04d2601426
Recent patches in coreboot have fixed the freeze issues related to the use of me_cleaner on Nehalem. However, at least on the Lenovo X201, with me_cleaner some PCIe devices (like the SATA and USB controllers) disappear. In particular, setting the AltMeDisable bit ("-S" or "-s" flag) makes them disappear completely, while unsetting it makes them disappear only during cold boots. This kind of behaviour was already observed by Youness Alaoui on the Purism Librem laptops ([1]), and it seems related to some required board-specific PCIe configuration in the ME's MFS partition. For this reason, on the Lenovo X201, "-w EFFS" has been added to the me_cleaner arguments, which whitelists the MFS-equivalent partition for ME generation 2. This fixes all the issues, and the PCIe devices work as expected. [1] https://puri.sm/posts/deep-dive-into-intel-me-disablement/ Change-Id: Ie77a80d2cb4945cf1c984bdb0fb1cc2f18e82ebc Signed-off-by: Nicola Corna <nicola@corna.info> Reviewed-on: https://review.coreboot.org/27178 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
157 lines
5 KiB
Groff
157 lines
5 KiB
Groff
.TH me_cleaner 1 "JUNE 2018"
|
|
.SH me_cleaner
|
|
.PP
|
|
me_cleaner \- Tool for partial deblobbing of Intel ME/TXE firmware images
|
|
.SH SYNOPSIS
|
|
.PP
|
|
\fB\fCme_cleaner.py\fR [\-h] [\-v] [\-O output_file] [\-S | \-s] [\-r] [\-k]
|
|
[\-w whitelist | \-b blacklist] [\-d] [\-t] [\-c] [\-D output_descriptor]
|
|
[\-M output_me_image] \fIfile\fP
|
|
.SH DESCRIPTION
|
|
.PP
|
|
\fB\fCme_cleaner\fR is a tool able to disable parts of Intel ME/TXE by:
|
|
.RS
|
|
.IP \(bu 2
|
|
removing most of the code from its firmware
|
|
.IP \(bu 2
|
|
setting a special bit to force it to disable itself after the hardware
|
|
initialization
|
|
.RE
|
|
.PP
|
|
Using both the modes seems to be the most reliable way on many platforms.
|
|
.PP
|
|
The resulting modified firmware needs to be flashed (in most of the cases) with
|
|
an external programmer, often a dedicated SPI programmer or a Linux board with
|
|
a SPI master interface.
|
|
.PP
|
|
\fB\fCme_cleaner\fR works at least from Nehalem to Coffee Lake (for Intel ME) and on
|
|
Braswell/Cherry Trail (for Intel TXE), but may work as well on newer or
|
|
different architectures.
|
|
.PP
|
|
While \fB\fCme_cleaner\fR have been tested on a great number of platforms, fiddling
|
|
with the Intel ME/TXE firmware is \fIvery dangerous\fP and can easily lead to a
|
|
dead PC.
|
|
.PP
|
|
\fIYOU HAVE BEEN WARNED.\fP
|
|
.SH POSITIONAL ARGUMENTS
|
|
.TP
|
|
\fB\fCfile\fR
|
|
ME/TXE image or full dump.
|
|
.SH OPTIONAL ARGUMENTS
|
|
.TP
|
|
\fB\fC\-h\fR, \fB\fC\-\-help\fR
|
|
Show the help message and exit.
|
|
.TP
|
|
\fB\fC\-v\fR, \fB\fC\-\-version\fR
|
|
Show program's version number and exit.
|
|
.TP
|
|
\fB\fC\-O\fR, \fB\fC\-\-output\fR
|
|
Save the modified image in a separate file, instead of modifying the
|
|
original file.
|
|
.TP
|
|
\fB\fC\-S\fR, \fB\fC\-\-soft\-disable\fR
|
|
In addition to the usual operations on the ME/TXE firmware, set the
|
|
MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after
|
|
the hardware initialization (requires a full dump).
|
|
.TP
|
|
\fB\fC\-s\fR, \fB\fC\-\-soft\-disable\-only\fR
|
|
Instead of the usual operations on the ME/TXE firmware, just set the
|
|
MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after
|
|
the hardware initialization (requires a full dump).
|
|
.TP
|
|
\fB\fC\-r\fR, \fB\fC\-\-relocate\fR
|
|
Relocate the FTPR partition to the top of the ME region to save even more
|
|
space.
|
|
.TP
|
|
\fB\fC\-t\fR, \fB\fC\-\-truncate\fR
|
|
Truncate the empty part of the firmware (requires a separated ME/TXE image or
|
|
\fB\fC\-\-extract\-me\fR).
