On generation 1 (ME version <= 5), Intel ME can be disabled completely
by:
* Wiping its firmware
* Disabling the corresponding region
* Setting the meDisable bits in ICHSTRP0 and MCHSTRP0
Optionally, with the usual -d flag, me_cleaner can remove the ME's RW
permissions to the other regions (but it probably has no effect, as Intel
ME is disabled anyway).
Based on ich9deblob from the libreboot project.
Now me_cleaner is able to distinguish between ME, TXE and SPS images.
This will be useful in future commits, where variant (or version)
specific fixes must be applied.
Check and remove partitions from $FPT based on their name instead of
removing all partitions different from FTPR and hardcoding the addition
of FTPR partition into $FPT.
This is required in order to add support for unremovable partitions,
other than FTPR, which is required on some machines.
While some BIOSes behave better with the bit set, others don't. As
me_cleaner has been already tested on many platforms (and we don't want to
break things if it previously worked), revert to the default behaviour
and add an option (-S) to optionally set the HAP/AltMeDisable bit.
So now the situation is:
-s: just set the HAP/AltMeDisable bit, without modifying the firmware
-S: modify the firmware and set the HAP/AltMeDisable bit
none of them: modify the firmware but don't set the HAP/AltMeDisable bit
Positive Technologies discovered the presence of an undocumented HAP bit
in the PCHSTRP0 field of the descriptor which, when set to 1, disables
completely disables Intel ME just after the initialization. This is confirmed both
by an analysis of the status of Intel ME after the setting of the bit and
by reverse engineering the BUP module.
More information in their blog post:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
Moreover, Igor Skochinsky discovered a bit in PCHSTRP10, which achieves
more or less the same result as the HAP bit for ME < 11.
With this commit one of these bits is set to 1: instead of halting due to
corrupted modules, Intel ME now halts before trying to load them, possibly
leading to a cleaner shutoff of the ME subsystem.
-D can be used to extract the flash descriptor from a full image. When used
with -t, it extracts the flash descriptor and modifies it to shrink the ME
region and expand the BIOS one.
-M can be used to extract the ME image. When used with -t it extracts a
truncated ME image.
This commit has been widely tested on an MSI H110M (Sunrise Point) with an
i3-6300T, on two different ME firmware:
* 11.6.1.1142 CON (2.0 MB, no AMT)
* 11.6.1.1142 COR (7.1 MB, AMT)
In particular:
* The only fundamental FTPR modules seem to be rbe, kernel, syslib and
bup. Incidentally, on CON images, these modules are the only ones
Huffman-compressed. Removing any of these modules inhibits the correct
powering on of the PC.
* Now that the Huffman modules are not mixed together in a single Huffman
stream, removing them is trivial and can be done in the same way as the
LZMA/uncompressed modules.
* For the same reason, as there isn't a LLUT header anymore, the
partitions can be freely moved without any change in the content of the
partition, thus the relocation option has been added.
* The truncation information has been adjusted, like in the older ME
versions. However, the correct functioning of a PC with a truncated ME
region hasn't been tested yet.
With this commit me_cleaner is able to remove the majority of the FTPR
modules, going from the original code size of 2.0 MB (no AMT) or 6-7 MB
(AMT) to ~300 kB of compressed code.
It seems that the NR value doesn't really matter, as it is equal to 0 in some
images. The presence of a particular region is tied to the condition
region_end > region_start.
It seems that Intel ME requires some data after the last valid byte, as
truncating the image just after the last byte does not work.
For now this "safety margin" has been set to 4 blocks (16 kB).
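As an added example (not me_cleaner's own code), the following Python parses a constructed flash descriptor with the presence rule from the commit above (region_end > region_start, NR ignored), rounds a truncated ME size up to whole blocks plus the 16 kB safety margin, and recomputes the ME and BIOS region entries the way the -D with -t commit describes. Assumptions: 15-bit FLREG base/limit fields, the region table base taken from FLMAP0, and the 0x0FF0A55A signature at descriptor offset 0x10; the descriptor bytes are constructed.

```python
import struct
FD_SIGNATURE = 0x0FF0A55A                     # descriptor magic at offset 0x10
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")
BLOCK = 0x1000                                # 4 kB flash block
SAFETY_MARGIN = 4 * BLOCK                     # 16 kB, as in the commit message

def _frba(desc):  # region table base: FLMAP0 bits 16-23, in 16-byte units
    if struct.unpack_from("<I", desc, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("not a flash descriptor")
    return ((struct.unpack_from("<I", desc, 0x14)[0] >> 16) & 0xff) << 4

def parse_regions(desc):
    """{name: (start, end)} or None. NR in FLMAP0 is ignored: presence is
    decided by region_end > region_start, as the commit describes."""
    frba, regions = _frba(desc), {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", desc, frba + 4 * i)[0]
        start = (flreg & 0x7fff) << 12                 # 15-bit base field assumed
        end = (((flreg >> 16) & 0x7fff) + 1) << 12     # exclusive end
        regions[name] = (start, end) if end > start else None
    return regions

def truncated_size(last_valid_offset, margin=SAFETY_MARGIN):
    """Bytes to keep: data up to the last valid byte + margin, rounded up to blocks."""
    return -(-(last_valid_offset + 1 + margin) // BLOCK) * BLOCK

def shrink_me_region(desc, new_me_size):
    """Shrink ME to new_me_size bytes; grow BIOS downward to follow it (-D with -t)."""
    regions = parse_regions(desc)
    me_start, me_end = regions["ME"]
    bios_start, bios_end = regions["BIOS"]
    if new_me_size % BLOCK or not 0 < new_me_size < me_end - me_start:
        raise ValueError("bad ME size")
    if bios_start != me_end:
        raise ValueError("BIOS region does not directly follow ME region")
    new_me_end, frba, out = me_start + new_me_size, _frba(desc), bytearray(desc)
    def flreg(start, end):  # encode an inclusive-limit FLREG entry
        return (((end >> 12) - 1) << 16) | (start >> 12)
    struct.pack_into("<I", out, frba + 4 * 2, flreg(me_start, new_me_end))
    struct.pack_into("<I", out, frba + 4 * 1, flreg(new_me_end, bios_end))
    return bytes(out)

def build_sample_descriptor():  # constructed 8 MB layout: FD, ME 2 MB, BIOS 6 MB
    d = bytearray(BLOCK)
    struct.pack_into("<I", d, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", d, 0x14, 0x04 << 16)          # NR = 0, FRBA = 0x40
    for i, v in enumerate((0x00000000, 0x07ff0200, 0x01ff0001, 0x7fff, 0x7fff)):
        struct.pack_into("<I", d, 0x40 + 4 * i, v)       # GbE/PDR absent: end < start
    return bytes(d)
```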