The only truth is looking inside of the firmwares that are built and their blobs dependencies.
Sorry for references on librem5, and librem15 missing, but they also come in different chipsets depending on their revisions, but it doesn’t change the fact: they are post broadwell and therefore are in ME >= 11, which is not fully neuteurable. I wrote about this so many times in the past, I can’t believe there is still confusion about this but because terminology intricacies.
As described under Platform blobs, collaborators/maintainers/testers for faster problems resolution · Issue #692 · linuxboot/heads · GitHub there is no such thing as fully neutereable ME after =>11 and this documentation is the reference How does it work? · corna/me_cleaner Wiki · GitHub.
If we take for example what is built from Heads CircleCI.
- Last build of master at time of writing this https://app.circleci.com/pipelines/github/osresearch/heads/679/workflows/8224ced6-b204-4cf0-b55a-0a2891a709e2
- Let’s pick Librem15v3 https://app.circleci.com/pipelines/github/osresearch/heads/679/workflows/8224ced6-b204-4cf0-b55a-0a2891a709e2/jobs/12681
- Let’s download the build rom artifact https://output.circle-artifacts.com/output/job/e362a61d-1bfb-40f7-b1d7-99f01ed85bd6/artifacts/0/build/x86/librem_15v3/heads-librem_15v3-v0.2.0-1809-gbd2a8eb.rom
user@heads-tests-deb12:~/heads$ ~/heads/blobs/xx30/me_cleaner.py heads-librem_15v3-v0.2.0-1809-gbd2a8eb.rom
Full image detected
Found FPT header at 0x1010
Found 2 partition(s)
Found FTPR header: FTPR partition spans from 0x1000 to 0xa8000
Found FTPR manifest at 0x1478
ME/TXE firmware version 11.0.18.1002 (generation 3)
Public key match: Intel ME, firmware versions 11.x.x.x
The HAP bit is SET
Reading partitions list...
FTPR (0x00001000 - 0x0000a8000, 0x000a7000 total bytes): NOT removed
MFS (0x000a8000 - 0x00010c000, 0x00064000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0x01)...
Reading FTPR modules list...
FTPR.man (uncompressed, 0x001478 - 0x00207c): NOT removed, partition manif.
rbe.met (uncompressed, 0x00207c - 0x002112): NOT removed, module metadata
kernel.met (uncompressed, 0x002112 - 0x0021a0): NOT removed, module metadata
syslib.met (uncompressed, 0x0021a0 - 0x002204): NOT removed, module metadata
bup.met (uncompressed, 0x002204 - 0x0026a4): NOT removed, module metadata
pm.met (uncompressed, 0x0026a4 - 0x002752): NOT removed, module metadata
syncman.met (uncompressed, 0x002752 - 0x0027e8): NOT removed, module metadata
vfs.met (uncompressed, 0x0027e8 - 0x003148): NOT removed, module metadata
evtdisp.met (uncompressed, 0x003148 - 0x0032d6): NOT removed, module metadata
loadmgr.met (uncompressed, 0x0032d6 - 0x0033fe): NOT removed, module metadata
busdrv.met (uncompressed, 0x0033fe - 0x0037b0): NOT removed, module metadata
gpio.met (uncompressed, 0x0037b0 - 0x0038bc): NOT removed, module metadata
prtc.met (uncompressed, 0x0038bc - 0x003a6c): NOT removed, module metadata
policy.met (uncompressed, 0x003a6c - 0x003c36): NOT removed, module metadata
crypto.met (uncompressed, 0x003c36 - 0x003dc0): NOT removed, module metadata
heci.met (uncompressed, 0x003dc0 - 0x003f74): NOT removed, module metadata
storage.met (uncompressed, 0x003f74 - 0x004258): NOT removed, module metadata
pmdrv.met (uncompressed, 0x004258 - 0x00437c): NOT removed, module metadata
