Replacing x86 firmware with Linux and Go

Posted Nov 21, 2017 18:25 UTC (Tue) by cyphar (subscriber, #110703)
In reply to: Replacing x86 firmware with Linux and Go by ThinkRob
Parent article: Replacing x86 firmware with Linux and Go

You can use me_cleaner in both the "remove as many modules as possible" and "enable HAP / MeDisable bit" modes -- which should reduce your concerns. This is what I've done on my X220, and I believe it is what Purism is doing for their new laptops.

Replacing x86 firmware with Linux and Go

Posted Nov 22, 2017 0:32 UTC (Wed) by ThinkRob (guest, #64513) [Link]

AFAIK this doesn't work for laptops where Boot Guard is enabled and enforcing using the keys burned in during board manufacture.

I have an X230 running coreboot w/ a stripped + HAPd ME, but with subsequent ThinkPads actually modifying the ME seems to cause Boot Guard to brick the whole system. And since the key is supposedly OEM-specific and burned into the chipset (CPU?) itself, it's not like you can replace it yourself.

What I *don't* know is if setting the HAP bit but leaving the rest of the ME image the same will trigger Boot Guard's hissy fit.

(The above is based on my understanding of Boot Guard, which may be comically wrong. Please correct if it is!)