Using the Coreboot utility tool returns just a few lines starting with MEM, nothing about Intel ME.
I was wondering if this means the Librem 15 does in fact have ME enabled or this tool is simply dated.
Could you be more specific which command you run and which output you get?
what firmware type an version are you running on your L15v4?
Absolutely no L15v4s have ever shipped with an enabled ME (unless one was inadvertently shipped without firmware being flashed with coreboot). It’s not possible to re-enable the ME on a L15v4 which is running Purism firmware without some major work, since you’d need to find a “clean” version of the ME firmware used on the device, then reconfigure it to match the cleaned/neutered ME firmware on the device already. The number of people who know how to do that is pretty damn small.
If your device is running upstream/non-Purism coreboot firmware, then it’s likely not reporting any ME status at all, since the status is not normally reported when the ME is disabled (there’s a patch in Purism’s tree to print it regardless).
2 Likes
Running: sudo ./cbmem -c | grep ^ME
Returns 4 lines starting with MEM and then some numbers after.
I’m not sure, is there a command to check?
I had just used the Coreboot utility to flash PureBoot and that was successful so whatever the latest version of that is.
As for the patch, would the latest utility contain that? I ran these commands:
mkdir ~/updates
cd ~/updates
wget https://source.puri.sm/coreboot/utility/raw/master/coreboot_util.sh -O coreboot_util.sh
sudo bash ./coreboot_util.sh
it’s reported in the Pueboot System Info menu item.
Pureboot R20 should include the patch to report the status of a disabled ME, if it’s not then I need to fix that for the next release. But rest assured that no output is a good sign here, since an enabled ME would report itself as such
Yeah I can confirm I’m on R20 and the utility doesn’t report anything about ME.
Will I have to reflash Pureboot when you release a patch? Or is it a bug with cbmem.c?
Thanks
it’s an issue with Pureboot R20 then, there’s nothing wrong with cbmem
It looks like cbmem just reads predefined values set in Coreboot/Pureboot. Does this mean the “bug” is the lack of manually entered ME status or is there some kind of test Pureboot does to derive this value?
cbmem just reads tables from RAM, that’s it.
I need to investigate to see why the ME status isn’t being printed; either my patch didn’t get applied, or it needs to be updated
Does your patch set ME values (as per your input) to RAM to later be read by cbmem? Or is there a test that executes and reports the results to ram to be read by cbmem?
I’m just wondering if there’s a test being run against an ME function that would only run properly with intact ME or if it’s just a manufacture set value being returned.
as I explained above, coreboot by default will skip printing the status of the ME if it is disabled; my patch removes that check, so the ME status gets printed regardless of enabled/disabled status
Alright I understand so a good test on my end would be to run the cbmem command on a machine with Coreboot that hasn’t had ME cleaned and it should return something related to ME?
yes, but where/how that info is printed is platform specific
looking at Pureboot R20, it seems that upstream coreboot was used instead of Purism’s repo, which explains why the patches were missing / why the ME status isn’t printed. I’ll be sure this is fixed in R21
2 Likes