[coreboot] Experiments with disabling the ME on Sandybridge x230

ron minnich wrote:
> That's pretty interesting. I had no idea that would work.
>
> I wonder if erasing it all erases that little boot of the ME you need to
> get the hardware going, whereas the 4KB erase lets the little bootstrap
> run but disables the ME otherwise. If so, that's great news.

The ME code to start the platform is in (on-chip) ROM, and a failed signature check of the (compressed with an AFAIK still unknown codebook) ME code in flash just means that the ME considers the system broken and allows it to run for a little while so that a human can repair it.

It's described pretty well in the Platform Embedded Security Revealed book, along with the fact that the ME will sync its internal clock with NTP servers across the internet once every 30 days, to make CRL checks for the remote management PKI work. Maybe this particular thing doesn't happen with the smaller ME firmware. Dunno.

//Peter