Damus
sister_sam · 2w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq05gxtz00vfxzdela6xrhyvtqxmaxqz65d9hws3d56e72trqgcmvsxk52hs x86 is something I know very well. I don't see how mere opcode set is the problem. C...
Mr Penguin
@nprofile1q... Coreboot doesn't stop ME. ME is essential to bringing up and initializing all modern Intel-based systems.

What happens when you "disable" it is that the system boots, half the ME is or can be overwritten and will not execute if the disable bit is set, but the other half of the ME still executes.

You can actually see this happening if you set the ME option to disabled in coreboot and/or use one of the other methods to disable the ME.

So when you first turn it on, the system will run half of the ME and then it'll do what I believe would constitute a soft reboot.

If you check whether or not the ME is running, it will show it is not running. However, this doesn't mean it wasn't run. It was, as it is critical for the bringing up and initialization of the system.

As I understand it, the first half of the ME is signed and MUST execute. It can't be replaced by something you've built from source code (not that we have the source code). But basically, even if we somehow reverse engineered this component and wrote our own code, it wouldn't matter. It still would not execute as it's not signed with Intel's private key.

I haven't got a lot of first-hand experience with coreboot and the numerous forks myself, but I'm around the folks tinkering with, building, and developing some of these components, porting versions of coreboot to newer systems, deblobbing it, etc.

I can tell you some of the "wtf are you guys doing" issues with it. Though I also half understand the logic... it makes sure the development environment is the same for everyone... but it just doesn't sit well with me. We should be able to build everything from sources and not be relying on a set of binaries. For example, at least one of the forks is using Docker, which I find a bit hypocritical.
sister_sam · 2w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq05gxtz00vfxzdela6xrhyvtqxmaxqz65d9hws3d56e72trqgcmvsxk52hs But what can be done with the remaining part of ME against me and in what context precisely? Show me how having an x86 coreboot router running OpenWrt can be successfully breached witho...