Apr 27, 2012, 10:41:23 PM (3 years ago)

Add a bunch of new/tested stuff and various small changes 12.

Tested Mainboards:


Tested flash chips:

Tested chipset enables:

  • Fix compilation of ich_descriptor_tool which was broken since r1492.
  • Add Documentation regarding unlocking the ME region on Intel chipsets.
  • Fix reading the flash descriptor via FDOC/FDOD and prettyprinting of the descriptor on boards with 5 active regions.
  • Reorder some boards in print.c.
  • Add Intel 7 Series (Panther Point) PCI IDs.
  • Add preliminary PCI IDs for future Intel chipsets (DH89xxCC and Lynx Point) see https://lkml.org/lkml/2012/2/20/467
  • Change the message for untested chipsets to send only after an attempt to update the firmware with flashrom.
  • Fix warnings in ich_descriptor_tool's build.

Signed-off-by: Stefan Tauner <stefan.tauner@…>
Acked-by: Stefan Tauner <stefan.tauner@…>

1 edited


  • trunk/Documentation/mysteries_intel.txt

    r1465 r1524  
    1717= Unlocking the ME region = 
    18 TODO 
     18 If the ME region is locked by the FRAP register in descriptor mode, the host 
     19 software is not allowed to read or write any address inside that region. There 
     20 are different ways to unlock access: 
     22 - A pin strap: Flash Descriptor Security Override Strap (as indicated by the 
     23   Flash Descriptor Override Pin Strap Status (FDOPSS) in HSFS. That pin is 
     24   probably not accessible to end users on consumer boards (every Intel doc i 
     25   have seen stresses that this is for debugging in manufacturing only and 
     26   should not be available for end users). 
     27   The ME indicates this in bits [19:16] (Operation Mode) in the HFS register of 
     28   the HECI/MEI PCI device by setting them to 4 (SECOVR_JMPR) [MODE_CTRL]. 
     30 - Intel Management Engine BIOS Extension (MEBx) Disable 
     31   This option may be available to end users on some boards usually accessible 
     32   by hitting ctrl+p after BIOS POST. Quote: "'Disabling' the Intel ME does not 
     33   really disable it: it causes the Intel ME code to be halted at an early stage 
     34   of the Intel ME's booting so that the system has no traffic originating from 
     35   the Intel ME on any of the buses." [MEBX] The ME indicates this in 
     36   bits [19:16] (Operation Mode) in the HFS register of the HECI/MEI PCI device 
     37   by setting them to 3 (Soft Temporary Disable) [MODE_CTRL]. 
     39 - Previous to Ibex Peak/5 Series chipsets removing the DIMM from slot (or 
     40   channel?) #0 disables the ME completely, which may give the host access to 
     41   the ME region. 
     43 - HMRFPO (Host ME Region Flash Protection Override) Enable MEI command 
     44   This is the most interesting one because it allows to temporarily disable 
     45   the ME region protection by software. The ME indicates this in bits [19:16] 
     46   (Operation Mode) in the HFS register of the HECI/MEI PCI device by setting 
     47   them to 5 (SECOVER_MEI_MSG) [MODE_CTRL]. 
     49== MEI/HECI == 
     50 Communication between the host software and the different services provided by 
     51 the ME is done via a packet-based protocol that uses MMIO transfers to one or 
     52 more virtual PCI devices. Upon this layer there exist various services that can 
     53 be used to read out hardware management values (e.g. temperatures, fan speeds 
     54 etc.). The lower levels of that protocol are well documented: 
     55 The locations/offsets of the PCI MMIO registers are noted in the chipset 
     56 datasheets. The actually communication is documented in a whitepaper [DCMI] and 
     57 an outdated as well as a current Linux kernel implementation (currently in 
     58 staging/ exist [KERNEL]. There exists a patch that re-implements this in user 
     59 space (as part of flashrom). 
     61== Problems == 
     62 The problem is that only very few higher level protocols are documented publicly, 
     63 especially the bunch of messages that contain the HMRFPO commands is probably 
     64 well protected and only documented in ME-specific docs and the BIOS writer's 
     65 guides. We are aware of a few leaked documents though that give us a few hints 
     66 about it, but nothing substantial regarding its implementation. 
     68 The documents are somewhat contradicting each other in various points which 
     69 might be due to factual changes in process of time or due to the different 
     70 capabilities of the ME firmwares, example: 
     72 Intel's Flash Programming Tool (FPT) "automatically stops ME writing to SPI 
     73 ME Region, to prevent both writing at the same time, causing data corruption." [ME8] 
     75 "FPT is not HMRFPO-capable, so needs [the help of the FDOPS pin] HDA_SDO if 
     76 used to update the ME Region." [SPS] 
     78 When looking at the various ME firmware editions (and different chipsets), things 
     79 get very unclear. Some docs say that HMRFPO needs to be sent before End-of-POST 
     80 (EOP), others say that the ME region can be updated in the field or that some 
     81 vendor tools use it for updates. This needs to be investigated further before 
     82 drawing any conclusion. 
     84[MODE_CTRL] Client Platform Enabling Tour: Platform Software 
     85            Document Number: 439167, Revision 1.2, page 52 
     86[MEBX]      Intel Management Engine BIOS Extension (MEBX) User's Guide 
     87            Revision 1.2, Section 3.1 and 3.5 
     88[DCMI]      DCMI Host Interface Specification 
     89            Revision 1.0 
     90[KERNEL]    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=drivers/staging/mei;hb=HEAD 
     91[SPI_PROG]  Ibex Peak SPI Programming Guide 
     92            Document Number: 403598, Revision 1.3, page 79 
     93[ME8]       Manufacturing with Intel Management Engine (ME) Firmware 8.X on Intel 7 Series 
     94            Revision 2.0, page 59 
     95[SPS]       Manufacturing with Intel Management Engine (ME) on Intel C600 Series Chipset 1 
     96            for Romley Server 2 Platforms using Server Platform Services (SPS) Firmware 
     97            Revision 2.2, page 51 
Note: See TracChangeset for help on using the changeset viewer.