maestro.met (uncompressed, 0x00437c - 0x004466): NOT removed, module metadata
fpf.met (uncompressed, 0x004466 - 0x00455a): NOT removed, module metadata
hci.met (uncompressed, 0x00455a - 0x004704): NOT removed, module metadata
fwupdate.met (uncompressed, 0x004704 - 0x00480c): NOT removed, module metadata
ptt.met (uncompressed, 0x00480c - 0x0048fe): NOT removed, module metadata
touch_fw.met (uncompressed, 0x0048fe - 0x004a40): NOT removed, module metadata
rbe (Huffman , 0x004a40 - 0x0070c0): NOT removed, essential
kernel (Huffman , 0x0070c0 - 0x015dc0): NOT removed, essential
syslib (Huffman , 0x015dc0 - 0x028a00): NOT removed, essential
bup (Huffman , 0x028a00 - 0x051600): NOT removed, essential
pm (LZMA/uncomp., 0x051600 - 0x053f80): removed
syncman (LZMA/uncomp., 0x053f80 - 0x0544c0): removed
vfs (LZMA/uncomp., 0x0544c0 - 0x05c2c0): removed
evtdisp (LZMA/uncomp., 0x05c2c0 - 0x05dd40): removed
loadmgr (LZMA/uncomp., 0x05dd40 - 0x060b80): removed
busdrv (LZMA/uncomp., 0x060b80 - 0x063980): removed
gpio (LZMA/uncomp., 0x063980 - 0x064e00): removed
prtc (LZMA/uncomp., 0x064e00 - 0x065bc0): removed
policy (LZMA/uncomp., 0x065bc0 - 0x06c280): removed
crypto (LZMA/uncomp., 0x06c280 - 0x07be00): removed
heci (LZMA/uncomp., 0x07be00 - 0x07fec0): removed
storage (LZMA/uncomp., 0x07fec0 - 0x084640): removed
pmdrv (LZMA/uncomp., 0x084640 - 0x085e40): removed
maestro (LZMA/uncomp., 0x085e40 - 0x088d40): removed
fpf (LZMA/uncomp., 0x088d40 - 0x08a740): removed
hci (LZMA/uncomp., 0x08a740 - 0x08afc0): removed
fwupdate (LZMA/uncomp., 0x08afc0 - 0x08f840): removed
ptt (LZMA/uncomp., 0x08f840 - 0x0a3980): removed
touch_fw (LZMA/uncomp., 0x0a3980 - 0x0a8000): removed
The ME minimum size should be 352256 bytes (0x56000 bytes)
The ME region can be reduced up to:
00001000:00056fff me
Checking the FTPR RSA signature... VALID
Done! Good luck!
As you can see, a lot of modules have been removed, but take note of the essential modules, which cannot be removed, just like referred documentation by me_cleaner.
So if we go back at statements: “kernel and rbe”, they are still there.
X230:
user@heads-tests-deb12:~/heads/blobs/xx30$ ./download_clean_me.sh
Usage: ./download_clean_me.sh -m <me_cleaner>(optional)
### Creating temp dir
### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe...
--2023-10-16 18:03:33-- https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
Resolving download.lenovo.com (download.lenovo.com)... 23.195.77.12
Connecting to download.lenovo.com (download.lenovo.com)|23.195.77.12|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4626016 (4.4M) [application/octet-stream]
Saving to: ‘g1rg24ww.exe’
g1rg24ww.exe 100%[=======================================================================>] 4.41M 8.39MB/s in 0.5s
2023-10-16 18:03:34 (8.39 MB/s) - ‘g1rg24ww.exe’ saved [4626016/4626016]
### Verifying expected hash of g1rg24ww.exe
g1rg24ww.exe: OK
### Extracting g1rg24ww.exe...
Extracting "Intel Management Engine 8.1 Firmware for Windows 7/8/8.1" - setup data version 5.4.2
- "app/FwDetect.exe"
- "app/FwUpdate.exe"
- "app/FWUpdLcl.exe"
- "app/FWUpdLcl64.exe"
- "app/Idrvdll.dll"
- "app/ME8_5M_Production.bin"
- "app/MEInfoWin.exe"
- "app/MEUpdate.CMD"
- "app/Pmxdll.dll"
- "app/SLA_TOOLS.pdf"
Done.
