coreboot-kgpe-d16/util
Nicola Corna 9bcc002f1e util: Add me_cleaner
me_cleaner is a tool to strip down Intel ME/TXE images by removing all
the non-fundamental code, while keeping the ME/TXE image valid and
suitable for booting the system. The remaining code (ROMP and BUP
modules) is the one responsible for the very basic initialization of
the ME/TXE subsystem and can't be removed.

This tool exploits the fact that:
 * Each ME/TXE partition is signed individually and it is possible to
    remove both the partition and the signature.
 * The ME/TXE modules are not signed directly, instead they are hashed
    and the list of their hashes is hashed again and signed: this
    means that modifying a module doesn't invalidate the signature,
    but only the hash of that single module.
 * The modules hashes are checked only when the corresponding module
    needs to be executed.
 * The system can boot after the execution of the first module (BUP,
    inside the FTPR partition), even if the subsequent stages fail.

Currently me_cleaner works on every Intel platform with Intel ME or
Intel TXE with the following limitations:
 * Doesn't work when Intel Boot Guard is set in Verified Boot mode.
 * Doesn't fully work on Nehalem yet.
 * On Skylake and later generations, since the partitions' internal
    structure has changed, me_cleaner leaves intact the FTPR
    partition, removing all the the other partitions.

This tool has been tested on multiple platforms and architectures by
different users, and seems to be stable. The reports are available
here:
https://github.com/corna/me_cleaner/issues/3

A more in-depth description of me_cleaner is available here:
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F

Change-Id: I9013799e9adea0dea0775b9afe718de5fc4ca748
Signed-off-by: Nicola Corna <nicola@corna.info>
Reviewed-on: https://review.coreboot.org/18203
Tested-by: build bot (Jenkins)
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2017-01-25 18:19:58 +01:00
..
abuild util/abuild: Print list of failed boards at the end of the abuild 2017-01-09 18:26:38 +01:00
acpi
amdfwtool util/amdfwtool: Wrap long lines, excluding comments 2016-11-21 23:37:08 +01:00
amdtools
archive
arm_boot_tools/mksunxiboot
autoport util/autoport: Fix gfx dump of log_maker 2017-01-09 18:17:45 +01:00
bimgtool
board_status board_status: Abort early if the coreboot image doesn't exist 2016-05-18 00:17:18 +02:00
broadcom util/broadcom: Check for successful file access 2016-12-16 18:22:43 +01:00
cbfstool cbfs-compression-tool: catch compression failures 2017-01-24 09:35:49 +01:00
cbmem cbmem: Exit with an errorlevel of 0 after printing help 2016-09-15 00:43:02 +02:00
checklist util/checklist: Place tables in proper boot order 2016-08-03 18:01:32 +02:00
chromeos util/chromeos: Make scripts executable 2016-07-30 19:34:20 +02:00
crossgcc buildgcc: try curl if wget is not present 2017-01-10 14:43:49 +01:00
docker util/docker: Add a makefile for common docker tasks 2016-12-12 17:52:57 +01:00
dtd_parser
ectool
exynos
futility Rename VB_SOURCE to VBOOT_SOURCE for increased clarity 2016-07-27 17:26:05 +02:00
fuzz-tests
genbuild_h
genprof
gitconfig Rename and move util/gitconfig/rebase.sh 2016-10-25 17:09:19 +02:00
ifdfake util/ifdfake: Add number of regions 2016-12-15 23:47:09 +01:00
ifdtool ifdtool: Add option to specify platform (-p) quirks 2016-11-08 23:11:29 +01:00
intelmetool util/intelmetool: Try to activate the ME before scanning PCIe for it 2017-01-20 17:22:54 +01:00
inteltool util/inteltool: Add ICH6-10 to BIOS_CNTL list 2017-01-03 17:40:34 +01:00
intelvbttool intelvbttool: cope with errors in open() 2016-07-31 19:23:29 +02:00
ipqheader
k8resdump
kconfig Kconfig: Change symbol override from warning to notice 2016-12-12 17:53:32 +01:00
lint util/lint: Add check for the signed-off-by line 2017-01-09 18:14:10 +01:00
marvell util/marvell: Add Marvell doimage utility and dependency in relevant Makefile 2016-02-11 14:16:08 +01:00
me_cleaner util: Add me_cleaner 2017-01-25 18:19:58 +01:00
mma util/mma: changing BOOT_STUB to COREBOOT region and few more things 2016-05-10 22:59:36 +02:00
msrtool util/msrtool: Use tabs for indents 2016-10-19 17:02:07 +02:00
mtkheader
nvidia
nvramtool nvramtool: Don't consider reserved regions to be "out of range" 2016-07-31 19:07:43 +02:00
optionlist
post
release util/release/build-release: Update tar command 2016-10-07 18:18:47 +02:00
riscvtools RISCV: change make-spike-elf to use the coreboot toolchain. 2016-10-15 00:34:27 +02:00
rockchip
romcc util/romcc: avoid shifting more than the variable's width 2017-01-06 18:40:04 +01:00
sconfig sconfig: Reformat C code 2016-08-08 19:16:24 +02:00
scripts util/scripts: extend cross-repo-cherrypick 2017-01-17 18:01:10 +01:00
showdevicetree
spkmodem_recv
superiotool superiotool: Add support for HWM registers on W83627EHG 2017-01-03 17:34:12 +01:00
uio_usbdebug
vgabios Remove extra newlines from the end of all coreboot files. 2016-07-31 18:19:33 +02:00
viatool viatool/quirks: Add newline to end of file 2016-07-28 20:18:10 +02:00
xcompile util/xcompile/xcompile: Add a space before && 2016-10-28 20:16:13 +02:00