|
|
.TP
|
|
\fB\fC\-k\fR, \fB\fC\-\-keep\-modules\fR
|
|
Don't remove the FTPR modules, even when possible.
|
|
.TP
|
|
\fB\fC\-w\fR, \fB\fC\-\-whitelist\fR
|
|
Comma separated list of additional partitions to keep in the final image.
|
|
This can be used to specify the MFS partition for example, which stores PCIe
|
|
and clock settings.
|
|
.TP
|
|
\fB\fC\-b\fR, \fB\fC\-\-blacklist\fR
|
|
Comma separated list of partitions to remove from the image. This option
|
|
overrides the default removal list.
|
|
.TP
|
|
\fB\fC\-d\fR, \fB\fC\-\-descriptor\fR
|
|
Remove the ME/TXE Read/Write permissions to the other regions on the flash
|
|
from the Intel Flash Descriptor (requires a full dump).
|
|
.TP
|
|
\fB\fC\-D\fR, \fB\fC\-\-extract\-descriptor\fR
|
|
Extract the flash descriptor from a full dump; when used with \fB\fC\-\-truncate\fR
|
|
save a descriptor with adjusted regions start and end.
|
|
.TP
|
|
\fB\fC\-M\fR, \fB\fC\-\-extract\-me\fR
|
|
Extract the ME firmware from a full dump; when used with \fB\fC\-\-truncate\fR save a
|
|
truncated ME/TXE image.
|
|
.TP
|
|
\fB\fC\-c\fR, \fB\fC\-\-check\fR
|
|
Verify the integrity of the fundamental parts of the firmware and exit.
|
|
.SH SUPPORTED PLATFORMS
|
|
.PP
|
|
Currently \fB\fCme_cleaner\fR has been tested on the following platforms:
|
|
.TS
|
|
allbox;
|
|
cb cb cb cb
|
|
c c c c
|
|
c c c c
|
|
c c c c
|
|
c c c c
|
|
c c c c
|
|
c c c c
|
|
c c c c
|
|
c c c c
|
|
.
|
|
PCH CPU ME SKU
|
|
Ibex Peak Nehalem/Westmere 6.0 Ignition
|
|
Ibex Peak Nehalem/Westmere 6.x 1.5/5 MB
|
|
Cougar Point Sandy Bridge 7.x 1.5/5 MB
|
|
Panther Point Ivy Bridge 8.x 1.5/5 MB
|
|
Lynx/Wildcat Point Haswell/Broadwell 9.x 1.5/5 MB
|
|
Wildcat Point LP Broadwell Mobile 10.0 1.5/5 MB
|
|
Sunrise Point Skylake/Kabylake 11.x CON/COR
|
|
Union Point Kabylake 11.x CON/COR
|
|
.TE
|
|
.TS
|
|
allbox;
|
|
cb cb cb
|
|
c c c
|
|
.
|
|
SoC TXE SKU
|
|
Braswell/Cherry Trail 2.x 1.375 MB
|
|
.TE
|
|
.PP
|
|
All the reports are available on the project's GitHub page \[la]https://github.com/corna/me_cleaner/issues/3\[ra]\&.
|
|
.SH EXAMPLES
|
|
.PP
|
|
Check whether the provided image has a valid structure and signature:
|
|
.IP
|
|
\fB\fCme_cleaner.py \-c dumped_firmware.bin\fR
|
|
.PP
|
|
Remove most of the Intel ME firmware modules but don't set the HAP/AltMeDisable
|
|
bit:
|
|
.IP
|
|
\fB\fCme_cleaner.py \-S \-O modified_me_firmware.bin dumped_firmware.bin\fR
|
|
.PP
|
|
Remove most of the Intel ME firmware modules and set the HAP/AltMeDisable bit,
|
|
disable the Read/Write access of Intel ME to the other flash region, then
|
|
relocate the code to the top of the image and truncate it, extracting a modified
|
|
descriptor and ME image:
|
|
.IP
|
|
\fB\fCme_cleaner.py \-S \-r \-t \-d \-D ifd_shrinked.bin \-M me_shrinked.bin \-O modified_firmware.bin full_dumped_firmware.bin\fR
|
|
.SH BUGS
|
|
.PP
|
|
Bugs should be reported on the project's GitHub page \[la]https://github.com/corna/me_cleaner\[ra]\&.
|
|
.SH AUTHOR
|
|
.PP
|
|
Nicola Corna \[la]nicola@corna.info\[ra]
|
|
.SH SEE ALSO
|
|
.PP
|
|
.BR flashrom (8),
|
|
me_cleaner's Wiki \[la]https://github.com/corna/me_cleaner/wiki\[ra]
|