# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
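# Control-file metadata for the firmware_LockedME test, followed by the
# job invocation. The stray "|" lines left by the file viewer are dropped;
# they are not valid Python and would otherwise end up inside DOC.
AUTHOR = "ChromeOS Team"
NAME = "firmware_LockedME"
PURPOSE = "Ensure the ME region is locked."
# Listed in both the faft_bios_ro_qual and faft_bios_rw_qual suites.
ATTRIBUTES = "suite:faft_bios_ro_qual, suite:faft_bios_rw_qual"
# Pass/fail rule: any part of the ME region being writable from userspace
# is a failure. Per DOC, production images must not allow CPU updates of
# this region, so a failure on a production image is a real finding rather
# than test noise.
CRITERIA = "Fail if any part of the BIOS ME region is mutable from userspace"
TIME = "SHORT"
TEST_CATEGORY = "Security"
TEST_CLASS = "firmware"
TEST_TYPE = "client"

DOC = """
Intel x86 CPUs (Sandybridge and later) reserve a portion of the BIOS
firmware image for use by the Intel Management Engine (ME). Intel
requires that section of the BIOS flash to be mutable. The ME firmware
itself determines whether or not the CPU can modify the ME region. During
development, we often use an ME image that allows CPU updates. For
production, we need to ensure that we do NOT allow CPU updates.

This test PASSES if the CPU is unable to modify the ME region.

This test FAILS if the CPU can modify the ME region, which means it should
*always* fail on any pre-production image.

Because the only way to be sure that the ME is locked is to try to change
it, if the test fails and is interrupted before it can restore the original
content, the DUT may stop functioning and will require reimaging via servo
or Dediprog to restore it.

This test is only meaningful to systems using Intel x86 CPUs, and then only
Sandybridge models or later (not Pinetrail, for example).

"""

# NOTE: as DOC explains, the check works by attempting a real change to the
# ME region. On an unlocked image an interrupted run can leave the DUT
# unusable, so have servo or Dediprog recovery available before scheduling.
# `job` is not defined in this file; presumably it is supplied by the test
# harness that executes the control file.
job.run_test('firmware_LockedME')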