrote:
> I might have one: What does stop a motherboard-vendor from just buying
> a CPU and implementing it?

It just isn't the common case anymore, if it ever was.

Platform vendors (Intel and AMD) move away from that use case.

No high-end x86 machines are intended to be created that way now, for
several reasons; time-to-market, know-how and intellectual property
are a few that I can think of right away.

Time-to-market and know-how go together; as x86 platforms evolve it
becomes increasingly difficult for anyone but the platform vendor to
design a reliable system with maximum performance in minimum time.

Platform vendors have delivered reference designs (CRBs or Customer
Reference Boards) for decades, and always several years before the
actual platform ships, so that customers have some time to design
their products, so that retail products can be launched at the same
time as the platform.

Each new platform seems to have a shorter lifetime than the previous,
so it becomes increasingly difficult for anyone but the platform
vendor themselves to design a reliable system with max performance in
that constantly shrinking timeframe between platform freeze and
platform launch.

And performance requirements/expectations grow that problem exponentially
over time.


> Which chips, beside the CPU, do you need from Intel in any case to
> make the machine work?

The relevant concept is "platform" - and a platform is whatever Intel
offers, because almost noone has time, knowledge and money to really
innovate significantly every 12 or even 6 months. The platform churn
is too fast for an OEM to innovate.

Google could only realize Chrome machines by taking an ODM role; ie.
by creating their own reference designs and building blocks for OEMs
to turn into retail products.

In those reference designs they could introduce innovative features,
like the Chrome EC and verified boot with coreboot, but such innovation
is completely foreign to the daily business of an OEM that has to churn
out Windows machines in sync with platform vendors' new platforms.


> I always thought of the CPU just as a machine executing code,

That's accurate up to and including the Pentium, since the
Pentium Pro it's not really the case anymore. Up until Pentium, Intel
was able to design and ship a CPU building block without serious issues.

The Pentium recall was very expensive and Intel would not want to repeat
that, so they would have had to change how they did things.

Ever since that time, the platform integration is tighter and tighter.

And that has its benefits too. More integration = less power consumption
and more reliability because there are less things a customer
(mainboard designer) can get wrong.


> and assumed it's possible to use it just as any microcontroller:

No, that hasn't been the case for a long time. Increasing integration
has more benefits for platform vendors:

If you deliver ever larger macro blocks then you lock out the competition,
offer less power hungry products, and also there is no longer any reason
to deliver accurate documentation.

Accurately documenting a modern x86 system requires tens if not hundreds
thousand pages, which would also have to be produced, reviewed for
technical correctness and compliance within the short time between
freeze and launch. That is of course bound to fail, and as many firmware
developers can tell you, register level documentation for x86 systems
is absolutely not comparable to that for a microcontroller or GHz SoC.


> You can add the ME-Chipset, but you don't have to.

Please read the PEST/PSTR book about the ME, published by Intel.

http://www.apress.com/9781430265719

From the book it is clear that Intel considers the ME to be the only
trustworthy environment in an x86 machine, it is used to check
firmware signatures (BootGuard), store keys (TPM is no longer a chip,
but software in the ME), pass DRM content directly to GPU without
allowing Windows to ever see the unencrypted data (PAVP), etc.

For any of that to work, the ME must neccessarily be inside the CPU,
and so it is. The ME isn't a separate chip, never was.

Here's my favorite quote from the book, on p. 165:

"The owner of a platform is not always the one to protect."


//Peter

More information about the coreboot mailing list