Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

coreboot-nitrokey: hard-code ME state during boot #1596

Merged
merged 1 commit into from
Jan 22, 2024
Merged

coreboot-nitrokey: hard-code ME state during boot #1596

merged 1 commit into from
Jan 22, 2024

Conversation

daringer
Copy link
Collaborator

fixes Nitrokey#39

Dasharo v1.7.2 introduced a feature to always set the ME state during boot based on the EDK2 defined values.
This led to the ME being activated in Nitrokey's v2.4 release, this PR fixes this by hard-coding the EDK2 defined values.

This PR is intentionally minimal to minimize testing and release fast - the Nitropad releases, will be build from this branch.

We are currently testing - it affects anyways the coreboot-nitrokey module exclusively - so don't see further needs for testing - we will not only test our branch, but also the upstream artifacts. Once the tests are done I will promote this PR to "ready-for-review".

@tlaurion tlaurion marked this pull request as ready for review January 22, 2024 16:19
tlaurion
tlaurion approved these changes Jan 22, 2024
View reviewed changes
Copy link
Collaborator

@tlaurion tlaurion left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if cbmem reports ME disabled.

@daringer : Can you post output before after this commit?

@daringer
Copy link
Collaborator Author

The originating issue describes what has been tested, 1. to 4. and all are either empty or disabled. Namely dmesg does not contain any contents like mei, HECI and CSE. Coreboot logs are a little more precise:

[WARN ]  HECI: CSE device 16.0 is disabled

/.. snip ../

[WARN ]  HECI: CSE device 16.0 is disabled
[DEBUG]  CSE is disabled, cannot send End-of-Post (EOP) message
[WARN ]  HECI: CSE device 16.0 is disabled
[WARN ]  HECI: CSE device 16.1 is disabled
[WARN ]  HECI: CSE device 16.2 is disabled
[WARN ]  HECI: CSE device 16.3 is disabled
[WARN ]  HECI: CSE device 16.4 is disabled
[WARN ]  HECI: CSE device 16.5 is disabled

verified on NV41 & NS50

@daringer
Copy link
Collaborator Author

We'll run another test-iteration also for the patch against upstream and plan to officially release tomorrow.

@tlaurion
Copy link
Collaborator

The originating issue describes what has been tested, 1. to 4. and all are either empty or disabled. Namely dmesg does not contain any contents like mei, HECI and CSE. Coreboot logs are a little more precise:

[WARN ]  HECI: CSE device 16.0 is disabled

/.. snip ../

[WARN ]  HECI: CSE device 16.0 is disabled
[DEBUG]  CSE is disabled, cannot send End-of-Post (EOP) message
[WARN ]  HECI: CSE device 16.0 is disabled
[WARN ]  HECI: CSE device 16.1 is disabled
[WARN ]  HECI: CSE device 16.2 is disabled
[WARN ]  HECI: CSE device 16.3 is disabled
[WARN ]  HECI: CSE device 16.4 is disabled
[WARN ]  HECI: CSE device 16.5 is disabled

verified on NV41 & NS50

@daringer ME linux modules are not packed under Heads for a while, I have opened an issue to remove artifacts and not build them forward from linux configurations at #1597 (comment) since no current board configurations actually instruct modules/linux to pack them under modules.cpio.

Therefore, you only have cbmem output under Heads, no dmesg output from kernel in regard of ME.

@daringer
Copy link
Collaborator Author

oh sorry, for clarification: We did inspections of dmesg in QubesOS and Ubuntu to ensure that ME is not made available by some OS mechanism, similar to what was reported in the original issue ...
HEADS' dmesg output - correct as you state @tlaurion does either way not contain any ME related messages

JonathonHall-Purism
JonathonHall-Purism approved these changes Jan 22, 2024
View reviewed changes
Copy link
Collaborator

@JonathonHall-Purism JonathonHall-Purism left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable to me 👍

@tlaurion tlaurion merged commit 25066e5 into linuxboot:master Jan 22, 2024
51 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tlaurion tlaurion tlaurion approved these changes

@JonathonHall-Purism JonathonHall-Purism JonathonHall-Purism approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Intel Management Engine not actually disabled on NK Heads 2.4?
3 participants
@daringer @tlaurion @JonathonHall-Purism