= BBAR on ICH8 =
There is no sign of BBAR (BIOS Base Address Configuration Register) in the
public datasheet (or specification update) of the ICH8. Also, the offset of
that register has changed between ICH7 (SPIBAR + 50h) and ICH9 (SPIBAR +
A0h), so we have no clue if or where it is on ICH8. Our current policy is to
not touch it at all and assume/hope it is 0.

= SMM BIOS Write Protection =
Sometimes a hardware vendor will enable "SMM BIOS Write Protect" (SMM_BWP)
in the firmware during boot time. The bits that control SMM_BWP are in the
BIOS_CNTL register in the LPC interface.

When enabled, the SPI flash can only be written when the system is operating
in System Management Mode (SMM). In other words, only certain code that was
installed by the BIOS can write to the flash chip. Programs that run in OS
context such as flashprog can still read the flash chip, but cannot write to the
flash chip.

Flashprog will attempt to detect this and print a warning such as the following:
"Warning: BIOS region SMM protection is enabled!"

Many vendor-supplied firmware update utilities do not actually write to the ROM;
instead they transfer data to/from memory which is read/written by a routine
running in SMM and is responsible for writing to the firmware ROM. This causes
severe system performance degradation since all processors must be in SMM
context (ring -2) instead of OS context (ring 0) while the firmware ROM is being
written.

= Accesses beyond region bounds in descriptor mode =
Intel's flash image tool will always expand the last region so that it covers
the whole flash chip, but some boards ship with a different configuration.
It seems that in descriptor mode all addresses outside the used regions cannot
be accessed whatsoever. This is not specified anywhere publicly as far as we
could tell. flashprog does not handle this explicitly yet. It will just fail
when trying to touch an address outside of any region.
See also http://www.flashrom.org/pipermail/flashrom/2011-August/007606.html

= (Un)locking the ME region =
If the ME region is locked by the FRAP register in descriptor mode, the host
software is not allowed to read or write any address inside that region.
Although the chipset datasheets specify that "[t]he contents of this register
are that of the Flash Descriptor" [PANTHER], this is not entirely true.
The firmware has to fill at least some of the registers involved. It is not
known when they become read-only or any other details, but there is at least
one HM67-based board that provides a user-changeable setting in the firmware
user interface to enable ME region updates, which leads to a FRAP content that
is not equal to the descriptor region bits [NC9B].

There are different ways to unlock access:

- A pin strap: Flash Descriptor Security Override Strap (as indicated by the
  Flash Descriptor Override Pin Strap Status (FDOPSS) in HSFS). That pin is
  probably not accessible to end users on consumer boards (every Intel doc I
  have seen stresses that this is for debugging in manufacturing only and
  should not be available for end users).
  The ME indicates this in bits [19:16] (Operation Mode) in the HFS register of
  the HECI/MEI PCI device by setting them to 4 (SECOVR_JMPR) [MODE_CTRL].

- Intel Management Engine BIOS Extension (MEBx) Disable
  This option may be available to end users on some boards, usually accessible
  by hitting ctrl+p after BIOS POST. Quote: "'Disabling' the Intel ME does not
  really disable it: it causes the Intel ME code to be halted at an early stage
  of the Intel ME's booting so that the system has no traffic originating from
  the Intel ME on any of the buses." [MEBX] The ME indicates this in
  bits [19:16] (Operation Mode) in the HFS register of the HECI/MEI PCI device
  by setting them to 3 (Soft Temporary Disable) [MODE_CTRL].

- Prior to the Ibex Peak/5 Series chipsets, removing the DIMM from slot (or
  channel?) #0 disables the ME completely, which may give the host access to
  the ME region.

- HMRFPO (Host ME Region Flash Protection Override) Enable MEI command
  This is the most interesting one because it allows the ME region protection
  to be disabled temporarily by software. The ME indicates this in bits [19:16]
  (Operation Mode) in the HFS register of the HECI/MEI PCI device by setting
  them to 5 (SECOVER_MEI_MSG) [MODE_CTRL].

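Added example (not flashprog's or Intel's code): it decodes the FRAP-versus-descriptor mismatch behind the NC9B note above and the Operation Mode field that the list above refers to, using the FRAP and FLMSTR1 bit layouts from the public Intel chipset datasheets. The register values are constructed from the note's "FRAP 0e0f" / "FLMSTR1 0a0b" shorthand; the upper FRAP bytes and the FLMSTR1 requester ID are assumed to be zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Flash regions as numbered by the descriptor's FLREGn entries. */
enum { REG_DESC = 0, REG_BIOS, REG_ME, REG_GBE, REG_PDR, NUM_REGIONS };
static const char *const region_names[NUM_REGIONS] = {
	"Descriptor", "BIOS", "ME", "GbE", "Platform Data" };

/* FRAP (SPIBAR + 50h): bits 7:0 BRRA (read), bits 15:8 BRWA (write). */
#define FRAP_BRRA(v)    ((v) & 0xff)
#define FRAP_BRWA(v)    (((v) >> 8) & 0xff)
/* FLMSTR1 in the descriptor (master 1 = host BIOS): bits 15:0 requester ID,
 * bits 23:16 region read access, bits 31:24 region write access. */
#define FLMSTR_READ(v)  (((v) >> 16) & 0xff)
#define FLMSTR_WRITE(v) (((v) >> 24) & 0xff)

/* Bitmask of regions whose read or write permission in the live FRAP register
 * differs from the descriptor, i.e. regions the firmware (un)locked itself. */
static unsigned frap_descriptor_mismatch(uint32_t frap, uint32_t flmstr1)
{
	unsigned diff = (FRAP_BRRA(frap) ^ FLMSTR_READ(flmstr1)) |
			(FRAP_BRWA(frap) ^ FLMSTR_WRITE(flmstr1));
	return diff & ((1u << NUM_REGIONS) - 1);
}

/* Operation Mode: HFS bits 19:16 of the HECI/MEI PCI device [MODE_CTRL]. */
static unsigned hfs_operation_mode(uint32_t hfs) { return (hfs >> 16) & 0xf; }

/* True for the three modes the list above associates with ME region access:
 * 3 = Soft Temporary Disable, 4 = SECOVR_JMPR, 5 = SECOVER_MEI_MSG. */
static int mode_unlocks_me_region(unsigned mode)
{
	return mode == 3 || mode == 4 || mode == 5;
}

int main(void)
{
	/* Constructed from the NC9B note, "FRAP 0e0f" vs. "FLMSTR1 0a0b"; the upper
	 * FRAP bytes and the FLMSTR1 requester ID are assumed to be zero. */
	uint32_t frap = 0x00000e0f, flmstr1 = 0x0a0b0000;
	unsigned diff = frap_descriptor_mismatch(frap, flmstr1);
	for (unsigned r = 0; r < NUM_REGIONS; r++)
		if (diff & (1u << r))
			printf("%s region: FRAP differs from descriptor\n", region_names[r]);
	printf("mode %u unlocks ME region: %d\n", hfs_operation_mode(0x00050000),
	       mode_unlocks_me_region(hfs_operation_mode(0x00050000)));
	return 0;
}
```

On the NC9B values only the ME region (bit 2) differs: FRAP grants the BIOS master read and write access to it while the descriptor's FLMSTR1 does not.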
== MEI/HECI ==
Communication between the host software and the different services provided by
the ME is done via a packet-based protocol that uses MMIO transfers to one or
more virtual PCI devices. On top of this layer there exist various services that
can be used to read out hardware management values (e.g. temperatures, fan speeds
etc.). The lower levels of that protocol are well documented:
The locations/offsets of the PCI MMIO registers are noted in the chipset
datasheets. The actual communication is documented in a whitepaper [DCMI], and
an outdated as well as a current Linux kernel implementation (currently in
staging/) exist [KERNEL]. There exists a patch that re-implements this in user
space (as part of flashprog).

== Problems ==
The problem is that only very few higher level protocols are documented publicly;
especially the set of messages that contain the HMRFPO commands is probably
well protected and only documented in ME-specific docs and the BIOS writer's
guides. We are aware of a few leaked documents though that give us a few hints
about it, but nothing substantial regarding its implementation.

The documents somewhat contradict each other in various points, which
might be due to factual changes over time or due to the different
capabilities of the ME firmwares. Example:

Intel's Flash Programming Tool (FPT) "automatically stops ME writing to SPI
ME Region, to prevent both writing at the same time, causing data corruption." [ME8]

"FPT is not HMRFPO-capable, so needs [the help of the FDOPS pin] HDA_SDO if
used to update the ME Region." [SPS]

When looking at the various ME firmware editions (and different chipsets), things
get very unclear. Some docs say that HMRFPO needs to be sent before End-of-POST
(EOP), others say that the ME region can be updated in the field or that some
vendor tools use it for updates. This needs to be investigated further before
drawing any conclusion.

[PANTHER] Intel 7 Series Chipset Family Platform Controller Hub (PCH) Datasheet
          Document Number: 326776, April 2012, page 857
[NC9B] Jetway NC9B flashrom v0.9.5.2-r1517 log with ME region unlocked.
       NB: "FRAP 0e0f" vs. "FLMSTR1 0a0b".
       http://paste.flashrom.org/view.php?id=1215
[MODE_CTRL] Client Platform Enabling Tour: Platform Software
            Document Number: 439167, Revision 1.2, page 52
[MEBX] Intel Management Engine BIOS Extension (MEBX) User's Guide
       Revision 1.2, Section 3.1 and 3.5
[DCMI] DCMI Host Interface Specification
       Revision 1.0
[KERNEL] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=drivers/staging/mei;hb=HEAD
[SPI_PROG] Ibex Peak SPI Programming Guide
           Document Number: 403598, Revision 1.3, page 79
[ME8] Manufacturing with Intel Management Engine (ME) Firmware 8.X on Intel 7 Series
      Revision 2.0, page 59
[SPS] Manufacturing with Intel Management Engine (ME) on Intel C600 Series Chipset 1
      for Romley Server 2 Platforms using Server Platform Services (SPS) Firmware
      Revision 2.2, page 51