coreboot-nitrokey: hard-code ME state during boot

[daringer]

fixes Nitrokey#39

Dasharo v1.7.2 introduced a feature to always set the ME state during boot based on the EDK2 defined values.
This led to the ME being activated in Nitrokey's v2.4 release, this PR fixes this by hard-coding the EDK2 defined values.

This PR is intentionally minimal to minimize testing and release fast - the Nitropad releases, will be build from this branch.

We are currently testing - it affects anyways the coreboot-nitrokey module exclusively - so don't see further needs for testing - we will not only test our branch, but also the upstream artifacts. Once the tests are done I will promote this PR to "ready-for-review".

[tlaurion]

LGTM if cbmem reports ME disabled.

@daringer : Can you post output before after this commit?

[daringer]

The originating issue describes what has been tested, 1. to 4. and all are either empty or disabled. Namely dmesg does not contain any contents like mei, HECI and CSE. Coreboot logs are a little more precise:

[WARN ]  HECI: CSE device 16.0 is disabled

/.. snip ../

[WARN ]  HECI: CSE device 16.0 is disabled
[DEBUG]  CSE is disabled, cannot send End-of-Post (EOP) message
[WARN ]  HECI: CSE device 16.0 is disabled
[WARN ]  HECI: CSE device 16.1 is disabled
[WARN ]  HECI: CSE device 16.2 is disabled
[WARN ]  HECI: CSE device 16.3 is disabled
[WARN ]  HECI: CSE device 16.4 is disabled
[WARN ]  HECI: CSE device 16.5 is disabled

verified on NV41 & NS50

[daringer]

We'll run another test-iteration also for the patch against upstream and plan to officially release tomorrow.

[tlaurion]

The originating issue describes what has been tested, 1. to 4. and all are either empty or disabled. Namely dmesg does not contain any contents like mei, HECI and CSE. Coreboot logs are a little more precise:

[WARN ]  HECI: CSE device 16.0 is disabled

/.. snip ../

[WARN ]  HECI: CSE device 16.0 is disabled
[DEBUG]  CSE is disabled, cannot send End-of-Post (EOP) message
[WARN ]  HECI: CSE device 16.0 is disabled
[WARN ]  HECI: CSE device 16.1 is disabled
[WARN ]  HECI: CSE device 16.2 is disabled
[WARN ]  HECI: CSE device 16.3 is disabled
[WARN ]  HECI: CSE device 16.4 is disabled
[WARN ]  HECI: CSE device 16.5 is disabled

verified on NV41 & NS50

@daringer ME linux modules are not packed under Heads for a while, I have opened an issue to remove artifacts and not build them forward from linux configurations at #1597 (comment) since no current board configurations actually instruct modules/linux to pack them under modules.cpio.

Therefore, you only have cbmem output under Heads, no dmesg output from kernel in regard of ME.

[daringer]

oh sorry, for clarification: We did inspections of dmesg in QubesOS and Ubuntu to ensure that ME is not made available by some OS mechanism, similar to what was reported in the original issue ...
HEADS' dmesg output - correct as you state @tlaurion does either way not contain any ME related messages

[JonathonHall-Purism]

Looks reasonable to me 👍