sravan/system76-firmware-open
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: Update Intel ME info

Browse Source 
Document the new CMOS option for enabling/disabling the IME.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
This commit is contained in:
Tim Crawford
2021-12-21 10:32:37 -07:00
committed by Tim Crawford
parent 92a601fbb7
commit 9c63db4c9f
1 changed files with 27 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
docs/intel-me.md
View File

@@ -1,19 +1,35 @@
# Intel Management Engine # Intel Management Engine
Intel-based machines by System76 come with the [Intel Management Engine][wiki] [Intel Management Engine][wiki] is a proprietary, mostly undocumented, firmware
disabled. It is a proprietary, mostly undocumented, system that provides many system that provides many extraneous features that are generally not usable or
extraneous features that are generally not usable or useful to our users, with useful to our users, with multiple known vulnerabilities that compromise the
multiple known vulnerabilities that compromise the entire system. entire system.
The Intel ME is _required_ (since Nehalem, 2008), so cannot be removed. The The Intel ME is _required_ (since Nehalem, 2008), so cannot be removed. The
[me\_cleaner] project is able to remove non-essential components, but currently [me\_cleaner] project is able to remove non-essential components, but does not
does not support the ME version used on many of our systems. Instead, we [send support the ME version used on many of our systems. Instead, we [send a HECI
a HECI command][heci_disable] to tell the Intel ME to disable runtime command][CB52800] to tell the Intel ME to disable runtime components during
components during early boot. early boot.
Most Intel-based machines from System76 come with the IME disabled.
## Configuring
The IME can be enabled or disabled via the coreboot CMOS option `me_state`.
The value can be set using coreboot's nvramtool.
```
make -C coreboot/util/nvramtool
sudo ./coreboot/util/nvramtool/nvramtool -w me_state={Enable,Disable}
```
A restart is required for the change to take effect. On the boot after changing
the value, the system will perform a global reset (power off again) to complete
the change and ensure the IME is operating in a valid state.
## Tiger Lake-U ## Tiger Lake-U
Models using TGL-U processors currently leave the IME enabled. TGL-U removes Models using TGL-U processors default to having the IME enabled. TGL-U removes
support for S3 and requires S0ix. This requires all CPU, PCH, and PCIe devices support for S3 and requires S0ix. This requires all CPU, PCH, and PCIe devices
to have ACPI defined low power states. With S0ix, the CPU has numerous states to have ACPI defined low power states. With S0ix, the CPU has numerous states
for low power, with the lowest being C10. In order to reach this C10 state, the for low power, with the lowest being C10. In order to reach this C10 state, the
@@ -21,6 +37,7 @@ IME must report that it is in a low power state. Disabling the ME with the HAP
bit keeps the CPU in the C8 state. This nearly triples the power usage in S0ix bit keeps the CPU in the C8 state. This nearly triples the power usage in S0ix
suspend, from around 1 watt to around 3 watts. suspend, from around 1 watt to around 3 watts.
[wiki]: https://en.wikipedia.org/wiki/Intel_Management_Engine [wiki]: https://en.wikipedia.org/wiki/Intel_Management_Engine
[me\_cleaner]: https://github.com/corna/me_cleaner [me\_cleaner]: https://github.com/corna/me_cleaner
[heci_disable]: https://github.com/system76/coreboot/blob/011439cb9196d6a71d394ead8c98dfd8ead325d4/src/soc/intel/cannonlake/me.c#L186 [CB52800]: https://review.coreboot.org/c/coreboot/+/52800