- Apr 27, 2012 10:41:23 PM (20 months ago)
- 1 edited
r1465 r1524 16 16 17 17 = Unlocking the ME region = 18 TODO 18 If the ME region is locked by the FRAP register in descriptor mode, the host 19 software is not allowed to read or write any address inside that region. There 20 are different ways to unlock access: 21 22 - A pin strap: Flash Descriptor Security Override Strap (as indicated by the 23 Flash Descriptor Override Pin Strap Status (FDOPSS) in HSFS. That pin is 24 probably not accessible to end users on consumer boards (every Intel doc i 25 have seen stresses that this is for debugging in manufacturing only and 26 should not be available for end users). 27 The ME indicates this in bits [19:16] (Operation Mode) in the HFS register of 28 the HECI/MEI PCI device by setting them to 4 (SECOVR_JMPR) [MODE_CTRL]. 29 30 - Intel Management Engine BIOS Extension (MEBx) Disable 31 This option may be available to end users on some boards usually accessible 32 by hitting ctrl+p after BIOS POST. Quote: "'Disabling' the Intel ME does not 33 really disable it: it causes the Intel ME code to be halted at an early stage 34 of the Intel ME's booting so that the system has no traffic originating from 35 the Intel ME on any of the buses." [MEBX] The ME indicates this in 36 bits [19:16] (Operation Mode) in the HFS register of the HECI/MEI PCI device 37 by setting them to 3 (Soft Temporary Disable) [MODE_CTRL]. 38 39 - Previous to Ibex Peak/5 Series chipsets removing the DIMM from slot (or 40 channel?) #0 disables the ME completely, which may give the host access to 41 the ME region. 42 43 - HMRFPO (Host ME Region Flash Protection Override) Enable MEI command 44 This is the most interesting one because it allows to temporarily disable 45 the ME region protection by software. The ME indicates this in bits [19:16] 46 (Operation Mode) in the HFS register of the HECI/MEI PCI device by setting 47 them to 5 (SECOVER_MEI_MSG) [MODE_CTRL]. 48 49 == MEI/HECI == 50 Communication between the host software and the different services provided by 51 the ME is done via a packet-based protocol that uses MMIO transfers to one or 52 more virtual PCI devices. Upon this layer there exist various services that can 53 be used to read out hardware management values (e.g. temperatures, fan speeds 54 etc.). The lower levels of that protocol are well documented: 55 The locations/offsets of the PCI MMIO registers are noted in the chipset 56 datasheets. The actually communication is documented in a whitepaper [DCMI] and 57 an outdated as well as a current Linux kernel implementation (currently in 58 staging/ exist [KERNEL]. There exists a patch that re-implements this in user 59 space (as part of flashrom). 60 61 == Problems == 62 The problem is that only very few higher level protocols are documented publicly, 63 especially the bunch of messages that contain the HMRFPO commands is probably 64 well protected and only documented in ME-specific docs and the BIOS writer's 65 guides. We are aware of a few leaked documents though that give us a few hints 66 about it, but nothing substantial regarding its implementation. 67 68 The documents are somewhat contradicting each other in various points which 69 might be due to factual changes in process of time or due to the different 70 capabilities of the ME firmwares, example: 71 72 Intel's Flash Programming Tool (FPT) "automatically stops ME writing to SPI 73 ME Region, to prevent both writing at the same time, causing data corruption." [ME8] 74 75 "FPT is not HMRFPO-capable, so needs [the help of the FDOPS pin] HDA_SDO if 76 used to update the ME Region." [SPS] 77 78 When looking at the various ME firmware editions (and different chipsets), things 79 get very unclear. Some docs say that HMRFPO needs to be sent before End-of-POST 80 (EOP), others say that the ME region can be updated in the field or that some 81 vendor tools use it for updates. This needs to be investigated further before 82 drawing any conclusion. 83 84 [MODE_CTRL] Client Platform Enabling Tour: Platform Software 85 Document Number: 439167, Revision 1.2, page 52 86 [MEBX] Intel Management Engine BIOS Extension (MEBX) User's Guide 87 Revision 1.2, Section 3.1 and 3.5 88 [DCMI] DCMI Host Interface Specification 89 Revision 1.0 90 [KERNEL] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=drivers/staging/mei;hb=HEAD 91 [SPI_PROG] Ibex Peak SPI Programming Guide 92 Document Number: 403598, Revision 1.3, page 79 93 [ME8] Manufacturing with Intel Management Engine (ME) Firmware 8.X on Intel 7 Series 94 Revision 2.0, page 59 95 [SPS] Manufacturing with Intel Management Engine (ME) on Intel C600 Series Chipset 1 96 for Romley Server 2 Platforms using Server Platform Services (SPS) Firmware 97 Revision 2.2, page 51
Note: See TracChangeset for help on using the changeset viewer.