summaryrefslogtreecommitdiffstats
path: root/Documentation/mysteries_intel.txt
diff options
context:
space:
mode:
authorStefan Tauner <stefan.tauner@alumni.tuwien.ac.at>2012-04-27 20:41:23 +0000
committerStefan Tauner <stefan.tauner@alumni.tuwien.ac.at>2012-04-27 20:41:23 +0000
commit2abab94c18721181c8d517b8e31ffada22145ea9 (patch)
tree5942453208bdb73ff2bfeadc94fbacf79d5bf023 /Documentation/mysteries_intel.txt
parent23bb6d579f0e8d76905ee108b85db10b0cf11f90 (diff)
downloadast2050-flashrom-2abab94c18721181c8d517b8e31ffada22145ea9.zip
ast2050-flashrom-2abab94c18721181c8d517b8e31ffada22145ea9.tar.gz
Add a bunch of new/tested stuff and various small changes 12
Tested Mainboards: OK: - ASUS M4A785T-M http://www.flashrom.org/pipermail/flashrom/2012-April/009118.html - ASUS P5VD2-MX http://www.flashrom.org/pipermail/flashrom/2012-March/009014.html - ASUS P8Z68-V PRO/GEN3 http://www.flashrom.org/pipermail/flashrom/2012-April/009086.html - Bachmann electronic OT200 http://www.flashrom.org/pipermail/flashrom/2012-April/009094.html - Biostar N61PB-M2S http://www.flashrom.org/pipermail/flashrom/2012-March/008958.html - GIGABYTE GA-H61M-D2-B3 http://www.flashrom.org/pipermail/flashrom/2012-March/009002.html - MSI MS-7740 (H61MA-E35(B3)) http://www.flashrom.org/pipermail/flashrom/2012-March/008985.html - Tyan S2875 (Tiger K8W) http://www.flashrom.org/pipermail/flashrom/2012-March/008986.html - ZOTAC nForce 630i Supreme (N73U-Supreme) http://www.flashrom.org/pipermail/flashrom/2012-April/009073.html - ZOTAC ZBOX AD02 (PLUS) http://www.flashrom.org/pipermail/flashrom/2012-April/009047.html NOT OK: - ASRock H67M http://www.flashrom.org/pipermail/flashrom/2012-March/008909.html - ASUS P8P67 LE http://paste.flashrom.org/view.php?id=1097 - ASUS Maximus IV Extreme http://www.flashrom.org/pipermail/flashrom/2012-March/009033.html - Biostar H61MU3 http://www.flashrom.org/pipermail/flashrom/2012-February/008832.html - Biostar M7VIQ http://www.flashrom.org/pipermail/flashrom/2012-February/008863.html - Dell Inspiron 580 http://www.flashrom.org/pipermail/flashrom/2012-March/008888.html - Dell Vostro 460 http://www.flashrom.org/pipermail/flashrom/2012-April/009144.html - Fujitsu-Siemens CELSIUS W410 (D3062-A1) http://www.flashrom.org/pipermail/flashrom/2012-March/008987.html - EPoX EP-3PTA http://www.flashrom.org/pipermail/flashrom/2012-April/009043.html - HP XW6400 http://www.flashrom.org/pipermail/flashrom/2012-March/009006.html - HP XW9300 http://www.flashrom.org/pipermail/flashrom/2012-February/008862.html - Intel DG965OT http://paste.flashrom.org/view.php?id=1096 - Intel DN2800MT (Marshalltown) http://www.flashrom.org/pipermail/flashrom/2012-April/009095.html - Lenovo T420 http://paste.flashrom.org/view.php?id=1095 - Lenovo X1 http://www.flashrom.org/pipermail/flashrom/2012-April/009135.html - MSI GF615M-P33 http://www.flashrom.org/pipermail/flashrom/2012-March/008956.html Tested flash chips: - mark EN25Q32(A/B) as TEST_OK_PROBE (+P) http://www.flashrom.org/pipermail/flashrom/2012-February/008832.html - mark S25FL032A as TEST_OK_PR (+PR) http://www.flashrom.org/pipermail/flashrom/2012-April/009105.html - mark AT25DF161 as TEST_OK_PROBE (+P) http://www.flashrom.org/pipermail/flashrom/2012-April/009095.html - mark SST as TEST_OK_PREW (+EW) http://www.flashrom.org/pipermail/flashrom/2012-April/009094.html Tested chipset enables: - H61 (various reports) - SiS 755 http://www.flashrom.org/pipermail/flashrom/2012-April/009072.html - Fix compilation of ich_descriptor_tool which was broken since r1492. - Add Documentation regarding unlocking the ME region on Intel chipsets. - Fix reading the flash descriptor via FDOC/FDOD and prettyprinting of the descriptor on boards with 5 active regions. - Reorder some boards in print.c. - Add Intel 7 Series (Panther Point) PCI IDs. - Add preliminary PCI IDs for future Intel chipsets (DH89xxCC and Lynx Point) see https://lkml.org/lkml/2012/2/20/467 - Change the message for untested chipsets to send only after an attempt to update the firmware with flashrom. - Fix warnings in ich_descriptor_tool's build. Corresponding to flashrom svn r1524. Signed-off-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at> Acked-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at>
Diffstat (limited to 'Documentation/mysteries_intel.txt')
-rw-r--r--Documentation/mysteries_intel.txt81
1 files changed, 80 insertions, 1 deletions
diff --git a/Documentation/mysteries_intel.txt b/Documentation/mysteries_intel.txt
index d6d3dfb..55921cf 100644
--- a/Documentation/mysteries_intel.txt
+++ b/Documentation/mysteries_intel.txt
@@ -15,4 +15,83 @@
See also http://www.flashrom.org/pipermail/flashrom/2011-August/007606.html
= Unlocking the ME region =
-TODO
+ If the ME region is locked by the FRAP register in descriptor mode, the host
+ software is not allowed to read or write any address inside that region. There
+ are different ways to unlock access:
+
+ - A pin strap: Flash Descriptor Security Override Strap (as indicated by the
+ Flash Descriptor Override Pin Strap Status (FDOPSS) in HSFS. That pin is
+ probably not accessible to end users on consumer boards (every Intel doc i
+ have seen stresses that this is for debugging in manufacturing only and
+ should not be available for end users).
