util/me_cleaner: Update to v1.2

Changelog:
 * Add support for the HAP/AltMeDisable bit
 * Add support for selective partition removal
 * Fix the ME permission removal on gen. 3
 * Add public key match
 * Print the compressed size of the Huffman modules on gen. 2
 * Wipe the ME6 Ignition firmware images
 * Fix the removal of the last partition on ME6
 * Various region size fixes
 * Add manpage
 * Add setup.py
 * Print the value of the HAP/AltMeDisable bit

The output image should be identical, except for the platforms affected
by bugs (ME 6.x, but it's not supported by coreboot and ME 11.x with the
-d option, but it's not being used in our build process).
Overall, nothing should change when it's used with the
CONFIG_USE_ME_CLEANER option.

Tested on a Lenovo X220 and Sapphire Pure Platinum H61.

Change-Id: I3d5e0d9af0a36cc7476a964cf753914c2f3df9d2
Signed-off-by: Nicola Corna <nicola@corna.info>
Reviewed-on: https://review.coreboot.org/25506
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>

1 files changed, 72 insertions, 31 deletions

diff --git a/util/me_cleaner/README.md b/util/me_cleaner/README.md
index 72c15986df5c..d4c20598d64b 100644
--- a/util/me_cleaner/README.md
+++ b/util/me_cleaner/README.md
@@ -1,44 +1,85 @@
-# me_cleaner
-
-Intel ME is a coprocessor integrated in all post-2006 Intel boards, for which
-this [Libreboot page](https://libreboot.org/faq.html#intelme) has an excellent
-description. The main component of Intel ME is Intel AMT, and I suggest you to
-read [this Wikipedia page](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology)
-for more information about it. In short, Intel ME is an irremovable environment
-with an obscure signed proprietary firmware, with full network and memory
-access, which poses a serious security threat.
-Even when disabled from the BIOS settings, Intel ME is active: the only way to
-be sure it is disabled is to remove its firmware from the flash chip.
+# me\_cleaner
+
+_me\_cleaner_ is a Python script able to modify an Intel ME firmware image with
+the final purpose of reducing its ability to interact with the system.
+
+## Intel ME
+
+Intel ME is a co-processor integrated in all post-2006 Intel boards, which is
+the base hardware for many Intel features like Intel AMT, Intel Boot Guard,
+Intel PAVP and many others. To provide such features, it requires full access to
+the system, including memory (through DMA) and network access (transparent to
+the user).
+
+Unlike many other firmware components, the Intel ME firmware can't be neither
+disabled nor reimplemented, as it is tightly integrated in the boot process and
+it is signed.
+
+This poses an issue both to the free firmware implementations like [coreboot](
+https://www.coreboot.org/), which are forced to rely on a proprietary, obscure
+and always-on blob, and to the privacy-aware users, who are reasonably worried
+about such firmware, running on the lowest privilege ring on x86.
+
+## What can be done
 
 Before Nehalem (ME version 6, 2008/2009) the ME firmware could be removed
 completely from the flash chip by setting a couple of bits inside the flash
-descriptor, without the need to reverse-engineer the ME firmware.
+descriptor, effectively disabling it.
 
 Starting from Nehalem the Intel ME firmware can't be removed anymore: without a
-valid firmware the PC shuts off forcefully after 30 minutes. This project is an
-attempt to remove as much code as possible from such firmware without falling
-into the 30 minutes recovery mode.
+valid firmware the PC shuts off forcefully after 30 minutes, probably as an
+attempt to enforce the Intel Anti-Theft policies.
+
+However, while Intel ME can't be turned off completely, it is still possible to
+modify its firmware up to a point where Intel ME is active only during the boot
+process, effectively disabling it during the normal operation, which is what
+_me\_cleaner_ tries to accomplish.
+
+## Platform support
 
-me_cleaner currently works on most architectures, see [me_cleaner status](https://github.com/corna/me_cleaner/wiki/me_cleaner-status) (or [its discussion](https://github.com/corna/me_cleaner/issues/3))
-for more info about them. me_cleaner works also on the TXE and SPS firmware.
+_me\_cleaner_ currently works on [most of the Intel platforms](
+https://github.com/corna/me_cleaner/wiki/me_cleaner-status); while this doesn't
+mean it works on all the boards (due to the different firmware implementations),
+it has been proven quite reliable on a great number of them.
 
-If you want to understand how me_cleaner works, you can read the ["How does it work?" page](https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F).
+## Usage
 
-If you want to apply me_cleaner on your platform I suggest you to read the
-["How does it work?" page](https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F)
-and then follow the guide ["How to apply me_cleaner"](https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner).
+_me\_cleaner_ should handle all the steps necessary to the modification of an
+Intel ME firmware with the command:
+
+      $ python me_cleaner.py -S -O modified_image.bin original_dump.bin
+
+However, obtaining the original firmware and flashing back the modified one is
+usually not trivial, as the Intel ME firmware region is often non-writable from
+the OS (and it's not a safe option anyways), requiring the use of an external
+SPI programmer.
+
+## Results
 
 For pre-Skylake firmware (ME version < 11) this tool removes almost everything,
-leaving only the two fundamental modules needed for the correct boot, ROMP and
-BUP. The code size is reduced from 1.5 MB (non-AMT firmware) or 5 MB (AMT
+leaving only the two fundamental modules needed for the correct boot, `ROMP` and
+`BUP`. The code size is reduced from 1.5 MB (non-AMT firmware) or 5 MB (AMT
 firmware) to ~90 kB of compressed code.
 
 Starting from Skylake (ME version >= 11) the ME subsystem and the firmware
-structure have changed, requiring substantial changes in me_cleaner.
-The fundamental modules required for the correct boot are now four (rbe, kernel,
-syslib and bup) and the minimum code size is ~300 kB of compressed code (from
-the 2 MB of the non-AMT firmware and the 7 MB of the AMT one).
-
-This project is based on the work of the community; in particular I thank Igor
-Skochinsky, for the core information about Intel ME and its firmware structure,
-and Federico Amedeo Izzo, for its help during the study of Intel ME.
+structure have changed, requiring substantial changes in _me\_cleaner_.
+The fundamental modules required for the correct boot are now four (`rbe`,
+`kernel`, `syslib` and `bup`) and the minimum code size is ~300 kB of compressed
+code (from the 2 MB of the non-AMT firmware and the 7 MB of the AMT one).
+
+On some boards the OEM firmware fails to boot without a valid Intel ME firmware;
+in the other cases the system should work with minor inconveniences (like longer
+boot times or warning messages) or without issues at all.
+
+Obviously, the features provided by Intel ME won't be functional anymore after
+the modifications.
+
+## Documentation
+
+The detailed documentation about the working of _me\_cleaner_ can be found on
+the page ["How does it work?" page](
+https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F).
+
+Various guides and tutorials are available on the Internet, however a good
+starting point is the ["How to apply me_cleaner" guide](
+https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner).