mirror of
https://codeberg.org/canoeboot/cbmk.git
synced 2025-06-06 22:57:20 +01:00

aka a l l o f t h e m

On Intel Sandybridge, IvyBridge and Haswell platforms, the flash is divided into these partitions:

* Intel Flash Descriptor (IFD)
* Intel Management Engine (ME)
* Intel Gigabit Ethernet NVM (GbE)
* Platform Data
* BIOS

IFD contains many configuration details of the entire machine, but for our purpose, you might compare this to the MBR or GPT section (partition table) on an HDD or SSD. It does, among other things, define these regions.

Intel Management Engine is a coprocessor that handles, among other things, certain power management and OOB execution for things like Intel AMT, providing remote management features; it also implements a soft TPM on some platforms, and (on later platforms) Intel Boot Guard.

GbE contains configuration data for the onboard ethernet chipset, if it's an Intel chipset. It also stores the MAC address.

Platform Data is essentially just text, where you can store any number of things. Vendors will sometimes put information here e.g. version information for firmware.

The BIOS region contains actual boot firmware, for example Canoeboot.

The Intel ME is a binary blob, so it cannot be included in Canoeboot. On *Libreboot*, we handle this where needed, by automatically downloading it from a vendor, and processing it with the me_cleaner utility which disables the ME after early bringup; only the ROMP and BUP modules remain. These are essentially an analog of coreboot, as they initialise the Intel ME. The Intel ME's own bootrom executes the ME firmware stored in system flash, from the ME region.

The *Canoeboot* setup differs greatly from Libreboot, in that the Intel ME is not handled at all, on these platforms. It is possible to still disable early ME bringup, by setting the HAP (ME AltDisable) bit in the IFD; coreboot also has an option called ME Soft Temporary Disable, and we use this by default.

With use of either HAP and/or Temporary Disable, a full ME region, with nothing removed (no me_cleaner) is functionally identical, as this means only the ROMP and BUP modules will run, and other modules are disabled.

Libreboot handles Intel ME by generating a *full* image, including Intel ME, downloading the ME firmware at build time; Libreboot's way of doing it violates GNU FSDG, and thus could not be used in Canoeboot.

Canoeboot *does not* handle the Intel ME, but it doesn't need to. We simply provide images where the Intel ME region in the ROM is all zeroes. If you then flash the ME region with that, it will result in a brick; however, you can avoid flashing the ME region.

The flashprog software (also flashrom which we no longer use) can be made to flash only specific parts of the flash, by using either the --ifd option, or by using a layout file. To generate a layout file, do this on a Canoeboot ROM:

    ./ifdtool -f layout.txt canoeboot.rom

You can then do e.g.:

    ./flashprog -l layout.txt -i fd canoeboot.rom
    ./flashprog -l layout.txt -i gbe canoeboot.rom
    ./flashprog -l layout.txt -i bios canoeboot.rom

In these examples, fd means IFD, gbe means GbE and bios means BIOS, so you flash these regions. If you wanted to flash Intel ME, you could use -i me, but Canoeboot users migrating from factory firmware or Libreboot can simply leave the ME region alone.

For all of these machines being added, the BIOS region is entirely free software; even microcode updates are excluded. The machines run just fine without microcode updates, after extensive testing.

The IFD and GBE are not software; they are just config, and their data format is fully documented by public Intel datasheets. Canoeboot provides the nvmutil software for changing GBE MAC addresses, and also ifdtool from coreboot which can be used to modify IFD if you wish.

The general rule of thumb is this:

* If flashing Canoeboot from factory firmware, please flash both the IFD and BIOS regions; you may also modify the GBE region if you wish
* If flashing Canoeboot from Libreboot firmware, please note that Libreboot *shrinks* the ME, and uses a different IFD layout; some Dell mainboards also use 16KB GbE in the Canoeboot setup, mirroring what the vendor did, where Libreboot corrected this to 8KB:
  * Therefore, if flashing Canoeboot from Libreboot, please flash ONLY the GbE and BIOS regions; do not flash the IFD region.

Libreboot's way of doing it is superior, because you don't need to care what's in the original flash, since Intel ME and other vendor files are automatically downloaded at build time and inserted into images, or inserted after the fact by use of a special script on release images.

Canoeboot's method has risks, because for example you might ignore this entire commit message or the documentation that I'm going to write covering these facts, and you would then possibly overwrite the ME region with zeroes, or something else stupid.

If you did do that, you could always just build Libreboot or something, and use that, but obviously We in the Canoeboot project do not recommend this, as it would be extremely unGNU.

Signed-off-by: Leah Rowe <leah@libreboot.org>
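
The rule of thumb above can be checked before any write. This is an added example, not part of the commit or of Canoeboot's tooling: it parses a layout file in the `start:end name` form, refuses the `me` region when it is all zeroes in the image, and refuses regions the message advises against for the given starting firmware. The names `vet_regions`, `ALLOWED` and the 64-byte sample image are hypothetical and constructed for illustration.

```python
import re

LAYOUT_RE = re.compile(r"^([0-9a-fA-F]+):([0-9a-fA-F]+)\s+(\S+)$")

# Regions the commit message says to write, keyed by what is on the chip now.
ALLOWED = {
    "factory": {"fd", "gbe", "bios"},   # IFD + BIOS, GbE optional
    "libreboot": {"gbe", "bios"},       # IFD layout differs, so never "fd"
}

def parse_layout(text):
    """Parse layout lines of the form 'start:end name' (hex, end inclusive)."""
    regions = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LAYOUT_RE.match(line)
        if m is None:
            raise ValueError(f"bad layout line: {raw!r}")
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end < start:
            raise ValueError(f"inverted range: {raw!r}")
        regions[m.group(3)] = (start, end)
    return regions

def vet_regions(image, layout_text, source, requested):
    """Return {region: verdict} for each region the user wants to write."""
    regions = parse_layout(layout_text)
    verdicts = {}
    for name in requested:
        if name not in regions:
            verdicts[name] = "refuse: not in layout"
            continue
        start, end = regions[name]
        if end >= len(image):
            verdicts[name] = "refuse: outside image"
        elif name == "me" and not any(image[start:end + 1]):
            verdicts[name] = "refuse: ME region is all zeroes"
        elif name not in ALLOWED[source]:
            verdicts[name] = f"refuse: not advised when coming from {source}"
        else:
            verdicts[name] = "ok"
    return verdicts

# Constructed 64-byte stand-in for a ROM (real images are several MiB).
SAMPLE_LAYOUT = ("00000000:0000000f fd\n00000010:0000001f gbe\n"
                 "00000020:0000002f me\n00000030:0000003f bios\n")
SAMPLE_IMAGE = b"\x5a" * 32 + b"\x00" * 16 + b"\xc0" * 16
```

Only regions with an `ok` verdict should then be passed to `-i`.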