aka a l l o f t h e m
On Intel Sandybridge, IvyBridge and Haswell platforms,
the flash is divided into these partitions:

* Intel Flash Descriptor (IFD)
* Intel Management Engine (ME)
* Intel Gigabit Ethernet NVM (GbE)
* Platform Data
* BIOS

IFD contains many configuration details of the entire
machine, but for our purpose, you might compare this
to the MBR or GPT section (partition table) on an HDD
or SSD. It does, among other things, define these regions.

Intel Management Engine is a coprocessor that handles,
among other things, certain power management and OOB
execution for things like Intel AMT, providing remote
management features; it also implements a soft TPM on
some platforms, and (on later platforms) Intel Boot Guard.

GbE contains configuration data for the onboard ethernet
chipset, if it's an Intel chipset. It also stores the
MAC address.

Platform Data is essentially just text, where you can
store any number of things. Vendors will sometimes put
information here e.g. version information for firmware.

The BIOS region contains actual boot firmware, for
example Canoeboot.

The Intel ME is a binary blob, so it cannot be included
in Canoeboot. On *Libreboot*, we handle this where needed,
by automatically downloading it from a vendor, and
processing it with the me_cleaner utility which disables
the ME after early bringup; only the ROMP and BUP modules
remain. These are essentially an analog of coreboot, as
they initialise the Intel ME. The Intel ME's own bootrom
executes the ME firmware stored in system flash, from
the ME region.

The *Canoeboot* setup differs greatly from Libreboot, in
that the Intel ME is not handled at all, on these platforms.
It is possible to still disable early ME bringup, by setting
the HAP (ME AltDisable) bit in the IFD; coreboot also has
an option called ME Soft Temporary Disable, and we use this
by default.

With use of either HAP and/or Temporary Disable, a full ME
region, with nothing removed (no me_cleaner) is functionally
identical, as this means only the ROMP and BUP modules will
run, and other modules are disabled.

Libreboot handles Intel ME by generating a *full* image,
including Intel ME, downloading the ME firmware at build
time; Libreboot's way of doing it violates GNU FSDG, and
thus could not be used in Canoeboot.

Canoeboot *does not* handle the Intel ME, but it doesn't
need to. We simply provide images where the Intel ME region
in the ROM is all zeroes. If you then flash the ME region
with that, it will result in a brick; however, you can avoid
flashing the ME region.

The flashprog software (also flashrom which we no longer
use) can be made to flash only specific parts of the flash,
by using either the --ifd option, or by using a layout file.

To generate a layout file, do this on a Canoeboot ROM:

    ./ifdtool -f layout.txt canoeboot.rom

You can then do e.g.:

    ./flashprog -l layout.txt -i fd canoeboot.rom
    ./flashprog -l layout.txt -i gbe canoeboot.rom
    ./flashprog -l layout.txt -i bios canoeboot.rom

In these examples, fd means IFD, gbe means GbE and
bios means BIOS, so you flash these regions. If you
wanted to flash Intel ME, you could use -i me, but
Canoeboot users migrating from factory firmware or
Libreboot can simply leave the ME region alone.

For all of these machines being added, the BIOS region
is entirely free software; even microcode updates are
excluded. The machines run just fine without microcode
updates, after extensive testing.

The IFD and GBE are not software; they are just config,
and their data format is fully documented by public
Intel datasheets. Canoeboot provides the nvmutil software
for changing GBE MAC addresses, and also ifdtool from
coreboot which can be used to modify IFD if you wish.

The general rule of thumb is this:

* If flashing Canoeboot from factory firmware, please
  flash both the IFD and BIOS regions; you may also
  modify the GBE region if you wish
* If flashing Canoeboot from Libreboot firmware, please
  note that Libreboot *shrinks* the ME, and uses a different
  IFD layout; some Dell mainboards also use 16KB GbE in
  the Canoeboot setup, mirroring what the vendor did, where
  Libreboot corrected this to 8KB:
* Therefore, if flashing Canoeboot from Libreboot, please
  flash ONLY the GbE and BIOS regions; do not flash the IFD
  region.

Libreboot's way of doing it is superior, because you don't
need to care what's in the original flash, since Intel ME
and other vendor files are automatically downloaded at
build time and inserted into images, or inserted after
the fact by use of a special script on release images.

Canoeboot's method has risks, because for example you might
ignore this entire commit message or the documentation that
I'm going to write covering these facts, and you would then
possibly overwrite the ME region with zeroes, or something
else stupid. If you did do that, you could always just build
Libreboot or something, and use that, but obviously We in
the Canoeboot project do not recommend this, as it would
be extremely unGNU.

Signed-off-by: Leah Rowe <leah@libreboot.org>
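
Added example (not part of the commit and not Canoeboot's own code): a Python pre-flash check that reads a layout file in the "start:end name" form written by ifdtool -f, applies the rule of thumb from the message above, and refuses any region that is all zeroes in the image, as the ME region is in these images. The sample layout and image are constructed, and the function names and the RULES table are hypothetical.

```python
import re

# Constructed sample: layout text in the "start:end name" form written by
# `ifdtool -f`, and a tiny fake image whose ME region is all zeroes.
SAMPLE_LAYOUT = """\
00000000:00000fff fd
00001000:00002fff gbe
00003000:00004fff me
00005000:00005fff bios
"""
SAMPLE_IMAGE = b"\x5a" * 0x1000 + b"\x11" * 0x2000 + bytes(0x2000) + b"\xeb" * 0x1000

# Rule of thumb from the commit message: which regions to write, and which
# must not be written, depending on the firmware currently in flash.
RULES = {"factory": (["fd", "bios"], set()), "libreboot": (["gbe", "bios"], {"fd"})}

def parse_layout(text):
    """Return {name: (start, end)}; offsets are hex and the end is inclusive."""
    regions = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]+):([0-9a-fA-F]+)\s+(\S+)", line.strip())
        if m:
            regions[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return regions

def region_is_zeroed(image, span):
    """True if every byte of the region is 0x00 in the image to be flashed."""
    start, end = span
    if start > end or end >= len(image):
        raise ValueError("region does not fit inside the image")
    return not any(image[start:end + 1])

def regions_to_flash(image, layout, coming_from, extra=()):
    """List the region names that are safe to pass to -i, or raise ValueError."""
    wanted, forbidden = RULES[coming_from]
    plan = []
    for name in list(wanted) + list(extra):
        if name in forbidden:
            raise ValueError(f"do not flash {name!r} when coming from {coming_from}")
        if name not in layout:
            raise ValueError(f"layout has no {name!r} region")
        if region_is_zeroed(image, layout[name]):
            raise ValueError(f"{name!r} is all zeroes in this image; refusing to write it")
        if name not in plan:
            plan.append(name)
    return plan

if __name__ == "__main__":
    layout = parse_layout(SAMPLE_LAYOUT)
    print(regions_to_flash(SAMPLE_IMAGE, layout, "factory", extra=("gbe",)))
```
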