1# Copyright (c) 2013 The Chromium OS Authors. All rights reserved. 2# Use of this source code is governed by a BSD-style license that can be 3# found in the LICENSE file. 4 5AUTHOR = "ChromeOS Team" 6NAME = "firmware_LockedME" 7PURPOSE = "Ensure the ME region is locked." 8ATTRIBUTES = "suite:faft_bios_ro_qual, suite:faft_bios_rw_qual" 9CRITERIA = "Fail if any part of the BIOS ME region is mutable from userspace" 10TIME = "SHORT" 11TEST_CATEGORY = "Security" 12TEST_CLASS = "firmware" 13TEST_TYPE = "client" 14PY_VERSION = 3 15 16DOC = """ 17Intel x86 CPUs (Sandybridge and later) reserve a portion of the BIOS 18firmware image for use by the Intel Management Engine (ME). Intel 19requires that section of the BIOS flash to be mutable. The ME firmware 20itself determines whether or not the CPU can modify the ME region. During 21development, we often use an ME image that allows CPU updates. For 22production, we need to ensure that we do NOT allow CPU updates. 23 24This test PASSES if the CPU is unable to modify the ME region. 25 26This test FAILS if the CPU can modify the ME region, which means it should 27*always* fail on any pre-production image. 28 29Because the only way to be sure that the ME is locked is to try to change 30it, if the test fails and is interrupted before it can restore the original 31content, the DUT may stop functioning and will require reimaging via servo 32or Dediprog to restore it. 33 34This test is only meaningful to systems using Intel x86 CPUs, and then only 35Sandybrige models or later (not Pinetrail, for example) 36 37""" 38 39job.run_test('firmware_LockedME') 40