### Verifying expected hash of app/ME8_5M_Production.bin
app/ME8_5M_Production.bin: OK
###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on , outputting minimized ME under /home/user/heads/blobs/xx30/me.bin...
ME/TXE image detected
Found FPT header at 0x10
Found 23 partition(s)
Found FTPR header: FTPR partition spans from 0x180000 to 0x24a000
ME/TXE firmware version 8.1.72.3002
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
Reading partitions list...
???? (0x000003c0 - 0x000000400, 0x00000040 total bytes): removed
FOVD (0x00000400 - 0x000001000, 0x00000c00 total bytes): removed
MDES (0x00001000 - 0x000002000, 0x00001000 total bytes): removed
FCRS (0x00002000 - 0x000003000, 0x00001000 total bytes): removed
EFFS (0x00003000 - 0x0000df000, 0x000dc000 total bytes): removed
BIAL (NVRAM partition, no data, 0x0000add0 total bytes): nothing to remove
BIEL (NVRAM partition, no data, 0x00003000 total bytes): nothing to remove
BIIS (NVRAM partition, no data, 0x00036000 total bytes): nothing to remove
NVCL (NVRAM partition, no data, 0x00010511 total bytes): nothing to remove
NVCM (NVRAM partition, no data, 0x0000493f total bytes): nothing to remove
NVCP (NVRAM partition, no data, 0x0000a553 total bytes): nothing to remove
NVJC (NVRAM partition, no data, 0x00004000 total bytes): nothing to remove
NVKR (NVRAM partition, no data, 0x0001257d total bytes): nothing to remove
NVOS (NVRAM partition, no data, 0x00034af7 total bytes): nothing to remove
NVSH (NVRAM partition, no data, 0x00007609 total bytes): nothing to remove
NVTD (NVRAM partition, no data, 0x00001eac total bytes): nothing to remove
PLDM (NVRAM partition, no data, 0x0000a000 total bytes): nothing to remove
GLUT (0x000df000 - 0x0000e3000, 0x00004000 total bytes): removed
LOCL (0x000e3000 - 0x0000e7000, 0x00004000 total bytes): removed
WCOD (0x000e7000 - 0x000140000, 0x00059000 total bytes): removed
MDMV (0x00140000 - 0x000180000, 0x00040000 total bytes): removed
FTPR (0x00180000 - 0x00024a000, 0x000ca000 total bytes): NOT removed
NFTP (0x0024a000 - 0x0004a4000, 0x0025a000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xed)...
Reading FTPR modules list...
UPDATE (LZMA , 0x1cc508 - 0x1cc6c6 ): removed
ROMP (Huffman, fragmented data, ~2 KiB ): NOT removed, essential
BUP (Huffman, fragmented data, ~56 KiB ): NOT removed, essential
KERNEL (Huffman, fragmented data, ~135 KiB ): removed
POLICY (Huffman, fragmented data, ~91 KiB ): removed
HOSTCOMM (LZMA , 0x1cc6c6 - 0x1d343f ): removed
RSA (LZMA , 0x1d343f - 0x1d872a ): removed
CLS (LZMA , 0x1d872a - 0x1ddec0 ): removed
TDT (LZMA , 0x1ddec0 - 0x1e45be ): removed
FTCS (Huffman, fragmented data, ~18 KiB ): removed
ClsPriv (LZMA , 0x1e45be - 0x1e499f ): removed
SESSMGR (LZMA , 0x1e499f - 0x1f32cb ): removed
Relocating FTPR from 0x180000 - 0x24a000 to 0xd00 - 0xcad00...
Adjusting FPT entry...
Adjusting LUT start offset...
Adjusting Huffman start offset...
Adjusting chunks offsets...
Moving data...
The ME minimum size should be 98304 bytes (0x18000 bytes)
Truncating file at 0x18000...
Checking the FTPR RSA signature... VALID
Done! Good luck!