+ The ME indicates this in bits [19:16] (Operation Mode) in the HFS register of
+ the HECI/MEI PCI device by setting them to 4 (SECOVR_JMPR) [MODE_CTRL].
+
+ - Intel Management Engine BIOS Extension (MEBx) Disable
+ This option may be available to end users on some boards usually accessible
+ by hitting ctrl+p after BIOS POST. Quote: "'Disabling' the Intel ME does not
+ really disable it: it causes the Intel ME code to be halted at an early stage
+ of the Intel ME's booting so that the system has no traffic originating from
+ the Intel ME on any of the buses." [MEBX] The ME indicates this in
+ bits [19:16] (Operation Mode) in the HFS register of the HECI/MEI PCI device
+ by setting them to 3 (Soft Temporary Disable) [MODE_CTRL].
+
+ - Previous to Ibex Peak/5 Series chipsets removing the DIMM from slot (or
+ channel?) #0 disables the ME completely, which may give the host access to
+ the ME region.
+
+ - HMRFPO (Host ME Region Flash Protection Override) Enable MEI command
+ This is the most interesting one because it allows to temporarily disable
+ the ME region protection by software. The ME indicates this in bits [19:16]
+ (Operation Mode) in the HFS register of the HECI/MEI PCI device by setting
+ them to 5 (SECOVER_MEI_MSG) [MODE_CTRL].
+
+== MEI/HECI ==
+ Communication between the host software and the different services provided by
+ the ME is done via a packet-based protocol that uses MMIO transfers to one or
+ more virtual PCI devices. Upon this layer there exist various services that can
+ be used to read out hardware management values (e.g. temperatures, fan speeds
+ etc.). The lower levels of that protocol are well documented:
+ The locations/offsets of the PCI MMIO registers are noted in the chipset
+ datasheets. The actually communication is documented in a whitepaper [DCMI] and
+ an outdated as well as a current Linux kernel implementation (currently in
+ staging/ exist [KERNEL]. There exists a patch that re-implements this in user
+ space (as part of flashrom).
+
+== Problems ==
+ The problem is that only very few higher level protocols are documented publicly,
+ especially the bunch of messages that contain the HMRFPO commands is probably
+ well protected and only documented in ME-specific docs and the BIOS writer's
+ guides. We are aware of a few leaked documents though that give us a few hints
+ about it, but nothing substantial regarding its implementation.
+
+ The documents are somewhat contradicting each other in various points which
+ might be due to factual changes in process of time or due to the different
+ capabilities of the ME firmwares, example:
+
+ Intel's Flash Programming Tool (FPT) "automatically stops ME writing to SPI
+ ME Region, to prevent both writing at the same time, causing data corruption." [ME8]
+
+ "FPT is not HMRFPO-capable, so needs [the help of the FDOPS pin] HDA_SDO if
+ used to update the ME Region." [SPS]
+
+ When looking at the various ME firmware editions (and different chipsets), things
+ get very unclear. Some docs say that HMRFPO needs to be sent before End-of-POST
+ (EOP), others say that the ME region can be updated in the field or that some
+ vendor tools use it for updates. This needs to be investigated further before
+ drawing any conclusion.
+
+[MODE_CTRL] Client Platform Enabling Tour: Platform Software
+ Document Number: 439167, Revision 1.2, page 52
+[MEBX] Intel Management Engine BIOS Extension (MEBX) User's Guide
+ Revision 1.2, Section 3.1 and 3.5
+[DCMI] DCMI Host Interface Specification
+ Revision 1.0
+[KERNEL] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=drivers/staging/mei;hb=HEAD
+[SPI_PROG] Ibex Peak SPI Programming Guide
+ Document Number: 403598, Revision 1.3, page 79
+[ME8] Manufacturing with Intel Management Engine (ME) Firmware 8.X on Intel 7 Series
+ Revision 2.0, page 59
+[SPS] Manufacturing with Intel Management Engine (ME) on Intel C600 Series Chipset 1
+ for Romley Server 2 Platforms using Server Platform Services (SPS) Firmware
+ Revision 2.2, page 51
OpenPOWER on IntegriCloud