1====================== 2ME (Management Engine) 3====================== 4 5ME stands for Management Engine (or Manageability Engine) and refers to an Embedded Controller found in Intel chipsets. It uses different versions 6of an `ARC <http://en.wikipedia.org/wiki/ARC_International>`_ 32-bit microcontroller that runs its own operating system independently from the user's. 7The ME has access to all kinds of buses which allows for out-of-band processing which is used for features 8like `Active Management Technology <http://en.wikipedia.org/wiki/Intel_Active_Management_Technology>`_, but it makes it also a very interesting target for black hats. 9The firmware it runs is secured by certificates stored in ROM, but it is a complex beast and it is very unlikely that there is 10no `way around its security measures <http://invisiblethingslab.com/resources/misc09/Quest%20To%20The%20Core%20(public).pdf>`_ (intentional backdoors included). 11For further details about the ME please see these excellent `slides by Igor Skochinsky <http://2012.ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%202012%20Skochinsky.pdf>`_ 12and the `Security Evaluation of AMT by Vassilios Ververis <http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf>`_. 13 14Effects on flashrom 15=================== 16 17The firmware of the ME usually shares the flash memory with the firmware of the host PC (BIOS/UEFI/coreboot). 18The address space is separated into regions (similar to partitions on a harddisk). The first one (*Descriptor region*) 19contains configuration data which contains something similar to a partition table and access rights for the different devices that can access the flash 20(host CPU, ME, GbE controller). These restrictions are enforced by the chipset's SPI controller which is the main interface for flashrom 21to access the flash chip(s) attached to the chipset. Intel recommends to set the descriptor region read-only and to forbid reads and writes to the ME region by the host CPU. 22Writes by the host could interfere with the code running on the ME. This means that flashrom which runs on the host PC can not access 23the ME firmware region of the flash at all in this configuration. flashrom detects that, warns the user and disables write access for safety reasons in that case. 24 25Unlocking the ME region 26======================= 27 28There are a few ways to enable full access to the ME region, but they are not user friendly at all in general. Also, the Descriptor region is not affected by these actions, 29so it is still not possible to access the complete flash memory even when the ME region is unlocked. For the different possibilities please see 30the document :doc:`misc_intel`. 31 32Suggested workarounds 33===================== 34 35 * If you just want to update the proprietary firmware of the board use the vendor tool(s). 36 * If you need full access to the flash chip get an external programmer (see :doc:`/supported_hw/supported_prog/index`) and try in-circuit programming. 37 * If you only need to update the BIOS region, then you may use the options ``--ifd -i bios --noverify-all`` to write (and verify) only the BIOS region as described in the Intel flash descriptor. 38 39.. todo:: Migrate page for in-circuit programming (ISP) 40 41See also 42======== 43 44 * The respective `coreboot page on the management engine <http://www.coreboot.org/Intel_Management_Engine>`_ 45 * :doc:`misc_intel` 46