8882ac55ef
Changelog: * Add support for the HAP/AltMeDisable bit * Add support for selective partition removal * Fix the ME permission removal on gen. 3 * Add public key match * Print the compressed size of the Huffman modules on gen. 2 * Wipe the ME6 Ignition firmware images * Fix the removal of the last partition on ME6 * Various region size fixes * Add manpage * Add setup.py * Print the value of the HAP/AltMeDisable bit The output image should be identical, except for the platforms affected by bugs (ME 6.x, but it's not supported by coreboot and ME 11.x with the -d option, but it's not being used in our build process). Overall, nothing should change when it's used with the CONFIG_USE_ME_CLEANER option. Tested on a Lenovo X220 and Sapphire Pure Platinum H61. Change-Id: I3d5e0d9af0a36cc7476a964cf753914c2f3df9d2 Signed-off-by: Nicola Corna <nicola@corna.info> Reviewed-on: https://review.coreboot.org/25506 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
85 lines
3.7 KiB
Markdown
85 lines
3.7 KiB
Markdown
# me\_cleaner
|
|
|
|
_me\_cleaner_ is a Python script able to modify an Intel ME firmware image with
|
|
the final purpose of reducing its ability to interact with the system.
|
|
|
|
## Intel ME
|
|
|
|
Intel ME is a co-processor integrated in all post-2006 Intel boards, which is
|
|
the base hardware for many Intel features like Intel AMT, Intel Boot Guard,
|
|
Intel PAVP and many others. To provide such features, it requires full access to
|
|
the system, including memory (through DMA) and network access (transparent to
|
|
the user).
|
|
|
|
Unlike many other firmware components, the Intel ME firmware can't be neither
|
|
disabled nor reimplemented, as it is tightly integrated in the boot process and
|
|
it is signed.
|
|
|
|
This poses an issue both to the free firmware implementations like [coreboot](
|
|
https://www.coreboot.org/), which are forced to rely on a proprietary, obscure
|
|
and always-on blob, and to the privacy-aware users, who are reasonably worried
|
|
about such firmware, running on the lowest privilege ring on x86.
|
|
|
|
## What can be done
|
|
|
|
Before Nehalem (ME version 6, 2008/2009) the ME firmware could be removed
|
|
completely from the flash chip by setting a couple of bits inside the flash
|
|
descriptor, effectively disabling it.
|
|
|
|
Starting from Nehalem the Intel ME firmware can't be removed anymore: without a
|
|
valid firmware the PC shuts off forcefully after 30 minutes, probably as an
|
|
attempt to enforce the Intel Anti-Theft policies.
|
|
|
|
However, while Intel ME can't be turned off completely, it is still possible to
|
|
modify its firmware up to a point where Intel ME is active only during the boot
|
|
process, effectively disabling it during the normal operation, which is what
|
|
_me\_cleaner_ tries to accomplish.
|
|
|
|
## Platform support
|
|
|
|
_me\_cleaner_ currently works on [most of the Intel platforms](
|
|
https://github.com/corna/me_cleaner/wiki/me_cleaner-status); while this doesn't
|
|
mean it works on all the boards (due to the different firmware implementations),
|
|
it has been proven quite reliable on a great number of them.
|
|
|
|
## Usage
|
|
|
|
_me\_cleaner_ should handle all the steps necessary to the modification of an
|
|
Intel ME firmware with the command:
|
|
|
|
$ python me_cleaner.py -S -O modified_image.bin original_dump.bin
|
|
|
|
However, obtaining the original firmware and flashing back the modified one is
|
|
usually not trivial, as the Intel ME firmware region is often non-writable from
|
|
the OS (and it's not a safe option anyways), requiring the use of an external
|
|
SPI programmer.
|
|
|
|
## Results
|
|
|
|
For pre-Skylake firmware (ME version < 11) this tool removes almost everything,
|
|
leaving only the two fundamental modules needed for the correct boot, `ROMP` and
|
|
`BUP`. The code size is reduced from 1.5 MB (non-AMT firmware) or 5 MB (AMT
|
|
firmware) to ~90 kB of compressed code.
|
|
|
|
Starting from Skylake (ME version >= 11) the ME subsystem and the firmware
|
|
structure have changed, requiring substantial changes in _me\_cleaner_.
|
|
The fundamental modules required for the correct boot are now four (`rbe`,
|
|
`kernel`, `syslib` and `bup`) and the minimum code size is ~300 kB of compressed
|
|
code (from the 2 MB of the non-AMT firmware and the 7 MB of the AMT one).
|
|
|
|
On some boards the OEM firmware fails to boot without a valid Intel ME firmware;
|
|
in the other cases the system should work with minor inconveniences (like longer
|
|
boot times or warning messages) or without issues at all.
|
|
|
|
Obviously, the features provided by Intel ME won't be functional anymore after
|
|
the modifications.
|
|
|
|
## Documentation
|
|
|
|
The detailed documentation about the working of _me\_cleaner_ can be found on
|
|
the page ["How does it work?" page](
|
|
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F).
|
|
|
|
Various guides and tutorials are available on the Internet, however a good
|
|
starting point is the ["How to apply me_cleaner" guide](
|
|
https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner).
|