Recreating FULL 12Mb ROM image from Lenovo downloaded, neutered+deactivated xx30 ME exe #327

Closed
tlaurion opened this issue May 12, 2020 · 5 comments

Comments

@tlaurion

Hello there,

Attempting to bridge the legal gap/inertia in creating full 12mb reproducible Heads ROM images.

I realized recently that:

user@x230-external-flash:~/heads$ python ~/me_cleaner/me_cleaner.py -r -t -d -O out.bin -D blobs/xx30/x230-ifd.bin -M blobs/xx30/me.bin build/x230-external-flash/coreboot.rom
Full image detected
Found FPT header at 0x3010
Found 1 partition(s)
Found FTPR header: FTPR partition spans from 0xd00 to 0xcad00
ME/TXE firmware version 8.1.72.3002 (generation 2)
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
The AltMeDisable bit is SET
Reading partitions list...
 FTPR (      no data here      , 0x000ca000 total bytes): nothing to remove
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xee)...
Reading FTPR modules list...
 UPDATE           (LZMA   , 0x04d208 - 0x04d3c6       ): Traceback (most recent call last):
  File "/home/user/me_cleaner/me_cleaner.py", line 859, in <module>
    args.keep_modules)
  File "/home/user/me_cleaner/me_cleaner.py", line 373, in check_and_remove_modules
    end_addr = remove_modules(f, mod_headers, offset, me_end)
  File "/home/user/me_cleaner/me_cleaner.py", line 182, in remove_modules
    f.fill_range(offset, end, b"\xff")
  File "/home/user/me_cleaner/me_cleaner.py", line 101, in fill_range
    raise OutOfRegionException()
__main__.OutOfRegionException

  • This shows some inconsistencies, resulting in the full ROM not containing a valid GbE region, since the result is as if the GbE region was not included.

  • ifdtool -d on the extracted ifd.bin shows the same result as when asking a dump on the whole generated coreboot.rom on this commit

The resulting full ROM image still results in e1000e not probing the Ethernet card correctly, while me_cleaner still complains when run against downloaded ROM regions being invalid. Any insight?

@tlaurion

@corna: any insight playing with the CI produced coreboot.rom?

@tlaurion

@corna: actually this output shows that coreboot doesn't integrate gbe.bin at all in coreboot.

@tlaurion

tlaurion commented May 12, 2020

@corna:
I was able to inject GbE with the last commit, which results in a fully functional ROM, with of course a static MAC being hardcoded in the GBe.bin.

Could we fix that by randomizing it? Could me_cleaner extract GbE + ME + IFD, minimizing what is linked to a host computer (remove IFD OEM host-related information in IFD, generalizing it) and randomize the GbE MAC address? Would you be interested in being funded to do such work? The ME update.exe contains the full ME; preextracted IFD and GbE from a preexisting ROM works but should be anonymized.

The last coreboot.rom artifact still gives the same result when trying to reapply me_cleaner on it, even though the ROM is completely functional, including the GbE blob:

user@x230-external-flash:~/heads$ python ~/me_cleaner/me_cleaner.py -r -t -d -O out.bin -D blobs/xx30/x230-ifd.bin -M blobs/xx30/me.bin build/x230-external-flash/coreboot.rom
Full image detected
Found FPT header at 0x3010
Found 1 partition(s)
Found FTPR header: FTPR partition spans from 0xd00 to 0xcad00
ME/TXE firmware version 8.1.72.3002 (generation 2)
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
The AltMeDisable bit is SET
Reading partitions list...
 FTPR (      no data here      , 0x000ca000 total bytes): nothing to remove
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xee)...
Reading FTPR modules list...
 UPDATE           (LZMA   , 0x04d208 - 0x04d3c6       ): Traceback (most recent call last):
  File "/home/user/me_cleaner/me_cleaner.py", line 859, in <module>
    args.keep_modules)
  File "/home/user/me_cleaner/me_cleaner.py", line 373, in check_and_remove_modules
    end_addr = remove_modules(f, mod_headers, offset, me_end)
  File "/home/user/me_cleaner/me_cleaner.py", line 182, in remove_modules
    f.fill_range(offset, end, b"\xff")
  File "/home/user/me_cleaner/me_cleaner.py", line 101, in fill_range
    raise OutOfRegionException()
__main__.OutOfRegionException

I guess there are some misalignments between IFD and real regions, but can't spot it.
@PatrickRudolph

@tlaurion

@corna: updates here following official Intel doc:

I did a quick search and found the gbe area documented for

    Intel 6 Series Chipsets

in the datasheet:

    Intel® 82579 Gigabit Ethernet PHY

Chapter LAN NVM Format and Contents.

It's using an A/B partition scheme where only 128 bytes are checksummed, but way less are actually used.
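
Added example, not part of the issue thread and not code from Heads or me_cleaner: a Python sketch that validates the 128-byte checksummed area of each GbE copy and replaces the hardcoded MAC with a locally administered one, then repairs the checksum. It assumes the Intel NVM conventions used by the e1000e driver (64 little-endian words summing to 0xBABA, MAC in the first six bytes, checksum in word 0x3F) and an 8 KiB region holding two 4 KiB copies; verify these against the datasheet chapter named above. The function names are hypothetical.

```python
import os
import struct

NVM_SUM = 0xBABA           # target word sum (e1000e calls this NVM_SUM)
CHECKSUMMED_WORDS = 0x40   # 64 x 16-bit words = the 128 checksummed bytes
CHECKSUM_WORD = 0x3F       # assumption: last checksummed word holds the checksum
BANK_SIZE = 0x1000         # assumption: A/B copies are 4 KiB each


def word_sum(bank) -> int:
    """16-bit sum of the checksummed little-endian words of one copy."""
    words = struct.unpack_from("<%dH" % CHECKSUMMED_WORDS, bank, 0)
    return sum(words) & 0xFFFF


def bank_is_valid(bank) -> bool:
    """True when the copy is long enough and its words sum to NVM_SUM."""
    return len(bank) >= CHECKSUMMED_WORDS * 2 and word_sum(bank) == NVM_SUM


def random_local_mac() -> bytes:
    """Random unicast MAC with the locally administered bit set."""
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return bytes(raw)


def set_mac(region: bytes, mac: bytes) -> bytes:
    """Return a copy of the GbE region with mac in every copy, checksums fixed."""
    if len(mac) != 6 or mac[0] & 0x01:
        raise ValueError("MAC must be 6 bytes and unicast")
    if not region or len(region) % BANK_SIZE:
        raise ValueError("region must be a whole number of 4 KiB copies")
    out = bytearray(region)
    for base in range(0, len(out), BANK_SIZE):
        out[base:base + 6] = mac                      # words 0..2 hold the MAC
        csum_off = base + CHECKSUM_WORD * 2
        struct.pack_into("<H", out, csum_off, 0)      # zero before summing
        partial = word_sum(out[base:base + BANK_SIZE])
        struct.pack_into("<H", out, csum_off, (NVM_SUM - partial) & 0xFFFF)
    return bytes(out)


if __name__ == "__main__":
    blank = b"\xff" * (2 * BANK_SIZE)                 # constructed sample region
    fixed = set_mac(blank, random_local_mac())
    for i in range(0, len(fixed), BANK_SIZE):
        print(hex(i), fixed[i:i + 6].hex(":"), bank_is_valid(fixed[i:i + BANK_SIZE]))
```

Everything outside the first 128 bytes of each copy is left untouched, so the rest of a known-good gbe.bin carries over unchanged.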

@tlaurion

GbE generated and included in maximized ROMs for a while. Closing.
