It's possible to 'clean' the ME partition within the flash medium as part of the build process. While cleaning as much code as possible is removed from the ME firmware partition. In this state the ME errors out and doesn't operate any more.
Using a 'cleaned' ME partition may lead to issues and its use should be carefully evaluated.
Always test with unmodified IFD and ME section before reporting bugs to the coreboot project.
By default the cleaned ME firmware will still occupy the same space in the firmware image. It's possible to change the firmware partition layout and reclaim the space for the use by coreboot. With the reduced Intel ME firmware the ifd
, gbe
and me
regions require less than 128 KiB of space in the ROM, which leaves the remaining for the bios
region.
This tutorial will guide you through the steps necessary.
You need a full and working ROM with a full Intel ME firmware.
You need to run the me_cleaner on a full ROM, here called fulldump.rom
: The full ROM contains:
Running the command will generate two new files:
./util/me_cleaner/me_cleaner.py -D patched_desciptor.bin -M stripped_me.bin fulldump.rom -t -r -S
The generated files are:
patched_desciptor.bin
stripped_me.bin
The patched IFD has the AltMeDisable bit set and a modified flash layout.
Note: coreboot allows to select CONFIG_ME_CLEANER
as part of the build-process, but that doesn't rework the flash layout, it only removes files from ME and sets the AltMeDisable-bit.
As you have modified the layout you need to write the full ROM to flash using an external programmer. Make sure to include all partitions into the ROM: