Apr 27, 2012, 10:41:23 PM (4 years ago)

Add a bunch of new/tested stuff and various small changes 12.

Tested Mainboards:


Tested flash chips:

Tested chipset enables:

  • Fix compilation of ich_descriptor_tool which was broken since r1492.
  • Add Documentation regarding unlocking the ME region on Intel chipsets.
  • Fix reading the flash descriptor via FDOC/FDOD and prettyprinting of the descriptor on boards with 5 active regions.
  • Reorder some boards in print.c.
  • Add Intel 7 Series (Panther Point) PCI IDs.
  • Add preliminary PCI IDs for future Intel chipsets (DH89xxCC and Lynx Point) see https://lkml.org/lkml/2012/2/20/467
  • Change the message for untested chipsets to send only after an attempt to update the firmware with flashrom.
  • Fix warnings in ich_descriptor_tool's build.

Signed-off-by: Stefan Tauner <stefan.tauner@…>
Acked-by: Stefan Tauner <stefan.tauner@…>

1 edited


  • trunk/Documentation/mysteries_intel.txt

    r1465 r1524  
    1717= Unlocking the ME region =
    18 TODO
     18 If the ME region is locked by the FRAP register in descriptor mode, the host
     19 software is not allowed to read or write any address inside that region. There
     20 are different ways to unlock access:
     22 - A pin strap: Flash Descriptor Security Override Strap (as indicated by the
     23   Flash Descriptor Override Pin Strap Status (FDOPSS) in HSFS. That pin is
     24   probably not accessible to end users on consumer boards (every Intel doc i
     25   have seen stresses that this is for debugging in manufacturing only and
     26   should not be available for end users).
     27   The ME indicates this in bits [19:16] (Operation Mode) in the HFS register of
     28   the HECI/MEI PCI device by setting them to 4 (SECOVR_JMPR) [MODE_CTRL].
     30 - Intel Management Engine BIOS Extension (MEBx) Disable
     31   This option may be available to end users on some boards usually accessible
     32   by hitting ctrl+p after BIOS POST. Quote: "'Disabling' the Intel ME does not
     33   really disable it: it causes the Intel ME code to be halted at an early stage
     34   of the Intel ME's booting so that the system has no traffic originating from
     35   the Intel ME on any of the buses." [MEBX] The ME indicates this in
     36   bits [19:16] (Operation Mode) in the HFS register of the HECI/MEI PCI device
     37   by setting them to 3 (Soft Temporary Disable) [MODE_CTRL].
     39 - Previous to Ibex Peak/5 Series chipsets removing the DIMM from slot (or
     40   channel?) #0 disables the ME completely, which may give the host access to
     41   the ME region.
     43 - HMRFPO (Host ME Region Flash Protection Override) Enable MEI command
     44   This is the most interesting one because it allows to temporarily disable
     45   the ME region protection by software. The ME indicates this in bits [19:16]
     46   (Operation Mode) in the HFS register of the HECI/MEI PCI device by setting
     47   them to 5 (SECOVER_MEI_MSG) [MODE_CTRL].
     49== MEI/HECI ==
     50 Communication between the host software and the different services provided by
     51 the ME is done via a packet-based protocol that uses MMIO transfers to one or
     52 more virtual PCI devices. Upon this layer there exist various services that can
     53 be used to read out hardware management values (e.g. temperatures, fan speeds
     54 etc.). The lower levels of that protocol are well documented:
     55 The locations/offsets of the PCI MMIO registers are noted in the chipset
     56 datasheets. The actually communication is documented in a whitepaper [DCMI] and
     57 an outdated as well as a current Linux kernel implementation (currently in
     58 staging/ exist [KERNEL]. There exists a patch that re-implements this in user
     59 space (as part of flashrom).
     61== Problems ==
     62 The problem is that only very few higher level protocols are documented publicly,
     63 especially the bunch of messages that contain the HMRFPO commands is probably
     64 well protected and only documented in ME-specific docs and the BIOS writer's
     65 guides. We are aware of a few leaked documents though that give us a few hints
     66 about it, but nothing substantial regarding its implementation.
     68 The documents are somewhat contradicting each other in various points which
     69 might be due to factual changes in process of time or due to the different
     70 capabilities of the ME firmwares, example:
     72 Intel's Flash Programming Tool (FPT) "automatically stops ME writing to SPI
     73 ME Region, to prevent both writing at the same time, causing data corruption." [ME8]
     75 "FPT is not HMRFPO-capable, so needs [the help of the FDOPS pin] HDA_SDO if
     76 used to update the ME Region." [SPS]
     78 When looking at the various ME firmware editions (and different chipsets), things
     79 get very unclear. Some docs say that HMRFPO needs to be sent before End-of-POST
     80 (EOP), others say that the ME region can be updated in the field or that some
     81 vendor tools use it for updates. This needs to be investigated further before
     82 drawing any conclusion.
     84[MODE_CTRL] Client Platform Enabling Tour: Platform Software
     85            Document Number: 439167, Revision 1.2, page 52
     86[MEBX]      Intel Management Engine BIOS Extension (MEBX) User's Guide
     87            Revision 1.2, Section 3.1 and 3.5
     88[DCMI]      DCMI Host Interface Specification
     89            Revision 1.0
     90[KERNEL]    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=drivers/staging/mei;hb=HEAD
     91[SPI_PROG]  Ibex Peak SPI Programming Guide
     92            Document Number: 403598, Revision 1.3, page 79
     93[ME8]       Manufacturing with Intel Management Engine (ME) Firmware 8.X on Intel 7 Series
     94            Revision 2.0, page 59
     95[SPS]       Manufacturing with Intel Management Engine (ME) on Intel C600 Series Chipset 1
     96            for Romley Server 2 Platforms using Server Platform Services (SPS) Firmware
     97            Revision 2.2, page 51
Note: See TracChangeset for help on using the changeset viewer.