Hi,
Many years ago I used to use Libreboot on a ThinkPad X200, but since then I've 
not been keeping an eye on the x86 firmware hacking community developments 
(save for the discovery of the "HAP bit" to disengage the Intel ME, which made 
some headlines at the time). Thus I'm not too familiar with the state of the 
art but wanted to share a finding that's too interesting to let be forgotten.

I'm in the United States and got a Lenovo ThinkCentre M93z second hand from a 
local business that'd been using it:
CPU: ID 0x306c3, Processor Type 0x0, Family 0x6, Model 0x3c, Stepping 0x3
Northbridge: 8086:0c00 (4th generation (Haswell family) Core Processor 
(Desktop))
Southbridge: 8086:8c4e (Q87)
IGD: 8086:0402 (unknown)

There are only a couple of mentions on the internet, but when stumbling through 
Lenovo's manual I found that there is a motherboard jumper to disable the Intel 
Management Engine. (I thought these didn't exist?) Before moving the jumper 
over, I checked in the UEFI that it showed a version number and some other 
information about the Intel ME. The output of 'lspci' showed an Intel 
Management Engine Interface device (or something along those lines).
After moving the jumper, I went back into the UEFI setup and found that the 
Intel ME configuration options were no longer able to be selected and the text 
turned light gray. The position where the version number formerly was now says 
"N/A", and 'lspci' shows there is no MEI device anymore:
$ lspci
00:00.0 Host bridge: Intel Corporation 4th Gen Core Processor DRAM Controller 
(rev 06)
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v3/4th Gen 
Core Processor Integrated Graphics Controller (rev 06)
00:03.0 Audio device: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor 
HD Audio Controller (rev 06)
00:14.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family 
USB xHCI (rev 05)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 
05)
00:1a.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family 
USB EHCI #2 (rev 05)
00:1b.0 Audio device: Intel Corporation 8 Series/C220 Series Chipset High 
Definition Audio Controller (rev 05)
00:1c.0 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI 
Express Root Port #5 (rev d5)
00:1d.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family 
USB EHCI #1 (rev 05)
00:1f.0 ISA bridge: Intel Corporation Q87 Express LPC Controller (rev 05)
00:1f.2 SATA controller: Intel Corporation 8 Series/C220 Series Chipset Family 
6-port SATA Controller 1 [AHCI mode] (rev 05)
00:1f.3 SMBus: Intel Corporation 8 Series/C220 Series Chipset Family SMBus 
Controller (rev 05)

Isn't this neat? I don't fully understand what the implications are, such as 
"can this computer be liberated as much as a ThinkPad X200 can be?". So here 
are some additional things I've done just fooling around.
The 'intelmetool' utility makes a seemingly-false claim that the Intel ME can't 
be killed on this system (my sole annotation being denoted by a '†' symbol):

$ sudo intelmetool -s
Bad news, you have a `Q87 Express LPC Controller` so you have ME hardware on 
board and you can't control or disable it, continuing...

MEI found: [8086:8c3a] 8 Series/C220 Series Chipset Family MEI Controller #1
        † This doesn't show up in 'lspci' anymore so perhaps this tool uses an 
indirect way to infer whether this exists?

ME Status   : 0x1e040185
ME Status 2 : 0x1652012e

ME: FW Partition Table      : OK
ME: Bringup Loader Failure  : NO
ME: Firmware Init Complete  : NO
ME: Manufacturing Mode      : NO
ME: Boot Options Present    : NO
ME: Update In Progress      : NO
ME: Current Working State   : Normal
ME: Current Operation State : Bring up
ME: Current Operation Mode  : Security Override via Jumper
ME: Error Code              : No Error
ME: Progress Phase          : BUP Phase
ME: Power Management Event  : Pseudo-global reset
ME: Progress Phase State    : 0x52

ME: Extend SHA-256: 
80e6f9c223162ef567282bdff22e274369465d7af5d6d97badb0e4a15ed79cca

ME: failed to become ready
ME: failed to become ready
ME: GET FW VERSION message failed

When passing the appropriate option to check on Intel Boot Guard (whatever that 
is), I find:
Boot Guard MSR Output : 0x0
Your system isn't Boot Guard ready.
You can flash other firmware!

Also, I can use flashrom to dump the internal flash and get a seemingly-valid 
file:
$ sudo flashrom -p internal -r ./foobar
flashrom 1.4.0 on Linux 6.12.57+deb13-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Found chipset "Intel Q87".
This chipset is marked as untested. If you are using an up-to-date version
of flashrom *and* were (not) able to successfully update your firmware with it,
then please email a report to [email protected] including a verbose (-V) 
log.
Thank you!
Enabling flash write... Warning: BIOS region SMM protection is enabled!
Warning: Setting BIOS Control at 0xdc from 0x22 to 0x01 failed.
New value is 0x22.
SPI Configuration is locked down.
The Flash Descriptor Override Strap-Pin is set. Restrictions implied by
the Master Section of the flash descriptor are NOT in effect. Please note
that Protected Range (PR) restrictions still apply.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
FREG1: BIOS region (0x00580000-0x00bfffff) is read-write.
FREG2: Management Engine region (0x00003000-0x0057ffff) is read-write.
FREG3: Gigabit Ethernet region (0x00001000-0x00002fff) is read-write.
Enabling hardware sequencing due to multiple flash chips detected.
OK.
Multiple flash components detected, skipping flash identification.
Found Programmer flash chip "Opaque flash chip" (12288 kB, Programmer-specific) 
on internal.
Reading flash... done.

I see that the 'ifdtool' utility can successfully dump information about such a 
flash dump. For example, it says (among many other things)
        AltMeDisable bit is not set
thus the jumper seems to be working by some totally different mechanism.
That tool also hints that I have write access to all flash regions if I 
understand it right:
Found Region Section
FLREG0:    0x00000000
  Flash Region 0 (Flash Descriptor): 00000000 - 00000fff 
FLREG1:    0x0bff0580
  Flash Region 1 (BIOS): 00580000 - 00bfffff 
FLREG2:    0x057f0003
  Flash Region 2 (Intel ME): 00003000 - 0057ffff 
FLREG3:    0x00020001
  Flash Region 3 (GbE): 00001000 - 00002fff 
FLREG4:    0x00007fff
  Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused)

Found Master Section
FLMSTR1:        0x0a0b0000 (Host CPU/BIOS)
        Host CPU/BIOS Region Write Access:      enabled
        Host CPU/BIOS Region Read Access:       enabled
FLMSTR2:        0x0c0d0000 (Intel ME)
        Intel ME Region Write Access:   enabled
        Intel ME Region Read Access:    enabled
FLMSTR3:        0x08080118 (GbE)
        GbE Region Write Access:        enabled
        GbE Region Read Access: enabled

so presumably I can change attributes of the flash and maybe set the 
AltMeDisable/HAP bit if I so wish.

So in conclusion, I don't know if there's anything groundbreaking here, but it 
sure would be cool if this just so happened to be a hidden gem in plain sight 
for tinkering with. Maybe completely free boot firmware could be made to run on 
it in reality as well as my dreams.
Let me know what you think. Thanks


_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]