chipsec.modules.common.me_mfg_mode module¶

This module checks that ME Manufacturing mode is not enabled.

References:

https://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

#define PCH_DEV_SLOT_CSE        0x16
#define  PCH_DEVFN_CSE          _PCH_DEVFN(CSE, 0)
#define  PCH_DEV_CSE            _PCH_DEV(CSE, 0)

https://github.com/coreboot/coreboot/blob/master/src/soc/intel/apollolake/cse.c

fwsts1 = dump_status(1, PCI_ME_HFSTS1);
# Minimal decoding is done here in order to call out most important
# pieces. Manufacturing mode needs to be locked down prior to shipping
# the product so it's called out explicitly.
printk(BIOS_DEBUG, "ME: Manufacturing Mode      : %s", (fwsts1 & (1 << 0x4)) ? "YES" : "NO");

PCH.H

#define PCH_ME_DEV                PCI_DEV(0, 0x16, 0)

ME.H

struct me_hfs {
        u32 working_state: 4;
        u32 mfg_mode: 1;
        u32 fpt_bad: 1;
        u32 operation_state: 3;
        u32 fw_init_complete: 1;
        u32 ft_bup_ld_flr: 1;
        u32 update_in_progress: 1;
        u32 error_code: 4;
        u32 operation_mode: 4;
        u32 reserved: 4;
        u32 boot_options_present: 1;
        u32 ack_data: 3;
        u32 bios_msg_ack: 4;
} __packed;

ME_STATUS.C

printk(BIOS_DEBUG, "ME: Manufacturing Mode      : %s", hfs->mfg_mode ? "YES" : "NO");

This module checks the following:

HFS.MFG_MODE BDF: 0:22:0 offset 0x40 - Bit [4]

Usage:

chipsec_main -m common.me_mfg_mode

Examples:

>>> chipsec_main.py -m common.me_mfg_mode

The module returns the following results:

FAILED : HFS.MFG_MODE is set

PASSED : HFS.MFG_MODE is not set.

Hardware registers used:

HFS.MFG_MODE

chipsec.modules.common.me_mfg_mode module¶

Table of Contents

Previous topic

Next topic