INTEL/AMD FAB

The processor chipset has an extra secure co-processor. For Intel, Intel Managment Engine, it is of the quark series MMU processor running minix. For AMD, Platform security Processor, it is an arm-cortex running Kinibi OS. It is a section of the chip with unrestricted access to peripheral and buses.

Uses:

• The idea is to DRM, in cases of creating just 1 chip-model and locking down cores for cheaper chipsets.
• And to monitor (Hi FBI bro!!). (The Intel in Intel means Intel).
• To provide RNG.
• Root-of-trust for boot process, module signing, enabling TEE.
• soft-TPM.

The firmware lives inside the external flash/eeprom, along with UEFI/BIOS.

MOTHERBOARD MANUFACTURER

The motherboard will flash an EEPROM with UEFI/BIOS and Secure firmware.

PC BUILDING

• The new chipset is put on the motherboard.
• The moment the CMOS battery is placed. The IME engine will start and look for external flash, it will start eXecute-In-Place. And start signing everything, and make records in the flash.

STANDBY POWER INIT

• Connected to AC with Vrms.
• Put through low pass filters.
• Rectified to DC to give Vdc = sqrt(2)*Vrms.
• For a moment, Vdc is reduced to 5V using a resistor, the power goes to switching controller. That momentary power, starts up Standby chip and chops Vdc,through the standby flyback transformer. The flyback powers the chip now, the chip stops taking power from resistor line using or-ing stategy. Now the resistor line is used to sense input Vdc. And optocoupler used to sense output Vsb.
• The 5 volt Vsb rail is live.
• PS_ON# known as "soft power on signal" line is pulled up to Vsb.
• 5 volt USB-PD is live.
• Wake-on-LAN is live.
• Vsb hijacks CMOS power.
• if CMOS battery had no power, IME starts now and signs everything.

PRIMARY POWER INIT

• Power button pushed, the PS_ON# is grounded. This signal is 'seen' by the standby chip.
• Standby chip switches on primary chip and primary line.
• Primary chip starts switching to output primary voltages (3.3,5,12). Many vendors have different ways of producing primary voltages.
• The primary chip tries to stabilize output voltages.
• After 500ms, the primary chip pulls the PWR_OK line.

Checkout more in this Ken Shirriff's blogpost

CPU wakes up

• The PWR_OK line acts as active high ENABLE for the chipset.
• The chip's Process Control Register has Protection Enable as 0. Real mode is on. 32-bit addressing from now.
• the control now is forced by Instruction pointer to go to 0xfffffff0, which is at the eeprom/flash area.

CPU Bootstrapping

• In the last 16 bytes of eeprom/flsah , the processor finds instruction to jump to IP combination , such as JMP FAR 0xeabc20d0, which jumps to start of BIOS/UEFI partition in EEPROM/FLASH. (running XIP)

BIOS/UEFI

BIOS means boot binary was same for all vendors. UEFI means boot binary can be customised.

Steps inside BIOS/UEFI:

• POST
• Start DDR, init modules required for boot order.
• Load in I/O modules
• If init flag is set in EEPROM/Flash, then come load up the BIOS/UEFI screen. User needs to edit boot order, and features enablement.
• If not, then control flow goes to the available boot device in boot priority.
• The boot file is placed in RAM.

GRUB

• The grub start in RAM.
• Uses EFI modules and start init and running boot script.
• When the script is over and the next args and os file is placed in RAM.
• The register bank holds the cmd-args pointer, initramfs pointer for linux. The dtb pointer is already known to be inside the NVRAM, which was dynamically created by IME.
• The BIOS tell UEFI that OS taking over control. The UEFI/Secure coproc/TEE register time taken, modules used, and other parameters to validate if there were any anomaly.

RICH EXECUTION ENVIRONMENT (OS)

• Linux start unpacking itself, requesting mode change, MMU-paging/dynamic inits, sets up data structures, interrupts, system call interface, timer, console.
• Load in initramfs.
• Init starts background services.
• Load in rootfs.
• Init does pivot_root and makes rootfs '/'.
• Execs new init.

Debian GNU/Linux 13 t480 tty1
t480 login: sidharth_seela