
Intel ME region deblobbing [EVE only, for now]

Open simonepsp opened this issue 5 years ago • 5 comments

Dear all,

as a person concerned about security and privacy, coming from a ThinkPad X230 (w/ coreboot) I felt the need of implementing an automated firmware deblobbing (which uses the wonderful @corna/me_cleaner script).

It still lacks a check on me_cleaner's output. So please proceed with care, but I didn't encounter any problems so far. It has been tested on my new Pixelbook i7 (see photo below).

P.S. I'm confident that this would work on any Chromebook but it would be great if someone from the community could confirm this. For the time being, the user will be asked to deblob his firmware only when run on EVE (Pixelbook).

IMG_8253

simonepsp avatar Dec 03 '19 12:12 simonepsp

> I'm confident that this would work on any Chromebook but would be great if someone from the community could confirm this.

One cannot read, let alone write, the ME firmware region on a stock ChromeOS device, due to it being locked via the IFD configuration. So this isn't useful to any Chromebook/box users unless they've first externally flashed their device to unlock the IFD. Which is what I assume you did at some point, since I'm pretty sure EVE doesn't ship with an unlocked flash descriptor.

MrChromebox avatar Dec 03 '19 16:12 MrChromebox

Argh, you're right. I just checked a BIOS backup and the Intel ME region is indeed missing. The flashrom output tricked me, saying that the writing was "VERIFIED", and I thought it had successfully written even the ME region, which was originally included in the coreboot ROM.

Is there an easy way to unlock the IFD? (Maybe with ifdtool?) Thanks for your help. Please accept my apology, I was sure I had found the answer to this.

At this point, I guess this proposed solution is also wrong, if one doesn't unlock the IFD first: https://github.com/corna/me_cleaner/issues/300

simonepsp avatar Dec 03 '19 19:12 simonepsp

The IFD can be unlocked with ifdtool (-u option), but the IFD is RO on a live system (normally). You would need to flash the IFD externally, at which point you can just flash the cleaned ME as well. On EVE (and any other CR50 device with CCD support), you can easily do this with a USB-C debug (aka Suzy-Q) cable.

Whitelisting the MFS partition is required on Skylake and newer platforms otherwise the PCIe routing isn't performed correctly (so NVMe and WiFi wouldn't work).

MrChromebox avatar Dec 03 '19 20:12 MrChromebox
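
The descriptor lock discussed in the comments above can be checked offline on a full flash dump before trusting a backup or a "VERIFIED" message. This is an added example, not code from this PR, me_cleaner or ifdtool; it assumes the version 2 descriptor layout (Skylake and newer) with the dump starting at flash offset 0, and `parse_ifd`, `me_report` and `build_sample` are hypothetical names.

```python
import struct

FLVALSIG = 0x0FF0A55A  # flash descriptor signature, at offset 0x10
REGIONS = ("descriptor", "bios", "me", "gbe", "platform_data")

def parse_ifd(image):
    """Region ranges and host-CPU access bits (assumes descriptor v2 layout)."""
    if struct.unpack_from("<I", image, 0x10)[0] != FLVALSIG:
        raise ValueError("no flash descriptor at the start of this image")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # base of the region table (FLREGn)
    fmba = (flmap1 & 0xFF) << 4          # base of the master table (FLMSTRn)
    flmstr1 = struct.unpack_from("<I", image, fmba)[0]  # host CPU / BIOS master
    info = {}
    for idx, name in enumerate(REGIONS):
        flreg = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        info[name] = {
            "range": (base, limit) if base <= limit else None,  # None: unused
            "host_read": bool(flmstr1 >> (8 + idx) & 1),    # v2: bits 19:8
            "host_write": bool(flmstr1 >> (20 + idx) & 1),  # v2: bits 31:20
        }
    return info

def me_report(image):
    """Summarize the ME region: range, host access, whether the dump holds data."""
    me = parse_ifd(image)["me"]
    if me["range"] is None:
        return "descriptor defines no ME region"
    base, limit = me["range"]
    data = image[base:limit + 1]
    blank = data.count(0xFF) == len(data)
    lock = "host R%s W%s" % tuple("-+"[me[k]] for k in ("host_read", "host_write"))
    return "ME %#x-%#x, %s, %s" % (base, limit, lock,
                                   "blank (0xFF)" if blank else "has data")

def build_sample(flmstr1, me_fill=b"\xff"):
    """Constructed 12 KiB image: descriptor, ME and BIOS of 4 KiB each."""
    img = bytearray(b"\xff" * 0x3000)
    struct.pack_into("<III", img, 0x10, FLVALSIG, 0x00040003, 0x00000008)
    struct.pack_into("<5I", img, 0x40, 0x0, 0x00020002, 0x00010001, 0x7FFF, 0x7FFF)
    struct.pack_into("<I", img, 0x80, flmstr1)
    img[0x1000:0x2000] = me_fill * 0x1000
    return bytes(img)

if __name__ == "__main__":
    print(me_report(build_sample(0x00200300)))           # constructed: ME locked
    print(me_report(build_sample(0xFFFFFF00, b"\x24")))  # constructed: all access
```

A result of `host R- W-` means the descriptor denies the running system access to the ME region, so a dump or write made from that system cannot be assumed to cover it.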

Thanks a lot! I will give it a try in the next days :)

simonepsp avatar Dec 09 '19 07:12 simonepsp

I have no intention of integrating ME cleaner support, since 99.9% of users can't flash the ME region from a live system anyway.

MrChromebox avatar Feb 20 '21 21:02 MrChromebox

@MrChromebox You should close this PR if it has been rejected.

GravisZro avatar Dec 23 '22 14:12 GravisZro