### Verifying expected hash of me.bin
/home/user/heads/blobs/xx30/me.bin: OK
###Cleaning up...
/home/user/heads/blobs/xx30
X220:
user@heads-tests-deb12:~/heads/blobs/xx20$ ./download_parse_me.sh
### Creating temp dir
### Downloading https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe...
--2023-10-16 18:02:42-- https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe
Resolving download.lenovo.com (download.lenovo.com)... 23.207.56.164
Connecting to download.lenovo.com (download.lenovo.com)|23.207.56.164|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3661480 (3.5M) [application/octet-stream]
Saving to: ‘83rf46ww.exe’
83rf46ww.exe 100%[=======================================================================>] 3.49M 6.39MB/s in 0.5s
2023-10-16 18:02:44 (6.39 MB/s) - ‘83rf46ww.exe’ saved [3661480/3661480]
### Verifying expected hash of 83rf46ww.exe
83rf46ww.exe: OK
### Extracting 83rf46ww.exe...
Extracting "Intel Management Engine 7.1 Firmware for Windows XP/Vista/7/8" - setup data version 5.4.2
- "app/ME7_5M_UPD_Production.bin"
Done.
### Verifying expected hash of app/ME7_5M_UPD_Production.bin
app/ME7_5M_UPD_Production.bin: OK
###Generating neuter+deactivate+maximize reduction of ME on , outputting minimized ME under /home/user/heads/blobs/xx20/me.bin...
Starting ME 7.x Update parser.
UPDATE (LZMA , 0x044a5a - 0x044aec ): removed
BUP (Huffman, fragmented data, ~48 KiB ): NOT removed, essential
KERNEL (Huffman, fragmented data, ~122 KiB ): removed
POLICY (Huffman, fragmented data, ~86 KiB ): removed
HOSTCOMM (LZMA , 0x044aec - 0x04a082 ): removed
RSA (LZMA , 0x04a082 - 0x04eb3f ): removed
CLS (LZMA , 0x04eb3f - 0x053551 ): removed
TDT (LZMA , 0x053551 - 0x0596fc ): removed
FTCS (Huffman, fragmented data, ~15 KiB ): removed
Relocating from 0x0 - 0x0 to 0x400 - 0x400...
Adjusting FPT entry...
Adjusting LUT start offset...
Adjusting Huffman start offset...
Adjusting chunks offsets...
Moving data...
The ME minimum size should be 84992 bytes (0x14c00 bytes)
Truncating file at 0x14c00...
/home/user/heads/blobs/xx20/me.bin is VALID
### Verifying expected hash of me.bin
/home/user/heads/blobs/xx20/me.bin: OK
###Cleaning up...
/home/user/heads/blobs/xx20
It is true to say that neutering is applied, but corna doc is right after Skylake:
As you can see, things are a bit more complex but the overall concept is the same: one RSA signature over the hash chains of the modules. As before, the hashes are not checked all at once but only when needed, allowing us to remove some modules without problem. Unfortunately it seems that the hashes of the modules
rbe,bup,kernelandsyslibare checked together, increasing the number of the fundamental modules to four.
- Sandy: BUP
- Ivy: BUP+ROMP (neutered)
- Skylake+: BUP+RBE+KERNEL+SYSLIB. (partly neutered)
More recent:
- No neutering. Only HAP: Deactivated.
Note: This has nothing to do with Purism but chipset and ME versions coming with those. Purism does what can be done to neuter and their articles are pretty clear on what they do and can do with state of current research and the chipsets in use. So are the other vendors that care enough to disable ME. But newer platforms cannot use the term neutering anymore. It should be partly neutered only, where newer platforms simply can’t neuter anymore on ME>=12 where discussion are continuing here Add soft-disable support for Intel ME 12, 14, 15 and 16 by XutaxKamay · Pull Request #384 · corna/me_cleaner · GitHub
Edit: repointing to the discussion on ME differences 3rd gen vs 10th gen - Intel ME - #24 by Insurgo